Starlink: An Internet Lifeline for Scam Compounds
Published by The Lawfare Institute
in Cooperation With
Editor's Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.
Starlink: An Internet Lifeline for Scam Compounds
Starlink is being used to keep forced labor scam compounds in Myanmar online after their internet access was cut by Thai authorities, according to a report in Wired.
We'd love Starlink's parent company, SpaceX, to do something about this, but we're not holding our breath.
In Southeast Asia, hundreds of thousands of people are forced by organized criminal gangs to carry out so-called "pig butchering" scams. These modern slavery compounds cause immense human suffering and generate billions of dollars in annual revenue.
In an effort to disrupt scam compounds in Myanmar near the Thai border, the Thai government has been cutting their electricity and internet access in cooperation with telecommunication providers. In response, the syndicates have installed Starlink terminals. Per Wired:
Reports of the use of Starlink at [the] Tai Chang [scam compound] are not a one-off—criminals running multibillion-dollar empires across Southeast Asia appear to be widely using the satellite internet network. At least eight scam compounds based around the Myanmar-Thailand border region are using Starlink devices, according to mobile phone connection data reviewed by WIRED. …
The eight compounds, spread around the Myawaddy region of war-torn Myanmar, likely have installed multiple Starlink devices. Photos of Tai Chang reviewed by WIRED appear to show dozens of white Starlink satellite dishes on a single rooftop, while human rights watchdogs and other experts say that Starlink use at the scam compounds has increased in the past year.
Last May, Thai authorities seized 134 Starlink receivers they believed were destined for scam compounds.
Wired reported that requests from both a U.S. district attorney and a Thai politician for SpaceX to voluntarily disable Starlink internet access to specific scam compounds have, so far, amounted to nought.
Starlink is not available for purchase in Thailand or Myanmar. Its availability map says service in Thailand is "pending regulatory approval." Myanmar's service date is "unknown at this time."
While Starlink has historically worked in countries where the company is not authorized by telecoms regulators to do business, that seems to be changing … gradually. In April 2024, Starlink warned customers in Africa that it would shut down service in regions where the service wasn't allowed. Per Techpoint Africa:
In the email, the company explained that it intended its regional and global roaming plans for temporary use by customers who are travelling and in transit, not for permanent use in locations in unauthorised areas.
Starlink gave subscribers a two-month grace period to either update their subscription to a new location or return their terminals to their authorized home countries.
But enforcement after Starlink's deadline passed was haphazard. A majority of Starlink users in unauthorized regions were still able to access the service.
Starlink has also failed to selectively restrict access to its service during the war in Ukraine. Early in the invasion, Starlink provided a clear advantage to Ukraine as it was not available to Russian forces.
However, in October 2024, the Washington Post reported SpaceX was not cracking down on Russian forces' use of Starlink in Ukraine. The Post described "a burgeoning black market" that sourced terminals for Russian forces as "an important factor in Russia's recent [military] gains."
Cleanly blocking Russian use of Starlink is difficult for a couple of reasons. Starlink can disable terminals either based on their unique identifiers or by "geofencing," where it denies service to specific areas.
The front line is fluid, and there needs to be some wiggle room to allow Ukrainian forces to advance, so a geofence that meets Ukrainian needs will also allow at least some Russian use. It's also hard to assign particular terminals at the front line to one side or the other based solely on their location.
Per the Washington Post:
One person familiar with Starlink said that the company is technically capable of identifying the location of active terminals based on their pings up to satellites, but that it can be challenging to discern the user in the "forward edge of the battle area," where Ukrainian and Russian troops are operating.
The point here is that even with a strong incentive, SpaceX didn't restrict Russian forces' use of Starlink. Beyond the moral imperative to assist defenders facing an unjust invasion, these incentives included a $537 million contract to provide services to Ukraine's military, the Biden administration’s making representations to SpaceX on behalf of Ukraine, and the potential for military contracts worth billions more.
To us, the overall picture here is of a company that lacks the willingness and the internal processes to limit its service to the regions it is allowed to operate in, and to enforce its terms of service against abuse. (And yes, running a modern slavery compound is against Starlink's Acceptable Use Policy.)
We can see how this might have unfolded as Starlink grew. Why would a startup devote time and effort to block subscribers when that would suppress growth? Rigorously limiting Starlink's use to authorized countries would also undercut its marketing as a global telecommunications solution.
The upshot here is that dealing with terms-of-service violations isn't SpaceX's forte. What levers will get the company to pay attention here? And what will it take for SpaceX to regularly identify and boot off harmful customers like scam compounds?
Taking known scam compounds offline would be good, but having an ongoing process to identify and remove the most abusive users of Starlink would be even better.
The Thai government also has some leverage here, as regulatory approval for Starlink to operate in the country is still pending. From a Thai point of view it would seem counterproductive if Starlink terminals are sold in your country and immediately shipped across the border to be used in compounds that are damaging Thailand's reputation and national security.
It's not clear how high a priority international problems like scam syndicates will be for the Trump administration. And SpaceX CEO Elon Musk's closeness to President Trump also feels like a wild card.
Ultimately, nobody wins if these scam compounds continue operating. Except the crime syndicates, and maybe a small bump to SpaceX's bottom line.
Trump-Putin Bromance Raises Five Eyebrows
Five Eyes countries are likely to at least reassess some of their intelligence sharing practices given recent policy changes made by the Trump administration that are favorable to Russia.
Let’s look at the list so far:
- President Trump's blow-up with Ukraine's President Volodymyr Zelenskyy.
- Halting military aid to Ukraine.
- Pausing U.S. Cyber Command operations against Russia.
- Deprioritizing Russian cyber threats at the Cybersecurity & Infrastructure Security Agency (CISA).
- Attorney General Pam Bondi’s disbanding of the FBI's Foreign Influence Task Force and a task force targeting Russian oligarchs close to the Kremlin.
- Placing CISA officials who had worked on election-related disinformation on administrative leave.
The administration has denied that U.S. Cyber Command paused Russian operations or that there has been a change in priorities at CISA. Risky Business News and Kim Zetter's Zero Day both have excellent coverage breaking down the separate reports. This is covered more later in the newsletter.
Speaking on the Deep State Radio podcast, Marc Polymeropoulos, a former CIA Senior Intelligence Service officer, said he was "absolutely convinced" the administration's actions will result in less intelligence sharing, particularly from British human intelligence (HUMINT) sources who collect information about Russia.
Polymeropoulos said that Trump's actions, coupled with Director of National Intelligence Tulsi Gabbard's "very sympathetic" views on Russia, will mean that other Five Eyes countries' intelligence services will decide that "you can't trust the U.S."
This is particularly important for HUMINT agencies, where keeping sources (as in, agents) safe is a prerequisite for long-term success. Screwing up and getting agents killed or arrested drastically limits the agency’s ability to recruit sources down the line.
"You have a sacred bond with your agent. If you're at the British Secret Intelligence Service and you can't trust the United States … they're going to incrementally stop sharing," Polymeropoulos said.
Another former HUMINT officer wasn’t so sure. Speaking to Seriously Risky Business, he described Polymeropoulos's conclusion as a "slightly long bow to draw." He noted that the agencies had a decades-long history of relatively successful collaboration. If he were at the helm, he said, he wouldn't be taking any immediate action.
Still, he thought there "was a lot to be concerned about" and that "you'd be nuts not to think about it."
The officer highlighted the summary firing of people in the intelligence community and the arbitrary nature of White House behavior as giving the overall impression that "nothing is off limits" and that "alliances are just marriages of convenience." He also noted that, from an Australian perspective, all that "coercive stuff," like withdrawing military aid from Ukraine and imposing tariffs on friendly nations, is "not that different from tactics that we've called out [dealing with Chinese state behavior]."
Although he wouldn't take any immediate action if he were in charge, he'd "ostensibly invest in housekeeping" and strengthen security practices.
All this may not cause an immediate change to intelligence sharing, but the warning lights are flashing red.
The "Logic" of U.S. Cyber Command's Russia Stand-Down, Which Either Did Happen or Didn't Happen
Several contested reports have claimed that the U.S. secretary of defense, Pete Hegseth, ordered U.S. Cyber Command to halt current cyber operations targeting Russia. Although this was interpreted by some as "throwing away leverage," there is an internal logic to the decision.
Jason Kitka, a former Cyber Command official, told Zero Day that:
[H]alting offensive cyber operations and information operations against a country during negotiations with that country is normal. "Not exactly standard, but common enough," he said.
Additionally, if you are going to halt anything, offensive Cyber Command operations are as good a choice as any. In the current environment, where the U.S. would like to avoid direct escalation with Russia, these are likely to be irritants rather than operations that would lead directly to a decisive strategic advantage.
It is, in other words, throwing Russia a bone.
The stand-down was originally reported by the Record, then confirmed the next day by the Washington Post and later by the Associated Press, which wrote that "a U.S. official, speaking on condition of anonymity to discuss sensitive operations, on Monday confirmed the pause" (emphasis added).
Shortly after the AP report, the Department of Defense (DoD) denied the operational pause.
Kim Zetter's Zero Day has excellent reporting covering the response from Ellen Nakashima, the Washington Post's intelligence and national security reporter, who stands by her initial reporting. Per Zero Day:
Nakashima believes the DoD denial was aimed at the public's perception that they were standing down much bigger Russian ops that would, if halted, put the U.S. at a big security disadvantage. But they weren't engaging in these types of operations against Russia anyway, she noted.
Three Reasons to Be Cheerful This Week:
California enforces data broker rules: The California Privacy Protection Agency (CPPA) announced that it reached a settlement with data broker Background Alert, which agreed to shut down its operations for three years. Background Alert had failed to register its business with the CPPA. The Record has further coverage.
Cross-platform Passkeys get easier: Ars Technica describes how to use Google Password Manager (GPM) to enable cross-platform syncing if you use Chrome on iOS. This helps to address the issue of passkeys created on Windows being unable to sync to Apple's ecosystem and vice versa. Ars Technica reports that GPM even works with standalone iOS apps including eBay and LinkedIn.
Hacker "Desorden" arrested in Thailand: A Singaporean hacker, known as Desorden, ALTDOS, GHOSTR, and 0mid16B, has been arrested in Thailand. He is alleged to be responsible for the hacking of more than 50 firms internationally. DataBreaches.Net has more coverage.
Risky Biz Talks
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq take a deep dive into incident response reports from Chinese cybersecurity firms that attribute the hack of one of the country's top seven defense universities to the U.S. National Security Agency.
From Risky Biz News:
nRootTag turns any Bluetooth device into an AirTag: A team of academics has found a way to remotely turn any Bluetooth-capable device into an AirTag tracker.
The technique is named nRootTag and abuses how Apple's FindMy network indexes AirTags and searches for tracked or lost devices.
In normal circumstances, when a user pairs an AirTag to their account, Apple takes the AirTag's Bluetooth signal and generates a cryptographic private-public key pair. When the user wants to find the AirTag's location, the FindMy network queries for the public key associated with that Bluetooth signal and then notifies the owner of its location.
The nRootTag technique works by using cloud computing power to infer what would be the private key of any public Bluetooth signal.
This allows attackers to take any device's Bluetooth signal, compute a possible private key, feed it to Apple's FindMy servers, and then get back that device's location.
[more on Risky Business News]
Cellebrite bans bad boy Serbia: Israeli hacking tools maker Cellebrite has banned the Serbian government from using its products, citing misuse of its technology.
The company's decision comes after an Amnesty International report last December accused Serbian law enforcement of using Cellebrite tools to unlock phones and install spyware on the devices of anti-government dissidents and journalists.
Amnesty says this usually happened while victims were being interrogated by police. Their phones were taken away and then returned to them with spyware installed.
[more on Risky Business News]