Full Report
A WIRED investigation reveals that criminals who make billions from scam compounds in Myanmar—where tens of thousands of people are enslaved—are using Starlink to get online.
Analysis Summary
# Incident Report: Criminal Exploitation of Starlink Satellite Internet in Southeast Asian Scam Compounds
## Executive Summary
This report details the exploitation of SpaceX's Starlink satellite internet service by organized criminal syndicates operating large-scale "pig butchering" and fraud compounds, primarily near the Myanmar-Thailand border. The syndicates, which hold victims in modern slavery, use Starlink to keep operations running when traditional internet connections are severed. Advocates and officials have alerted SpaceX that the misuse is fueling billions in global fraud, but no coordinated response to terminate service at these locations has been confirmed, allowing criminal activity to persist during regional crackdowns.
## Incident Details
- Discovery Date: June 2024 (Victim communication referencing Starlink installation) / November 2024 – February 2025 (Mobile phone data acquisition)
- Incident Date: Ongoing, notably increasing in the past year leading up to February 2025.
- Affected Organization: SpaceX/Starlink (as the service provider being exploited); Numerous global victims of cryptocurrency scams.
- Sector: Satellite Communications, Financial Crime, Human Trafficking.
- Geography: Primarily the Myawaddy region, Myanmar-Thailand border.
## Timeline of Events
### Initial Access
- Date/Time: Ongoing; Starlink installation confirmed around June 2024 following the initial service disruption elsewhere.
- Vector: Direct procurement and installation of Starlink hardware (satellite dishes) on compound rooftops.
- Details: Victims reported that after their traditional Thai internet connection was cut, organized criminals installed Starlink, enabling scam work to continue normally.
### Lateral Movement
- *Not directly applicable*: This incident describes the use of a specific technology (Starlink) to maintain command and control/communication infrastructure, rather than standard network lateral movement within a compromised corporate environment.
### Data Exfiltration/Impact
- Impact: Facilitation of ongoing, large-scale, multibillion-dollar cryptocurrency "pig butchering" scams targeting global victims.
### Detection & Response
- **Detection:** First reported by a trafficking victim in June 2024 to the anti-scam group GASO. Confirmed via mobile phone location data between November 2024 and February 2025, showing 40,000+ connections at eight compounds.
- **Response Actions:**
  - Santa Clara County DA advocate (Erin West) contacted a SpaceX lawyer in July 2024 offering information to disrupt bad actors; no reported reply.
  - Thai MP Rangsiman Rome tagged Elon Musk on X in early February 2025 regarding criminal exploitation; no reported reply.
  - Thai authorities cut traditional internet, electricity, and fuel to some compounds, resulting in thousands of rescues, but criminal operations persisted via Starlink.
  - Thai officials seized 78 Starlink receivers believed to be destined for compounds.
## Attack Methodology
- **Initial Access:** Not applicable (This is infrastructure misuse, not typical network infiltration).
- **Persistence:** Physical installation of Starlink hardware on compound buildings, providing reliable, high-speed remote connectivity independent of local infrastructure cuts.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Starlink connectivity allows operations to continue even when local law enforcement/authorities disrupt traditional cellular or wired internet infrastructure serving the compounds.
- **Credential Access:** Not applicable (Focus is on communication infrastructure, not local credential theft).
- **Discovery:** Implicitly, the syndicate uses reconnaissance to identify the most reliable connection methods available.
- **Lateral Movement:** Not applicable.
- **Collection:** Trafficking victims held in the compounds are forced to run online romance/investment scams that collect funds digitally from scam targets worldwide.
- **Exfiltration:** Financial assets are exfiltrated via cryptocurrency scams facilitated by the reliable Starlink network.
- **Impact:** Continuation of human trafficking and massive global financial fraud enabled by robust connectivity.
## Impact Assessment
- **Financial:** Directly fuels multibillion-dollar cryptocurrency scams across Southeast Asia.
- **Data Breach:** Not detailed as a data breach *of this specific entity*; the fraud instead targets the finances of hundreds of thousands of people globally.
- **Operational:** Continuation of human trafficking operations and forced labor despite regional law enforcement crackdowns.
- **Reputational:** Potential reputational damage for SpaceX if services are seen as enabling organized crime and human rights abuses.
## Indicators of Compromise
- **Network indicators (Defanged):** Reliance on Starlink IP ranges identified at known geospatial threat locations.
- **File indicators:** None specified related to malware, but procurement records for Starlink hardware would be relevant.
- **Behavioral indicators:** Mobile phone location data showing devices at known scam compound locations connecting via Starlink with high frequency (40,000+ logs between Nov 2024 and Feb 2025).
## Response Actions
- **Containment:** Thai efforts included cutting traditional internet, electricity, and fuel supplies to some compounds. Starlink devices were seized by Thai authorities (78 receivers).
- **Eradication:** No documented eradication steps taken by SpaceX to shut down confirmed active devices within the compounds.
- **Recovery:** Thousands of trafficking victims rescued by Thai authorities; however, services supporting these victims face funding cuts (USAID cuts to the DOGE-affected NGO sector).
## Lessons Learned
- **Key Takeaways:** Organized transnational crime syndicates actively integrate advanced commercial technology (like Starlink) to bypass law enforcement countermeasures, rendering conventional disruption tactics (e.g., cutting local internet) ineffective.
- **What could have been done better:** SpaceX reportedly did not act on specific intelligence provided by law enforcement advocates detailing the exact criminal compounds exploiting its network.
## Recommendations
- Implement robust, immediate vetting and service termination protocols when credible intelligence identifies Starlink hardware being used by identified modern slavery or organized crime operations, adhering to Starlink’s own policies regarding fraudulent activities and unauthorized locations.
- Increase proactive monitoring and collaboration with international law enforcement or recognized anti-trafficking organizations (like GASO) when allegations regarding high-risk geographic areas arise.
- Review internal escalation processes for handling reports from government officials and advocates concerning criminal exploitation of core services.