What a scam syndicate is
A scam syndicate is a coordinated group of scam operators sharing infrastructure (hosting, domains, wallets), tools (phishing kits, bot networks, AI deepfake services), and playbooks (romance scripts, crypto pump schedules, mule recruitment templates). One syndicate can run 50 or more active phishing domains, hundreds of social-media impersonator accounts, dozens of crypto wallets, and a steady pipeline of fresh victims.
The major syndicates operate from regions where extradition is hard (Southeast Asia, parts of West Africa, Eastern Europe). Their compounds often hold trafficked workers forced to run the scams. The fraud is industrialised; you are not dealing with a lone bad actor.
What it looks like from where you're standing
You will almost never see the whole network. What reaches you is one piece: a single message, one too-good investment, one familiar brand that feels slightly off. The piece in front of you is rarely the whole story.
A few things that should raise your guard:
- The same pitch, wording, or layout turning up in more than one place, or from accounts that all look freshly made.
- A "community" or following that feels manufactured: lots of near-identical or brand-new accounts all boosting the same thing.
- A sudden wave of similar scams or messages arriving close together, more like a coordinated push than an organic trend.
- Polish and persistence beyond what one person could keep up alone.
You do not need to untangle the operation behind it, and you should not try to. If one piece feels wrong, treat the whole thing as suspect, do not engage, and check it before you act.
Why syndicates are harder to fight than lone scammers
Take down one of their domains, they have ten more. Block one wallet, the funds are already moving through a mixer. Report one social account, the next one is spinning up. The right response is not playing whack-a-mole on individual entities; it's mapping the cluster and going after the shared infrastructure.
This is why aggregated intelligence matters. A single phishing report is a data point. A thousand reports against a coordinated syndicate, cross-referenced into a single picture, is enough to convince a registrar to mass-suspend domains, a hosting provider to terminate the infrastructure, or a regulator to issue a cross-border takedown order.
Where AVA fits
For any entity you can paste in (domain, wallet, social handle), AVA produces a 0-to-100 trust score with explainable reasoning, and where applicable shows related entities AVA has seen elsewhere. See the public how-it-works summary for our methodology overview.
What to do
If you encounter what looks like a single scam, report it to AVA. Even one domain, one wallet, or one social handle is enough for AVA to start mapping the cluster behind it. You're contributing to dismantling the infrastructure, not just blocking one page.