US Targeting TCOs’ Role in ‘Scam Centers’

On March 6, President Donald Trump issued a first-of-its kind executive order to combat cyber-enabled fraud and scams that are “coordinated campaigns carried out by transnational criminal organizations” (TCOs), including from “scam centers.” 

The order identified illicit cyber-enabled activities ranging from ransomware and phishing to financial fraud, sextortion and other schemes that often target vulnerable groups, such as youth and the elderly. The executive order should be understood in the context of actions taken over the past year by the DOJ, the Treasury Department and other agencies, which have now culminated in a formal, whole-of-government approach to address the issue of TCOs engaging in scams and cyber-enabled fraud. 

A key element of the executive order centers on the federal government’s coordination with private sector entities to address these issues.

The order directs the following actions:

• An inter-agency group (State, Treasury, the Department of War, DOJ and the Department of Homeland Security) will conduct a 60-day review of the relevant “operational, technical, diplomatic and regulatory frameworks” and identify how these can be improved.
• This inter-agency group will submit an action plan within 120 days that identifies TCOs responsible for scam activity and proposes solutions to “prevent, disrupt, investigate and dismantle” these TCOs. A new operational cell within the National Coordination Center (NCC) will coordinate these efforts, including by “involving the private sector as appropriate.” Further, DOJ and DHS, supported by DOW, will make plans to use relevant technical capabilities, threat intelligence and “operational insights from commercial cybersecurity firms and other non-federal entities” to enhance attribution, tracking and disruption of malicious cyber actors.
• The DOJ will continue to prioritize prosecutions in this area and will develop within 90 days a recommendation for a victim restoration program that would remit funds to victims of cyber-enabled fraud schemes from funds recovered from TCOs. 
• The State Department will engage with foreign governments to demand enforcement actions against TCOs operating within their borders, on pain of limitations of foreign assistance, targeted sanctions and other measures.

In recent months, the federal government’s focus on cyber-enabled threats from TCOs has been growing in prominence. The 2025 annual threat assessment, prepared by the office of the director of national intelligence, highlighted TCOs that engage in illicit activity, including fraud scams, as a national security threat. Leadership at the Treasury Department and the DOJ have emphasized that they are using all available tools to address these threats. On the diplomatic front, in October 2025, the White House highlighted increased cooperation from Cambodian and Thai officials to take action against scam centers in connection with the announcement of trade agreements with those countries.

Cybersecurity

CMMC Phase One Reality Check: Documentation Alone Won’t Pass Muster

by Marci Womack

January 29, 2026

With Phase Two enforcement approaching in November 2026, early preparation matters in a market where assessment capacity has become limited

Read moreDetails

The executive order builds on a concerted campaign by the DOJ and Treasury over the course of 2025 to target TCO scam and fraud networks operating in Southeast Asia.

In October 2025, FinCEN issued a final rule under Section 311 of the Patriot Act that identified a Cambodia-based financial services conglomerate, Huione Group, as of “primary money laundering concern” related to its role in carrying out scams, effectively severing Huione Group from the US financial system. FinCEN determined that Huione Group has served as a critical node for transnational criminal organizations in Southeast Asia and illicit actors from North Korea, laundering over $4 billion of illicit proceeds, including over $336 million linked to scams, between August 2021 and January 2024. The final rule prohibits US financial institutions from opening or maintaining correspondent or payable-through accounts for, or on behalf of, Huione Group and requires US financial institutions to implement risk‑based procedures and screening to identify and block transactions involving Huione.

OFAC also employed its authorities, including under a 2011 transnational criminal organizations executive order, to impose sanctions on TCOs engaged in cyber-enabled fraud. In May 2025 OFAC sanctioned a Burmese warlord and militia for their role in facilitating TCO cyber scams targeting US citizens. Then, in September 2025, OFAC sanctioned entities and individuals involved in scam centers operating in Burma and Cambodia. In October 2025, OFAC also sanctioned 146 individuals and entities associated with the Prince Holding Group, which was designated as a TCO for operating at least 10 “scam compounds” in Cambodia. The DOJ indicted the founder of the organization and initiated a civil forfeiture action seeking about $15 billion from proceeds and instrumentalities of the fraud and money-laundering schemes — the largest forfeiture action that DOJ has ever pursued. OFAC has also taken action to target cartel-linked timeshare fraud schemes, which it has identified as a source of revenue for cartels that “often targets vulnerable older Americans and can defraud victims of their life savings.”

The administration also took action to target the infrastructure that is utilized by TCOs. In May 2025, OFAC sanctioned a Philippines-based company, Funnull Technology, for “provid[ing] computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams.” That company “purchas[ed] IP addresses in bulk from major cloud services companies worldwide and s[old] them to cybercriminals to host scam platforms and other malicious web content.” The FBI issued a parallel cybersecurity advisory highlighting Funnull’s expansive infrastructure and suggesting that internet service providers should take steps to “increase the risk metric for domains hosted on [Funnull’s] infrastructure.”

FinCEN has also issued guidance to financial institutions on relevant fraud typologies. FinCEN Director Andrea Gacki emphasized that “FinCEN is concerned about a wide and diversified array of fraud, which continues to be our most-reported type of suspicious activity,” with a focus on “[c]yber-enabled fraud” that can be perpetuated by “sophisticated criminal networks … without ever physically entering the United States.” Following on FinCEN’s September 2023 alert on “pig butchering” schemes, FinCEN issued guidance to financial institutions identifying red flags for financially motivated sextortion (September 2025) and the use of cryptocurrency kiosks, also referred to as “crypto ATMs,” in scams (August 2025).

Banks, fintechs, social media and telecom companies and other stakeholders will want to monitor the executive order’s implementation closely. The administration’s emphasis on the importance of working with the private sector suggests that there will be opportunities for private-sector stakeholders to engage actively with the government on these issues. The executive order was issued on the same day as the president’s cyber strategy, which highlighted “destroying online scammers’ networks” as a priority, and emphasized that the administration seeks to establish “a new level of relationship between the public and private sectors.”