The scam factories in South East Asia (notably Cambodia) are widely known for “pig butchering” and romance scams, seeking payments from unsuspecting victims. Now, another sector is emerging: Intellectual Property (IP) and brand fraud. These operations steal from victims and damage the global brand of brand owners.
By impersonating news outlets, retailers, consumer brands cand financial institutions, fraudster syndicates create online digital fakes to dupe consumers through various scams.
Scam compounds operate with corporate-like precision, often divided into departments: recruitment, IT/technical support, and “frontline” scammers. In the context of brand fraud, their technical teams create digital twins of legitimate corporate identities on websites or social media.
Typosquatting: Registering domains that look nearly identical to real brands (for example, wellsfargo-secure.com instead of wellsfargo.com). Typosquatting refers to the practice of registering domain names that are visually similar to those of well-known brands, often by changing, adding, or omitting small details. These domains are typically registered through privacy-shielded registrars (companies that keep the domain owner's identity hidden) within jurisdictions having weak enforcement cooperation, and cycled every 48 to 72 hours, fast enough to outpace conventional takedown processes. (Staff, 2025)
Aesthetic Mirroring: Employing high-resolution logos, CSS styling (the code that determines the appearance of a website), and legal warnings stolen directly from the target brand’s site to create a convincing replica. Increasingly, automated cloning tools (software that copies all visual and functional elements of websites) can replicate an entire brand website, layout, imagery, checkout flow, in under an hour. (Smart, 2026) The output is often indistinguishable from the real site to an ordinary consumer.
Media Laundering: Placing ads on social media that use the logos of trusted news organisations to “verify” a scam. Media laundering involves making fraudulent ads appear legitimate by borrowing the identity of well-known brands. These ads are purchased through compromised (stolen or fraudulently created) advertising accounts, making it difficult for platforms to trace spend back to the operators.
What makes these operations resilient is not the front-end content, it is the infrastructure behind it. Operators use bulletproof hosting providers (services that intentionally ignore malicious or illegal activity), domain registrars that allow bulk registrations with minimal identity checks, and payment processors based within jurisdictions having low or unenforced compliance standards (countries or regions where laws are not strictly applied). Enforcement actions focused only on taking down websites or social media pages overlook this reality. The operators simply spin up a replacement within hours, often using pre-registered domain inventories (lists of previously registered web addresses) numbering in the hundreds. (Piscitello, 2024)
1. The “News Outlet” Endorsement (CNN, BBC, and CNBC)
In late 2025 and early 2026, cybersecurity researchers identified a massive campaign in which scam factories created over 17,000 “baiting” news sites. (BaitTrap: Over 17,000 Fake News Websites Caught Fueling Investment Fraud Globally, 2025) These sites perfectly mimicked the branding of the BBC, CNN, and CNBC. The scammers ran Facebook and Google ads featuring a local celebrity claiming to have found a “wealth loophole.” Clicking the ad led to a fake news article on a cloned version of a BBC or CNN page. Because the reader trusted the news brand, they were more likely to register their details for the “investment,” which was actually an opening to a scam compound’s sales floor.
2. Luxury Retail and “Clearance” Scams
Reports from the Global Initiative Against Transnational Organised Crime highlighted compounds in Myanmar and Cambodia that specialise in fake e-commerce. (Compound crime: Cyber scam operations in Southeast Asia, 2025) These groups create temporary “clearance” websites for luxury brands like Louis Vuitton, Rolex, and North Face. Victims saw an ad for an “80% off” warehouse sale using official marketing photography and trademarks. The victim either received a low-quality counterfeit (shipped from a separate logistics hub) or, more commonly, nothing at all, while the scammers harvest their credit card information for account takeover fraud. The logistics chains behind these operations sometimes overlap with established counterfeit distribution networks, meaning a single enforcement action can expose both the fraud and physical counterfeiting operations simultaneously. (Global Law Enforcement Agencies, With Support From Meta, Disrupt Major Criminal Scam Networks Based in Southeast Asia, 2026)
3. Financial Institution Phishing
According to INTERPOL’s 2026 Global Financial Fraud Assessment, scam centres are increasingly using “Agentic AI” (artificial intelligence systems able to operate complex tasks independently and make decisions) to impersonate bank representatives. (INTERPOL report warns of increasingly sophisticated global financial fraud threat, 2026) They use the branding of major banks like HSBC or JPMorgan Chase in sophisticated emails and SMS messages (phishing communication sent by text). These messages direct users to a cloned login portal (a fake website made to look like a legitimate banking login page) that looks identical to the bank’s official site, where their credentials are stolen. The AI component is significant: it allows operators to generate personalised phishing content at scale, adapting language, tone, and even local banking terminology to fit the target market, something that previously required native-speaker staff in each jurisdiction.
4. Coupon and Discount Fraud
Bots (automated scripts that carry out repetitive actions) blasted social media and messaging apps (WhatsApp and Telegram) with links to “exclusive” anniversary vouchers in 2025, with a $750 Walmart Gift Card or a £250 Tesco Voucher to celebrate a “75th Anniversary.” ((Svistunova), 2025) To “claim” the voucher, users answered a survey and then shared the link with 10 to 20 contacts, turning each target into an unwitting distributor of the scam. No voucher ever arrived. Instead, victims were redirected to partner sites that installed adware (software that automatically displays or downloads advertising material) or attempted to subscribe them to expensive monthly SMS services.
For scammers, IP fraud is an efficiency tool. Building trust from scratch takes weeks; stealing it from a brand takes seconds. Many frauds supposedly entitle the victim to something of value associated with the brand: free gifts, discounts, or fake products. Consumers can be tricked by an AI-created digital shopfront. Who doesn’t love a freebie?
While the scam factories have faced high-profile actions, particularly in Cambodia, this often pushes the fraudsters to decentralise. Networks of fraudsters can run similar intellectual property (IP) and brand fraud operations, lacking the need for large numbers of staff held against their will. A single technically competent operator with access to required software tools and online hosting systems can manage dozens of fraudulent brand storefronts simultaneously, making the threat harder to detect and trace back to its source.
Financial organisations with information security teams will already be focused on this. Other IP owners may not be.
The starting point is that this is an intelligence, IP and fraud problem. An effective response requires a multidisciplinary team spanning security, IP, and legal functions, combined with the systematic collection and analysis of online brand misuse data from multiple sources. Simply cutting off visible links and ads does not stop the fraud, it forces operators to rotate to pre-prepared infrastructure. What matters is identifying the control points in the network: the registrars, hosting providers, payment processors, and ad account structures that the operators depend on. Disabling these is harder than taking down a single website, but it produces lasting results rather than a temporary gap before the next site goes live.
Complex online investigations to trace these networks are often necessary. While some criminal authorities have the capability and appetite for this, others may need a preliminary intelligence picture or supporting evidence before engaging. The investigative approach matters as much as the legal strategy: fragmented, reactive takedowns rarely produce attribution, whereas coordinated intelligence-led operations can expose the infrastructure behind multiple campaigns simultaneously.
Legally, this activity can constitute both IP and financial crimes, which provides options for remedies. In some jurisdictions, financial crime leads to stronger penalties and more responsive enforcement agencies. In others, pursuing both IP and financial crime angles simultaneously compounds the deterrent. The choice of legal pathway should be driven by what produces the most operational leverage in the specific jurisdiction, not by which legal team picks it up first.
Nick Redfearn leads Rouse’s Enforcement team.
Oliver Walsh leads Rouse’s Evidence and Investigations team.
References
Staff. (July 31, 2025). Due Process in the DNS: Are 48-Hour Suspension Policies Fair to Registrants?. DN.org. https://dn.org/due-process-in-the-dns-are-48-hour-suspension-policies-fair-to-registrants/
Smart, J. (February 12, 2026). The Clone Wars: How AI Website Builders Have Become the Scammer’s Most Powerful Weapon Against Trusted Brands. WebProNews. https://www.webpronews.com/the-clone-wars-how-ai-website-builders-have-become-the-scammers-most-powerful-weapon-against-trusted-brands/
Piscitello, D. (2024). Cybercrime Supply Chain 2025: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them. Interisle Consulting Group. https://interisle.net/insights/cybercrimesupplychain2025
(July 8, 2025). BaitTrap: Over 17,000 Fake News Websites Caught Fueling Investment Fraud Globally. CTM360. https://www.ctm360.com/media/
(2025). Compound crime: Cyber scam operations in Southeast Asia. Global Initiative Against Transnational Organized Crime. https://globalinitiative.net/analysis/compound-crime-cyber-scam-operations-in-southeast-asia/
(March 11, 2026). Global Law Enforcement Agencies, With Support From Meta, Disrupt Major Criminal Scam Networks Based in Southeast Asia. Meta. https://about.fb.com/news/2026/03/meta-global-law-enforcement-disrupt-major-southeast-asia-criminal-scam-networks/
(March 16, 2026). INTERPOL report warns of increasingly sophisticated global financial fraud threat. INTERPOL. https://www.interpol.int/News-and-Events/News/2026/INTERPOL-report-warns-of-increasingly-sophisticated-global-financial-fraud-threat
(Svistunova), O. A. (2025). Telegram scams in 2025. Kaspersky official blog. https://www.kaspersky.com/blog/phishing-and-scam-in-telegram-2025/54090/
Mularski, K. (August 25, 2025). Why Attribution Matters: Knowing Your Adversary in Cybersecurity. Pittsburgh Technology Council. https://www.pghtech.org/news-and-publications/Attribution
