Transnational Organized Crime and the Convergence of Cyber-Enabled Fraud, Underground Banking and Technological Innovation in Southeast Asia: A Shifting Threat Landscape

The transnational organized crime threat landscape in Southeast Asia is evolving faster than at any previous point in history. This change has been marked by growth in the production and trafficking of synthetic drugs and cyber-enabled fraud, driven by highly sophisticated syndicates and complex networks of money launderers, human traffickers, and a growing number of other service providers and facilitators.

Despite mounting enforcement efforts, cyber-enabled fraud has continued to intensify, resulting in estimated financial losses between US $18 billion and $37 billion from scams targeting victims in East and Southeast Asia in 2023.1,2 A predominant proportion of these losses were attributed to scams committed by organized crime groups in Southeast Asia.

Fundamentally, the sheer scale of proceeds being generated within the region’s booming illicit economy has required the professionalization and innovation of money laundering activities, and transnational criminal groups in Southeast Asia have emerged as global market leaders. Building on existing underground banking infrastructure including underregulated casinos, junkets, and illegal online gambling platforms that have adopted cryptocurrency, the proliferation of high-risk virtual asset service providers (VASPs) across Southeast Asia has now emerged as a new vehicle through which this has taken place, servicing criminal industries without accountability.

Against this backdrop, it has become clear that several countries in Southeast Asia, and particularly those in the Mekong, have been targeted as a key testing ground for transnational criminal networks looking to expand their influence and diversify into new business lines. Asian crime syndicates have rapidly integrated new service-based business models and technologies including malware, generative AI, and deepfakes into their operations while opening up new underground markets and cryptocurrency solutions for their money laundering needs.

As law enforcement and regulators stepped up their efforts against casinos, illegal online gambling, and cyber-enabled fraud in Southeast Asia, organized crime have hedged and consolidated by expanding operations across inaccessible and autonomous non-state armed group territories and other criminal enclaves in and around the Golden Triangle and elsewhere in the region and beyond. It is now increasingly clear that a potentially irreversible displacement and spillover has taken place in which organized crime are able to pick, choose, and move value and jurisdictions as needed, with the resulting situation rapidly outpacing the capacity of governments to contain it.

Expanding on UNODC’s past analyses of casinos, money laundering, underground banking and transnational organized crime in Southeast Asia, the development of this report has required analysis of law enforcement investigations and prosecutions which have provided insights into the region’s shifting threat landscape. More specifically, it has been developed through extensive examination of criminal indictments and case records, intelligence analysis, court documents, and corporate records, as well as consultation with both international and regional law enforcement and criminal intelligence partners. UNODC has also conducted an extensive mapping and analysis of data obtained from thousands of Telegram underground marketplaces, groups, and channels attributed to Asian organized crime networks and affiliated service providers.

The report consists of three comprehensive chapters, offering insights into the latest regional developments and trends, underground banking and money laundering, and technological innovation fueling the ongoing situation. It presents information and data points that have not previously been pieced together, representing a unique attempt to further improve understanding of the region’s evolving criminal ecosystem and the convergence of cyber-enabled fraud, underground banking, and technological innovation.

Failure to address this ecosystem will have consequences for Southeast Asia and other regions as organized crime reinvest to further innovate, professionalize, and consolidate operations. The report provides recommendations to improve knowledge, awareness, policy, capacity, and coordination, and aims to serve as a foundation for accelerated solutions and deeper engagement between countries in Southeast Asia and their international partners.

Convergence of cyber-enabled fraud, underground banking, and transnational organized crime

While cyber-enabled fraud continues to expand and poses growing challenges, the region is witnessing a major convergence of different crime types and criminal services. Rapidly shifting advancements in physical, technological, and digital infrastructure have allowed organized crime networks to expand these operations. Casinos, hotels, Special Economic Zones (SEZs), and other business parks and property developments across the region have become hubs for the booming illicit economy, adding to existing governance challenges in many of the region’s border areas. These venues have been found to serve as strongholds from which transnational criminal groups may operate, convene, and conduct other criminal activities including drug production and trafficking, illegal gambling, trafficking in persons for forced criminality, prostitution, pornography, and money laundering operations, among others.

The development of novel digital solutions in money laundering and underground banking has enabled the continued expansion of the criminal business environment across Southeast Asia, creating high-speed channels for effectively integrating billions in criminal proceeds into the formal financial system with impunity. This has in turn attracted new criminal networks, innovators, and specialist service providers to enter illicit markets while simultaneously driving demand for sophisticated new channels to be created.

At the same time, significant developments relating to large underground online marketplaces explicitly servicing transnational criminal groups in Southeast Asia have also taken place and exacerbated existing challenges while accelerating ongoing convergence. Several platforms controlled by powerful and influential regional criminal networks have come to dominate the illicit economy, particularly on Telegram, representing key venues where criminals and service providers congregate, connect, and conduct business online, fueling the growth of the regional illicit economy. Together, this infrastructure and convergence has created conditions for self-sustained growth of the criminal ecosystem, enabling the targeting of people far beyond the region.

Professionalization and consolidation of a criminal service economy

Inflow of capital and expansion of markets has led to increasing professionalization among criminal operations and actors providing services to them. Cyber-enabled fraud operations have taken on industrial proportions, with independent and scattered fraud gangs being replaced by larger, consolidated criminal groups often operating under the guise of industrial and science and technology parks as well as casinos and hotels.3,4,5 Authorities have further indicated that these groups have created stable networks consisting of vast physical and internet communication technology (ICT) infrastructure while leveraging a new service-based business model online under which previously independent groups now operate.6,7

Rapidly expanding compounds, such as KK Park in Myanmar’s Kayin State, have proliferated throughout Southeast Asia, particularly in the Mekong region and Philippines. They are often heavily fortified and securitized, characterized by high walls, barbed wire, armed guards, and strict surveillance of those who work there. Owners of these sites typically rent space to criminal groups and operators, and a single location may house numerous tenants engaged in a range of illicit online activities targeting different jurisdictions and managing online gaming platforms. In parallel to the expansion of physical infrastructure, the industry has seen an influx of increasingly specialized service providers. Focusing on specific services such as cybercrime, data harvesting, money laundering, and various AI-driven solutions, they have been at the heart of ongoing professionalization and have allowed criminal groups to leverage synergies and invest in a broad range of activities.

Expansion of regional underground banking and the rise of cryptocurrency misuse and high-risk VASPs

Underregulated casinos and junkets as well as illegal online gambling platforms continue to represent a critical piece of infrastructure serving the needs of transnational organized crime groups operating in and beyond the region. These industries have increasingly come to utilize cryptocurrency and have turned to or in many cases evolved into unauthorized and high-risk virtual asset service providers (VASPs) based in vulnerable parts of the region, compounding challenges faced by international law enforcement.

It has proven extremely difficult for authorities in East and Southeast Asia to effectively enforce laws and regulations to contain the spread of illegal online gambling – let alone to determine the source of funds used to place illegal bets – and the multibillion-dollar industry has flourished across what some insiders prefer to call ‘grey’, ‘black’, or ‘preregulated’ markets. In so doing, illegal operators have proven their ability to serve as an effective legal, regulatory, and fiscal cover utilized by criminals to mask the true nature of illicit financial flows. The overwhelming success of this shadowy industry has also necessitated sophisticated new methods of processing and laundering vast amounts in illegal transactions and criminal proceeds. This has generated unprecedented demand for laundering-as-a-service providers which have been heavily utilized by powerful criminal networks engaged in far more than illegal online gambling.

In addition to the complex challenges posed by underregulated casinos and junkets, illegal online gambling platforms, and the sophisticated underground banking and money laundering networks needed to service them, the rise of unauthorized and high-risk VASPs has complicated the present situation. More specifically, the proliferation of high-risk exchanges, over-the-counter (OTC) services, large peer-to-peer (P2P) traders and other related businesses controlled by and facilitating transnational organized crime has fundamentally reshaped the business environment for criminal groups operating in Southeast Asia, particularly the Mekong.

As cases examined in this report demonstrate, major gaps in regional regulatory frameworks, awareness, and enforcement capacity are clearly being exploited by high-risk VASPs that have been able to present themselves as legitimate, registered financial businesses despite being wholly unauthorized to engage in cryptocurrency-related activities.

The growing adoption of cryptocurrency within Southeast Asia’s illicit economy has served as an important catalyst for cyber-enabled fraud operators based in the region to expand globally. This is due to the ease with which rapid cross-border transactions can take place, widespread misinformation and low levels of understanding about how cryptocurrency functions, and, in some cases, the breakdown of cross-border law enforcement cooperation, investigation, case intake, and asset recovery.

Powerful transnational criminal networks have developed a range of sophisticated mechanisms, structures, and techniques to launder stolen funds, particularly using stablecoins – or cryptocurrencies pegged to and backed by fiat currencies like the U.S. dollar – which have become popular in East and Southeast Asia compared to other regions.8 While stablecoins have increased in popularity among legitimate users in recent years, they have become especially popular among criminal groups, particularly those involved in cyber-enabled fraud.9 This is consistent with the findings of authorities in East and Southeast Asia which continue to report that stablecoins, and particularly Tether (USDT) on the TRON (TRX) blockchain, represent the preferred choice for Asian crime syndicates engaged in cyber-enabled fraud and money laundering operations servicing a wide range of criminal actors in and beyond the region.10,11

The role of VASPs and the impact of cryptocurrencies is best illustrated by the example of one high-risk Mekong-based VASP whose core business heavily relies on USDT. The entity has been found to have processed between US $49 billion and $64 billion in total cryptocurrency trading volume between 2021 and 2024, representing the largest service provider in its category in the Asia-Pacific region by some estimates.12,13,14 While transactions relate to both licit and illicit activity, on-chain analysis indicates that the entity has up to 4.5 times more counterparty exposure to transactions with higher risk entities including online gambling platforms, major multi-million-dollar cyber-enabled fraud schemes, and high-risk exchanges compared to its regional competitors.15,16 It has also engaged in at least hundreds of millions of dollars in transactions with entities directly involved in or connected to large-scale drug trafficking, human trafficking, cybercrime, and the sale and distribution of child sexual abuse material online. This includes transactions with OFAC-sanctioned entities and several wallets linked to Lazarus Group17-attributed hacking incidents.

Adoption of new technologies and growing sophistication of criminal networks

Much like companies operating in the formal economy, the way in which transnational organized crime groups and cybercriminals alike have developed services and products that are sold to other criminal actors has represented one of the most significant developments to take place within the regional threat landscape over past decades. This has led to a thriving criminal service economy and promoted specialization within it, in turn lowering the barrier to entry across a range of cyber and cyber-enabled crimes as well as other crime types.

Criminals are no longer required to handle their own money laundering, code malware, or steal sensitive personal information themselves in order to profile potential victims or obtain initial access for their attacks. Instead, these key components can be purchased from service providers in underground markets and forums, often at very accessible prices.

These service providers continue to evolve, ranging from bulletproof hosting, so-called grey and black data products, and malvertising to phishing-, hacking-, money mule-, and software and malware, among others, which together have fueled the booming regional cyber-enabled fraud industry.

Criminal groups and service providers based in the region have also been quick to respond to mounting law enforcement pressure by capitalizing on the diffusion of powerful and increasingly accessible new technologies including blockchain, cloud computing, generative artificial intelligence, and machine learning, among others. This has provided criminal networks with a range of opportunities to develop new fraud capabilities, improve existing tactics and techniques, rely more heavily on technological processes as opposed to trafficked labour, and expand channels for obfuscating and laundering criminal proceeds. Taken together, this enables organized crime to dramatically scale up, fine-tune, and automate operations.

Perhaps most concerningly, the shifting threat landscape risks fundamentally reshaping the existing cyber-enabled fraud business model in Southeast Asia, making it considerably more difficult for many overwhelmed enforcement agencies and criminal justice systems to disrupt related criminal operations.

Integration of generative artificial intelligence

The integration of artificial intelligence (AI)18 technologies by transnational criminal groups involved in cyber-enabled fraud is a particularly complex and alarming trend increasingly observed in Southeast Asia.19,20,21 With the growing public accessibility of generative AI22 tools, this technology has become a powerful force multiplier for criminal activities such as identity theft, fraud, data privacy violations, and intellectual property breaches, as well as threats to national security. The increased availability of open-source tools further amplifies the risk, enabling a wider range of illicit activities, including biometric identification fraud and the creation of AI-assisted sextortion and other fraudulent content.

While some limitations to its use remain,23 AI-powered tools, tactics, techniques, and processes offer a wide range of possibilities to criminal groups looking to exploit this powerful technology. This includes but is not limited to automating phishing attacks, crafting convincing fake identities and online profiles, and generating personalized scripts to deceive victims while engaging in real-time conversations in hundreds of languages. Additionally, there is strong indication that AI-generated content, and particularly deepfakes,24 is increasingly being misused by criminal groups in Southeast Asia for malicious purposes such as impersonation fraud, deepfake pornography, sextortion, and other cyber-enabled fraud schemes through the alteration of authentic video footage and audio.

These developments have not only expanded the scope and efficiency of cyber-enabled fraud and cybercrime, but have also lowered the barriers to entry for criminal networks that previously lacked the technical skills to exploit more sophisticated and profitable methods. The integration of AI-driven techniques will in turn increase cyber-enabled fraud in terms of volume – or amplifying fraudsters’ potential reach by enabling fraud to take place at greater speeds and scale – alongside sophistication over time which will increase the efficiency of criminal groups by enabling the creation of more convincing and personalized fraud content.

Deepfake-related crimes are on the rise in the Asia-Pacific region, with some studies reporting a staggering 1,530 per cent increase between 2022 and 2023.25 In addition to the increased ease of adoption by organized crime groups, this creates significant challenges in criminal justice systems not equipped to deal with the broader impact of failing content-based verification at scale. This has also caused major issues for consumers and industries depending on digital know-your-customer (KYC) processes.

Analysis of hundreds of regionally-focused Telegram underground marketplaces and forums shows that the growing integration of deepfake technology is being driven by new online vendors and service providers marketing AI-powered tools to criminal groups engaged in cyber-enabled fraud. This includes the use of AI-generated content for social engineering in fraud schemes, deceptive recruitment campaigns (i.e. recruitment of victims of trafficking for forced criminality), disinformation, and money laundering by services specializing in bypassing KYC measures – demonstrated by more than a 600 per cent26 increase in mentions of deepfake-related content targeting criminal groups across monitored platforms between February and July 2024.27 There is also increasing evidence of AI tools including jailbroken large language models (LLMs) being used to develop malicious code, as well as use in data processing to enhance victim profiling efficiency.

More recently, the deepfake technology suite on offer in the region has been expanded to include an integrated audio deepfake or so-called voice swap feature, with some vendors offering same-day onsite installation across several Southeast Asian countries.

Recommendations

The following broad recommendations are intended to help countries in the region address the findings and vulnerabilities identified in this report, and ultimately to strengthen the awareness, understanding, and capacity of governments, oversight authorities, and law enforcement in Southeast Asia, and particularly those in the Mekong region. They build on targeted recommendations informed by ongoing dialogues and consultations with governments and law enforcement in the region, and are also aligned with comprehensive and strategic recommendations provided in the ASEAN + China Roadmap to Address Transnational Organized Crime and Trafficking in Persons Associated with Casinos and Scam Operations in Southeast Asia.28

Knowledge and awareness

• Systematic organized crime analysis and threat monitoring is undertaken on online gambling platforms, junkets, cyber-enabled fraud, and the integration of artificial intelligence, as well as related money laundering, underground banking, trafficking for forced criminality, and other forms of organized crime. This includes analysis and monitoring of the infiltration of organized crime in legitimate business sectors, in particular real estate, construction, logistics, online gaming, virtual assets, and travel tour operators.

• An institutionalized regional intelligence sharing and threat monitoring platform focused on cyber-enabled fraud and related transnational organized crimes is developed and adopted by governments in East and Southeast Asia to improve situational awareness and regional responses.

• Collaborative research is done with governments in Southeast Asia to understand illicit financial flows within the region, with an emphasis on facilitators, offshore jurisdictions, and methods and typologies.

• Monitoring of organized crime involvement in casinos, junkets, cyber-enabled fraud operations, and high-risk VASPs operating in border areas, SEZs, and other criminal hubs is conducted.

• Forums where transnational organized crimes are discussed are used to expand awareness of, and build momentum to address cyber-enabled fraud, underground banking and money laundering, and related organized crimes and emerging technological threats.

• Advocacy is undertaken to expand public awareness about the connection of the underregulated casino and virtual asset industries to organized crime.

Policy and legislation

• High level policy commitment, including adoption of the Regional Strategic Roadmap by ASEAN Senior Officials Meeting on Transnational Crime.

• National action plans and a regional strategy to deal with organized crime, underground banking, money laundering, and related criminality, in casinos, junkets, SEZs and other criminal hubs are developed.

• Legislation and regulatory frameworks related to money laundering, virtual assets, asset forfeiture, casino supervision and management, online gambling, and SEZs are revised and strengthened.

• Mechanisms are established and enforced to review profiles of investors in casinos, including online platforms and junket operations, and SEZs, as well as VASPs, to determine beneficial ownership and associations with organized crime.

• Where applicable, legislation related to offshore online casino operations falls in line with emerging industry best practices in moving away from the Point of Establishment (‘POE’) model to the Point of Consumption (‘POC’).

• Mutual legal assistance and judicial cooperation frameworks are adapted to allow for more efficient freezing and seizing of assets.

• Strengthening national counter trafficking legislation, including through expansion of the non-punishment principle to ensure that victims are not criminalized for offences committed as a result of their exploitation, and to assure that trafficking in persons for forced criminality is reflected and prosecuted according to the context of organized crime.

Enforcement and regulatory responses

• A regional inter-agency forum to share information and intelligence on the use of casinos, virtual assets, and high-risk or unauthorized VASPs for money laundering is created with participation of regulatory bodies, financial intelligence units, and law enforcement authorities.

• Unlicensed and unregulated casinos, including online platforms, and high-risk or unauthorized VASPs, particularly cryptocurrency exchanges, over-the-counter (OTC) services and large peer-to-peer (P2P) traders, are identified and prevented from operating.

• Increase regional identification of victims of trafficking according to UNODC indicators on trafficking in persons for forced criminality; strengthen regional cross border investigations that result in strategic litigation against transnational organized crime (part of UNODC trafficking in persons regional programme).

• Digital forensic evidence is recovered, preserved, analyzed and shared.

• A mechanism is established with social network service providers to monitor job recruitment advertisements.

• Authorities are trained on online gambling operations and money laundering methods enabled by sophisticated technologies, particularly cryptocurrencies.

• Regulations are put in place and enforced in relation to filing of suspicious transaction reports (STRs) for casinos, VASPs, and related service providers.

• Regulators improve capacity for land-based and online casino management and supervision, particularly in the areas of integrating suspicious transaction reporting software and surveillance technologies, and enforcing anti-money laundering measures including enhanced beneficial ownership requirements, and KYC and customer due diligence (CDD) policies and procedures, particularly in the case of junket and associated VIP rooms.

• Specialized training on money laundering and underground banking investigations, virtual assets, and asset forfeiture is offered to police, prosecutors, and regulators.

• Funds entering land-based casinos and online gambling platforms as well as VASPs over a prescribed threshold should be verified as to their origin, and sufficient information should be provided to allow for CDD and source of funds verification and analysis.

• Licensing regimes and enforcement frameworks for money service businesses and VASPs are reviewed and strengthened, making it a criminal offence for a business to be engaged in related activity without a license, including cryptocurrency exchange.