Executive Summary
In March 2026, Meta, in collaboration with international law enforcement agencies, disabled over 150,000 Facebook and Instagram accounts linked to sophisticated scam centers operating in Southeast Asia. This coordinated effort, involving authorities from countries including Thailand, the U.S., the U.K., and Singapore, also led to 21 arrests by the Royal Thai Police. The crackdown targeted criminal networks in countries like Cambodia, Myanmar, and Laos, which have been running large-scale scam operations designed to evade detection and cause significant harm to individuals globally. (about.fb.com)
This operation underscores the escalating threat posed by industrialized online scams and highlights the necessity for continuous collaboration between tech companies and global law enforcement to protect users from increasingly sophisticated fraudulent activities. (about.fb.com)
Why This Matters Now
The proliferation of industrialized online scams poses a significant threat to global digital security, necessitating immediate and coordinated action to protect users and maintain trust in online platforms.
Attack Path Analysis
The attackers initiated the scam by creating fraudulent accounts on social media platforms to impersonate trusted entities. They then escalated by manipulating victims into handing over sensitive information or financial assets, and expanded their reach by using compromised accounts to contact a broader audience. They kept control of the compromised accounts to manage and coordinate the fraud, and exfiltrated funds and personal information from victims through deceptive schemes. The result was significant financial loss for victims and an erosion of trust among users.
Kill Chain Progression
Initial Compromise
Description
Attackers created fraudulent accounts on social media platforms to impersonate trusted entities and initiate contact with potential victims.
MITRE ATT&CK® Techniques
Phishing
Impersonation
Phishing for Information
Social Media
Acquire Infrastructure: Domains
Establish Accounts: Social Media Accounts
Compromise Accounts: Social Media Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Incident Response Plan
Control ID: 12.10.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: Identity and Access Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this incident, including operational, regulatory, and cloud security risks.
Financial Services
Southeast Asia scam operations targeting financial platforms through sophisticated social engineering require enhanced egress security and zero trust segmentation capabilities.
Telecommunications
Telecom networks face risks from scam-related suspicious device linking and encrypted traffic threats, necessitating advanced anomaly detection and traffic visibility controls.
Internet
Internet platforms require multicloud visibility and threat detection capabilities to combat industrialized scam operations using sophisticated social engineering across multiple regions.
Banking/Mortgage
Banking institutions need enhanced egress filtering and encrypted traffic protection against coordinated scam networks targeting financial accounts and fraudulent transfers.
Sources
- Meta Disables 150K Accounts Linked to Southeast Asia Scam Centers in Global Crackdown: https://thehackernews.com/2026/03/meta-disables-150k-accounts-linked-to.html (Verified)
- Global Law Enforcement Agencies, With Support From Meta, Disrupt Major Criminal Scam Networks Based in Southeast Asia: https://about.fb.com/news/2026/03/meta-global-law-enforcement-disrupt-major-southeast-asia-criminal-scam-networks/ (Verified)
- Fighting Scammers and Protecting People with New Technology and Partnerships: https://about.fb.com/news/2026/03/fighting-scammers-protecting-people-with-new-technology-and-partnerships/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident because it could reduce an attacker's ability to exploit compromised accounts and limit the spread of fraudulent activity.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may limit unauthorized access by enforcing strict identity verification, potentially reducing the success rate of fraudulent account creation.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely restrict unauthorized access to sensitive resources, potentially reducing the impact of compromised credentials.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security may limit lateral movement by monitoring and controlling internal communications, potentially reducing the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely provide real-time monitoring, potentially detecting and limiting unauthorized command and control activities.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement may restrict unauthorized data transfers, potentially reducing the success of data exfiltration attempts.
Implementing Aviatrix Zero Trust CNSF could reduce the overall impact by limiting an attacker's ability to exploit compromised accounts and spread fraudulent activity.
Impact at a Glance
Affected Business Functions
- User Account Management
- Advertising Operations
- Content Moderation
- Customer Support
Estimated downtime: N/A
Estimated loss: N/A
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to limit the spread of attacks by enforcing strict access controls.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Utilize Multicloud Visibility & Control to monitor and manage security policies across all platforms.
- Apply Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.