Sunday, September 14, 2025

Indian Call Center Scammers partner with Chinese Money Launderers

 


At the end of August 2025, the US Attorney's office in San Diego announced four indictments against members of a Chinese organized crime ring that stole at least $65 million from thousands of older Americans. The case was notable because the US Attorney credited two YouTube channels with the leads that led to 25 arrests so far in California, New York, Texas, and Michigan.

When we see 25 Chinese arrests, it might be tempting to think this is all Chinese Organized Crime, but those who actually watch the videos will realize that's not the case.  The referenced videos are from late 2020 and early 2021 and each started with Scammer Payback (Pierogi) responding to a refund scam.

Indian Call Center operators refer to this type of "lead generation" as "email blasting" and we have tens of thousands of example posts from Facebook groups offering the "service" of sending bogus Microsoft Defender emails, claiming that the victim's credit card is being charged and offering a telephone number to dispute the charge. The ads for this service in Tech Support Facebook groups have been constant for years, including ads as recently as this week: 


A typical "Microsoft Defender Refund" from this time period looked like this: 


We've called dozens of these numbers and they all follow a similar script: they convince the caller to allow remote control of their computer to assist them with the "refund." We often feed a Virtual Machine to the scammers and use it to help us understand what remote control tool they are using and where it is hosted. But Scammer Payback goes quite a bit further!

When Pierogi received the numbers from a similar call center scam, he called the number.  His video makes clear that the scammers he was communicating with were speaking Hindi to one another. He not only lets the remote control happen, but he helpfully has a bank account open.  The scammers see the millions of dollars available and can't help themselves.  He is a juicy target!
Scammer Payback: https://www.youtube.com/watch?v=hrLZbc-Rfbo

The scammers have Pierogi type in his own refund amount - but they alter it to make it appear that he typed too many digits resulting in a much larger than intended refund.  Then they demand that he withdraw the difference in cash and ship it back to "them."

Being a very compliant victim, Scammer Payback agrees immediately, taking down the address and agreeing to send the package of cash "overnight delivery." At this point, Pierogi engages the Trilogy media team. Trilogy agrees to take their camera crew to the pick up site to find out who is on the other end of the package. 

Trilogy Media: https://www.youtube.com/watch?v=in_Y5q_-F2Y

But in three out of three cases where Pierogi uses Trilogy to deliver a cash package, the package is being sent to a young Chinese person who is at an Airbnb that has been rented for a very short time period.

We actually have seen this model in other cases ... in 2022, we wrote about the case of Jianjie Liu on this blog in a post called "Chinese Call Center Runner Pleads Guilty in Georgia."


Jianjie Liu did cash pickups for a wide variety of scams, including Grandparent scams, Inheritance scams, and Government Grant Scams.  She was actually arrested in a case involving Walmart Gift Cards that led to the discovery of 718 Gift Cards in her vehicle. In one case almost exactly like those above, Liu was sent a $20,000 Cashier's check after someone processing a $555 refund was accidentally refunded $20,555 and had to send the difference back to the scammers.  The check was made payable to a shell company in Georgia controlled by Liu.

Where do these Chinese agents doing the cash, check, and gift card payment come from? Recently it is one of the most popular "Crime As A Service" offerings from the various Chinese Guarantee Syndicates.  Each of the Guarantee Syndicates has a menu of vendors who have made a large deposit in USDT in order to have the right to sell their services there.  This category is usually called some variation of "Collection Services." 

You may have heard of "Huione Pay" which is generally considered the largest of the Chinese Guarantee Syndicates.  FinCEN took action, with an announcement that "Cambodia-based Huione Pay" is a money laundering concern, and proposing new Rule-making calling them a "Primary Money-Laundering Concern" to combat this type of cybercrime.  After this announcement, Huione migrated most of their vendors over to a former competitor, Tudou Danbao (which means "Potato Guarantee.")

The "Buy and Sell" channel for Potato currently has 130,000 subscribers, while one of their primary channels has 209,000 subscribers.  Category 2 on their vendor menu is "Collection Services" which currently has 656 vendors who have paid deposits between 15,000 USDT and 259,000 USDT to have their services recommended and advertised by the new Guarantee Syndicate.  These are the teams that are offering cash pickup services across the United States.

(findings from non-profit Intelligence for Good)

Many other Guarantee Syndicates have dozens to hundreds of similar vendors in their respective Collection Services vendor category.  Here is a typical ad, boasting of the cities where the vendor maintains teams of workers, ready to pick up packages: 



The US Financial Crimes Enforcement Network (FinCEN) has issued two recent reports about Chinese Money Laundering Networks.  One is an advisory regarding the use of Chinese Money Laundering Networks by drug cartels from Mexico.  The other has detailed analysis on several different models used by Chinese Money Laundering networks.


Several "Red Flags" are shared as advice to Financial Institutions to help them recognize CMLO behaviors that should be reported via Suspicious Activity Reports: 









Saturday, September 13, 2025

Attorney Generals go after Bitcoin ATMs for supporting Fraud

On 08SEP2025, the District of Columbia's Attorney General filed a lawsuit against Athena, a "Bitcoin ATM machine" provider with 4100+ BTMs installed. Athena charges as much as a 26% fee when someone deposits cash to buy cryptocurrency. More importantly, the lawsuit claims that 93% of all deposits into Athena “BTMs” in the DC area were made by scam victims.

The main argument made by this lawsuit is that Athena knows that it is facilitating fraud, it is making substantial profit from that fraud (up to 26% per transaction), and that it refuses to refund money to the victims, despite 1/4th of the money still being in Athena's coffers after a transaction!  

https://oag.dc.gov/sites/default/files/2025-09/Athena%20Complaint.pdf


The DC AG goes further, with a very significant accusation:

"Athena also has allowed elderly consumers to deposit very large amounts of cash over short time periods into wallets that Athena knew had already been used by other scam victims. Athena’s ineffective oversight procedures have created an unchecked pipeline for illicit international fraud transactions." 


The DC AG's lawsuit claims that the average age of the victims who were enticed into depositing fraud funds into an Athena BTM in their district was 71 and that half of them deposited at least $8000!

Despite included statistics showing only 1.2% of elders invest in Bitcoin, the vast majority of BTM deposits are made by those over the age of 60. The FBI’s IC3.gov in 2023 reported $124 Million in Bitcoin ATM scams against those over 60, compared to $33 Million for all other ages combined.

In response to the common claim that Bitcoin ATMs are intended to help the "unbanked", there is nothing to support that claim. Compare that statistic to an FDIC Survey of "unbanked" Americans, which showed that only 1.2% of "unbanked" citizens use crypto for any reason other than "Investment." I loved this survey question by the FDIC in their 2023 survey.

https://www.fdic.gov/household-survey/2023-fdic-national-survey-unbanked-and-underbanked-households-report


The FDIC Survey also broke down crypto usage by household income.

While the DC AG's lawsuit is significant, it was not the first. Iowa's Attorney General filed two similar lawsuits, one against Coinflip and the other against Bitcoin Depot. (Click to see a list of the Factual Allegations for each.) Iowa's lawsuits show that Coinflip BTMs in Iowa were used to assist in the theft of $13 Million from scam victims between Jan 2021 and June 2024, while Bitcoin Depot BTMs in Iowa were used to assist in the theft of $7.2 Million between October 2021 and July 2023. That's $20 Million in scams in a state with only 3.2 million residents.

My favorite quote from Iowa:

“At best, Bitcoin Depot is a willfully blind participant in the victimization of hundreds of Iowans. At worst it is a silent partner to many scammers’ preying on Iowans, taking a cut of each scam with its excessive and deceptive BTM fees that are further paired with a lack of refunds.”

This analyst would believe that statement could be applied to every “Bitcoin ATM” in every state.

Coinflip Lawsuit
Bitcoin Depot Lawsuit

While the process of using a BTM involves the display of several warnings and disclaimers, the lawsuits point out that the elderly victims of these scams are almost always on the phone with a scammer while they conduct the transaction, and the scammer is warning them to ignore all of these disclaimers. But the disclaimer itself is given as evidence that the BTM providers are fully aware that their company is being used to facilitate significant volumes of fraud against the elderly, and that this fraud is providing significant revenue to said companies. These images are from the DC AG v. Athena complaint:

Bitcoin Depot has over 8,000 BTMs, but boasts more than 16,000 locations where you can buy cryptocurrency (including their "BDCheckout" where you can purchase crypto at a cash register.) Here's a location breakdown by state, including 414 Iowa locations (and 399 in my home state, Alabama!):

http://branches.bitcoindepot.com/

Coinflip has over 5500 BTM locations and claims to have processed at least $4 Billion in transactions. But what percentage of those transactions are fraudulent?

https://coinflip.tech/about

Friday, September 12, 2025

Chinese Guarantee Syndicates and the Fruit Machine

When I was speaking to a group of Bank Security people in New York City yesterday, I mentioned "machine rooms" -- which are rooms full of Apple iPhones that are used to send iMessage phishing spam. Someone in the audience asked "Where would they get that many phones?"

The kids like to use the acronym "IYKYK" (If You Know You Know).  I learn new IYKYK phrases in Chinese Telegram every day. 

Today's new favorite phrase? 水果机 - Shuǐguǒ jī - "Fruit machine." 

 Example usage: 🔥低价出正品水果机 ("Genuine fruit machines at low prices") 

Fruit machine is coded language for Apple iPhones.

Huione Pay Advertisements for iPhone Smugglers

This advertiser pays HuionePay's Haowang Guarantee for the right to share an ad for their group once each hour in Huione, their highest rate, so that one-line advertisement is posted 24 times per day to Haowang Guarantee's "buy and sell" group.

What? You thought Telegram had banned HuionePay? hahahahahaha ... but they do try to hide their traffic by rebranding their "Crime As A Service" vendors to be "Potato Guarantee" rather than Haowang Guarantee.


Group: "Yongle smuggles Apple phones"
The Chinese characters above the "danbao" spell "Potato" (tǔ dòu)
The Chinese characters below "danbao" are "Guarantee" (dān bǎo)

Links shared by this advertiser go to a 38,438 member "Potato Guarantee" group called "Yongle smuggles Apple phones" and share that Yongle has deposited "208,000 USDT" in order to ensure that your transactions are safe. (The "Trust Model" of the Chinese Guarantee Syndicates is that vendors make a deposit to be listed in the vendor directory and the Syndicate promises that any transaction up to the level of the deposit will be backed by the Syndicate should anything go wrong.)

(Google translated)

The welcome message for the group says:

"Various models of iPhone are available, all smuggled into the country as brand new, unopened, and unactivated official Chinese versions, suitable for personal use or resale." They go on to say that your phone will be delivered within 72 hours and that if it is shown to be used, they will refund 10x your purchase price!

Another September ad using the "Fruit machine" language in a major HuionePay group also now goes to a "Potato Guarantee" group with 12,154 members. (Group 2851, with a 38,000 USDT Deposit) The translated "welcome" message when joining the group calls the group "Xili Smuggles mobile phones and digital products" and promises "Various models of iPhone are available, all smuggled into the country as brand new, unopened, and unactivated national versions, suitable for personal use or resale."

Group: "Xili Smuggles Mobile Phones and Digital Products"

Xili, who prefers to call himself "Heineken," is currently taking deposits for iPhone 17s. He also will throw in an Apple watch if you pay 1000 Yuan extra. Currently he charges 5999 Yuan for an iPhone 16 ProMax 1TB, or approximately $850. 

Xili / Heineken's most recent advertisement

If that whole thing sounds insane, I would encourage you to read the book "Apple in China" by Patrick McGee. Smuggling iPhones is an EXTREMELY lucrative organized crime business in China!

There are of course many more Guarantee Syndicates, with many thousands of vendors who have paid to advertise their "Crime As A Service" offerings, from Gift Card and Cash Pickups, SMS/iMessage/RCS Phishing, Credit Card Theft, Trade-based Money Laundering and anything else you can imagine, from Human Trafficking to Cigarette smuggling.  

Here are a few that we are tracking ... 

#HuionePay #CMLO #Apple #iPhones #Guarantee #Danbao #Haowang #iMsgSpam #SMS #Smishing

Wednesday, September 03, 2025

California Tax Refund Mobile Phish

A new round of mobile phish is imitating the State of California's "Franchise Tax Board" in a round of phishing sites that are gaining prominence in the past few days. I visited ftb.ca-gov-sg[.]top/notice from a burner phone to see how the scheme works (the page doesn't load from the Windows browsers I tested.)

After harvesting all of my private information, the site informs me that I had a $1050 refund available. The phish claims that "Bank Routing" is unavailable due to "system maintenance" and offers the option to send my refund via my Credit Card if I just provide the card number, expiration date, and CVV.


urlscan.io shows at least 300 domains have been observed, all using a hostname pattern that starts with "ftb.cagov" or "ftb.ca-gov" followed by some random characters and using TLDs ".cfd" or ".cc"

Most of the observed domains were registered at Dominet (HK) Limited, and likely all are hosted at Tencent, though most are having their location protected by the reverse proxy service at Cloudflare. (All of the non-Cloudflare ones are on Tencent.)

Some recent example hostnames are:


There have been 190 domains observed by URLScan that included the pattern "*.cagov-xx.cc" with the first round imitating California's DMV from June 23rd to June 25th. The "FTB" pattern began August 19th with ftb.cagov-ge[.]cc/notice and continued with 143 more reported domains, including 32 domains reported today. The "cagov-XX.cfd" pattern began on August 31st and has been seen using 31 domains. "ca-gov-XX.cfd" also began August 31st and has used 58 domains so far, all hosted at Tencent.

Searching by IP address using ZETAlytics ZoneCruncher, we find at least 105 domains hosted on four TenCent IP addresses:

 
41 domains hosted on 170.106.140[.]181
38 domains hosted on 43.153.19[.]10
14 domains hosted on 49.51.188[.]94
12 domains hosted on 43.130.56[.]94
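The hostname pattern described in this post can be turned into a check over DNS or proxy logs. The Python below is an added example, not part of the original post: the log format, its `qname=` and `client=` fields, the 1-6 character suffix limit, and the sample hostnames and client addresses are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Shape described in the post: optional leading labels (the lure, e.g. "ftb"),
# a registrable label "cagov-XX" or "ca-gov-XX", then the TLD. .cc and .cfd are
# the TLDs reported from urlscan.io; .top is the TLD of the host that was visited.
# The 1-6 character suffix length is an assumption made for this example.
LOOKALIKE = re.compile(
    r"^(?P<lure>(?:[a-z0-9-]+\.)*)"
    r"(?P<family>cagov|ca-gov)-(?P<suffix>[a-z0-9]{1,6})"
    r"\.(?P<tld>cc|cfd|top)$"
)
# Field names of the constructed resolver log format used below (assumption).
QNAME = re.compile(r"\bqname=(\S+)")
CLIENT = re.compile(r"\bclient=(\S+)")


def normalize(host):
    """Lower-case, undo [.] defanging, drop scheme, path, port and root dot."""
    host = host.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def classify(host):
    """Return host, lure and variant for a lookalike hostname, else None."""
    name = normalize(host)
    m = LOOKALIKE.match(name)
    if m is None:
        return None
    return {
        "host": name,
        "lure": m.group("lure").rstrip("."),
        "variant": "%s-XX.%s" % (m.group("family"), m.group("tld")),
    }


def scan(lines):
    """Return (client, finding) pairs for log lines whose query name matches."""
    hits = []
    for line in lines:
        q = QNAME.search(line)
        finding = classify(q.group(1)) if q else None
        if finding:
            c = CLIENT.search(line)
            hits.append((c.group(1) if c else "unknown", finding))
    return hits


def variant_counts(hits):
    """Count hits per naming variant, like the per-pattern tallies in the post."""
    return Counter(finding["variant"] for _, finding in hits)


# Constructed sample log: hostnames and client addresses are made up.
SAMPLE_LOG = [
    "2025-09-03T14:02:11Z client=10.0.0.12 qname=ftb.cagov-zz.cc. qtype=A",
    "2025-09-03T14:02:15Z client=10.0.0.12 qname=www.ftb.ca.gov. qtype=A",
    "2025-09-03T14:03:40Z client=10.0.0.27 qname=ftb.ca-gov-qq.cfd. qtype=A",
    "2025-09-03T14:05:02Z client=10.0.0.31 qname=dmv.cagov-zz.cc. qtype=AAAA",
    "2025-09-03T14:06:19Z client=10.0.0.27 qname=cagov-news.example.com. qtype=A",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for client, finding in hits:
        print(client, finding["host"], finding["variant"])
    print(dict(variant_counts(hits)))
```

Anchoring the pattern at the registrable label keeps the genuine ftb.ca.gov out of the results, and `normalize` lets the same check accept defanged indicators copied from reports.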

Wednesday, August 13, 2025

Chinese SMS Spammers Go Mobile

CommsRisk once more has a story today about how Chinese organized crime is recruiting people online to drive around with SMS Blasters installed in their vehicles. 

https://commsrisk.com/thais-caught-with-smishing-sms-blaster-say-chinese-boss-paid-75-per-day/

In many countries, notably NOT the United States, government telecom regulation has made a significant impact on scammers by blocking the scam and fraud campaigns being sent via SMS messaging. The response to these blockages has been the use of mobile base stations. The technique turns a vehicle into a mobile cell phone tower, allowing it to send SMS messages directly, bypassing the cell phone companies' ability to block the messages. The downside is that, depending on the power used, the range is limited to somewhere between 100 yards and a couple of miles.

In this case, the scammers were recruited in a Chinese WeChat channel where they were contracted by the scammer and trained how to install and set up their mobile station, which they installed in a small Mazda.  Their rig was on the low end, with a limited number of SIM cards, but was still able to send 20,000 SMS messages per day.

In November 2024, the Thai Royal Police picked up a much larger rig that was operating from a van being driven by a 35-year old Chinese national, Yang Muyi.  This device sent over a million messages in a three day period before being seized by police, as revealed in a press conference by Police Lt. General Thatchai Pitaneelabut.

Image from ThaiExaminer

Thai police have been greatly assisted in their investigations by a partnership with AIS (Advanced Info Systems) who have been helping them locate the false base stations. The image below shows the rig seized in a Honda CRV in January 2025 driven by two Chinese men, aged 47 and 49. Police then went to the apartment where additional mobile phones, SIM cards and other telecom equipment were seized.

Image from TheNation

On 10JUL2025, the Royal Oman Police shared a high-production quality video PSA on their Facebook, X.com, and Instagram channels warning about a Chinese tourist arrested with a vehicular-borne SMS Blaster case being used to send messages claiming to be from a local bank!

https://x.com/RoyalOmanPolice/status/1943369135477657693

Telecom Fraud expert Eric Priezkalns regularly writes about this emerging technique, and his map at CommsRisk, showing details of more than 50 similar cases, provides the most comprehensive information about such cases.

https://commsrisk.com/fraud-dashboard/#baseStationsSection

One of the UK-based cases above happened in June 2025, with the investigation beginning when a local police officer received an SMS message claiming to be from HMRC - His Majesty's Revenue & Customs - the UK tax office. Their investigation identified Chinese student Ruichen Xiong, who had been driving around London with a generator and an SMS blaster in his vehicle.

Image from The Guardian

"Captured SMS Blasting" 

The use of "captured SMS blasting" started in China where local advertisers used the technique to push advertisements for their store or services only to phones that are physically close to their location.  But scammers quickly realized there was a far more lucrative market by using the service to drive calls to fraud call centers!

The "3" over Beijing, China in this map actually goes back as far as 2014.  One of those three is a story from 2014 about Beijing police making 1,530 arrests and seizing 2,600 SMS Blasting devices! Already then, several of the text messages were imitating financial institutions, claiming a phone was infected with malware, or that their AliPay password had been changed.

Image from IBTimes

Because of the range limitations, scammers have frequently targeted places where crowds congregate.

If the problem comes in large crowds, perhaps the answer is ... 

Crowd-Sourcing Rogue Base Stations Identification

What can be done to detect and refer more of these cases to law enforcement?  The Gold Standard would have to come from Radio Yakuza! After noticing that his phone had a 2G connection to a fake base station, "Radio Yakuza" decided to investigate the situation.  He ended up recruiting a small army of volunteers on social media who reported incidents of fake base station capture and helped him to map out the possible locations.  In his initial break-through case, he was actually able to track the false base station to a black Audi hatchback!  The car was observed several more times by his team of volunteers, who noted that the driver had swapped the license plate!  His team was even able to help him get photographs of the equipment in the back of the car and demonstrate that the gear was identical to that shown in arrest photos in Thailand. 

https://x.com/denpa893/status/1911755963516014940



As with all the best reporting on this topic, the most detailed story comes from Eric Priezkalns on CommsRisk: "Amateur Detectives Find More Fake Base Stations in Japan" 

Radio Yakuza ==> https://x.com/denpa893

In a troubling example that Eric reports on (see https://commsrisk.com/amateur-sleuths-plot-route-of-tokyo-sms-blaster-and-other-news-about-fake-base-stations/ ), one of Radio Yakuza's most recent discoveries involved a base station that was circling the Imperial Palace during Japan's recent Senate elections.

https://x.com/denpa893/status/1946887928380367291

As Eric points out, the idea of mobile SMS Blasters being used for political mischief has also been observed in the Philippines and reported by Maria Ressa's The Rappler. Last month, their headline was "Spoof, smear, sabotage: How disinformation marred Cagayan de Oro’s 2025 polls." One example they showed was an SMS campaign that claimed if people came to one politician's rally, they could show their copy of the SMS messages to receive 50,000 Pesos! (That candidate, Lordon G. Suan, went on to win his Congressional race.)

(I can't mention The Rappler without begging you to read Maria Ressa's book, which I reviewed in December 2022 ==> 




Sunday, August 10, 2025

Ghanaian fraudsters arrested for BEC/Sakawa

In Nigeria, scammers who specialize in Romance Scams and BEC are called "Yahoo Boys." In Ghana, the term for the same activity is "Sakawa." Several Ghanaian news outlets are covering this case with headlines such as "Multimillion dollar Sakawa" or "Sakawa Chairman Busted" or "Sakawa Kingpin Bows to Extradition!"

On 08AUG2025 the US Attorney's office in the Southern District of New York announced the extradition of four Ghanaian scammers who stole more than $100 Million via Romance Scams and Business Email Compromise. 


https://www.justice.gov/usao-sdny/pr/ghanaian-nationals-extradited-roles-criminal-organization-stole-more-100-million

The names likely are not well known in the US, but the first two are creating a stir in some parts of Ghana: Isaac Boateng, Inusah Ahmed, Derrick Van Yeboah, and Patrick Kwame Asare.

Inusah Ahmed, also known as "Pascal" and "Agony," is the owner of the PAC Academy Football Club in the Ashanti region of Ghana. Ghana Soccer quotes one source as saying "Pascal was not just the owner; he was the heart and soul of PAC Academy.  This is a huge blow!"

https://ghanasoccernet.com/pac-academy-fc-faces-uncertain-future-amid-owner-inusah-ahmed-pascals-arrest-over-alleged-internet-fraud

Isaac Kofi Oduro Boateng, better known as "Kofi Boat," claims to be the owner of ICEFOOD, a frozen food company specializing in chicken and fish in Ghana. But he is better known as the "godfather" of singer Shatta Wale.  

Kofi Boat

Shatta, whose real name is Charles Nii Armah, was featured on the Beyonce track "Already" on her 2019 Lion King album.  Last week he had his 2019 Lamborghini Urus seized by the government of Ghana, after the FBI informed them it was purchased with stolen funds.

https://www.bbc.com/news/articles/cq687q927r7o

Ghana and the City of Lexington BEC

The source of those Lambo funds was Nana Kwabena Amuah, another Ghanaian, who performed a $3.9 Million Business Email Compromise against the city of Lexington, Kentucky. When Amuah was arrested in 2023, he posted bail and four days later was arrested attempting to flee to Canada on an Amtrak train.

In an unusual court document, 58 victims of Amuah's BEC crimes are listed with complete street address and the amount of money stolen.  Victims are identified in Alabama, Arizona, California, Colorado, Florida, Georgia, Iowa, Illinois, Michigan, Minnesota, Missouri, North Carolina, Oklahoma, Pennsylvania, Tennessee, Texas, Vermont, Wisconsin, the United Kingdom and Switzerland.  Collectively they were tricked into sending $4,743,443 to Amuah and his co-conspirator, Shimea Maret McDonald.  McDonald had opened a shell company, Gretson Company LLC, and had bank accounts at many major banks in that name that were used to receive the funds. 

Victim Restitution Worksheet (1-20 of 58)


There were others arrested in this ring, including Samuel Kwadwo Osei, who was recruited into "Sakawa" by a Nigerian computer programmer, Sapphire Egemasi, who the Nigerian media calls a "Tech Queen." Nigerian blogger Linda Ikeji (who I've followed for many years) shared this photo of Sapphire: 

https://www.lindaikejisblog.com/2025/6/fbi-arrests-nigerian-tech-queen-sapphire-egemasi-over-alleged-fraud-in-us-2.html


Samuel Kwadwo Osei ("Tuga"), Derick Nii Ashitey, Chinemezu Sapphire Egemasi, and Fred Brobbey Awuah were all charged in the same ring as McDonald and Amuah. 

Osei laundered funds through his BofA account in the name "Lasko Company LLC."
Ashitey operated from the United Kingdom. Sapphire operated from Nigeria, while Awuah resided in the Netherlands. 

Another Boateng? Dada Joe Remix 

Perhaps the first linked case in this string of Ghana-related arrests comes from the 27MAY2025 arrest of Joseph Kwadwo Badu Boateng, who was extradited to Arizona for ties to a romance scam case.  In Ghana, he is known as "Dada Joe Remix" and claims to be involved in oil and gas as well as real estate. According to "Pulse Ghana" he is "rumoured to be the man behind Shatta Bandle, Ghanian self-acclaimed billionaire and richest man in Africa."  A Ghanaian "prophet" Abusua is now claiming that Dada Joe was formerly "his small boy." Abusua claims that he took him into the bush for three months to teach him how to invoke spiritual powers to help him have success in his frauds.

https://x.com/StateDeptDSS/status/1940078310156865950

Are Ghana's "Elite" panicking? 

My favorite paragraph in the Pulse story "Accra socialite Dada Joe Remix nabbed in alleged FBI sting"  reads: 

"Since news of the arrest broke, panic has reportedly gripped Accra’s elite social circles. Several prominent figures allegedly involved in cryptocurrency, forex trading, and high-end real estate have gone underground. Phones have reportedly been switched off, luxury homes have fallen silent, flights are rumoured to be hastily booked, and inner circles – including partners, baby mamas, and close associates – are allegedly being coached on what to say should they be questioned."