18 December 2025
FT Film (2025) | Scammers, Spies and Triads: inside Cyber-Crime’s $15tn Global Empire
How online crime became industrialized and transnational
A decade ago, pulling off large‑scale cyber fraud required technical virtuosity and small, tight‑knit teams. Today, the industry has been industrialized: cyber crime is offered as a service, with ready‑made toolkits, off‑the‑shelf hardware, encrypted communications and commercialized support. The business model looks disturbingly familiar – recruiting, development, HR, logistics, customer support – but the product is fraud, theft and exploitation at scale. Global losses attributable to cyber crime now exceed $15 trillion a year and, at current growth rates, may top $20 trillion by 2026. Those numbers put cyber criminality in the same economic league as nation states, and they explain why criminal syndicates have become professional, diversified and dangerously embedded across jurisdictions.
China’s networks, triads and commercialized crime
Part of this transformation is geographic and organizational: Chinese organized crime groups, triad networks and transnational syndicates have exported scaled‑up models of fraud. These groups operate like multinational enterprises. They establish bases in permissive or poorly governed zones across Southeast Asia and beyond, set up “compounds” where hundreds or even thousands of people work in scam factories, and use a global menu of services – from SIM farms and SMS blasters to IMSI catchers and phishing kits – to carry out campaigns. Those tools are often supplied from China or other Asian hubs and sold on encrypted channels or darknet markets as turnkey criminal products.
The result is a blurred distinction between cyber crime, cyber espionage and transnational organized crime. The same techniques used by state actors for surveillance and intelligence – fake base stations, covert interception equipment, manipulated communications – are increasingly sold to criminal enterprises. IMSI catchers and nimble “catcher” backpacks that harvest phone metadata are marketed openly in videos and adverts; they enable both mass fraud campaigns and low‑level spying. Criminal enterprises recruit highly skilled personnel – sometimes ex‑intelligence officers – and combine that expertise with mass‑market tools, widening the pool of would‑be fraudsters.
From smishing triads to SIM farms: the mechanics of modern scams
Modern scams are modular. A “smishing triad” might sell seasonal SMS-phishing kits with templates, hosting, payment laundering services and IT support, while SIM farms and encrypted communications platforms supply scale and anonymity. The kits themselves are trivial to assemble: a form masquerading as a postal or financial message, a cloned website, an SMS blast and an instructive backend. One network’s kits reportedly generated billions in revenue in a single year. Telegram channels and other encrypted platforms function as marketplaces and recruitment sites; videos of ostensible dorm rooms celebrating big returns normalize the business to new recruits.
Hardware plays a central role. SIM farms enable thousands of virtual numbers to be controlled from a handful of servers, facilitating mass smishing and account takeover. IMSI catchers and similar devices, meanwhile, can impersonate mobile base stations to intercept messages, harvest credentials and track targets. Law enforcement raids in New York and elsewhere have seized SIM farms linked to both criminal and state actors, showing the cross‑use of infrastructure between organized crime and geopolitically motivated operations.
The human cost: trafficking, coercion and forced criminality
Not everyone in these operations is a willing participant. Tens or hundreds of thousands of people – estimates suggest between 200,000 and 500,000 – have been trafficked, lured or coerced into scam compounds across Southeast Asia, where they are forced to run fraud operations. Those compounds are often located in unregulated zones, around special economic enclaves or in areas with militia control, where criminal groups exploit weak governance to create protective environments for their businesses. Trafficked workers are trapped, exploited and used as disposable labor to call, message and manipulate fraud targets worldwide.
Transnational reach and local permissiveness
The criminal networks’ reach is transcontinental. Compounds in Cambodia, Laos, Myanmar, the Philippines and parts of Africa host operations that serve clients and customers based in Europe, North America and elsewhere. Legitimate business structures are used to shield illicit activities.
Over the last decade cyber‑crime has shifted from the preserve of highly technical specialists to an industrial, transnational business that sells criminal capability as a service. What was once work for a few skilled hackers has grown into a full‑blown global economy where entire teams and infrastructures are rented, sold or subcontracted. The result is an ecosystem in which equipment, software, recruitment, training, and even HR functions are packaged and offered to buyers around the world. At today’s rates the cost of cyber‑crime exceeds $15 trillion a year and, barring major disruption, is projected to top $20 trillion by 2026. That size and growth make organised online fraud a geopolitical as well as a law‑enforcement problem.
From compounds to SIM farms: the new industrial model
Scam operations now resemble multinational companies. In Southeast Asia, compounds in Cambodia, Laos and Myanmar house hundreds, sometimes thousands, of people working in coordinated fraud operations. These sites are not only places to run scams; they act as training centres and labour pools – and, in many cases, scenes of coercion and trafficking. Estimates suggest hundreds of thousands of people have been trafficked, exploited or otherwise compelled to work in forced criminality.
Parallel to these compounds are physical infrastructures such as SIM farms and portable base stations (often called IMSI catchers). These devices can broadcast fake text messages to thousands of phones, intercept communications, and harvest credentials. They are advertised openly online and can be shipped from Asia to distant jurisdictions. Authorities have found them used both by organised scammers and by state actors, blurring the line between fraud and espionage.
Crime as a service: modular, scalable and widely available
The modern fraudster need not be a coder or a telecoms engineer. À la carte menus of criminal services are readily accessible: phishing kits sold on cloud‑based messaging platforms, prebuilt scam websites, IMSI‑catcher hardware for rent, “smishing triad” subscription services, and even on‑demand software from darknet vendors. One investigation traced a family of phishing kits to a network concentrated in China’s southern coastal region, Taiwan, Vietnam and the Philippines; operators behind these kits reportedly generated revenues in the billions in a single year.
AI and deepfake tools have further lowered technical barriers. Deepfake video calls and simulated profiles enable romance and confidence fraud at scale; automated messaging and botnets amplify reach. With automation, fraudsters become more efficient: they can send millions of deceptive messages cheaply and accept that only a small fraction of victims need respond to yield large returns – a “lottery ticket” business model that scales easily.
Convergence of crime and espionage
The techniques and tradecraft of espionage – sophisticated social engineering, covert surveillance, use of intelligence assets – are being co‑opted by organised criminal syndicates. These groups actively recruit former intelligence officers and people with specialist skills, professionalising their operations. At times, criminal figures operate with political patronage or protection, allowing them to expand into regulated markets and even influence local governments.
The case of high‑profile conglomerates and offshore hubs illustrates this convergence. Investigations and sanctions have targeted large corporate groups accused of running scam compounds, laundering proceeds through gambling and other legitimate‑looking businesses, and buying political cover. Special economic zones, unregulated casinos and offshore licensing regimes have provided fertile ground for this activity, enabling syndicates to diversify into online gambling, sexual services and large‑scale fraud.
Geography, jurisdiction and the law‑enforcement challenge
One of the greatest difficulties for investigators is the fragmentation of the crime scene. The perpetrator, victim, infrastructure and servers may all be in different countries. Scammers operate through layers of intermediaries, shell companies, cryptocurrency channels and international money‑laundering networks. Islands, special jurisdictions and third‑country bases – from parts of Southeast Asia to locations closer to home such as the Isle of Man and small offshore financial hubs – have been exploited as staging grounds or laundering centers.
Law enforcement faces resource and jurisdictional constraints. Raids on SIM farms and compounds demonstrate that takedowns are possible, but they are expensive, complex and seldom eliminate the underlying market for criminal services. Authorities increasingly recognise that prosecution alone will not be enough: prevention, public education, stronger regulation of telecoms equipment and platforms, private‑sector cooperation and cross‑border intelligence sharing are essential.
Human cost: coerced labour, recruitment and deception
Not all perpetrators are voluntary. Many who operate inside scam compounds were lured with false promises or forced into participation. Victims of trafficking are exploited both as cheap labour and as plausible money‑mules or account holders. The industry’s growth has exposed a humanitarian dimension that intersects organised crime, migration and labour abuses.
At the same time, many fraudsters are small‑scale operators or lone actors drawn into scams by profit or limited opportunities. Countries such as Nigeria continue to produce a broad base of independent scammers, while transnational syndicates deploy talent globally. Collaboration – and sometimes tension – between local groups and international syndicates amplifies reach but also complicates attribution.
Practical implications and where policy must shift
The scale and modularity of modern cyber‑fraud mean policy responses must be multi‑layered. Technical remedies – better detection of fraudulent SMS, blocking SIM farms, platform moderation to remove phishing infrastructure – are necessary but insufficient. Wider actions should include:
- Strengthening international cooperation on asset seizures, extradition and joint investigations to follow money and dismantle service providers.
- Regulating the sale and import of telecom interception equipment and closing legal loopholes that allow such devices to circulate commercially.
- Targeted sanctions and financial restrictions against corporate groups and operators found to be central nodes in scam ecosystems.
- Public education campaigns that focus not only on awareness but on practical resistance to social‑engineering tactics and verification norms for messages purporting to be from banks, postal services or government agencies.
- Industry standards and responsibilities for messaging platforms, registrars and payment processors to detect, disrupt and refuse service to criminal kits and infrastructure.
The inevitability of technological progress means law enforcement and policy must anticipate, not just react. AI will automate many steps fraudsters now perform manually, increasing scale and lowering cost. At the same time, defenders can use the same tools to spot patterns, automate detection and limit harm – but that requires coordinated investment and data sharing across the private and public sectors.
Conclusion: a systemic threat requiring systemic solutions
Online fraud is now a global industry with criminal supply chains, customer bases and political entanglements. From SIM farms and IMSI catchers to phishing kits and AI deepfakes, the tools and techniques are widely available, modular and cheap. The human toll ranges from the emotionally devastated victim of romance fraud to the trafficked worker forced into scams.
No single country or agency can solve this alone. Effective disruption requires technical countermeasures, new regulatory frameworks, coordinated international enforcement, and public resilience against deception. Until defenders match the commercial sophistication of the criminal marketplace, the asymmetric economics of cyber‑fraud will continue to reward those who buy into the market with impunity.