Sovereignty as the last firewall: why the world's cybercrime crisis is now a governance crisis
Something fundamental has shifted in how criminal enterprises operate in the digital age, and the world's institutions have not caught up. What is unfolding in Sri Lanka — beach resorts and apartment blocks converted into industrial fraud factories, foreign nationals running scam operations on tourist visas, billions in illicit proceeds flowing through informal transfer networks — is not a law enforcement failure unique to one island nation. It is a symptom of a structural condition that now afflicts dozens of countries across the Indo-Pacific, West Africa, Eastern Europe and Latin America.
The condition has a name: sovereignty arbitrage. Criminal networks have learned to treat national borders not as obstacles but as instruments. They move when pressure rises. They embed where governance is thin. They exploit the gap between a country's formal legal commitments and its actual enforcement capacity. And they do it faster than any international body has yet managed to respond.
The UN had its chance. It did not take it.
The industry that outgrew its geography
To understand where we are, it helps to understand what these operations actually are. Scam compounds — the term that emerged from Cambodia, Myanmar and Laos — are not loosely organised gangs. They are enterprises. They have org charts, HR functions, quotas, scripts, shift systems and customer relationship management software. They traffic workers across borders and force them to run romance scams, fake investment platforms and crypto fraud operations against victims in the United States, Europe, India, China and beyond.
The UN Office on Drugs and Crime estimated in 2023 that these operations generate between $27 billion and $37 billion annually in Southeast Asia alone. That figure almost certainly understates the global picture, and it almost certainly has grown.
When Cambodia — under significant international and domestic pressure — began cracking down on the most visible compounds, the industry did not collapse. It decentralised. Myanmar's border regions absorbed some of it. The Philippines saw an influx. And now Sri Lanka, where a devastating economic crisis left buildings empty, regulatory bandwidth stretched and a population economically desperate enough to look the other way, has become the latest host environment.
More than 1,000 arrests in Sri Lanka in the first half of 2026 alone. Beach resorts on the west coast. A multistory apartment block near Colombo. One hundred and fifty foreign nationals in a single property. These are not anomalies. They are data points in a pattern of jurisdictional migration that is accelerating.
"In Sri Lanka there are issues with implementing our laws — they simply use tourist visas." — Dilrukshi Handunnetti, Director, Centre for Investigative Reporting Sri Lanka
The UN's structural failure
It is worth being precise about where the multilateral system has failed, because vague criticism of international institutions is easy and rarely useful.
The UN Convention Against Transnational Organized Crime — the Palermo Convention — has been in force for more than two decades. It provides a legal framework for cooperation on exactly this category of crime. It has not produced coordinated enforcement action against scam compound networks at anything approaching the speed or scale required.
The UN Convention Against Cybercrime, finalised in 2024 after years of negotiation, was heralded as a landmark. It may yet prove useful. But its negotiation was so heavily shaped by competing geopolitical interests — with authoritarian states using the process to embed surveillance legitimacy — that civil society organisations raised serious concerns about what had actually been agreed. And conventions, in any case, are instruments of aspiration. They establish norms. They do not deploy investigators, freeze assets, disrupt operations or protect victims.
What the UN system has produced, consistently, is projects. Capacity-building workshops. Technical assistance frameworks. Awareness campaigns. Reports with alarming statistics followed by recommendations that are noted, filed and insufficiently acted upon. The UNODC has done genuinely important documentary work on scam compound operations. That work has not translated into the kind of operational disruption that changes criminal calculus.
The gap between what the multilateral system can document and what it can actually do has become the single most exploited space in transnational crime. Criminal networks operate in real time. The UN operates on programme cycles.
Meanwhile, states that could act bilaterally — the United States, the United Kingdom, the European Union, Australia — have largely treated this as someone else's regional problem until the financial losses to their own citizens became impossible to ignore. Even then, the response has been reactive, fragmented and underresourced relative to the scale of what it is attempting to address.
Sovereignty: from vulnerability to weapon
Here is the paradox at the centre of this crisis: the same sovereignty that criminal networks exploit — the fact that no external actor can simply reach inside Sri Lanka, or Cambodia, or Myanmar and enforce law — is also the only instrument that can actually stop them.
International frameworks do not arrest people. National police forces do. International conventions do not raid apartment blocks. Domestic enforcement agencies do. The Budapest Convention on Cybercrime is only as effective as the willingness and capacity of its signatories to implement it within their own legal systems.
This reframes the problem in a way that has practical consequences. Cyber resilience is not primarily a technical challenge. It is a governance challenge. A country with strong institutions, credible rule of law, functional interagency coordination and political will to enforce against powerful criminal interests is inherently more cyber resilient than one with better technology but weaker governance. The firewall that matters most is not digital. It is institutional.
Fiji has demonstrated this logic in the Pacific context. The Cybercrime Act 2021, accession to the Budapest Convention, the National Cybersecurity and Resilience Strategy 2026–2031 — these are not just compliance exercises. They represent a deliberate choice to make sovereignty itself a mechanism of resistance. To say: this jurisdiction will not be arbitraged. The legal and enforcement cost of operating here is too high.
Sri Lanka is attempting the same turn, belatedly. The new cybercrimes unit, the interagency task force bringing together police, immigration and the central bank, the mass arrest operations — these are the architecture of a state asserting its sovereignty against criminal colonisation of its territory. Whether that assertion proves durable depends on whether it is sustained beyond the current moment of international scrutiny.
The attrition model — and why it changes everything
What makes this phase of the crisis qualitatively different from what came before is that criminal networks have now adopted what amounts to an attrition strategy against state enforcement capacity.
They do not need to defeat enforcement. They only need to outlast it. Move faster than arrest cycles. Relocate before raids are coordinated. Rebuild in new jurisdictions before the previous one has processed its caseload. The operational cost of moving is low. The operational cost of building new enforcement capacity in each new host country is high. As long as that asymmetry persists, the industry grows.
Sri Lanka is not the endpoint of this migration. It is a waypoint. Investigators are already tracking signs of operational presence in parts of South Asia, East Africa and the Western Balkans — jurisdictions with varying combinations of the factors that make a country attractive: connectivity, available space, informal finance networks, governance gaps, economic stress and limited international enforcement attention.
The attrition model also applies to victims. Every year, hundreds of thousands of people globally lose savings, businesses and in some cases their lives to these operations. The psychological and financial damage is cumulative and largely uncompensated. There is no meaningful international victim restitution framework. There is no global early-warning system that reaches ordinary people in the languages and formats they use before they are defrauded. The gap between the sophistication of the criminal operation and the sophistication of the protective infrastructure around potential victims has, if anything, widened.
What the business and investment community cannot afford to ignore
For the private sector, the migration of scam infrastructure into new jurisdictions is not a distant policy concern. It is an immediate operational and reputational risk.
Financial institutions face correspondent banking exposure in every jurisdiction where hawala networks are actively moving fraud proceeds. Transaction monitoring calibrated to previous risk environments will miss flows that have shifted to new corridors. Sri Lanka's well-established informal money transfer infrastructure, noted by investigators as a key attraction for criminal operators, means that the island's banking sector is now a potential vector for proceeds flowing in multiple directions.
Technology companies whose platforms are used for recruitment, communication and victim targeting — and that means most major social media, messaging and dating applications — are facing a scaling problem. The operational sophistication of scam networks has outpaced the content moderation and fraud detection architectures built to counter them. AI-generated personas, deepfake video calls, multilingual scripting and automated relationship management have raised the quality floor of fraud to the point where ordinary users cannot reliably distinguish criminal contact from legitimate human interaction.
Companies with regional operations or supply chains face a due diligence environment where the physical infrastructure of fraud — office space, connectivity, payment processing — is indistinguishable on paper from legitimate business services. The reputational cost of inadvertent proximity to these operations is non-trivial and, in some regulatory environments, legally material.
Investors conducting country risk assessments on Sri Lanka, or any other emerging host jurisdiction, need to price in the governance trajectory, not just the current enforcement snapshot. A country conducting mass arrests under international pressure is not the same as a country that has institutionally resolved the conditions that made it attractive to criminal operators in the first place.
A new architecture is needed — and states must build it
The honest conclusion is that the existing international architecture is not adequate to the problem. This is not a reason for despair. It is a specification for what needs to be built.
Effective response requires moving from project-based international assistance to operational partnership — real-time intelligence sharing, joint asset recovery mechanisms, coordinated disruption operations that impose genuine cost on criminal networks rather than simply displacing them to the next jurisdiction.
It requires making sovereignty legible as a security asset. Countries that demonstrate credible enforcement capacity — that genuinely close the gap between legal commitment and operational reality — should receive preferential access to correspondent banking relationships, investment frameworks and diplomatic partnerships. Sovereignty exercised as cyber resilience should be rewarded, not just applauded.
It requires honest reckoning with the UN's limitations. The Convention Against Cybercrime framework should be used where it is useful and supplemented aggressively where it is not. Regional bodies — the Colombo Security Conclave, ASEAN, the Pacific Islands Forum, the African Union's cybersecurity mechanisms — may prove more operationally nimble than global instruments and should be resourced accordingly.
And it requires the private sector to stop waiting. Financial institutions, technology platforms and major corporations have more real-time visibility into the flows and patterns of these operations than most governments. The choice to treat that intelligence as a compliance matter rather than a public safety matter is a choice — and increasingly an indefensible one.
The window is narrowing
Sri Lanka is at an inflection point. So, in a different way, is the international system. The scam compound industry has demonstrated that it can absorb enforcement pressure, adapt its geography and continue scaling. The question is not whether the response needs to change. It is whether the institutions capable of changing it will move before the industry moves again.
Criminal networks do not wait for the next funding cycle. They do not wait for conventions to be ratified or capacity-building programmes to be evaluated. They are already in the next jurisdiction, running the next operation, building the next compound.
The last line of defence — and in many cases, the only line that has actually worked — is a state that decides its sovereignty means something, and acts accordingly. The task for the international community is to make that decision easier, faster and more durable for every country that faces this pressure.
That is not a project. It is a mission. And it is overdue.
Analysis draws on reporting from Sri Lankan law enforcement, the Centre for Investigative Reporting Sri Lanka, UNODC estimates on Southeast Asian scam operations, the Budapest Convention implementation record, and open-source intelligence on scam compound migration patterns across the Indo-Pacific and beyond.