The Anatomy of a Crypto Scam Center
- It is a transnational enterprise rather than a few fraudsters with bad websites: social engineering, call-center discipline, fake platforms, professional laundering, and in many cases trafficked labor.
- Pig butchering is the center of gravity but not the whole map. The same infrastructure runs task scams, impersonation, wallet drainers, and recovery scams.
- The numbers keep climbing. The FBI logged $7.2 billion in crypto investment fraud for 2025, and Chainalysis estimated at least $14 billion in on-chain scam inflows.
- Court records now show org charts. The Prince Group indictment alleged ledgers mapping scam types to specific rooms and floors, plus phone farms and violent coercion.
- The threat is a full-stack supply chain, so the response has to be one too. The actions that worked in 2025 and 2026 hit domains, recruitment, payments, stablecoins, and the managers all at once.
The mental picture most people have of a crypto scam, a lone operator behind a fake exchange, is wrong, and it is wrong in a way that changes how you defend against it. The public evidence describes something far more organized: a transnational enterprise that combines social engineering, call-center discipline, fraudulent websites and apps, cross-border payments, professionalized money laundering, and, in a large share of documented cases, labor trafficking and coercion.
Public reporting and official actions place many of the biggest clusters in Southeast Asia, especially Cambodia and the Myanmar-Thailand borderlands. But INTERPOL has warned the model is globalizing. As of March 2025, victims from 66 countries had been trafficked into these operations, with 74% taken to Southeast Asian hubs.
The dominant product is still relationship-enabled investment fraud, the thing usually called pig butchering. The same infrastructure increasingly carries adjacent frauds too: task and job scams, tech-support and government-impersonation scams, phishing-and-drainer thefts, fake staking products, and recovery scams. What ties them together is not a single script or coin. It is a repeatable business process. Acquire leads, build trust, induce payment into controlled accounts or wallets, manufacture false proof of profits or urgency, block withdrawals, then move the funds through shell companies, OTC desks, exchanges, bridges, mixers, gambling services, or specialized laundering networks.
The FBI’s 2024 IC3 report recorded 41,557 complaints and $5.8 billion in losses from crypto investment fraud alone. The 2025 report put that figure at $7.2 billion, the largest single driver of financial losses to Americans that year. Chainalysis estimated crypto scams and fraud took in at least $14 billion on-chain in 2025, projected the final total could exceed $17 billion as more illicit wallets are identified, and reported that stablecoins accounted for 84% of all illicit transaction volume. These are lower-bound estimates. Complaint data undercounts victims, and blockchain attribution improves with time.
This article touches on fraud, coercion, and trafficking. If you or someone you know has been affected and is struggling, that is worth taking seriously, and speaking with a trusted person or professional can help.
Scope and a working taxonomy
A “crypto scam center,” for this purpose, is a fraud operation organized at scale that uses cryptocurrency in at least one of three places: as the product being invested in, as the payment rail used to receive or move victim funds, or as the laundering layer used to cash out. That lines up with how the FBI, FinCEN, DOJ, SEC, and CFTC describe confidence-enabled crypto investment fraud, fake platforms, recovery scams, and scam compounds.
A few caveats are worth stating plainly. The public evidence skews toward U.S. victims because U.S. agencies publish more detailed reports and court filings than most other jurisdictions. Not every large crypto scam runs from a physical compound or with forced labor; some are fully remote. Not every Southeast Asian scam center is primarily crypto-focused; many run parallel products like impersonation, sextortion, or task scams.
Pig butchering and its fake-yield variants have the highest industrialization potential, because trust-building scales cleanly through scripts and software. Task and job scams and impersonation scams rank close behind. Phishing and wallet-drainer scams scale well on the technical side. Recovery scams, rug pulls, and Ponzi-style “platform” frauds round out the picture at a more moderate level. The analytical point is that pig butchering sits at the center, but it is not the whole picture, and the same network often runs several of these products from the same infrastructure.
Inside the scam center
The evidence increasingly shows these operations structured more like sales floors than loose chat groups. In the Shunda case, U.S. investigators said the compound operated in Myanmar from at least January to November 2025. After the site was seized, FBI agents and Thai partners reviewed thousands of devices and interviewed former workers, which led them to identify a hierarchical organization of Chinese operators. Publicly identified roles included a high-level manager and enforcer, a team leader supervising workers who targeted U.S. victims, and trafficked workers forced to conduct the fraud under threat of violence and torture.
The Prince Group indictment alleged an even more granular model. Prosecutors said Chen Zhi kept records for specific scam compounds, tracked profits, mapped scam types to buildings, floors, and rooms, and used the term “jingliao,” scripted chat, in connection with crypto investment fraud. The indictment also alleged phone farms made up of thousands of phones and millions of mobile numbers. Ledgers, room assignments, script labels, and telecom assets together point to workflow management and measurable production targets.
Recruitment happens through both deception and coercion. The FBI’s 2023 crypto fraud report warned that scam compounds use false job ads on social media and employment sites, offering high salaries, travel, room and board, and roles like tech support, customer service, or salon work. Once workers are abroad, passports may be taken, debt imposed, and violence used to compel participation. INTERPOL and UNODC frame scam centers as a trafficking and forced-criminality problem. The strike force’s 2026 Telegram seizure shows how role-specific that recruitment gets: the channel advertised Cambodia jobs for people with “American” accents, required night shifts aligned to U.S. daytime hours, and in some ads specifically sought attractive female candidates. Accent and gender presentation were treated as production assets because they improved the credibility of specific scripts.
A composite role map, drawn from the Shunda investigation, the Prince Group indictment, and the laundering cases, runs from owners and principals at the top, through compound managers, team leaders and trainers, outreach operators who make first contact, closers who push the larger deposits, fake customer-support staff who handle the “withdrawal problems,” tech operators who build the domains and apps, recruiters and traffickers, enforcers, and laundering coordinators. Exact org charts vary, and public records rarely reveal full staffing ratios, but the evidence strongly supports a layered hierarchy with technical, sales, coercive, and laundering functions.
The technical and financial machinery
The infrastructure layer is deliberately modular. A victim might first see a credible LinkedIn or Instagram profile, then move to WhatsApp or Telegram or SMS, then get routed to a landing page impersonating a legitimate broker, then be told to download an app with a different name, then speak to “customer support,” then move money first by bank wire and later by crypto. Operators separate branding, communications, and payment rails so that if one asset gets flagged, the rest of the pipeline survives.
The Tai Chang seizure affidavit is the clearest illustration. Investigators described a newly registered domain that copied a legitimate broker’s logo, address, and similar contact details, while keeping the actual deposit app decoupled from the public-facing site. The affidavit said separating the landing-site brand from the mobile applications helped protect the brand when the apps were taken down and let the same domain keep funneling victims toward new applications. That is a resilience pattern, designed by people who expect parts of their operation to be seized.
At the communications layer, the same center may run romance-chat flows, wrong-number texts, call-center impersonation scripts, and group-chat social proof at the same time. The 2026 Telegram recruitment case showed workers using cold calls, WhatsApp, and Microsoft Teams while posing first as bank representatives and later as detectives or court officials. On the web3 side, Chainalysis describes crypto drainers as phishing tools that trick victims into connecting wallets and approving harmful transactions, with the stolen funds increasingly moving to mixers, DeFi projects, bridges, and gambling services rather than straight to centralized exchanges. In 2025 Chainalysis also reported that phishing-as-a-service tools, impersonation kits, and AI-generated personas were becoming core scam infrastructure.
Financially, the system often begins off-chain and ends on-chain. Daren Li admitted directing co-conspirators to open U.S. bank accounts for shell companies, monitor inbound victim wires, convert victim funds into USDT, and distribute that USDT to wallets controlled by co-conspirators. In the Axis Digital case, the DOJ said more than $36.9 million from U.S. victims was routed through a Deltec Bank account in the Bahamas, converted to USDT, and sent to a wallet controlled by individuals in Cambodia, who then transferred the USDT to leaders of scam centers in Sihanoukville and across the region.
FinCEN’s 2025 Huione action explains the next stage. It described Huione Group as a network in which Haowang Guarantee functioned as a Telegram-based marketplace for illicit goods and services, Huione Pay handled fiat and crypto payment services, and Huione Crypto operated exchange and stablecoin functions. FinCEN found at least $4 billion in illicit proceeds laundered through the group between August 2021 and January 2025, and highlighted failures or absence of AML and KYC controls. Elliptic and TRM similarly describe guarantee platforms as one-stop markets for SIM cards, personal data, scam technology, money-laundering services, and cash-out services.
The reported loss numbers track the growth of all this. The FBI’s figures for crypto investment fraud run $2.57 billion in 2022, $3.96 billion in 2023, $5.8 billion in 2024, and $7.2 billion in 2025. IC3 repeatedly warns these figures likely understate reality, because many victims never recognize the fraud in time or never report it. The stablecoin share is operationally significant: stablecoins reduce volatility for criminals, simplify cross-border settlement, and are especially useful for guarantee-market transactions and OTC cash-out flows.
How the victim is worked
The operational playbook is remarkably standardized. A 2025 academic interview study of pig-butchering victims breaks the scam into stages (lure, bond, bait, feed, cut, and encore), and those line up closely with FinCEN’s pig-butchering alert, CFTC advisories, the Prince Group indictment’s four-stage description, SEC fake-platform cases, and multiple DOJ affidavits. The vocabulary differs. The substance does not.
The lure uses either apparent chance or apparent affinity: a wrong-number message, a dating-app match, a friendly LinkedIn connection, an unsolicited social-media approach. The persona is engineered to feel slightly lucky rather than overtly promotional, and the victim is rarely asked for money right away. The bond phase exploits reciprocity and emotional mirroring, with daily communication over weeks or months, supported in many cases by photos, audio calls, even video calls. That is one reason so many victims say the interaction felt real. The scam does not rely on one fake profile. It relies on the cumulative weight of many small signals.
The bait and feed phases are where the operation behaves most like a sales organization. The operator introduces crypto as a hobby, a side income, or an insider opportunity, then coaches the victim through account creation and pairing with a “customer service” or “advisor” figure. Small initial deposits are often followed by visible gains and sometimes an allowed withdrawal, because the goal was never the first payment. It was the later concentration of more capital. The cut begins when the victim tries to exit, or when the operator decides the remaining financial capacity should be harvested aggressively: blocked access, account-review messages, withdrawal fees or taxes, sometimes added blackmail based on romantic communications. The encore phase gets underrated. The same 2025 research found many victims were re-targeted through impersonated law-enforcement contacts or supposed recovery specialists, and the FBI’s 2023 report warned that investment-scam victims are often targeted by businesses claiming to recover lost cryptocurrency. The logic is industrial. Once a network has a list of distressed victims who have already proven willing to pay under pressure, the list itself becomes an asset.
The scripts are not just verbatim talking points. The Prince Group indictment’s reference to “jingliao” points to a formalized approach where tone, sequence, objections, and escalation paths are standardized, and the strike-force Telegram case showed those scripts tailored to market segment, product, and victim geography.
Cases, detection, and the response
The public cases show a clear trajectory: from platform seizures and victim recovery toward leadership indictments, infrastructure disruption, and sanctions-based pressure on laundering ecosystems. In April 2023 the DOJ seized $112 million tied to crypto confidence scams across six virtual-currency accounts used to launder pig-butchering proceeds, which demonstrated that on-chain seizure and victim recovery were possible. Through 2023 and 2024, CFTC and SEC actions established that U.S. market regulators could frame these schemes as securities and commodities fraud. The Daren Li and Axis Digital matters, running 2024 to 2026, pushed public understanding from the scam front-end to the laundering back-end, with more than $73.6 million laundered through shell companies, U.S. bank accounts, USDT conversion, and transfer to Cambodia.
The October 2025 Prince Group indictment and roughly $15 billion Bitcoin forfeiture is the clearest public case linking compound management, forced labor, governance records, telecom scale, and large-scale laundering under one corporate umbrella. Prosecutors alleged the group had profited from fraudulent schemes since at least 2018 and that one co-conspirator boasted by 2022 of earning over $30 million per day from such schemes and related activity. Those allegations have not been tested at trial, but they are supported in the public file by ledgers, images, and a parallel civil forfeiture action. The Scam Center Strike Force actions from November 2025 to April 2026 (Tai Chang, Shunda, the Telegram channel, and more than 503 seized fake investment sites with over $701 million in crypto restrained) show the emerging doctrine of layered disruption. FinCEN’s pressure on the Huione ecosystem, with Telegram removing the Huione and Xinbi channels in May 2025, showed both the scale of scam-enabling marketplaces and how quickly they reconstitute.
Detection has one advantage unique to crypto: blockchains are public and persistent. Early work by Meiklejohn and colleagues showed Bitcoin pseudonymity is limited because clustering heuristics can link addresses likely belonging to the same entity, and later work by Yousaf and co-authors showed transfers can be traced across ledgers using exchange and cross-currency-trade patterns. In practice, investigators can follow a victim payment from an initial wallet, to a consolidation wallet, across a swap or bridge, and on to a cash-out service, especially when off-chain evidence like domains and exchange subpoenas is available. The limits are important too. The 2025 “Ghost Clusters” paper found commercial attribution systems can provide a reliable lower bound with very few false positives, but coverage changes over time and attribution stays probabilistic. Heuristics create leads. Strong attribution comes from combining on-chain data with exchange KYC records, registrar data, seized devices, interviews, and money-flow reconstruction.
The strongest operational red flags link behavior across layers. On-chain, investigators look for rapid post-deposit sweeps, consolidation wallets, peel-chain behavior, repeated stablecoin routing, and common cash-out endpoints. Off-chain, they look for newly registered domains impersonating established firms, mismatched app and website branding, customer-support channels that exist only in messaging apps, heavy emphasis on paying taxes or fees before withdrawals, and accents or working hours that reveal an offshore call-center model aimed at a specific country.
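The on-chain red flags named above (rapid post-deposit sweeps, consolidation wallets and common cash-out endpoints, peel chains) can be expressed as simple heuristics over a transfer list. The following is an added example, not code from the article or from any investigator's tooling; the ledger, address labels, and thresholds are constructed assumptions, and the output is a set of leads, not attribution.

```python
from collections import defaultdict

# Constructed ledger: (unix_ts, sender, receiver, amount in USDT).
# Every address is a made-up label, not a real wallet.
TXS = [
    (1000, "victim1", "dep1", 5000.0), (1120, "dep1", "hub", 4990.0),
    (2000, "victim2", "dep2", 12000.0), (2090, "dep2", "hub", 11980.0),
    (3000, "victim3", "dep3", 800.0), (3200, "dep3", "hub", 798.0),
    (9000, "hub", "p1", 17000.0),
    (9100, "p1", "cashout", 1500.0), (9110, "p1", "p2", 15500.0),
    (9200, "p2", "cashout", 1400.0), (9210, "p2", "p3", 14100.0),
    (9300, "p3", "cashout", 1300.0), (9310, "p3", "p4", 12800.0),
    (5000, "alice", "bob", 50.0), (90000, "bob", "carol", 20.0),  # benign noise
]

def rapid_sweeps(txs, max_delay=600, min_ratio=0.9):
    """Addresses that forward >= min_ratio of a deposit within max_delay seconds."""
    outs = defaultdict(list)
    for ts, src, _, amt in txs:
        outs[src].append((ts, amt))
    flagged = set()
    for ts, _, dst, amt in txs:
        for out_ts, out_amt in outs.get(dst, []):
            if 0 <= out_ts - ts <= max_delay and min_ratio * amt <= out_amt <= amt:
                flagged.add(dst)
    return flagged

def fan_in_wallets(txs, min_sources=3):
    """Addresses funded by many distinct senders: consolidation or shared cash-out."""
    senders = defaultdict(set)
    for _, src, dst, _ in txs:
        senders[dst].add(src)
    return {addr for addr, srcs in senders.items() if len(srcs) >= min_sources}

def peel_chains(txs, min_hops=3, max_peel=0.2):
    """Chains where each hop splits funds into a small peel and a large remainder."""
    outs = defaultdict(list)
    for _, src, dst, amt in txs:
        outs[src].append((dst, amt))
    hops = {}
    for addr, sent in outs.items():
        if len(sent) != 2:
            continue  # a peel hop has exactly two outputs: peel and remainder
        (_, small), (big_dst, big) = sorted(sent, key=lambda o: o[1])
        if small <= max_peel * (small + big):
            hops[addr] = big_dst  # follow the large remainder
    chains = []
    for start in sorted(set(hops) - set(hops.values())):
        chain, cur = [start], start
        while cur in hops and hops[cur] not in chain:  # stop on loops
            cur = hops[cur]
            chain.append(cur)
        if len(chain) - 1 >= min_hops:
            chains.append(chain)
    return chains

if __name__ == "__main__":
    print("rapid sweeps:", sorted(rapid_sweeps(TXS)))
    print("fan-in wallets:", sorted(fan_in_wallets(TXS)))
    print("peel chains:", peel_chains(TXS))
```

Peel-chain hops also show up as rapid sweeps because each one forwards most of its balance within minutes, which is why the flags are more useful combined than alone.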
The response landscape has sharpened. FinCEN issued a 2023 pig-butchering alert aimed at helping financial institutions file useful suspicious-activity reports. The FBI built Operation Level Up to proactively identify victims, and by March 2026 had notified 8,935 crypto-investment-fraud victims, 77% of whom did not know they were being scammed, with estimated prevented harm of roughly $562.7 million. Sanctions and financial-regulatory tools now target the service layer too. FinCEN’s Huione action used Section 311 authorities against a financial institution of primary money-laundering concern, and OFAC actions in 2025 and 2026 targeted scam-center operators and facilitators in Myanmar and Cambodia, including Treasury’s April 2026 action against Cambodian senator Kok An and related networks. These tools aim at the enabling ecosystem rather than only the front-line scammers who are easiest to replace. After law-enforcement alerts, Meta, Microsoft, and JPMorgan reportedly took internal investigative measures against scam activity on or under their brands, and Telegram removed marketplace channels after Elliptic supplied data. Follow-on reporting suggests rapid migration to successor services, which is the recurring lesson: takedowns work best as sustained ecosystem pressure.
Prevention
For users, the most effective defense is to distrust the funnel. If the opportunity begins with a stranger on social media, a dating app, a wrong-number message, or a messaging-app friend you have never met in person, treat the whole interaction as suspect. The CFTC advises keeping conversations on the original platform, verifying identities in real time, checking registration of platforms and firms, and never paying more money to get money back. The FBI and DOJ urge victims to preserve wallet addresses, transaction hashes, platform names, wire details, and all communications, because fast reporting can materially improve freezing and seizure prospects.
For platforms and exchanges, the most useful controls are cross-surface rather than siloed: impersonation-domain detection, app-developer and certificate graphing, wallet-risk screening, behavioral AI for KYC and mule detection, and escalation channels for suspected scam victims before funds leave the platform. Because stablecoins dominate much of the illicit activity, issuers and exchanges should invest in rapid response for flagged wallets. For policymakers, the priority is to force friction at multiple choke points at once: beneficial-ownership transparency for shell companies, stronger supervision of OTC and money-services businesses, faster international asset-freezing mechanisms, trafficking enforcement against recruiters and compound operators, and sanctions against service providers knowingly supporting scam ecosystems. If the criminal enterprise is full-stack, the policy response has to be too.
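A sketch of the impersonation-domain detection control named above, combining three of the off-chain red flags from the detection section: a lookalike name, recent registration, and an app whose branding does not match the site. This is an added example, not the article's or any vendor's code; the brand, the domains (all under the reserved `.example` TLD), the app names, and the thresholds are constructed assumptions.

```python
# Hypothetical protected brand: keyword -> (legitimate domain, official app name)
BRANDS = {"examplebroker": ("examplebroker.example", "ExampleBroker Trade")}

# Constructed crawl results: (domain, days since registration, app the site promotes)
SITES = [
    ("examplebroker.example", 4200, "ExampleBroker Trade"),
    ("examplebroker-vip.example", 6, "QuickYield Pro"),
    ("examp1ebroker.example", 2, "QuickYield Pro"),
    ("exampelbroker.example", 11, "ExampleBroker Trade"),
    ("examplebroker-news.example", 900, None),
    ("gardenblog.example", 3, None),
]

# Common digit-for-letter swaps; "1" is mapped to "l" only (a simplification).
LEET = str.maketrans("013457", "oleast")

def edit_distance(a, b):
    """Levenshtein distance by row-wise dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain, brand):
    """Return how the first label resembles the brand, or None."""
    label = domain.lower().split(".")[0]
    if brand in label:
        return "brand-embedded"
    norm = label.translate(LEET)
    if brand in norm:
        return "homoglyph"
    if any(edit_distance(tok, brand) <= 2 for tok in norm.split("-")):
        return "typo"
    return None

def assess(sites, brands, max_age_days=30):
    """List (domain, signals) for every lookalike that is not the legitimate site."""
    findings = []
    for domain, age_days, app in sites:
        for brand, (legit, official_app) in brands.items():
            kind = None if domain == legit else lookalike(domain, brand)
            if not kind:
                continue
            signals = [kind]
            if age_days <= max_age_days:
                signals.append("newly-registered")
            if app and app != official_app:
                signals.append("app-brand-mismatch")
            findings.append((domain, signals))
    return findings

if __name__ == "__main__":
    for domain, signals in assess(SITES, BRANDS):
        print(f"{domain:32} {', '.join(signals)}")
```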
Frequently Asked Questions (FAQ)
What is a crypto scam center, exactly?
An organized fraud operation that uses cryptocurrency as the fake product, the payment rail, or the laundering mechanism in a repeatable scam business. Documented cases have used fake investment platforms, shell companies, stablecoin conversion, and specialized laundering networks, and in many Southeast Asian cases, authorities have also tied them to labor trafficking.
Is every pig-butchering scam run from a physical compound?
No. Some are remote and distributed. But the most thoroughly documented industrial cases, especially around Cambodia and the Myanmar-Thailand border, do involve physical compounds with management, recruiters, enforcers, and technical staff.
Why do scammers prefer crypto over bank transfers?
Crypto allows fast cross-border movement, easy wallet proliferation, and access to global laundering services. Stablecoins are especially attractive because they reduce price volatility while keeping transfers fast and internationally portable. Even so, many schemes still begin with bank wires to shell or mule accounts.
How do scam centers get around KYC and AML checks?
Shell companies and mule accounts, OTC cash-out services, chain-hopping, bridges, mixers, gambling services, and marketplaces that sell cash-out and identity services. Chainalysis has also reported AI-assisted KYC bypass, and FinCEN found Huione entities lacked effective AML and KYC controls.
Can blockchain analysis identify the perpetrators?
It can identify wallet clusters, flows, cash-out points, and service providers across chains in many cases. But attribution stays probabilistic and improves when combined with subpoenas, exchange records, seized devices, or witness interviews. It is best understood as a strong lead or a lower bound.
What should a victim do immediately?
Stop paying. Preserve all evidence: wallet addresses, hashes, screenshots, chat logs, phone numbers, emails, bank wires, app names, and domain names. Report quickly to law enforcement and the relevant provider. U.S. authorities encourage reporting to IC3 and note rapid reporting improves the chance of freezing funds. Do not pay recovery firms upfront.
Are enforcement actions making a dent?
Yes, but unevenly. Large seizures, sanctions, strike-force actions, and marketplace removals have disrupted some operations and prevented losses. At the same time, operators migrate quickly to new domains, channels, and services. The evidence supports sustained, multi-layer disruption over one-off takedowns.
