Fraudsters flee Cambodia’s ‘scam city’ after accused boss taken down
By AFP
January 16, 2026
Hundreds of people fled a suspected Cambodian cyberfraud centre, after the country's most wanted alleged scam kingpin was arrested and deported
By AFP
January 16, 2026
Hundreds of people fled a suspected Cambodian cyberfraud centre, after the country's most wanted alleged scam kingpin was arrested and deported
- Copyright AFP TANG CHHIN Sothy
Sally JENSEN
Hundreds of people dragged away suitcases, computer monitors, pets and furniture as they fled a suspected Cambodian cyberfraud centre, after the country’s most wanted alleged scam kingpin was arrested and deported.
Boarding tuk-tuks, Lexus SUVs and tourist coaches, an exodus departed Amber Casino in the coastal city of Sihanoukville, one of the illicit trade’s most notorious hubs.
“Cambodia is in upheaval,” one Chinese man told AFP. “Nowhere is safe to work anymore,” he said Thursday.
Similar scenes played out at alleged scam compounds across Cambodia this week as the government said it was cracking down on the multibillion-dollar industry.
But residents said many of the people working inside the tightly secured buildings moved out several days before the arrival of authorities, and an analyst dubbed it “anti-crime theatre”.
From hubs across Southeast Asia, scammers lure internet users globally into fake romantic relationships and cryptocurrency investments.
Initially largely targeting Chinese speakers, transnational crime groups have expanded operations into multiple languages to steal tens of billions annually from victims around the world.
Those conducting the scams are sometimes willing con artists, sometimes trafficked foreign nationals who have been trapped and forced to work under threat of violence.
AFP journalists visited several alleged internet scam sites in Sihanoukville, in the wake of the high-profile arrest in Cambodia and extradition to China of internationally sanctioned accused scam boss Chen Zhi.
Few of those departing the casinos, hotels and other facilities were willing to speak with AFP, and none were willing to be identified due to concerns for their safety.
“Our Chinese company just told us to leave straight away,” said a Bangladeshi man outside Amber Casino.
“But we’ll be fine. There are plenty of other job offers,” he added.
Studded with casinos and unfinished high-rises, the glitzy resort of Sihanoukville has become a cyberscam hotbed, where thousands of people involved in the black market are believed to operate cons from fortified compounds.
Before Chen was indicted last year by US authorities who said his firm Prince Group was a front for a transnational cybercrime network, the Chinese-born businessman ran multiple gambling hotels in Sihanoukville.
A 2025 Amnesty International report identified 22 scam locations in the coastal resort, out of a total of 53 in the country.
The UN Office on Drugs and Crime estimates global losses to online scams reached up to $37 billion in 2023, and that at least 100,000 people work in the industry in Cambodia alone.
– Tipped off –
But the Cambodian government claims the lawless era has come to an end, with Prime Minister Hun Manet pledging on Facebook to “eliminate… all the problems related to the crime of cyber scams”.
Cambodia’s anti-scam commission says it has raided 118 scam locations and arrested around 5,000 people in the last six months.
Following Chen’s deportation to China, the Cambodian government has tightened the screws on some Prince Group affiliates, ordering Prince Bank into liquidation and freezing home sales at several of its luxury properties.
In recent months, China has stepped up its pursuit of the scam industry, sweeping up Chen and other key figures from across Southeast Asia to try them on its own soil.
But while Cambodia says it is “cracking down”, there are suspicions over the timing.
A tuk-tuk driver in Sihanoukville told AFP hundreds of Chinese people left one compound this week before police arrived.
“Looks like they were tipped off,” said the 42-year-old, declining to give his name.
Mark Taylor, former head of a Cambodia-based anti-trafficking NGO, said the “preemptive shifting of scam centre resources”, including workers, equipment and managers, had been seen ahead of law enforcement sweeps.
It was “seemingly the product of collusion”, he added, in a strategy with “dual ends” of boosting the government’s anti-crime credentials while preserving the scamming industry’s ability to survive and adapt.
Amnesty has accused the Cambodian government of “deliberately ignoring” rights abuses by cybercrime gangs, which sometimes lure workers with offers of high-paying jobs before holding them against their will.
AFP journalists saw several coachloads of Mandarin speakers leaving Sihanoukville on the main highway to the capital Phnom Penh.
Multiple people said they “didn’t know” where they were going or what their plans were, but appeared anxious as they anticipated law enforcement closing in.
Outside the Amber Casino, holding a fake designer hold-all, the Bangladeshi man fell in with the crowd, saying: “This is about survival now.”
How dark web criminals seek to recruit business insiders
By Dr. Tim Sandle
Real world examples
Researchers at NordStellar found dark web posts from users who claim that they are searching for employees from specific organizations over the past year. A significant part of these posts focuses explicitly on insiders who work for social media or cryptocurrency platforms.
Real world incidents highlight how these threats can translate into actual breaches — for instance, in 2025, the cryptocurrency exchange platform Coinbase revealed that cybercriminals bribed its employees to leak user information.
This is according to Vakaris Noreika, cybersecurity expert at NordStellar, who has told Digital Journal that while some cybercriminals openly recruit malicious employees through dark web posts, others are more discreet. Over the past 12 months, the NordStellar team identified 25 unique dark web posts seeking out insiders.
Insider threats take on a new dimension
“Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements,” says Noreika.
The expert adds: “This data can be utilized to deploy ransomware attacks, sell intel on business agreements to competitors, or to carry out sophisticated phishing scams on unsuspecting victims whose personal data they managed to get their hands on.”
According to Noreika, insider threats can be challenging to spot and, therefore, may go undetected by security teams for a significant amount of time. Employees are trusted members of the organization and have legitimate access to company resources. Consequently, it can be challenging to pinpoint any anomalies in their behaviour.
“Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers,” adds Noreika. “Insiders are also familiar with the organization’s internal security policies and weaknesses, allowing them to adjust their actions to avoid suspicion.”
Direct insider recruitment
Noreika emphasizes that although some cybercriminals are searching for insiders on the dark web, the recruitment process is usually carried out privately. Bad actors target specific employees within the organization, especially those with technical capabilities that aid in their operations or have access to highly sensitive company data.
Safeguarding against insider threats
For businesses seeking to protect themselves, Noreika emphasises that high observability into system and data usage is the foundation of an insider threat-resistant cybersecurity strategy. He explains that any unexpected system behaviour or access patterns must be flagged, reported, and thoroughly examined.
“Patterns of unusual behaviour are the first indicator that the user might be an insider,” says Noreika. “Security teams should keep an eye out for employees who are frequently accessing sensitive information and make sure that they have the proper authorization. Data exfiltration to external parties or devices is another major red flag to look out for.”
According to Noreika, an incident recovery plan is a significant requisite in minimizing the fallout of a cyberattack caused by insider threats. An effective recovery plan should cover incident detection and outline the key steps the organization should take to contain the threat and mitigate damage.
Google and the dark web – related news
Google will start shutting down its dark web monitoring tool — the Dark Web Report — which was designed to scan the dark web for users’ exposed personal information:January 15, 2026: The scans for new dark web breaches stop.February 16, 2026: The dark web report is no longer available, all data related to the report will be deleted.
Google previously stated its intention to focus on tools that provide customers with clearer, more actionable steps to protect their online information. However, no concrete announcements regarding new cybersecurity tools have been made by the company to date.
By Dr. Tim Sandle
SCIENCE EDITOR
DIGITAL JOURNAL
January 12, 2026
Cybercriminals can find a "safe" space to operate in dark web marketplaces
January 12, 2026
Cybercriminals can find a "safe" space to operate in dark web marketplaces
. — © AFP PHOTO / Robyn BECK
Cybercriminals are actively searching for insiders from various organizations on the dark web. From dark web recruitment posts to private messages on LinkedIn, how cybercriminals enlist malicious employees to compromise a selected company.
This way cybercriminals can use malicious insiders as a direct means to access sensitive company resources, stealing confidential data or using the access to deploy a devastating cyberattack.
Cybercriminals are actively searching for insiders from various organizations on the dark web. From dark web recruitment posts to private messages on LinkedIn, how cybercriminals enlist malicious employees to compromise a selected company.
This way cybercriminals can use malicious insiders as a direct means to access sensitive company resources, stealing confidential data or using the access to deploy a devastating cyberattack.
Real world examples
Researchers at NordStellar found dark web posts from users who claim that they are searching for employees from specific organizations over the past year. A significant part of these posts focuses explicitly on insiders who work for social media or cryptocurrency platforms.
Real world incidents highlight how these threats can translate into actual breaches — for instance, in 2025, the cryptocurrency exchange platform Coinbase revealed that cybercriminals bribed its employees to leak user information.
This is according to Vakaris Noreika, cybersecurity expert at NordStellar, who has told Digital Journal that while some cybercriminals openly recruit malicious employees through dark web posts, others are more discreet. Over the past 12 months, the NordStellar team identified 25 unique dark web posts seeking out insiders.
Insider threats take on a new dimension
“Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements,” says Noreika.
The expert adds: “This data can be utilized to deploy ransomware attacks, sell intel on business agreements to competitors, or to carry out sophisticated phishing scams on unsuspecting victims whose personal data they managed to get their hands on.”
According to Noreika, insider threats can be challenging to spot and, therefore, may go undetected by security teams for a significant amount of time. Employees are trusted members of the organization and have legitimate access to company resources. Consequently, it can be challenging to pinpoint any anomalies in their behaviour.
“Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers,” adds Noreika. “Insiders are also familiar with the organization’s internal security policies and weaknesses, allowing them to adjust their actions to avoid suspicion.”
Direct insider recruitment
Noreika emphasizes that although some cybercriminals are searching for insiders on the dark web, the recruitment process is usually carried out privately. Bad actors target specific employees within the organization, especially those with technical capabilities that aid in their operations or have access to highly sensitive company data.
Safeguarding against insider threats
For businesses seeking to protect themselves, Noreika emphasises that high observability into system and data usage is the foundation of an insider threat-resistant cybersecurity strategy. He explains that any unexpected system behaviour or access patterns must be flagged, reported, and thoroughly examined.
“Patterns of unusual behaviour are the first indicator that the user might be an insider,” says Noreika. “Security teams should keep an eye out for employees who are frequently accessing sensitive information and make sure that they have the proper authorization. Data exfiltration to external parties or devices is another major red flag to look out for.”
According to Noreika, an incident recovery plan is a significant requisite in minimizing the fallout of a cyberattack caused by insider threats. An effective recovery plan should cover incident detection and outline the key steps the organization should take to contain the threat and mitigate damage.
Google and the dark web – related news
Google will start shutting down its dark web monitoring tool — the Dark Web Report — which was designed to scan the dark web for users’ exposed personal information:January 15, 2026: The scans for new dark web breaches stop.February 16, 2026: The dark web report is no longer available, all data related to the report will be deleted.
Google previously stated its intention to focus on tools that provide customers with clearer, more actionable steps to protect their online information. However, no concrete announcements regarding new cybersecurity tools have been made by the company to date.
No comments:
Post a Comment