Network Scam Hunter

Analysis of Wireless Signals to Identify Suspected Scam Centers in Sihanoukville, Cambodia

Executive Summary

A survey of 112,312 Wi‑Fi, Bluetooth and cellular detections pinpoints an industry that has colonized the city in four distinct formations. Two mega‑hubs dominate the map. One occupies a single downtown hotel‑casino block and radiates ~1,827 unique devices (density 10x higher than any neighboring block). Another spreads across the coastline with ~1.3 thousand devices, half of them concealed behind ~244 hidden SSIDs. North‑east of the city, a third formation of 600-800 devices is clustered among warehouse‑style buildings within the special‑economic zone. Forty satellite pockets (100-750 devices each) dot residential and commercial streets, representing a multilayered ecosystem rather than a single compound.

Inside some hubs the wireless fabric resembles a repurposed hotel network writ large. Catalogued across the surveyed areas are 34,924 Wi‑Fi access points: nearly 500 broadcast no name, 1,100+ are wide‑open, and over 3,100 still advertise WPS (a low‑security protocol). A single building can field 90‑plus routers under one SSID, while default phone hotspots such as “iPhone” or “OPPO A5” indicate possible workarounds. Hardware identifiers converge on Chinese vendors: TP‑Link (15%), Huawei (8%), Ruijie (7%), iKuai, Mercury. There are ~10.7 thousand Bluetooth/BLE devices, the majority unnamed but repeatedly reporting OPPO, Redmi, and Samsung models, implying multiple devices per operator.

Human patterns emerge in the signals’ movement. Roughly 95% of devices never stray beyond a 100‑metre radius. A smaller cadre (about 2%, equating to 100+ Bluetooth devices and 700+ Wi‑Fi identifiers) shuttles between the downtown, port‑side, and Special Economic Zone sites, revealing the connective tissue of management. Paired travel events, where two or three devices depart and arrive together, hint at convoy‑style oversight. Even rarer iPhone signatures among a sea of mid‑tier Androids likely mark senior coordinators embedded in the hierarchy.

Collectively, these data points chart a living infrastructure: high‑rise hotels; casino resorts masking thousands of concealed routers; industrial warehouses with oversubscribed hotspots; and a steady pulse of overseer devices. Specific coordinates, vendor footprints, and device behavior provide a baseline for intelligence, law enforcement, or report development.

 

Scam Center Location Identification

Geospatial Analysis

Our team conducted a city-wide survey of wireless emissions (Wi-Fi access points, Bluetooth beacons, BLE devices, and cellular signals) and plotted their locations. The vast majority of detected devices were sparsely distributed. However, as we moved through the city, we encountered pockets of intense signal density. These pockets were not random; they often corresponded to known commercial complexes (hotels, casinos) suspected to house cyber-scam operations. By clustering device coordinates, we identified a handful of distinct high-density zones:

  • Downtown Cluster: The signal composition was roughly 1309 Wi-Fi APs and 500 Bluetooth devices in close proximity, alongside a few cellular base signals. Such a concentration suggests a large building or compound repurposed into a scam center. Indeed, the SSIDs match hotel-casino complexes. Over 200 Wi-Fi networks were hidden (SSID not broadcast). The devices in this cluster remained largely static in place over days of observation, reinforcing that this is a fixed site. This downtown cluster likely represents a primary scam hub.
  • Western Beachfront Cluster: Between 1,200 and 1,300 devices were detected in this area. The presence of over 1,000 Wi-Fi signals in and around an ostensibly single complex strongly suggests this location is also a scam center, likely occupying a large resort or casino building. Numerous hidden SSIDs (~244) were observed here as well, alongside Bluetooth devices (~217), indicating many personal devices concentrated on-site. The static nature of these signals implies a stable base of operations. Given that this area is somewhat separated from downtown, it may represent a second major scam compound. The use of a known casino’s infrastructure hints that criminal groups repurpose existing hospitality facilities. This is a pattern consistent with regional cyber-scam operations utilizing casinos and hotels.
  • Northern Industrial/Special Economic Zone (SEZ) Cluster: This cluster encompassed several hundred devices (600–800+) spread across an industrial park or special economic zone. The device density was lower than the Downtown and Western Beachfront clusters but still far above normal. A smaller number of Wi-Fi networks (many hidden) and Bluetooth signals were concentrated in compounds, suggesting one or more mid-sized scam operations operating in warehouse-like or campus facilities. This could correspond to known special economic zones that have been implicated in cybercrime compounds in Cambodia’s recent crackdowns. The signals in this area were again stationary over time, indicating established sites. The slightly more distributed nature of this cluster may mean several adjacent buildings each host separate scam offices or a single large compound with multiple blocks.
  • Minor Clusters: There are approximately 40+ smaller clusters throughout the city, each with on the order of 100-300 devices. One cluster of ~750 devices was noted, and another cluster of ~500+ devices corresponds to a dense residential/commercial block south of the Downtown cluster. These secondary clusters underscore that illicit operations are fragmented across multiple city locations. Each cluster is characterized by a high ratio of networks to physical area and many devices from the same few vendors, suggesting centralized management. All clusters of interest showed a prevalence of “hidden” networks and device signals that remain in place, which differentiates them from tourist areas where the device population is transient.

In summary, the clustering of wireless signals has exposed a geographic blueprint of scam operations in Sihanoukville. These findings align with external reports that highlight cyber-scam syndicates’ locations, allowing decision-makers to move from broad awareness of the problem to a target-specific action plan if desired.
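One way to carry out the clustering step described in this section is to bin unique devices into a grid and merge touching dense cells into zones. This is an added example, not the survey team's code; the cell size, the density threshold and the sample coordinates are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

CELL_M = 100       # grid cell edge in metres (assumed)
MIN_DEVICES = 3    # dense-cell threshold (assumed; tiny to suit the sample)

# Constructed detections (device id, lat, lon); not survey data.
SAMPLE = (
    [(f"a{i}", 10.6250, 103.5230) for i in range(4)]            # compound A, block 1
    + [(f"b{i}", 10.6262, 103.5230) for i in range(3)]          # compound A, next block
    + [(f"c{i}", 10.6450, 103.5233) for i in range(3)]          # compound B, ~2.2 km north
    + [("s1", 10.6350, 103.5231), ("s2", 10.6300, 103.5232)]    # sparse background
    + [("a0", 10.6250, 103.5230)]                               # repeat sighting of a0
)

def dense_zones(detections):
    """Return dense zones as {'cells', 'devices'} dicts, largest first."""
    rows = list(detections)
    if not rows:
        return []
    lat0 = min(r[1] for r in rows)
    lon0 = min(r[2] for r in rows)
    m_per_deg = 111_320                       # metres per degree of latitude (approx.)
    lon_scale = m_per_deg * math.cos(math.radians(lat0))
    cells = defaultdict(set)                  # grid cell -> unique device ids
    for dev, lat, lon in rows:
        cx = int((lon - lon0) * lon_scale // CELL_M)
        cy = int((lat - lat0) * m_per_deg // CELL_M)
        cells[(cx, cy)].add(dev)              # a set, so repeat sightings count once
    dense = {c for c, devs in cells.items() if len(devs) >= MIN_DEVICES}
    zones, seen = [], set()
    for start in dense:
        if start in seen:
            continue
        seen.add(start)
        stack, members = [start], []
        while stack:                          # flood-fill over touching dense cells
            cx, cy = stack.pop()
            members.append((cx, cy))
            for n in ((cx + dx, cy + dy) for dx in (-1, 0, 1) for dy in (-1, 0, 1)):
                if n in dense and n not in seen:
                    seen.add(n)
                    stack.append(n)
        devices = set().union(*(cells[c] for c in members))
        zones.append({"cells": len(members), "devices": len(devices)})
    return sorted(zones, key=lambda z: z["devices"], reverse=True)

if __name__ == "__main__":
    for zone in dense_zones(SAMPLE):
        print(zone)
```

Counting unique device identifiers per cell, rather than raw detections, keeps a device that was logged many times from inflating a zone.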

Wireless Infrastructure Profiling

Internal Network Footprint: A detailed technical profile of the wireless infrastructure within each suspected scam compound reveals a sophisticated and extensive setup, akin to a corporate campus or hotel. We found thousands of Wi-Fi access points (APs) spread across the clusters, often organized into enterprise-style networks. Hidden networks are pervasive. In each major cluster there are dozens to hundreds of APs configured with no public SSID, indicating private internal networks not intended for guests or outside users. Wi-Fi security is generally enabled (WPA/WPA2), but notably we still found over 1,100 APs set as open (unencrypted) across sites.

In addition to Wi-Fi, the compounds exhibit a heavy presence of Bluetooth devices. Many Bluetooth device names correspond to smartphone models (e.g. OPPO, Redmi), and the sheer count suggests each worker might handle multiple phones, consistent with reports of scammers using 10+ phones each. We also identified some rogue or unusual network signatures. Numerous Wi-Fi hotspots named simply “iPhone” or other default names were detected, indicating personal hotspots. Cellular signals from Cambodian carriers (e.g. CamGSM/The Royal Group, Smart) blanket all sites, but no unauthorized cell towers were identified.

Overall, the wireless infrastructure points to a well-equipped operation using a mix of commercial networking gear (predominantly Chinese-made routers) and improvised personal networks. The presence of enterprise-grade Wi-Fi systems (with overlapping APs and common SSIDs) suggests that the buildings’ original networks (hotels/casinos) are being repurposed for the scam operations. Meanwhile, the abundance of hidden SSIDs and ad-hoc phone hotspots indicates an attempt to segment or conceal certain communications.

 

Technical Infrastructure Analysis

In this section we break down the wireless infrastructure in each identified cluster, highlighting patterns of the internal organization.

Density and Configuration: The scam compounds run extremely dense Wi-Fi environments. Across all clusters we catalogued 34,924 unique Wi-Fi access points (unique BSSIDs). In a single large compound, it’s common to see 50-100 APs sharing the same network name (SSID) creating a mesh or distributed coverage.

Many other SSIDs correspond to known or purported business names, giving clues to the facilities’ original purpose or cover. Either multiple venues (casino, KTV bar, hotels) inside the building have their Wi-Fi integrated, or the entire building once hosted those businesses. The co-existence of these networks in one physical cluster implies that scam complexes often occupy former hotels/casinos, using (or at least leaving active) the original Wi-Fi network names. This could be either to avoid drawing suspicion (keeping the facade of a normal hotel Wi-Fi) or simply because they took over the premises with everything left as-is.

Hidden and Rogue SSIDs: A feature of the compounds’ Wi-Fi is the prevalence of hidden networks. In each major cluster, a large fraction of APs broadcast no SSID. We tallied 203 hidden APs in the largest cluster, 140 in the next, and over 500 hidden SSIDs across all suspect sites. These hidden networks are likely the private internal Wi-Fi networks used by the scam operation, kept invisible to casual Wi-Fi users in the vicinity. Regular hotels might have a handful of hidden management networks, but a count on the order of hundreds is abnormal.

Conversely, we also observed some open, public-facing networks that seem anomalous. Over 1,100 APs (around 3% of total) were running open networks with no encryption (shown as [ESS] authentication). Examples include SSIDs like “FREE WIFI”, personal hotspots named after phones, or default home router names. The personal hotspot SSIDs are a subset of particular interest. We detected at least 55 instances of “iPhone” as an SSID, along with others like “OPPO A5” or “Galaxy Hotspot”. The fact these appear inside the compounds implies that some staff are using cellular data via personal phones to create Wi-Fi hotspots.

Hardware: Wi-Fi AP vendor analysis shows a dominance of Chinese-manufactured equipment. For example, in the downtown cluster the most common access point brands were TP-Link (~203 devices), Huawei (109), Ruijie Networks (90), iKuai (74), and Mercury and ZTE devices in smaller numbers. These are all mainstream networking brands in Asia; notably, Ruijie and iKuai indicate business-grade routers (often used in hotels or enterprises for centrally managed Wi-Fi), while Mercury and TP-Link could be either home-grade or business APs. The mix suggests that the compounds likely utilize the pre-existing hotel Wi-Fi systems and may have been supplemented with cheaper routers (TP-Link, Mercury) to extend coverage or create hidden networks. The presence of Sundray and Yunlink devices was also noted (Chinese WLAN providers).

Bluetooth and BLE Devices: The compounds are also saturated with Bluetooth signals, though these appear to be personal devices rather than infrastructure. We cataloged over 10,700 Bluetooth/BLE detections, corresponding to roughly 7,000 unique devices. The majority of Bluetooth devices had no human-readable name (this is normal). Over 5,500 appear simply as ‘Hidden’ or unnameable, which often means they are either using default chipset IDs or are not in discoverable mode. However, among those named, the patterns are revealing. Common smartphone names like “OPPO A17”, “OPPO F11 Pro”, “OPPO A5s”, “Redmi” and “Samsung Galaxy” appear repeatedly. OPPO (Chinese phone brand) shows up frequently; e.g. multiple devices broadcasting “OPPO Reno6 Z 5G” or “OPPO A53” were present.

There were also a few Bluetooth devices hinting at other equipment. “BT-Car” and “CarKit” devices (car audio systems or Bluetooth adapters in vehicles) were present during the survey. It’s possible security or management personnel on-site have vehicles with Bluetooth. Additionally, one device named “BYD BLE3” was detected ~22 times (Build Your Dreams (BYD) is a Chinese electric vehicle company). While peripheral to the technical infrastructure analysis, it does underscore that vehicles at these sites might be identifiable via their Bluetooth signatures.

Cellular Signals: Our survey also identified cellular base station signals (GSM) around the compounds. All the cell signals detected corresponded to legitimate Cambodian telecom operators, primarily CamGSM (Cellcard) and possibly others like Smart or Metfone. We logged broadcasts from CamGSM / The Royal Group with strong signal (-59 dBm) near the sites. We did not identify any rogue cellular base stations, signal jammers, or femtocells. The presence of normal carrier signals at expected strengths implies that the compounds are within standard network coverage and likely use lots of SIM cards from these carriers in their phones.

Network Security Posture: The authentication modes of the Wi-Fi APs provide insights about security. The majority of APs are running encrypted Wi-Fi protected by WPA or WPA2 showing as [WPA2-PSK-CCMP][RSN-PSK-CCMP]. This is expected for internal networks to prevent unauthorized users from logging in. Over a thousand APs were open indicating negligence or intentional open networks for specific purposes. We also saw some APs advertising WPS enabled, which is a security vulnerability. The presence of WPS on ~3,155 devices suggests devices were using the default settings from consumer-grade routers.

Detailed Signal Tables and Enumerations: To illustrate the above points, here is an example of the downtown cluster’s Wi-Fi networks:

  • Total Wi-Fi APs: 1309 (in one compound).
  • Unique SSIDs: 643 different network names observed in that compound (mix of legitimate-sounding names and obscure ones)
  • SSIDs with multiple APs: 175 of those SSIDs were repeated on 2 or more APs, indicating multi-AP networks. This reflects a structure of one primary hotel network and many smaller or hidden networks coexisting.
  • Wi-Fi Security: The vast majority use WPA2-PSK encryption. The cluster has 46 open networks (some labeled “Free_WiFi” and phone hotspots).
  • AP Vendors: TP-Link (15.5%), Huawei (8.3%), Ruijie (6.9%), with many others. Unknown OUIs (~45%) likely correspond to random MACs from devices in hotspot mode or obscure manufacturers the database didn’t recognize.
  • Bluetooth Devices: 500 unique BT devices. Common names are mostly ‘hidden’, but ~50 had names corresponding to OPPO models, a handful to Xiaomi/Redmi, and generic labels like “JK71” (possibly device IDs).
  • BLE Beacons: Only 4 BLE devices were uniquely identified (one being a Samsung TV BLE and others unnamed). Most Bluetooth detections were classic BT from phones.
  • Cell signals: 14 cell broadcast towers

Each other cluster can be tabulated similarly. They all show a Wi-Fi-heavy environment (80–85% of devices) with the remainder Bluetooth. Wi-Fi access points and routers are stationary infrastructure providing internet to the myriad of phones. Essentially, the Wi-Fi networks form the backbone of the compound’s internal connectivity for PCs and for linking phones (if using VoIP or apps).
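A per-cluster tabulation like the one above can be derived from raw scan rows by deduplicating on BSSID and classifying each capability string. This is an added example, not the survey team's tooling; the row layout, the sample rows and the `[WPS]` token are assumptions modeled on the capability strings quoted in this report.

```python
from collections import Counter

# Constructed sample rows (BSSID, SSID, capabilities); not survey data.
# An empty SSID stands for a hidden network.
WPA2 = "[WPA2-PSK-CCMP][RSN-PSK-CCMP][ESS]"
SAMPLE = [
    ("AA:00:00:00:00:01", "HotelLobby", WPA2),
    ("aa:00:00:00:00:01", "HotelLobby", WPA2),            # repeat sighting, same AP
    ("aa:00:00:00:00:02", "HotelLobby", WPA2 + "[WPS]"),
    ("aa:00:00:00:00:03", "", WPA2),
    ("aa:00:00:00:00:04", "FREE WIFI", "[ESS]"),
    ("aa:00:00:00:00:05", "iPhone", WPA2),
    ("aa:00:00:00:00:06", "iPhone", "[ESS]"),
]
ENCRYPTED_PREFIXES = ("WPA", "RSN", "WEP")
HOTSPOT_PREFIXES = ("iPhone", "OPPO", "Galaxy")   # default names cited in the report

def tokens(capabilities):
    """Split '[A][B]' into ['A', 'B']."""
    return [t for t in capabilities.replace("]", "").split("[") if t]

def is_open(capabilities):
    """Open means no token announces WPA, RSN or WEP protection."""
    return not any(t.startswith(ENCRYPTED_PREFIXES) for t in tokens(capabilities))

def profile(rows):
    """Summarise one cluster's APs, counting each BSSID once."""
    aps = {}
    for bssid, ssid, caps in rows:
        aps[bssid.lower()] = (ssid, caps)          # last sighting wins
    named = Counter(ssid for ssid, _ in aps.values() if ssid)
    return {
        "total_aps": len(aps),
        "unique_ssids": len(named),
        "multi_ap_ssids": sum(1 for n in named.values() if n >= 2),
        "hidden": sum(1 for ssid, _ in aps.values() if not ssid),
        "open": sum(1 for _, caps in aps.values() if is_open(caps)),
        "wps": sum(1 for _, caps in aps.values() if "WPS" in tokens(caps)),
        "hotspot_names": sum(1 for ssid, _ in aps.values()
                             if ssid.startswith(HOTSPOT_PREFIXES)),
    }

if __name__ == "__main__":
    for key, value in profile(SAMPLE).items():
        print(f"{key}: {value}")
```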

Infrastructure Patterns and Anomalies: Two patterns stand out across sites: (1) reuse of infrastructure names and (2) mixture of professional and ad-hoc networks. We did not see the same custom SSIDs reused across different compounds. This suggests each compound retains its local identity or cover. The site managers did not create a homogenized network name across all their sites; instead they blended into whatever that location was (hotel, casino). The common thread is the hidden networks, which are present everywhere but named generically “Hidden” (which tells us little beyond their existence). As for anomalies, the presence of so many personal hotspots is unusual for a supposedly tightly controlled compound. It might indicate that the workers have found ways to get phones in and connect them independently, or that site managers allow this to support additional devices.

Finally, it’s worth noting that the volume of devices and networks is far beyond normal for these locations. A typical large hotel might have perhaps 20-50 APs and a few hundred devices at most. Here we see an order of magnitude more. This technical evidence shows that these sites are densely packed with people and electronics. They’ve ensured Wi-Fi coverage for large operational support areas, broadband internet feeding all those APs (likely fiber lines to each building), and backup with mobile data on phones.

 

Persona/Role Identification Through Signal Behavior

Identifying Key Operatives via Device Movements: By analyzing the behavior of individual devices across our datasets, we can infer the human activity patterns within and between the scam compounds. Most devices were stationary and confined to a single location. This is consistent with lower-level staff or victims who live and work on-site. A small but significant number of devices exhibited movement between different clusters, indicating personnel who travel between compounds. These are likely the managers or supervisors. We have identified 100+ mobile devices that were detected in at least two separate compound clusters kilometers apart.

Furthermore, we observed co-location patterns where groups of devices would appear and disappear from a cluster simultaneously, hinting at team movements or shifts (a van of staff moving from one location to another).

To make sense of these findings we categorized devices, and by proxy, personnel, into three profiles:

  • Fixed in-place staff – devices only ever seen at one location
  • Site management/supervisors – devices moving within a single general area or adjacent sites
  • Cross-site management/supervisors – devices that jump between distant compounds

Behavioral Signal Analysis

The general finding is that most devices remained within one cluster’s radius, indicating the person carrying or hosting that device did not leave their compound. This is expected in a forced-labor scam center where rank-and-file workers are essentially prisoners. However, exceptions were found:

  • Fixed in-place staff: Roughly 95% of detected devices fell into this group. These devices were only ever observed in one location cluster with minimal spatial variance (generally within a ~50–100 m radius). Such a pattern suggests the device (and user) stayed put. In practical terms, these are likely the phones assigned to scammers at a particular building – they never leave that building. We can almost consider them part of the stationary infrastructure, though technically they are personal devices. When a raid happens, we expect to find these devices with the workers on-site. Intelligence value: the sheer count of static devices (~6,800+ Bluetooth and thousands more Wi-Fi hotspots) gives an estimate of manpower per site.
  • Site management/supervisors: A smaller subset of devices (a few dozen) showed slightly wider roaming, but still within a limited locale. We interpret these as possibly supervisors or support staff who have some freedom of movement but generally stay within one broader site. They might move between two buildings in the same complex or run errands just outside the compound.
  • Cross-site management/supervisors: This is the most critical group from a leadership perspective. We identified ~126 Bluetooth devices and over 700 Wi-Fi devices that moved >1 km between detections, meaning they were picked up in at least two of the major clusters. The persistence of the identifiers and the context suggest these are individuals carrying their personal devices between scam centers. Likely profiles for such individuals include senior managers, technical specialists, or specialized support supervisors who oversee multiple locations.
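The three profiles can be assigned mechanically from each identifier's spatial spread. This is an added example, not the survey team's code: the 100 m and 1 km thresholds come from the figures in this report, while the middle band, the handling of single sightings and locally administered (randomized) addresses, and the sample rows are assumptions.

```python
import math
from collections import defaultdict

FIXED_RADIUS_M = 100   # report: ~95% of devices stay within a 100 m radius
CROSS_SITE_M = 1000    # report: cross-site devices moved >1 km between detections

# Constructed detections (device address, lat, lon); not survey data.
SAMPLE = [
    ("dc:00:00:00:00:01", 10.6250, 103.5230),
    ("dc:00:00:00:00:01", 10.6253, 103.5232),  # ~40 m from first sighting
    ("dc:00:00:00:00:02", 10.6250, 103.5230),
    ("dc:00:00:00:00:02", 10.6280, 103.5230),  # ~330 m
    ("dc:00:00:00:00:03", 10.6250, 103.5230),
    ("dc:00:00:00:00:03", 10.6600, 103.5500),  # ~4.9 km
    ("da:00:00:00:00:04", 10.6250, 103.5230),  # locally administered address
    ("da:00:00:00:00:04", 10.6600, 103.5500),
    ("dc:00:00:00:00:05", 10.6250, 103.5230),  # seen once
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371000 * math.asin(math.sqrt(a))

def is_randomized(mac):
    """Locally administered bit set: not a stable hardware identifier."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def classify(points):
    """Label one device's track from its list of (lat, lon) sightings."""
    if len(points) < 2:
        return "single-sighting"               # no movement can be inferred
    max_hop = max(haversine_m(*a, *b)
                  for i, a in enumerate(points) for b in points[i + 1:])
    if max_hop > CROSS_SITE_M:
        return "cross-site"
    clat = sum(p[0] for p in points) / len(points)
    clon = sum(p[1] for p in points) / len(points)
    radius = max(haversine_m(clat, clon, *p) for p in points)
    return "fixed" if radius <= FIXED_RADIUS_M else "site-level"

def profile_devices(detections):
    """Map each device address to a movement profile."""
    tracks = defaultdict(list)
    for dev, lat, lon in detections:
        tracks[dev.lower()].append((lat, lon))
    return {dev: "unstable-id" if is_randomized(dev) else classify(pts)
            for dev, pts in tracks.items()}

if __name__ == "__main__":
    for dev, label in profile_devices(SAMPLE).items():
        print(dev, label)
```

Setting aside locally administered addresses matters because the cross-site count depends on identifiers that persist between detections; a randomized address seen at two sites is not evidence of one device travelling.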

Other Insights

Force Protection

Smart City Safe City