Cryptocurrency Scammers Face Justice with Heavy Sentences and Sanctions

By Tina Reynolds

A California man has been ordered to pay almost $27 million in restitution. This announcement comes on the heels of a federal court order issued in connection with a long-running, multi-level cryptocurrency fraud scheme that victimized thousands. Shengsheng He, 39, was sentenced to six years in prison. His role was central to a broader plan to defraud American investors of approximately $37 million. This fraudulent operation spanned an international enterprise of scam centers operating out of Cambodia, with He and his eight co-conspirators based out of one of these centers.

The scheme guaranteed lucrative returns on digital asset investments, enticing potential investors with an offer they couldn’t refuse. Beal employed advanced techniques to transfer stolen funds through dozens of cryptocurrency wallets. Ultimately, he rolled it all into one wallet and set up an account at Stake.com, an online betting site. The court’s opinion highlights the increasing need to recognize the effect of these cybercrimes on American citizens and our economy.

Criminal Network Exposed

So he wasn’t acting alone. He was the lowest in a much wider network linked to some of the worst ransomware criminals, including JSWORM, Karma, Nokoyawa and Nemty. Group-IB uncovered these ties in an investigation carried out in early 2023. The group’s activities have incurred damages estimated at $18 billion, pushing French authorities to place He on Europe’s Most Wanted fugitives list.

Besides He, eight other co-conspirators—most notably, Daren Li and Lu Zhang—have pleaded guilty. Their combined efforts shine a light on the vastness of the criminal enterprise that targeted American citizens.

His operation pushed the envelope with progressive techniques. He used a simple address matching approach based on Levenshtein distance to choose visually similar addresses, rendering many fraudulent transactions completely undetectable. Additionally, the crew used automated scripts to create 50,000 counterfeit downloads—providing social proof and further legitimizing their scam.

“These sanctions protect Americans from the pervasive threat of online scam operations by disrupting the ability of criminal networks to perpetuate industrial-scale fraud.” – U.S. Secretary of State Marco Rubio

Cybercrime Sanctions Implemented

We applaud the U.S. Treasury Department for acting against this growing, duplicitous cyber scam threat. They’ve frozen the assets of financial institutions supporting these illegal trades. The sanctions target nine individuals and businesses connected with Shwe Kokko, an area in Myanmar long considered a center of scam operations. Four people and six companies have been penalized for their role in running forced labor camps in Cambodia.

Together, these sanctions seek to dismantle the infrastructure that enables cybercriminals to exploit the American investing public. By severing their funding pipeline, government officials and consumer advocates alike are looking to make these scams less lucrative and less common.

That ruling against He — the first court sanction against such activity in the U.S. — should send a clear message to researchers performing similar activities. Law enforcement agencies are increasing their focus on financial crime and cybercrime—both at home and abroad.

A Growing Threat

Digital crime is a space that is continually innovating. From malware to social engineering, attackers are employing multiple tactics to exploit the intricate networks that companies rely on. Most recently, that same report pointed to an extremely large DDoS attack on September 1 of this year. Qrator detected and blocked what was described as “the largest L7 DDoS botnet observed to date,” compromising 5.76 million IP addresses.

This botnet has been in operation since March 26, 2025, illustrating the long-term threats that are affecting organizations around the globe today. As criminal tactics continue to progress, enterprises need to proactively protect themselves from these ever-changing threats.

“Depending on the victim, they may pursue a variety of goals: demanding ransom to decrypt data or causing irreparable damage.” – Kaspersky