Analysis of Overseas Employment Fraud Patterns and Cyber-Tracking Techniques

Overseas employment fraud schemes resembling human trafficking and targeting Korean nationals have been rapidly re-emerging across various parts of Southeast Asia, particularly Cambodia, Thailand, and Malaysia. A consistent pattern has been identified in which perpetrators lure victims overseas using false job postings, recruitment for travel companions, or offers to serve as couriers for documents or parcels. After arrival, victims are transported to isolated facilities, commonly referred to as “scam compounds,” and are forcibly mobilized to engage in online financial fraud, romance scams, messenger phishing, or extortion activities targeting acquaintances.

In October 2025, the Korean government issued a travel ban (“Code Black”) for specific regions in Cambodia, including Poipet, Bavet, and Bokor Mountain in Kampot Province. The escalation followed officially confirmed reports of multiple detentions and a significant number of missing persons. As a result, the issue has now risen to the level of a major national security and public safety concern.

Severity of Victimization (Korean Nationals)

• In the latter half of 2025, media reports indicated that approximately 60 Korean nationals were being held against their will in Cambodia, with more than 80 individuals reported missing. Evidence of serious human rights violations, including forced labor, physical assault, and unlawful confinement, has been continuously identified.
• Following the case in which a Korean university student was tortured to death inside a scam facility in Cambodia, bilateral cooperation between Korea and Cambodia has been significantly strengthened. Korean diplomatic and law-enforcement authorities have activated dedicated response mechanisms, including the establishment of a local “Korean Desk.”
• INTERPOL has issued an early warning, stating that online fraud centers built on trafficking networks have expanded globally, with 74% of victims being funneled into hub regions across Southeast Asia. This international context helps explain the rising number of Korean victims.
• The United States, the United Kingdom, and other countries have initiated full-scale international cooperation by announcing large-scale sanctions and indictments against networks involved in operating or supporting forced-labor scam compounds in Cambodia.

Status of Human-Trafficking–Related Job Posts

Stealthmole has collected and analyzed more than 100,000 online postings related to overseas recruitment and employment across various platforms, including Telegram, online communities, and illicit websites. A significant portion of these posts were classified as recruitment messages linked to overseas human trafficking, forced labor, and voice-phishing organizations. Key characteristics include the following:

• Use of phrases such as “high income,” “free room and board,” and “no experience required” to attract applicants.
• Actual tasks at the destination are entirely different from those described, often shifting to illegal online fraud operations or forced labor
• Contact methods listed in the posts are almost exclusively limited to encrypted messaging services (e.g., Telegram)
• A spam-network structure was identified, in which identical contact information appears repeatedly across multiple platforms

Based on data gathered and validated through our monitoring system, trafficking-related recruitment posts are actively spreading not only within specific criminal domains but also across the general surface web. Notably, numerous disguised job postings were detected in community forums and Korean association websites.

Distribution Channels for Recruitment Posts

Through direct collection and analysis of major websites where fraudulent recruitment, travel-companion, and courier-type posts circulate, we confirmed that such content is widespread not only on suspicious link domains but also across general online spaces such as public communities, Korean associations, and corporate bulletin boards, where moderation is weak. On some platforms, inadequate screening procedures have allowed fake job postings to remain visible for extended periods.

• Case 1. Korean Association and Expat Community Bulletin Boards

Image:  Fake Job Posting on a Korean Association Website

• Case 2. General Corporate / Institutional Bulletin Boards

Image: Employment Fraud Post on a General Job-Search Website

• Case 3. Posts within General Social Networking Applications

Image:  Lure-Type Posts on Social Media Platforms such as Karrot and Facebook

Category	Primary Distribution Channels	Key Characteristics
Forum-Type Websites	Sections related to employment, travel companions, or errands	Weak account-verification procedures; frequent reuse of identical contact information across posts
General Surface-Web Communities	Boards related to expatriates, travel, or job searching	Inadequate moderation, allowing fake postings to remain visible for extended periods
SNS and Messenger Channels	Telegram, Facebook groups, X (Twitter)	Use of Telegram invitation links to direct users into secondary recruitment channels
Korean Associations / Local Job Sites	Expat communities in Cambodia, Thailand, Laos, etc.	Illegal recruitment posts mixed with legitimate job listings; lack of structured board management

Geographic Distribution of Human-Trafficking Destinations

Among the 100,000 collected posts, approximately 93% referenced countries in Southeast Asia, specifically Cambodia, Thailand, Myanmar, Philippines, and Vietnam. The overall distribution by destination country is illustrated in the following figure:

Figure: Statistics on Destination Countries for Human Trafficking

Cambodia and Thailand together account for more than half (51.4%) of all analyzed posts, aligning with regions where recent real-world victimization, such as confinement, physical assault, and forced labor, has sharply increased. In addition to country codes, numerous geographic identifiers such as Sihanoukville, Poipet, and Chiang Mai were referenced. These patterns indicate that geographic clustering enables the identification of specific criminal hubs.

Image: Behavioral Patterns in Posts Related to Cambodia

• KH (Cambodia): 28,745
• KR (Republic of Korea): 26,688
• CN (China): 16,863
• VN (Vietnam): 11,027
• TH (Thailand): 9,164

Distribution of Contact Method Types

Among a total of 93,169 collected posts, the distribution of posts specifying a contact method is as follows:

Figure: Contact Method Statistics in Human-Trafficking–Related Posts

Telegram IDs accounted for 58,628 cases, and Telegram URLs accounted for 15,504 cases, meaning that Telegram represented an overwhelming 79.6% share of all contact methods. This dominance suggests that post creators rely on Telegram’s anonymity, automation capabilities, and ease of message deletion to conceal criminal activities.

Notably, identical Telegram IDs appeared repeatedly across dozens of posts, indicating the presence of automated bulk-posting through bots or a systematically managed set of organizational accounts.

Image: Behavioral Patterns in Posts Containing Telegram IDs

• Other URLs: 12,327 / Other Domains: 2,334
• KakaoTalk ID: 2,204 / KakaoTalk URL: 294
• Email: 881 / Telephone Number: 765
• WeChat ID: 161 / WeChat URL: 3 / Line ID: 66

Case Studies in Cyber Tracking of Overseas Employment Fraud

Overview

This section presents the results of cyber-tracking analyses conducted using StealthMole’s detection system for identifying human-trafficking–related and fraudulent overseas recruitment posts. The analysis applied actor-identification and post-linkage techniques based on publicly available data, including text, images, and contact information (such as messenger IDs, phone numbers, and URLs). Through this approach, we identified the dissemination pathways and operational patterns of fraudulent job postings. The section summarizes the applied analytical procedures and results, explaining how digital traces can be collected and utilized during investigative and response phases.

Case 1. Tracking Fraudulent Overseas Job Recruitment Posts

This case illustrates the process of tracing a human-trafficking–oriented fraud network using digital evidence. The organization targeted Korean individuals by posting online job advertisements that included phrases such as “high-income guaranteed; work in Southeast Asia.” Victims were then instructed to initiate direct contact via Telegram, reflecting a systematic pattern designed to move targets into encrypted communication channels.

Our human-trafficking post-detection system (Suspect Tracker) identified multiple overseas employment advertisements targeting Southeast Asia. These posts directed users to make inquiries exclusively through Telegram, prompting further analysis. The exposed Telegram ID was used as the initial investigative lead.

Using our Telegram Tracker system, we examined the identified Telegram ID to determine:

• the account’s creation date
• the profile image and nickname currently in use
• the groups and channels the account had joined
• the messages or promotional posts distributed by the account.

The analysis revealed that the account was active in numerous “high-income foreign worker recruitment groups” based in Southeast Asia, and that it repeatedly posted identical recruitment messages across multiple channels using patterns consistent with those of other accounts. This behavior constitutes a key indicator of coordinated or organized operational activity.

In addition, the promotional messages repeatedly included reassuring phrases such as “accommodation provided,” “local pickup available,” and “visa processing support.” The pattern analysis showed that this Telegram account shared multiple channels with other recruitment-related accounts, indicating coordinated and organized management. This behavior reflects a typical trafficking-oriented fraud method in which perpetrators disguise the process as legitimate overseas employment, thereby guiding victims through international travel and eventually leading them into isolation at the destination.

Overall, the analysis clearly revealed a structured inducement pathway consisting of: post creator → intermediary broker → recruitment channels → victim intake.

Case 2. Detailed Profiling of a Chinese Suspect: Li GuangHao(리광호)

This case presents the initial analytical findings on Li GuangHao, an individual suspected of involvement in employment-fraud activities in Cambodia. The subject was identified through postings discovered on the dark web and social media, which indicated potential participation in overseas employment scams targeting Southeast Asian and Korean individuals by a Chinese-affiliated recruitment network.

The StealthMole platform analyzed multiple sources, including Telegram and other digital traces, to compile the subject’s identifiable information, related identification documents, and associated digital footprints. Based on the collected data, this analysis outlines actionable investigative insights and proposes potential directions for further tracking of the suspect.

Case Summary:

Case Name	Cambodia employment fraud - Li GuangHao
Associated Countries	Cambodia, South Korea, China, Thailand
Detected Languages	Korean, Chinese
Primary Modules	Telegram Tracker (TT), Face Finder (FF)
Data Sources	Telegram, social media, dark web
Status	Suspected currently wanted and under active investigation

Primary Findings:

Item	Category	Details (Translated)
1	Telegram Source Search - Related ChannelChannel Name: War on Crime 2 (translated)Channel ID: 2653371447Creation Date: 2025-08-17Channel Address: https://t.me/+KKB-8haHD2swNzll	“Disclosure of Cambodian Korean-Chinese Individual, Li Guanghao”“Beyond the address Unit 603, Building 2, Taiza International Square, Cambodia, Li Guanghao (alias Chenlong), your activities and the harm inflicted on Koreans have already been identified. Authorities in both China and Cambodia have confirmed that you are listed as a red-notice target for drug-related offenses. Continue to await further action…”2) “Administrator Statement”“Hello, this is Cheonma, the administrator of War on Crime 2.Li Guanghao, who has been committing repeated offenses in Cambodia, reportedly operated a voice-phishing office in Hanoi, Vietnam around May–June 2024, then illegally entered Cambodia around July. Since then, he has allegedly been involved in acts including torture, confinement, kidnapping, and forced drug administration linked to voice-phishing operations, continuing to create additional victims.Additional reports are requested. Crime-related or victim reports may be submitted 24/7. @a811926”
1.1	Attachment) Suspected copy of Li Guanghao’s Cambodian Foreign Worker Registration Card
2	Additional Materials from “War on Crime 2”	“Cambodia Murder Case – Li Guanghao”“Hello, this is Cheonma, administrator of War on Crime 2.Regarding the Cambodian homicide case involving a Korean national, while three suspects have already been arrested, the individual primarily responsible for causing the death of the victim, the late Mr. Park, is identified as Li Guanghao.In addition, together with individuals named Kim Cheol and Kim Young, he is linked to a drug-distribution case in Daechi-dong three years ago. His accomplice in that case received a 26-year prison sentence and is currently incarcerated.Criminal history (summary):– Narcotics-related offenses, currently a wanted fugitive– Allegations that since 2024 he collaborated with a person named Liu Yonghao in the Yanbian region to distribute and consume narcotics– Allegations that in 2023 he exported narcotics to KoreaHe is currently a wanted suspect, evading law-enforcement authorities. The confirmed criminal allegations pertain to narcotics…”
2.1	Attachment) Suspected Personal Information of Li Guanghao as Identified in a Chinese Online Population Information Inquiry System
2.2	Identification of Li Guanghao’s Facial Image Through Additional Facial-Recognition Search
2.3	2.2 Additional Retrieved Images Associated With the Identified Photograph	1) Suspected Passport Photograph of Li Guanghao  2) Suspected Resident Identification Card of Li Guanghao
2.4	Additional Telegram Group Identified Through Searches Linked to Li Guanghao’s Resident Identification RecordChannel Name: 东南亚大事件 (Asia News)Channel Creation Date: 2025-09-10Channel ID: 2665855346Channel Address: https://t.me/+KKB-8haHD2swNzllMessage Content and Date: 2025-08-17	#CambodiaBokorMountain #DiscardedBodyCaseSuspect #LiGuanghaoTitle: Public Disclosure of Suspect in Cambodia Bokor Mountain Homicide Incident“관련 뉴스 :“Related news:https://t.me/RAISON777/4369?singlehttps://t.me/RAISON777/4551The victim, Park Se-ho, had already left Korea and entered Cambodia illegally. More than 60 million KRW was stolen from his bank account.The Chinese Korean-Chinese suspect known locally in Cambodia by the nickname ‘Guanghao’ attempted to extort money from the victim’s parents by phone. It was subsequently confirmed that he brutally murdered the victim.”

Necessity of Monitoring Illegal Recruitment Posts and Tracking Suspects

Reframing the Problem

As demonstrated in earlier analyses, online posts disguised as “overseas job opportunities” or “short-term travel companions” function as the preliminary entry point into organized human-trafficking and online fraud operations. Most victims are ordinary citizens: students, job seekers, or individuals pursuing legitimate employment, who are deceived under the pretext of “legal overseas employment” or “short-term part-time work.” After relocation abroad, they are deprived of personal freedom and forcibly mobilized into cybercrime activities.

These crimes highlight the necessity of early detection and continuous monitoring systems grounded in digital traces, specifically posts, messenger activity, and financial transaction records.

Purpose and Scope of Monitoring

Through our intelligence framework, we aim to achieve the following three objectives:

• Early Detection
  • Identify illegal recruitment posts, suspicious domains, and messenger IDs in real time at the moment of posting, preventing the spread of victimization.
  • Scam posts infiltrating legitimate platforms (e.g. Korean community sites, general forums) are automatically assigned risk scores and placed on an alert list.
• Cross-Link Correlation
  • By integrating analyses from ST and TT, we continuously visualize and track relationships between posts created by the same individual or the same organization.
  • The intelligence collected through this process is shared with international law-enforcement bodies and national cyber-response centers as actionable leads on transnational organized crime networks.
• Mitigation & Prevention
  • Identified posts and accounts are swiftly blocked or reported to prevent additional harm.
  • Over the long term, accumulated data is used to anticipate shifts in criminal modus operandi and cross-border movement patterns, contributing to policy development for future prevention.

Risks Associated With Surveillance Gaps

Reactive responses, those activated only after victimization has been confirmed, are inherently limited. A continuous monitoring infrastructure is essential for the following reasons:

1. Speed: Fake job postings attract dozens of potential victims within hours; posts are deleted and reposted frequently.
2. Anonymity: Heavy reliance on encrypted messengers such as Telegram, WeChat, and KakaoTalk neutralizes traditional IP-based tracking methods.
3. Propagation: The same criminal organization disseminates identical posts simultaneously across multiple forums, social networks, and country-specific platforms.

StealthMole’s real-time collection, classification, and network-analysis process addresses this gap, establishing a Preventive Intelligence system rather than a retrospective reporting model.

Social Impact and Humanitarian Significance

These scam networks extend far beyond cybercrime, leading to:

• Human rights violations (Human Trafficking)
• Forced labor and physical abuse
• Severe psychological trauma

Cases in Cambodia, Thailand, Malaysia, and neighboring regions illustrate how a job search that begins with “a single click” can end in trafficking and confinement, a deeply tragic reality.

To fundamentally prevent such harm, legal measures alone are insufficient. Effective prevention requires continuous threat monitoring, active suspect tracking and real-time information-sharing mechanisms among platforms, governments, and investigative agencies.

Conclusion

The analyses presented in this report underscore not only the technical necessity of detection but also the broader societal mission of safeguarding lives and preventing crime. Through its Suspect Tracker (ST) and integrated feature-based analytics, StealthMole aims to achieve:

• early warning at the initial post level
• deep profiling at the suspect level.

This represents more than technological advancement, it reflects the vital role of intelligence in preventing further victims and reducing suffering.

StealthMole will continue contributing to a safer digital ecosystem through persistent monitoring of illegal recruitment activity, data-driven response strategies, and strengthened international cooperation against human-trafficking–oriented scams.