China may be trying to stem the tide of scams coming out of Southeast Asia, but it seems the country is doing so selectively, focusing primarily on those that affect their citizens but not the ones that target Americans. 

That’s a failing that has “led to a wave of scam center ‘alumni’ setting up shop in China,” according to a report from the U.S.-China Economic and Security Review Commission.    

The commission notes that “in 2024, Chinese authorities prosecuted approximately 78,000 people for online fraud—a 54% increase over the previous year.” 

It’s difficult not to see China’s selective approach as anything but political, and there is some truth to that. The report says as much.  

But it is also true that the flood of scams is too great for the country—or any country—to dam. And despite publishing a list of 100 high-level criminals wanted for scams that targeted Chinese citizens and offering a reward for information, the country is failing to stem the tide. Though the efforts did help China snare notorious scam “kingpin” Chen Zhi, who was indicted by the U.S., after the “most wanted” list and reward were posted, Chinese officials were able to get him extradited from Cambodia. “However, Beijing continues to turn a blind eye to criminal activity targeting foreigners,” the report said. 

That troubles American authorities, who saw American losses from Chinese criminal group-operated industrial-scale scam centers top $10 billion in 2024. So the U.S. government has taken matters into its own hands, sanctioning criminal leaders and creating an Interagency Scam Center Strike Force. But even that can’t pull authorities ahead of the scammers who “are embracing advanced technologies and exploiting cryptocurrency to launder stolen assets across national borders with virtual impunity,” the report said. 

And of course, AI is making it easier for the cybercriminals, who are using it to scale operations, boost the sophistication of scams, and evade tried and true detection methods. These AI-powered scams, the report found, make it difficult for even the most discerning potential victims to distinguish fact from fraud. 

Noting that “Chinese-nexus cyber activity has evolved in four phases over the past two decades,” research from Darktrace shows today it is “defined by scale, operational restraint, and persistence.” 

While “attackers are establishing access, evaluating its strategic value, and maintaining it over time,” the research finds “a broader shift: cyber operations are increasingly integrated into long-term economic and geopolitical strategies. Access to digital environments, specifically those tied to critical national infrastructure, supply chains, and advanced technology, has become a form of strategic leverage for the long-term.”   

Trey Ford, chief strategy and trust officer at Bugcrowd, says China “has built a proof of concept for adversarial industrialization: Scripted social engineering at scale, multilingual workforce expansion, and money laundering infrastructure embedded in legitimate financial systems.”  

And that can’t be stopped by a configuration change. “What stops it is continuous human intelligence, behavioral detection at the transaction layer, and law enforcement cooperation that doesn’t depend on one actor’s domestic political incentives,” he says. 

Nathaniel Jones, vice president, security and AI strategy and field CISO at Darktrace, says the company’s recent research shows that Chinese-nexus activity follows two operational models–“smash and grab” and low and slow. The former “are short-horizon intrusions optimized for speed. Attackers move quickly – often exfiltrating data within 48 hours – and prioritize scale over stealth. The median duration of these compromises is around 10 days. It’s clear they are willing to risk detection for short-term gain,” he says.   

The latter operations were less prevalent in Darktrace’s dataset, “but potentially more consequential,” with attackers prioritizing “persistence, establishing durable access through identity systems and legitimate administrative tools, so they can maintain access undetected for months or even years.” 

The scams most dangerous to U.S. citizens are “pig-butchering (investment fraud layered on manufactured romantic trust) and crypto investment fraud, says Ford. 

But “China isn’t targeting those because the incentive structure doesn’t require it,” he explains.  

“As one U.S.-China Economic and Security Review Commission member put it at a Senate hearing, Beijing has ‘selectively’ cracked down, “largely turning a blind eye to scam centers victimizing foreigners,” with the result that Chinese criminal syndicates have been incentivized to shift toward targeting Americans,” says Ford. “Framed differently: this is not ambivalence, it is a rational enforcement strategy calibrated to domestic political risk.” 

While the U.S. government has taken some action, “what hasn’t happened is sustained diplomatic pressure that changes Beijing’s incentive calculation,” he says, explaining that “targeted sanctions and individual indictments do not alter the underlying governance structure that makes these operations viable.”  

Because the U.S. leverage on China in this domain “is constrained by the same geopolitical dynamics shaping every other bilateral conversation,” Ford says, “organizations should not plan around a near-term diplomatic fix.” 

 Instead, he says, they should: 

• Treat social engineering as an infrastructure problem, not a training problem. Pig-butchering attacks operate over weeks or months, building trust before any financial ask appears. Annual phishing awareness sessions don’t address that threat model. 

• Harden the financial transaction layer specifically. The terminal event in almost every investment fraud scheme is a wire transfer or crypto send that could have been interrupted with verification controls. 

• Brief employees on the specific mechanics: manufactured relationship, engineered urgency and off-platform movement to private apps. The playbook is consistent. Recognizing the pattern is the control. Most corporate trainings don’t go far enough in training how to detect these patterns. 

• For executive and high-net-worth individuals, the personal and professional attack surfaces are no longer separate. These scams increasingly target people in their personal lives to create leverage or access in their professional ones. 

• Consider continuous third-party validation of your organization’s social engineering exposure, not self-assessed controls – there is scale economy in terms of diversity of perspective, keeping content fresh, and making all of this more effective.