- Key insight: The DOJ seized a domain used by a Myanmar-based syndicate, marking the first major victory for the new Scam Center Strike Force.
- Expert quote: "American consumers are under attack from sophisticated criminal networks ... to the tune of over $12 billion per year," says BPI's Heather Hogsett.
- What's at stake: While the DOJ can secure warrants to seize domains, banks face legal hurdles and "bulletproof" hosts that make private takedowns nearly impossible.
Overview bullets generated by AI with editorial review
Federal authorities have seized a website domain used by a transnational organized crime syndicate to launder victim funds through a massive cryptocurrency investment fraud scheme, marking the first major victory for a newly formed Department of Justice task force.
The operation, which targeted a scam compound in Myanmar known as "Tai Chang," highlights the evolving pig butchering schemes that compliance officers must monitor while simultaneously underscoring the legal and logistical hurdles banks face when attempting to disrupt fraudulent infrastructure.
The seized domain, tickmilleas.com (which now displays a notice from the FBI and Department of Justice), was part of a sophisticated scheme designed to appear to be a legitimate brokerage firm, according to
The perpetrators, operating out of the Tai Chang compound in Kyaukhat, Myanmar — an area controlled by the armed group Democratic Karen Benevolent Army — utilized a "long con" approach known as pig butchering.
Scammers contact victims on dating sites or social media and groom them over weeks to build trust, a tactic fraudsters refer to as "fattening" the pig before the slaughter.
In this case, once trust was established, the scammers directed victims to the fraudulent tickmilleas.com site or mobile applications available on the Google and Apple app stores, such as BTNEmax and ReviseMate, which have since been removed, according to
For financial institutions monitoring transaction flows, the money laundering methodology detailed by investigators is notable. Victims were instructed to convert fiat currency into cryptocurrency at U.S.-based exchanges and transfer the assets to specific wallets controlled by the syndicate.
The site displayed fictitious returns to encourage further investment. Behind the scenes, the funds were rapidly moved through multiple wallets and commingled in "consolidation wallets" to obfuscate the source and complicate tracing, according to the affidavit.
A consolidated government effort against scams
The seizure was spearheaded by the new Scam Center Strike Force, an interagency effort led by the U.S. Attorney for the District of Columbia involving the FBI, Secret Service and Homeland Security Investigations.
The initiative aims to dismantle the infrastructure of scams that the FBI estimates cost Americans more than $16 billion last year.
Banking trade groups rallied behind the initiative after it was announced last month. The groups view the task force as a necessary federal escalation to complement private sector fraud prevention.
"[The American Bankers Association] has long called for a whole-of-government approach to combating the global challenge, and today's announcement marks an important step forward in that effort," said Rob Nichols, president and CEO of the American Bankers Association, in a press release.
Similarly, the Bank Policy Institute emphasized the financial scale of the threat. "American consumers are under attack from sophisticated criminal networks and hostile nation-states to the tune of over $12 billion per year," said Heather Hogsett, executive vice president and head of the tech policy arm of the Bank Policy Institute.
Warrants and registrar friction
While the strike force's action against tickmilleas.com was successful, it illustrates the high legal bar often required to take down malicious infrastructure.
The seizure required a federal warrant issued by the U.S. District Court for the District of Columbia, directing the domain registry, Verisign, to redirect the URL to a law enforcement splash page.
For banks attempting to mitigate brand abuse or phishing attacks against their own customers, the process is rarely this definitive. Domain registrars — the entities that sell domain names — often refuse to take down websites without a court order, citing liability concerns or a lack of authority to adjudicate fraud.
According to
While registrars may act on clear technical abuse such as malware, they often view fraud or trademark infringement on a website as content disputes best resolved through the courts or arbitration.
Furthermore, legal mechanisms such as the Digital Millennium Copyright Act, or DMCA, allow for the swift takedown of copyright-infringing material but do not explicitly cover general fraud or trademark violations unless there is overlapping copyright infringement, according to
The 'bulletproof' challenge
The tickmilleas.com seizure involved Verisign, a well-known, U.S.-based registry that appears to have fully cooperated with the court order to revoke the domain registration.
However, financial institutions increasingly face more secretive, noncooperative registrars and so-called "bulletproof" hosting providers, which specifically shield criminal actors from takedowns.
These providers market an assurance to fraudsters that they will refuse to engage in good faith with legal processes such as subpoenas or court orders, according to
Even when they do engage, some bulletproof providers "impose onerous documentation requirements before accommodating a third-party (i.e., law enforcement) takedown request," effectively stalling disruption efforts while the fraud continues, according to the CISA guidance.
For bank information security teams, the challenge is compounded by the technical agility of these providers. Bulletproof infrastructure is often integrated into legitimate networks to mask its nature. When defenders do manage to block a specific network pathway, the providers adapt rapidly.
To cope with these uncooperative vendors, CISA recommends that network defenders curate lists of "high confidence" malicious internet resources to filter out traffic.
However, because bulletproof infrastructure often sits alongside legitimate traffic, banks must apply a "nuanced approach" to filtering to avoid disrupting valid customer transactions, according to the guidance.
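The filtering approach described above, sketched as an added example that is not taken from the article or the CISA guidance: traffic is dropped only for high-confidence indicators, while broad ranges that sit inside shared infrastructure are downgraded to an alert. The indicator entries, the threshold of 90 and the shared-range policy are assumptions; all addresses are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network
    confidence: int  # 0-100, assigned by the analyst or feed (assumed scale)
    source: str

# Constructed sample blocklist (RFC 5737 documentation ranges, not real IoCs).
BLOCKLIST = [
    Indicator(ipaddress.ip_network("203.0.113.0/28"), 95, "internal-ir"),
    Indicator(ipaddress.ip_network("198.51.100.0/24"), 60, "vendor-feed"),
    Indicator(ipaddress.ip_network("192.0.2.64/26"), 90, "vendor-feed"),
    Indicator(ipaddress.ip_network("192.0.2.77/32"), 95, "internal-ir"),
]

# Hypothetical ranges known to also carry legitimate customer traffic.
SHARED_LEGIT = [ipaddress.ip_network("192.0.2.0/24")]

HIGH_CONFIDENCE = 90  # assumed cut-off for "high confidence"

def decide(ip_text):
    """Return 'block', 'alert' or 'allow' for one destination address."""
    ip = ipaddress.ip_address(ip_text)
    verdict = "allow"
    for ind in BLOCKLIST:
        if ip not in ind.network:
            continue
        shared = any(ind.network.subnet_of(n) for n in SHARED_LEGIT)
        broad = ind.network.prefixlen < 32
        # Block only when confidence is high AND the entry is not a broad
        # range inside infrastructure shared with legitimate traffic.
        if ind.confidence >= HIGH_CONFIDENCE and not (shared and broad):
            return "block"
        verdict = "alert"  # matched, but not safe to drop outright
    return verdict

def screen(dest_ips):
    """Group a batch of destination addresses by filtering decision."""
    out = {"allow": [], "alert": [], "block": []}
    for ip in dest_ips:
        out[decide(ip)].append(ip)
    return out

if __name__ == "__main__":
    print(screen(["203.0.113.5", "198.51.100.9", "192.0.2.70",
                  "192.0.2.77", "192.0.2.200"]))
```

The "alert" tier is where shared-infrastructure matches go for analyst review, so a single bad tenant does not take down a range that valid customers also use.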
Other potential strategies include:
- Upstream pressure: contacting the upstream network providers or data centers hosting the bulletproof servers.
- Reputation filtering: submitting the malicious domain to threat intelligence platforms (such as VirusTotal or Google Safe Browsing) to ensure browsers flag the site as dangerous, effectively cutting off victim traffic even if the site remains live.
- Payment blocking: monitoring for transactions directed toward known high-risk crypto wallets or exchanges associated with these scams.
As the Scam Center Strike Force ramps up operations, the banking industry can expect more federal seizures of crypto-fraud domains.
However, save for changes to the laws that govern internet infrastructure, financial institutions will likely remain the first line of defense in identifying and blocking the payments that fuel these compounds.





