Cybercrime

North Korea accuses US of ‘wicked’ hostility over cybercrime sanctions | Cybercrime News

US Treasury accuses Pyongyang of stealing $3bn in digital assets to finance its nuclear weapons programme over three years.

North Korea has denounced the latest United States sanctions targeting cybercrimes that the US says help finance its nuclear weapons programme, accusing Washington of harbouring “wicked” hostility towards Pyongyang and promising unspecified countermeasures.

The statement on Thursday by a North Korean vice foreign minister came two days after the US Department of the Treasury imposed sanctions on eight people and two firms, including North Korean bankers, for allegedly laundering money from cybercrime schemes.


The US Treasury accused North Korea of operating state-sponsored hacking schemes that have stolen more than $3bn in mostly digital assets over the past three years, an amount unmatched by any other foreign actor. The Treasury Department said the illicit funds helped finance the country’s nuclear weapons programme.

The department said North Korea relies on a network of banking representatives, financial institutions and shell companies in North Korea, China, Russia and elsewhere to launder funds obtained through IT worker fraud, cryptocurrency heists and sanctions evasion.

The sanctions were rolled out even as US President Donald Trump continues to express interest in reviving talks with North Korean leader Kim Jong Un. Their nuclear discussions during Trump’s first term collapsed in 2019 amid disagreements over trading relief from US-led sanctions on North Korea for steps to dismantle its nuclear programme.

“Now that the present US administration has clarified its stand to be hostile towards the DPRK to the last, we will also take proper measures to counter it with patience for any length of time,” the North Korean vice minister, Kim Un Chol, said in a statement.

He said US sanctions and pressure tactics will never change the “present strategic situation” between the countries or alter North Korea’s “thinking and viewpoint”.

Kim Jong Un has shunned any form of talks with Washington and Seoul since his fallout with Trump in 2019. He has since made Russia the focus of his foreign policy, sending thousands of soldiers, many of whom have died on the battlefield, and large amounts of military equipment for President Vladimir Putin’s war on Ukraine while pursuing an increasingly assertive strategy aimed at securing a larger role for North Korea in a united front against the US-led West.

In a recent speech, Kim Jong Un urged Washington to drop its demand for the North to surrender its nuclear weapons as a condition for resuming diplomacy. He ignored Trump’s proposal to meet while the US president was in South Korea last week for meetings with world leaders attending the Asia-Pacific Economic Cooperation summit.


U.S. sanctions North Koreans over cybercrime money laundering

Nov. 5 (UPI) — The U.S. Treasury Department announced sanctions against eight individuals and two entities accused of laundering proceeds from North Korean cybercrime and information technology worker fraud schemes that help fund Pyongyang’s weapons programs.

The department’s Office of Foreign Assets Control said Tuesday that North Korea has stolen more than $3 billion over the past three years, using sophisticated techniques such as advanced malware and social engineering to breach financial systems and cryptocurrency platforms.

“North Korean state-sponsored hackers steal and launder money to fund the regime’s nuclear weapons program,” Under Secretary for Terrorism and Financial Intelligence John K. Hurley said in a statement. “By generating revenue for Pyongyang’s weapons development, these actors directly threaten U.S. and global security.”

Hurley added that the Treasury is “identifying and disrupting the facilitators and enablers behind these schemes to cut off the DPRK’s illicit revenue streams.”

The Democratic People’s Republic of Korea is the official name of North Korea.

Among those sanctioned are Jang Kuk Chol and Ho Jong Son, North Korean bankers who allegedly helped manage illicit funds, including $5.3 million in cryptocurrency — some of it linked to ransomware that has previously targeted U.S. victims.

Korea Mangyongdae Computer Technology Co. and its president U Yong Su were also added to the list. The company allegedly operates IT-worker delegations from the Chinese cities of Shenyang and Dandong.

Ryujong Credit Bank, another target, was accused of laundering foreign-currency earnings and moving funds for sanctioned North Korean entities. Six additional individuals were designated for facilitating money transfers.

Under the sanctions, all property and interests in property of the designated individuals and entities within U.S. jurisdiction are blocked, and U.S. persons are generally barred from engaging in transactions with them. Financial institutions dealing with the sanctioned parties may also face enforcement actions.

The move builds on earlier U.S. actions this year against North Korean cyber networks. In July, the State Department sanctioned Song Kum Hyok, a member of the Andariel hacking group, for operating remote IT-worker schemes that funneled wages back to Pyongyang.

The Justice Department also filed criminal charges in 16 states against participants in a campaign that placed North Korean IT workers in U.S. companies.

Tuesday’s OFAC statement cited an October report by the 11-country Multilateral Sanctions Monitoring Team, which described North Korea’s cybercrime apparatus as “a full-spectrum, national program operating at a sophistication approaching the cyber programs of China and Russia.”

The report added that “nearly all the DPRK’s malicious cyber activity, cybercrime, laundering and IT work is carried out under the supervision, direction and for the benefit of entities sanctioned by the United Nations for their role in the DPRK’s unlawful WMD and ballistic missile programs.”

The sanctions follow President Donald Trump’s recent visit to South Korea, where a much-anticipated meeting with North Korean leader Kim Jong Un failed to materialize.

South Korea’s National Intelligence Service told lawmakers Tuesday that a summit could take place after joint U.S.-South Korean military drills scheduled for March, according to opposition lawmaker Lee Seong-kweun of the People Power Party.


US court bars Israeli spyware firm from targeting WhatsApp users | Cybersecurity News

The judge ruled NSO caused ‘irreparable harm’ to Meta, but said an earlier award of $168m in damages was ‘excessive’.

A United States judge has granted an injunction barring Israeli spyware maker the NSO Group from targeting WhatsApp users, saying the firm’s software causes “direct harm” but slashed an earlier damages award of $168m to just $4m.

In a ruling on Friday granting WhatsApp owner Meta an injunction to stop NSO’s spyware from being used in the messaging service, district judge Phyllis Hamilton said the Israeli firm’s “conduct causes irreparable harm”, adding that there was “no dispute that the conduct is ongoing”.


Hamilton said NSO’s conduct “serves to defeat” one of the key purposes of the service offered by WhatsApp: privacy.

“Part of what companies such as WhatsApp are ‘selling’ is informational privacy, and any unauthorised access is an interference with that sale,” she said.

In her ruling, Hamilton said that evidence at trial showed that NSO reverse-engineered WhatsApp code to stealthily install its spyware Pegasus on users’ phones, and repeatedly redesigned it to escape detection and bypass security fixes.

NSO was founded in 2010 and is based in the Israeli seaside tech hub of Herzliya, near Tel Aviv.

Pegasus – a highly invasive software marketed as a tool for law enforcement to fight crime and terrorism – allows operators to remotely embed spyware in devices.

NSO says it only sells the spyware to vetted and legitimate government law enforcement and intelligence agencies. But Meta, which owns WhatsApp, filed a lawsuit in California federal court in late 2019, accusing NSO of exploiting its encrypted messaging service to target journalists, lawyers and human rights activists with its spyware.

Independent experts have also said NSO’s software has been used by nation states, some with poor human rights records, to target critics.

Judge Hamilton said her broad injunction was appropriate given NSO’s “multiple design-arounds” to infect WhatsApp users – including missed phone calls and “zero-click” attacks – as well as the “covert nature” of the firm’s work more generally.

Will Cathcart, the head of WhatsApp, said in a statement that the “ruling bans spyware maker NSO from ever targeting WhatsApp and our global users again”.

“We applaud this decision that comes after six years of litigation to hold NSO accountable for targeting members of civil society. It sets an important precedent that there are serious consequences to attacking an American company,” he said.

Meta had asked Hamilton to extend the injunction to its other products – including Facebook, Instagram and Threads – but the judge ruled there was no way for her to determine if similar harms were being done on the other platforms without more evidence.

Hamilton also ruled that an initial award of $168m against NSO for damages to Meta in May this year was excessive, determining that the court did not have “sufficient basis” to support the jury’s initial calculation.

“There have simply not yet been enough cases involving unlawful electronic surveillance in the smartphone era for the court to be able to conclude that defendants’ conduct was ‘particularly egregious’,” Hamilton wrote.

The judge ruled that the punitive damages ratio should therefore be “capped at 9/1”, reducing the initial sum by about $164m to just $4m.


South Koreans freed from Cambodian scam centres return home under arrest | Cybercrime News

South Korea has banned citizens from going to parts of Cambodia amid growing concerns over the country’s scam industry.

Dozens of South Korean nationals who had been detained in Cambodia for alleged involvement in cyberscam operations have been returned home and placed under arrest, according to South Korean authorities.

Officers arrested the individuals on board a chartered flight sent to collect them from Cambodia, a South Korean police official told the AFP news agency.


“A total of 64 nationals just arrived at the Incheon international airport on a chartered flight,” the official said on Saturday, adding that all of the individuals have been taken into custody as criminal suspects.

South Korea sent a team to Cambodia earlier this week to investigate dozens of its nationals who were kidnapped into the Southeast Asian nation’s online scam industry.

South Korean National Security Adviser Wi Sung-lac previously said the detained individuals included both “voluntary and involuntary participants” in scam operations.

On Friday, Cambodian Ministry of Interior spokesman Touch Sokhak said the repatriation agreement with South Korea was the “result of good cooperation in suppression of scams between the two countries”.

Online scam operations have proliferated in Cambodia since the COVID-19 pandemic, when the global shutdown saw many Chinese-owned casinos and hotels in the country pivot to illicit operations.

Operating from industrial-scale scam centres, tens of thousands of workers perpetrate online romance scams known as “pig-butchering”, often targeting people in the West in a vastly lucrative industry responsible for the theft of tens of billions of dollars each year.

Pig-butchering – a euphemism for fattening up a victim before they are slaughtered – often involves fraudulent cryptocurrency investment schemes that build trust over time before funds are stolen.

Parallel industries have blossomed in Laos, the Philippines and war-ravaged Myanmar, where accounts of imprisonment and abuse in scam centres are the most severe.

An estimated 200,000 people are working in dozens of large-scale scam operations across Cambodia, with many scam compounds owned by or linked to the country’s wealthy and politically connected. About 1,000 South Korean nationals are believed to be among that figure.

On Tuesday, the United States and United Kingdom announced sweeping sanctions against a Cambodia-based multinational crime network, identified as the Prince Group, for running a chain of “scam centres” across the region.

UK authorities seized 19 London properties worth more than 100 million pounds ($134m) linked to the Prince Group, which markets itself as a legitimate real estate, financial services and consumer businesses firm.

Prosecutors said that at one point, Prince Group’s chair, Chinese-Cambodian tycoon Chen Zhi, bragged that scam operations were pulling in $30m a day.

Chen – who has served as an adviser to Cambodian Prime Minister Hun Manet and his father, long-ruling former Prime Minister Hun Sen – is also wanted on charges of wire fraud and money laundering, according to the UK and US.

Still at large, he faces up to 40 years in prison if convicted.

The move by the UK and US against the Prince Group came as South Korea announced a ban on travel to parts of Cambodia on Wednesday amid growing concerns over its citizens entering the scam industry.

South Korean police have said they will also conduct a joint investigation into the recent death of a college student in Cambodia who was reportedly kidnapped and tortured by a crime ring.

The South Korean student was found dead in a pick-up truck on August 8 in Cambodia’s southern Kampot province, with an autopsy revealing he “died as a result of severe torture, with multiple bruises and injuries across his body”.


Thousands protest livestreamed murder of 2 women, young girl in Argentina | Crime News

Drug gang suspected in torture and murder of two young women, and a 15-year-old girl, in crime that shocks Argentina.

Clashes have erupted between demonstrators and police as thousands protested in Argentina’s capital, Buenos Aires, to demand justice over the torture and killing of two young women and a teenager, which was livestreamed on social media by a purported drug gang.

Thousands of protesters took to the streets on Saturday to denounce the killings that shocked Argentinians after it was revealed that the murders were perpetrated live on the Instagram platform and watched by 45 members of a private account, officials said.


The bodies of Morena Verdi and Brenda del Castillo, cousins aged 20, and 15-year-old Lara Gutierrez were found buried on Wednesday in the yard of a house in a southern suburb of Buenos Aires, five days after they went missing.

Investigators said the victims, thinking they were going to a party, were lured into a van on September 19, allegedly as part of a plan to “punish” them for violating gang code and to serve as a warning to others.

Police discovered a video of the triple murder after a suspect in the disappearance of the three revealed it under questioning, according to Javier Alonso, the security minister for the Buenos Aires province.

In the footage, a gang leader is heard saying: “This is what happens to those who steal drugs from me.”

Argentinian media reported that the torturers cut off fingers, pulled out nails, and beat and suffocated the victims.

While most of the protesters who took part in the demonstration on Saturday marched peacefully, some confronted police who responded by aggressively pushing them away using their batons and shields, according to video clips and images posted by the La Izquierda Diario online news site.

Relatives and friends attend a demonstration called by rights groups under the banner: "There are no good or bad victims, only femicides," referencing the three murdered teenagers' alleged involvement in sex work, in Buenos Aires, on September 27, 2025. The bodies of Morena Verdi and Brenda Del Castillo, cousins aged 20, and 15-year-old Lara Gutierrez were found buried last September 24 in the yard of a house, five days after they went missing. The crime, which investigators have tied to narco activity, was perpetrated live on Instagram and watched by 45 members of a private account, officials said. (Photo by Luis ROBAYO / AFP)
Thousands of protesters took to the streets of Buenos Aires on Saturday to denounce the killings of Morena Verdi and Brenda del Castillo, cousins aged 20, and 15-year-old Lara Gutierrez, by a suspected drug gang [Luis Robayo/AFP]

As they marched towards the Argentinian parliament with thousands of supporters, family members of the victims held a banner with their names, “Lara, Brenda, Morena”, and placards with the images of the three.

“Women must be protected more than ever,” Brenda’s father, Leonel del Castillo, was quoted by the AFP news agency as telling reporters at the protest. He had earlier said he had not been able to identify his daughter’s body due to the torture she had endured.

“It was a narco-femicide!” read a sign at the protest. Another declared, “Our lives are not disposable!”

The protesters also banged on drums as they marched and denounced the “inaction” of the administration of President Javier Milei against what they called the growing “narco” influence in the country.

An image posted on social media showed protesters burning an image of Milei and other political allies of his administration.

Antonio del Castillo, the grandfather of the slain 20-year-old cousins, was in tears, calling his granddaughters’ killers “bloodthirsty”.

“You wouldn’t do what they did to them to an animal,” he said.

On Friday, Minister of National Security Patricia Bullrich announced the arrest of a fifth suspect in the case, bringing the total to three men and two women. The fifth suspect, accused of offering logistical support in the killing by providing a vehicle involved in the crime, was arrested in the Bolivian border city of Villazon.

Authorities have also released a photograph of the alleged mastermind, a 20-year-old Peruvian, who remains at large.

Meta, the parent company of Instagram, has disputed that the livestream occurred on its platform, according to the AFP, citing a company spokesperson.


Is China using an alleged criminal to get Paraguay to ditch Taiwan? | Corruption News

101 East investigates whether China is using alleged criminals to win over Taiwan’s sole South American ally, Paraguay.

Paraguay is one of just 12 countries that maintains diplomatic ties with Taiwan, not China.

But is Beijing using unofficial channels to extend its influence into the South American nation?

In our three-year undercover investigation, we meet a shadowy Chinese businessman who says he is a proxy for Beijing, a claim that China denies.

Our undercover researchers reveal that the alleged middleman has his own agenda.

He is plotting to build a secret scam compound near the Paraguayan capital, a safe haven for Chinese crime bosses fleeing crackdowns in Southeast Asia.

In a special exclusive report, 101 East investigates China’s Paraguay connection.

You can read the full statements given to 101 East below:


Iran arrests eight suspected of spying for Israel’s Mossad in 12-day war | Israel-Iran conflict News

Revolutionary guards say suspects apprehended in northeastern Iran as materials for making weapons are also seized.

Iran has arrested eight people suspected of attempting to transmit the coordinates of sensitive sites and details about senior military figures during the country’s 12-day war with Israel and the United States to the Israeli intelligence agency Mossad, according to its Islamic Revolutionary Guard Corps (IRGC).

The IRGC released a statement on Saturday alleging that the suspects had received specialised training from Mossad via online platforms.

It said they were apprehended in northeastern Iran before carrying out their plans, and that materials for making launchers, bombs, explosives and booby traps had been seized.

The news comes as state media reported earlier this month that Iranian police had arrested as many as 21,000 “suspects” during the June conflict, though they did not say what these people had been suspected of doing.

Following an Israeli military bombardment that began on June 13, killing top military officials and scientists as well as hundreds of civilians, Iran retaliated with barrages of missiles on Israeli military sites, infrastructure and cities.

People attend the funeral procession of Iranian military commanders, nuclear scientists and others killed in Israeli strikes, in Tehran, Iran, on June 28, 2025 [Majid Asgaripour/West Asia News Agency via Reuters]

The US also carried out extensive strikes on Israel’s behalf on Iranian nuclear sites during the conflict, the worst blow to the Islamic republic since its 1980s war with Iraq.

During the 12-day war, Iranian security forces began a campaign of widespread arrests accompanied by an intensified street presence based around checkpoints and “public reports”.

Iranian citizens were called upon to report on any individuals they thought were acting suspiciously during the war that ended in a US and Qatar-brokered ceasefire.

Iran has executed at least eight people in recent months, including nuclear scientist Rouzbeh Vadi, hanged on August 9 for passing information to Israel about another scientist who was killed in Israeli air strikes.

Human rights groups say Iran uses espionage charges and fast-tracked executions as tools for broader political repression.

The Israel-US-Iran conflict has also led to an accelerated rate of deportations for Afghan refugees and migrants believed to be illegally in Iran, with aid agencies reporting that local authorities have also accused some Afghan nationals of spying for Israel.

“Law enforcement rounded up 2,774 illegal migrants and discovered 30 special security cases by examining their phones. [A total of] 261 suspects of espionage and 172 people accused of unauthorised filming were also arrested,” police spokesperson Saeed Montazerolmahdi said earlier this month.

Montazerolmahdi did not specify how many of those arrested had since been released.

He added that Iran’s police handled more than 5,700 cases of cybercrimes such as online fraud and unauthorised withdrawals during the war, which he said had turned “cyberspace into an important battlefront”.


Microsoft cyberattack hits 100 organisations, security firms say | Business and Economy News

The Shadowserver Foundation and Eye Security would not disclose which firms were affected.

A sweeping cyber espionage operation targeting Microsoft server software has compromised about 100 different organisations over the weekend.

Two of the organisations that helped uncover the attack announced their findings on Monday.

On Saturday, Microsoft issued an alert about “active attacks” on self-hosted SharePoint servers, which are widely used by organisations to share documents and collaborate with others. SharePoint instances run off of Microsoft servers were unaffected.

Dubbed a “zero-day” because it leverages a previously undisclosed digital weakness, the hacks allow spies to penetrate vulnerable servers and potentially drop a backdoor to secure continuous access to victim organisations.

Vaisha Bernard, the chief hacker at Eye Security, a Netherlands-based cybersecurity firm which discovered the hacking campaign targeting one of its clients on Friday, said that an internet scan carried out with the Shadowserver Foundation had uncovered nearly 100 victims altogether – and that was before the technique behind the hack was widely known.

“It’s unambiguous,” Bernard said. “Who knows what other adversaries have done since to place other backdoors.”

He declined to identify the affected organisations, saying that the relevant national authorities had been notified.

The Shadowserver Foundation confirmed the 100 figure and said that most of those affected were in the United States and Germany and that the victims included government organisations.

Another researcher said that, so far, the spying appeared to be the work of a single hacker or set of hackers.

“It’s possible that this will quickly change,” said Rafe Pilling, director of threat intelligence at Sophos, a British cybersecurity firm.

A Microsoft spokesperson said in an emailed statement that it had “provided security updates and encourages customers to install them”.

It was not clear who was behind the ongoing hack. The FBI said on Sunday it was aware of the attacks and was working closely with its federal and private-sector partners, but offered no other details. Britain’s National Cyber Security Centre said in a statement that it was aware of “a limited number” of targets in the United Kingdom. A researcher tracking the hacks said that the campaign appeared initially aimed at a narrow set of government-related organisations.

Potential targets

The pool of potential targets remains vast. According to data from Shodan, a search engine that helps to identify internet-linked equipment, more than 8,000 servers online could theoretically have already been compromised by hackers.

Those servers include major industrial firms, banks, auditors, healthcare companies and several US state-level and international government entities.

“The SharePoint incident appears to have created a broad level of compromise across a range of servers globally,” said Daniel Card of British cybersecurity consultancy, PwnDefend.

“Taking an assumed breach approach is wise, and it’s also important to understand that just applying the patch isn’t all that is required here.”

On Wall Street, Microsoft’s stock is about even with the market open as of 3pm in New York (19:00 GMT), up by only 0.06 percent, and has gone up more than 1.5 percent over the last five days of trading.


What are ‘crypto kidnappings’ and why are they on the rise? | Crime News

Michael Valentino Teofrasto Carturan was renting a luxury New York townhouse for $40,000 a month, enjoying the fruits of his highly lucrative investments in cryptocurrency. But in May, his 17-room Manhattan home became a torture chamber in which he was held by kidnappers for 17 days.

Carturan’s captors, John Woeltz and William Duplessie, who wanted access to his cryptocurrency accounts, used brutal methods in their bid to prise open Carturan’s Bitcoin wallet, purportedly containing some $28m worth of cryptocurrency. Among other torture methods, they hung him from the building’s roof, shocked him with electrical wires and threatened him with a chainsaw.

When all else failed, they forced him to smoke crack cocaine. Ultimately, they were unsuccessful. After more than two gruelling weeks, Carturan managed to escape the townhouse and Woeltz and Duplessie were subsequently arrested and charged with kidnapping and assault.

William Duplessie appears in Manhattan Criminal Court as an indictment is prepared to be handed down for his involvement in a cryptocurrency kidnapping, in New York City, on May 30, 2025 [Jefferson Siegel/Pool via Reuters]

Carturan’s ordeal was one of the latest in a spate of “wrench attacks”, which include so-called “crypto kidnappings”. These attacks combine high-tech cybertheft with old-fashioned thuggery and have been taking place in several countries around the world.

Have arrests for crypto kidnapping attacks been made elsewhere?

Yes. On May 31, 26 people were charged for several attempted kidnappings of a top figure in France’s cryptocurrency world, French prosecutors said.

It was the culmination of a police investigation into an “attempted kidnapping by an organised gang” of the daughter and grandson of the CEO of crypto firm Paymium in Paris on May 13, and “other unsuccessful plans”, a failed attempt on the same targets the day before, and another attempt near the western city of Nantes on June 2.

“Eighteen people have been placed in pre-trial detention, three have requested a deferred hearing, and four have been placed under judicial supervision,” the Paris public prosecutor’s office said, concerning the Paris attack. The suspects are all aged between 16 and 23.

France has been the centre of several attacks on prominent crypto entrepreneurs in recent months. But crypto-linked kidnappings have occurred in other countries, too.

A woman walks her dog on Rue Pache, near the location where a masked gang attempted to kidnap the daughter and grandson of a crypto businessman in Paris, France [Gonzalo Fuentes/Reuters]

Where else have crypto kidnappings taken place?

In addition to the recent attempted abductions in Paris, a group of criminals kidnapped David Balland, cofounder of the cryptocurrency firm Ledger, and his wife in central France in January.

In a particularly gruesome turn of events, the kidnappers cut off one of Balland’s fingers and sent the video of the mutilation to Ledger. Within two days, however, the French gendarmerie had freed both victims.

Nine suspects are under criminal investigation in that case.

In December 2024, the wife of crypto investor and influencer Stephane Winkel was kidnapped from the couple’s home in Belgium. She was rescued after her kidnapper crashed his car during a dramatic police chase.

Canada and Australia have also witnessed high-profile kidnappings, with crypto executives and traders abducted and forced to pay ransoms ranging from $40,000 to $1m in digital assets.

It is unclear whether the recent spate of crypto kidnappings is connected in any way.

What is cryptocurrency?

Bitcoin, which began trading in January 2009, was the very first cryptocurrency. This form of monetary exchange allows people to bypass central banks and traditional payment methods. It is now a functioning, decentralised monetary system, with hundreds of millions of users worldwide.

Bitcoin was first used in a transaction in 2009, valued at just $0.004 per Bitcoin. Yesterday, Bitcoin’s price closed at nearly $101,576 per Bitcoin – about 53 percent higher than a year ago, and nearly 2.5 trillion percentage points higher than in 2009.

Initially, the digital currency was favoured by internet libertarians who were drawn to the idea that money should be free from government interference. It quickly gained more mainstream popularity, and the price has shot up.

More recently, United States President Donald Trump has taken steps to mint several cryptocurrencies, meaning they would be included in a “Crypto Strategic Reserve”, boosting their price even more in the process.

While cryptocurrency thefts are nothing new, they have historically involved hacking digital accounts holding large sums of the currency. In 2022, for instance, internet thieves stole an estimated $570m from Binance, the world’s largest crypto exchange.

But as Bitcoin and other digital assets continue to climb in value, criminals are shifting their efforts from online hacking to real-world extortion, via kidnappings and torture.

How do criminals target victims in crypto kidnappings?

Victims are not hard to find.

Some crypto tycoons, many of whom are young men, have a habit of flaunting their wealth on social media or by appearing at cryptocurrency conferences, which allows criminals to easily identify targets.

Many have continued to flaunt their wealth in spite of the 2016 Kim Kardashian kidnapping incident. The US reality TV star was tied up in her hotel room in Paris as robbers made off with millions of dollars worth of jewellery. The men – dubbed the “grandpa robbers” because of their ages – were later caught and sentenced to prison by a French court.

That was not a crypto attack, but as more crypto tycoons have appeared, there is little to differentiate them from the fabulously wealthy like the Kardashians.

However, even those with large crypto wealth who are more cautious about displaying it on social media and in public have been exposed to criminal activity via data breaches at cryptocurrency exchanges.

In May 2025, Coinbase Global announced that hackers had managed to obtain personal information, including the home addresses of almost 70,000 customers in the previous few months, putting thousands at risk of attack or extortion.

Besides hacking the accounts of crypto millionaires for this sort of information, criminals have also bribed insiders at crypto exchanges for customer data. This information is then used to select and find high-value targets for kidnappings or home invasions.

Why are crypto kidnappings on the rise?

It is easier to steal money from a digital wallet than from a traditional bank account, and kidnapping is one way to do this.

Attackers simply need to gain access to someone’s cryptocurrency account password, as there’s no third-party financial institution to protect the funds held in the digital wallet.

Transactions on an open-ledger blockchain – the technology which facilitates cryptocurrencies – are also permanent, meaning transactions are irreversible.

And, unlike cash, jewellery and gold, thieves don’t need to carry away the stolen cryptocurrency with them. With a few clicks, money can simply be moved from one account to another.

Furthermore, cryptocurrency’s ability to skirt traditional law enforcement also means it is much easier to launder, making it popular with internet-based drug dealers.

Therefore, if criminals can force a victim to give up their account, they can gain immediate access to vast wealth – hence the rise in physical attacks and kidnappings.

Can you get insurance against a crypto kidnapping?

Yes, you can. At least three insurance companies which provide services for cryptocurrency investors are in the process of designing policies specifically for abductions, called kidnap and ransom (K&R) policies, according to a report by NBC News.

Becca Rubenfeld, chief operating officer at AnchorWatch – a crypto insurance firm aiming to launch K&R protection later this year – said that fear of violence was a key talking point at this year’s annual Las Vegas Bitcoin Conference, in May.

“They’re [cryptocurrency holders are] tense,” Rubenfeld told NBC. “I’m not saying that because I’m trying to sell insurance, but overall, the mood is a very good environment for me.”

Kidnapping and ransom insurance is not uncommon for high-profile corporate executives.

What else are crypto investors doing to stay safe?

Elsewhere, security experts are urging investors to avoid sharing details of their crypto holdings online, even with friends, and to use pseudonyms and new digital wallet addresses for each transaction.

Increasingly, crypto traders are avoiding making social media posts with geotagged photos, especially any that show themselves with luxury items, or revealing their travel plans.

Abused, exploited: How two Africans became trapped in a cyber-scam in Laos | Cybercrime

Bokeo province, Laos – Khobby was living in Dubai last year when he received an intriguing message about a well-paying job working online in a far-flung corner of Southeast Asia.

The salary was good, he was told. He would be working on computers in an office.

The company would even foot the bill for his relocation to join the firm in Laos – a country of 7.6 million people nestled between China, Thailand, Cambodia, Vietnam and Myanmar.

With the company paying for his flights, Khobby decided to take the plunge.

But his landing in Laos was anything but smooth.

Khobby discovered that the promised dream job was rapidly becoming a nightmare when his Ghanaian passport was taken on arrival by his new employers.

With his passport confiscated and threats of physical harm ever present, he endured months working inside a compound which he could not leave.

The 21-year-old had become the latest victim of booming online cyber-scam operations in Southeast Asia – an industry that is believed to have enslaved tens of thousands of workers lured with the promise of decently paid jobs in online sales and the information technology industry.

“When I got there, I saw a lot of Africans in the office, with a lot of phones,” Khobby told Al Jazeera, recounting his arrival in Laos.

“Each person had 10 phones, 15 phones. That was when I realised this was a scamming job,” he said.

The operation Khobby found himself working for was in a remote area in northwest Laos, where a casino city has been carved out of a patch of jungle in the infamous “Golden Triangle” region – the lawless border zone between Myanmar, Laos and Thailand that has long been a centre for global drug production and trafficking.

He said he was forced to work long days and sleep in a dormitory with five other African workers at night during the months he spent at the scam centre in the Golden Triangle Special Economic Zone.

Khobby recounted the original message he received from an acquaintance encouraging him to take the job in Laos.

“My company is hiring new staff”, he said, adding that he was told the salary was $1,200 per month.

“He told me it was data entry.”

People rescued from cyber-scam centres in Myanmar travel inside a Thai military truck after arriving in Thailand, at the Myanmar-Thai border in Phop Phra district, near Mae Sot, Tak province, northern Thailand, in February 2025 [Somrerk Kosolwitthayanant/EPA]

Casino city

The Golden Triangle Special Economic Zone (GTSEZ) where Khobby was lured to for work operates as an autonomous territory within Laos.

Leased from Laotian authorities by Chinese national Zhao Wei, whom the US government has designated the leader of a transnational criminal organisation, life in the GTSEZ is monitored by a myriad of security cameras and protected by its own private security force.

Clocks are set to Beijing time. Signage is predominantly in Chinese, and China’s yuan is the dominant and preferred currency.

Central to the GTSEZ city-state is Zhao Wei’s Kings Romans casino, which the United States Treasury also described as a hub for criminal activity such as money laundering, narcotics and wildlife trafficking.

During a recent visit to the zone by Al Jazeera, Rolls Royce limousines ferried gamblers to some of the city’s casinos while workers toiled on the construction of an elaborate and expansive Venice-style waterway just a stone’s throw from the Mekong river.

Vehicles stop at the entrance to the Kings Romans casino, part of the Golden Triangle Special Economic Zone, in Laos along the Mekong river in the Golden Triangle region bordering Thailand, Laos and Myanmar [File: Sukree Sukplang/Reuters]

While luxury construction projects – including the recently completed Bokeo International Airport – speak to the vast amounts of money flowing through this mini casino city, it is inside the grey, nondescript tower blocks dotted around the economic zone where the lucrative online scam trade occurs.

Within these tower blocks, thousands of trafficked workers from all over the world – just like Khobby – are reported to spend up to 17 hours a day working online to dupe unsuspecting “clients” into parting with their money.

The online swindles vary widely: from investing money in fake business portfolios to paying false tax bills that appear very real, and from trading phoney cryptocurrency to being caught in online romance traps.

Anti-trafficking experts say most of the workers are deceived into leaving their home countries – such as nearby China, Thailand and Indonesia or as far away as Nigeria, Ghana, Uganda and Ethiopia – with the promise of decent salaries.

New high-rise buildings are being constructed rapidly in the GTSEZ in Laos [Ali MC/Al Jazeera]

Online ‘butchering’

Khobby told how his “data entry” job was, in fact, a scam known in the cybercrime underworld as “pig butchering”.

This is where victims are identified, cold-called or messaged directly by phone in a bid to establish a relationship. Trust is built up over time to the point where an initial investment is made by the intended victim. This can be, at first, a small amount of the victim’s money or emotions in the case of fake online relationships.

There are small rewards on the investments, Khobby explained, telling how those in the industry refer to their victims as pigs who are being “fattened” by trust built up with the scammers.

That fattening continues until a substantial monetary investment is made in whatever scam the victim has become part of. Then they are swiftly “butchered”, which is when the scammers get away with the ill-gotten gains taken from their victims.

Once the butchering is done, all communications are cut with the victims and the scammers disappear without leaving a digital trace.

Myanmar police hand over five telecom and internet fraud suspects to Chinese police at Yangon International Airport in Yangon, Myanmar, in August 2023 [Chinese embassy in Myanmar/Xinhua via AP]

According to experts, cyber-scamming inside the GTSEZ boomed during the 2019 and 2020 COVID lockdowns when restrictions on travel meant international visitors could not access the Kings Romans casino.

In the years since, the cyber-scam industry has burgeoned and physically transcended borders to become one of the dominant profit-making illicit activities in the region, not only in the GTSEZ in Laos but also in neighbouring Cambodia and in conflict-ridden Myanmar.

Though not as elaborate as the GTSEZ, purpose-built cyber-scam “compounds” have proliferated in Myanmar’s border areas with Thailand.

The Center for Strategic and International Studies estimates that cyber-scamming in Southeast Asia generates tens of billions annually, while the United States Institute of Peace equates the threat to that of the destructive fentanyl trade.

“Cyber-scam operations have significantly benefitted from developments in the fintech industry, including cryptocurrencies, with apps being directly developed for use at [cyber-scam] compounds to launder money,” said Kristina Amerhauser, of the Global Initiative against Transnational Organized Crime.

“Victims and perpetrators are spread across different countries, money is laundered offshore, operations are global,” Amerhauser told Al Jazeera, explaining that the sophisticated technology used in cyber-scamming, along with its international reach, has made it extremely difficult to combat.

The US recently imposed sanctions on Myanmar rebel leader Saw Chit Thu (centre), his two sons and the armed group he leads, the Karen National Army. The US Treasury said Saw Chit Thu and the KNU, which is based in Shwe Kokko – a so-called “Special Economic Zone” along the Thai-Myanmar border – leased land and provided security for online scam compounds [Reuters]

Complicit victims?

About 260 trafficked scam-centre workers were recently rescued in a cross-border operation between Thailand and Myanmar. Yet, even in rare instances such as this when trafficked workers are freed, they still face complications due to their visa status and their own potential complicity in criminal activity.

Khobby – who is now back in Dubai – told Al Jazeera that while he was coerced into working in the GTSEZ, he did actually receive the promised $1,200 monthly salary, and he had even signed a six-month “contract” with the Chinese bosses who ran the operation.

Richard Horsey, International Crisis Group’s senior adviser on Myanmar, said Khobby’s experience reflected a changing trend in recruitment by the criminal organisations running the scam centres.

“Some of the more sophisticated gangs are getting out of the human trafficking game and starting to trick workers to come,” Horsey said.

“People don’t like to answer an advert for criminal scamming, and it’s hard to advertise that. But once they’re there, it’s like – actually, we will pay you. We may have taken your passport, but there is a route to quite a lucrative opportunity here and we will give you a small part of that,” he said.

In this photo provided by India’s Ministry of External Affairs, Indian workers rescued after they were lured by fake job opportunities in the IT sector in Thailand arrive at the airport in Chennai, India, in October 2022 [Ministry of External Affairs via AP]

The issue of salaries paid to coerced and enslaved workers complicates efforts to repatriate trafficking victims, who may be considered complicit criminals due to their status as “paid” workers in the scam centres, said Eric Heintz, from the US-based anti-trafficking organisation International Justice Mission (IJM).

“We know of individuals being paid for the first few months they were inside, but then it tapers off to the point where they are making little – if any – money,” Heintz said, describing how victims become “trapped in this cycle of abuse unable to leave the compound”.

“This specific aspect was a challenge early on with the victim identity process – when an official would ask if an individual previously in the scam compound was paid, the victim would answer that initially he or she was. That was enough for some officials to not identify them as victims,” Heintz said.

Some workers have also been sold between criminal organisations and moved across borders to other scam centres, he said.

“We have heard of people being moved from a compound in one country to one in another – for example from Myawaddy to the GTSEZ or Cambodia and vice versa,” he said.

Khobby said many of the workers in his “office” had already had experience with scamming in other compounds and in other countries.

“Most of them had experience. They knew the job already,” he said.

“This job is going on in a lot of places – Thailand, Laos, Myanmar. They were OK because they got paid. They had experience and they knew what they were doing,” he added.

‘What are we here for? Money!’

High-school graduate Jojo said she was working as a maid in Kampala, Uganda, when she received a message on the Telegram messaging app about an opportunity in Asia that involved being sponsored to do computer studies as part of a job in IT.

“I was so excited,” Jojo recounted, “I told my mum about the offer.”

Jojo told how she was sent an airline ticket, and described how multiple people met her along the way as she journeyed from Kampala to Laos. Eventually Jojo arrived in the same scam operation as Khobby.

She described an atmosphere similar to a fast-paced sales centre, with Chinese bosses shouting encouragement when a victim had been ‘butchered’ and their money stolen, telling how she witnessed people scammed for as much as $200,000.

“They would shout a lot, in Chinese – ‘What are we here for? Money!’”

On top of adrenaline, the scam operation also ran on fear, Jojo said.

Workers were beaten if they did not meet targets for swindling money. Mostly locked inside the building where she worked and lived, Jojo said she was only able to leave the scam operation once in the four months she was in the GTSEZ, and that was to attend a local hospital after falling ill.

Fear of the Chinese bosses who ran the operation permeated not only their workstations but also the dormitory where they slept.

“They told us ‘Whatever happens in the room, we are listening’,” she said, also telling how her co-workers were beaten when they failed to meet targets.

“They stopped them from working. They stopped them from coming to get food. They were not getting results. They were not bringing in the money they wanted. So they saw them as useless,” she said.

“They were torturing them every day.”

Khobby and Jojo said they were moved to act in case it was their turn next.

When they organised a strike to demand better treatment, their bosses brought in Laotian police and several of the strikers – including Jojo and Khobby – were taken to a police station where they were told they were sacked.

They were also told they would not be paid what was owed in wages and their overseers refused to give their passports back.

Khobby said he was left stranded without a passport and the police refused to help.

“This is not about only the Chinese people,” Khobby said. “Even in Vientiane, they have immigration offices who are involved. They are the ones giving the visas. When I got to Laos, it was the immigration officer who was waiting for me. I didn’t even fill out any form,” he said.

The international immigration checkpoint in the GTSEZ [Al Jazeera/Ali MC]

With help from the Ghanaian embassy, Khobby and Jojo were eventually able to retrieve their passports, and with assistance from family and friends, they returned home.

The IJM’s Heintz said that target countries for scammer recruitment – such as those in Africa – need better awareness of the dangers of trafficking.

“There needs to be better awareness at the source country level of the dangers associated with these jobs,” he said.

Reflecting on what led him to work up the courage to lead a strike in the scam centre, Khobby considered his childhood back in Ghana.

“I was a boy who was raised in a police station. My grandpa was a police commander. So in that aspect, I’m very bold, I have that courage. I like giving things a try and I like taking risks,” he said.

Jojo told Al Jazeera how she continues to chat online with friends who are still trapped in scam centres in Laos, and who have told her that new recruits arrive each day in the GTSEZ.

Her friends want to get out of the scam business and the economic zone in Laos. But it is not so easy to leave, Jojo said.

“They don’t have their passports,” she said.

UK retailer M&S puts cyberattack cost at $400m as disruptions continue | Cybercrime News

Disruption from the ‘highly sophisticated and targeted cyber attack’, first reported around Easter weekend, continues.

British retailer Marks & Spencer estimates that a cyberattack that stopped it from processing online orders and left store shelves empty will cost it about 300 million pounds ($403m).

The company said in a business update (PDF) on Wednesday that disruption from the “highly sophisticated and targeted cyber attack,” which was first reported around the Easter weekend, is expected to continue until July.

Online sales of food, home and beauty products have been “heavily impacted” because the company, popularly known as M&S, had to pause online shopping.

The attack on one of the biggest names on the United Kingdom high street forced M&S to resort to pen and paper to move billions of pounds of fresh food, drinks and clothing after it switched off its automated stock systems.

That led to bare food shelves and frustrated customers, denting profits.

A month on, M&S’s large online clothing service remains offline, and the attack has wiped more than a billion pounds off its stock market value.

Chairman Archie Norman said the timing of the attack was unfortunate as M&S, which has been implementing a comprehensive turnaround plan since 2022, had been starting to show its full potential.

“But in business life, just as you think you’re onto a good streak, events have a way of putting you on your backside,” he said.

M&S, which has 65,000 staff and 565 stores, said the hack would cost about 300 million pounds ($403m) in lost operating profit in its year to March 2026, although it hopes to halve that impact through insurance, cost control and other actions.

Chief executive Stuart Machin said the company is focused on recovery and restoring its systems and operations.

“This incident is a bump in the road, and we will come out of this in better shape,” Machin said. He did not provide any details on the attack or who might be behind it.

Earlier this month, the company said customer personal data, which could have included names, emails, addresses and dates of birth, was taken by hackers in the attack.

Two other British retailers, luxury London department store Harrods and supermarket chain Co-op, have also been targeted by cyberattacks at around the same time.
