
Lesson · 4 min read · Seed lesson · expanding soon

How to spot the work of a scam syndicate

Organised fraud at scale. Hundreds of domains, dozens of wallets, coordinated playbooks. Your single suspicious link is often the visible tip of a much larger operation.

What a scam syndicate is

A scam syndicate is a coordinated group of scam operators sharing infrastructure (hosting, domains, wallets), tools (phishing kits, bot networks, AI deepfake services), and playbooks (romance scripts, crypto pump schedules, mule recruitment templates). One syndicate can run 50 or more active phishing domains, hundreds of social-media impersonator accounts, dozens of crypto wallets, and a steady pipeline of fresh victims.

The major syndicates operate from regions where extradition is hard (Southeast Asia, parts of West Africa, Eastern Europe). Their compounds often hold trafficked workers forced to run the scams. The fraud is industrialised; you are not dealing with a lone bad actor.

The five signals that point to a syndicate

  1. Many domains registered in the same week through the same registrar with the same WHOIS contact. A single phishing campaign rarely uses one domain; it uses dozens, with rotating subdomains, so that taking down any one of them barely dents the operation. Bear in mind that registrant details are often redacted for privacy these days: a matching unredacted contact is strong evidence, while a redacted one tells you nothing either way.
  2. Multiple domains pointing to the same hosting IP block. Look up the IP of a suspect domain on urlscan.io and see what else lives there. Discount IPs that belong to a CDN or a large shared host, though: thousands of unrelated sites sit behind the same address, so co-hosting there means little on its own.
  3. Many crypto wallets funded from a single source wallet, all deploying contracts with identical bytecode. The contracts are templates and the wallets are sock puppets; the funding wallet is the operator's real choke point.
  4. Social-media accounts with identical bio templates and overlapping follower lists. The 'community' that supports a scam token is often 200 ghost accounts, not 200 humans.
  5. Coordinated timing. Multiple scams launching within the same hour. Phishing links posted across Telegram channels in the same minute. A single human can't coordinate this; a syndicate's bot infrastructure can.

Why syndicates are harder to fight than lone scammers

Take down one of their domains, they have ten more. Block one wallet, the funds are already moving through a mixer. Report one social account, the next one is spinning up. The right response is not playing whack-a-mole on individual entities; it's mapping the cluster and going after the shared infrastructure.

This is why aggregated intelligence matters. A single phishing report is a data point. A thousand reports against a coordinated syndicate, cross-referenced by IP, WHOIS, wallet, and behavioural pattern, is enough to convince a registrar to mass-suspend domains, a hosting provider to terminate the IP block, or a regulator to issue a cross-border takedown order.
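The five signals above, and the cross-referencing by IP, WHOIS, wallet and behaviour described here, amount to one operation: pivot from each reported entity on the attributes it shares with others and merge everything that touches. The script below is an added example, not AVA code or a description of its scoring. It links entities with a disjoint-set (union-find) structure, with a guard for each caveat a practitioner would want: redacted WHOIS values and empty fields never link anything, and co-location on an assumed shared CDN address is ignored. Every record in `SAMPLE`, the domain names, wallet addresses, bytecode hashes, bio-template ids and timestamps, is constructed sample data; `SHARED_IPS` is an assumed allowlist you would populate from your own data.

```python
"""Map the cluster behind one suspicious entity by pivoting on shared infrastructure.

Added example, not AVA's code. All records in SAMPLE are constructed; the pivot
rules follow the five syndicate signals in the lesson.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Values that identify nothing and must never link two entities (signal 1 caveat).
REDACTED = {"", None, "REDACTED FOR PRIVACY"}
# Assumed CDN / shared-hosting addresses; co-location there is not a signal (signal 2 caveat).
SHARED_IPS = {"104.16.0.1"}


class UnionFind:
    """Disjoint-set forest: entities sharing any pivot value end up in one set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def pivots(e):
    """Yield (signal, value) pairs on which entity `e` may be linked to others."""
    if e["type"] == "domain":
        yield "host", e["id"]
        # Signal 1: same registrar, same ISO week, same unredacted WHOIS contact.
        if e["whois_contact"] not in REDACTED:
            week = e["registered"].isocalendar()[:2]
            yield "registrar_week_contact", (e["registrar"], week, e["whois_contact"])
        # Signal 2: same hosting IP, unless it is a shared CDN/hosting address.
        if e["ip"] not in SHARED_IPS:
            yield "hosting_ip", e["ip"]
    elif e["type"] == "wallet":
        # Signal 3: common funding source; identical deployed bytecode.
        if e.get("funded_by") not in REDACTED:
            yield "funding_source", e["funded_by"]
        if e.get("bytecode_sha256") not in REDACTED:
            yield "contract_bytecode", e["bytecode_sha256"]
    elif e["type"] == "social":
        # Signal 4: identical bio template.
        if e.get("bio_template") not in REDACTED:
            yield "bio_template", e["bio_template"]
        # Signal 5: the same link posted within the same minute; the link's host also
        # ties the account to the phishing domain it is pushing.
        for posted, url in e.get("posts", []):
            yield "post_burst", (url, posted.replace(second=0, microsecond=0))
            yield "host", urlparse(url).hostname


def cluster(entities):
    """Return (clusters, evidence): clusters as id lists, largest first;
    evidence maps each (signal, value) shared by >1 entity to the ids involved."""
    uf = UnionFind()
    by_pivot = defaultdict(list)
    for e in entities:
        uf.find(e["id"])
        for key in pivots(e):
            by_pivot[key].append(e["id"])
        for other in e.get("references", []):  # e.g. a phishing page embedding a deposit address
            uf.union(e["id"], other)
    evidence = {}
    for key, ids in by_pivot.items():
        if len(set(ids)) > 1:
            evidence[key] = sorted(set(ids))
            for other in ids[1:]:
                uf.union(ids[0], other)
    groups = defaultdict(list)
    for e in entities:
        groups[uf.find(e["id"])].append(e["id"])
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True), evidence


URL = "https://claim-airdrop-bonus.example/claim"  # constructed
SAMPLE = [  # constructed records; ISO week 10 of 2024 starts Monday 4 March
    {"type": "domain", "id": "secure-wallet-login.example", "registrar": "RegistrarA",
     "registered": datetime(2024, 3, 4), "whois_contact": "ops@syndicate.example", "ip": "203.0.113.10"},
    {"type": "domain", "id": "wallet-verify-now.example", "registrar": "RegistrarA",
     "registered": datetime(2024, 3, 6), "whois_contact": "ops@syndicate.example", "ip": "203.0.113.11"},
    {"type": "domain", "id": "claim-airdrop-bonus.example", "registrar": "RegistrarB",
     "registered": datetime(2024, 5, 20), "whois_contact": "REDACTED FOR PRIVACY", "ip": "203.0.113.10",
     "references": ["0xaaa1"]},
    {"type": "domain", "id": "fronted-by-cdn.example", "registrar": "RegistrarC",   # shared IP: no link
     "registered": datetime(2024, 3, 5), "whois_contact": "REDACTED FOR PRIVACY", "ip": "104.16.0.1"},
    {"type": "domain", "id": "unrelated-shop.example", "registrar": "RegistrarA",   # same week, other contact
     "registered": datetime(2024, 3, 5), "whois_contact": "owner@shop.example", "ip": "198.51.100.5"},
    {"type": "wallet", "id": "0xaaa1", "funded_by": "0xf00d", "bytecode_sha256": "b1"},
    {"type": "wallet", "id": "0xaaa2", "funded_by": "0xf00d", "bytecode_sha256": "b1"},
    {"type": "wallet", "id": "0xaaa3", "funded_by": "0xbeef", "bytecode_sha256": "b1"},
    {"type": "wallet", "id": "0xbbb1", "funded_by": "0xcafe", "bytecode_sha256": None},
    {"type": "social", "id": "@moon_gems_1", "bio_template": "tpl-7", "posts": [(datetime(2024, 6, 1, 12, 0, 5), URL)]},
    {"type": "social", "id": "@moon_gems_2", "bio_template": "tpl-7", "posts": [(datetime(2024, 6, 1, 12, 0, 41), URL)]},
    {"type": "social", "id": "@moon_gems_3", "bio_template": "tpl-9", "posts": [(datetime(2024, 6, 1, 12, 0, 58), URL)]},
    {"type": "social", "id": "@real_person", "bio_template": "tpl-0",
     "posts": [(datetime(2024, 6, 2, 9, 13, 0), "https://news.example/story")]},
]

if __name__ == "__main__":
    clusters, evidence = cluster(SAMPLE)
    print("largest cluster:", clusters[0])
    for key, ids in evidence.items():
        print(key, "->", ids)
```

Run against the sample, the one reported domain `claim-airdrop-bonus.example` pulls in two sibling domains (shared IP, then shared WHOIS contact), three wallets (the embedded deposit address, its funding source, and the shared bytecode) and three sock-puppet accounts (same-minute burst of the same link), while the CDN-fronted domain, the shop that merely registered in the same week, the unrelated wallet and the real account stay as singletons. The `evidence` map is what you hand to a registrar or host: for each pivot, the concrete list of entities it ties together.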

Where AVA fits

For any entity you can paste in (domain, wallet, social handle), AVA produces a 0-to-100 trust score with explainable reasoning, and where applicable shows related entities AVA has seen elsewhere. See the public how-it-works summary for our methodology overview.

What to do

If you encounter what looks like a single scam, report it to AVA. Even one domain, one wallet, or one social handle is enough for AVA to start mapping the cluster behind it. You're contributing to dismantling the infrastructure, not just blocking one page.