As Valentine’s Day draws near, millions of Americans will flock to dating apps in search of love. Unfortunately, many will instead encounter one of over 630,000 cybercriminals actively engaged in romance scams at an industrial scale.
This assertion is based on solid evidence. SpyCloud’s investigative team has analyzed years of cybercrime telemetry from infostealer malware infections, identifying more than 630,000 unique threat actors. Their digital footprints reveal a troubling pattern across three distinct categories: cybercrime forums, dating and social platforms, and cryptocurrency exchanges. This operational signature learning criminal tradecraft, targeting victims on dating apps, and laundering proceeds through cryptocurrency marks these individuals as romance scam operators.
Even more alarming is that over 10,000 of these actors have shown activity across all five categories of infrastructure we monitor. This includes VPN and proxy services for anonymization, as well as identity theft resources for creating fake personas. These are not amateur catfishers; they are professionals.
Romance scams have become the fastest-growing category of fraud globally, with U.S. losses surpassing $1.3 billion annually according to the Federal Trade Commission. This figure likely underrepresents the reality, as many victims do not report their losses. The FBI reports average losses ranging from $10,000 to $50,000 per victim, with some individuals losing their entire life savings.
What has changed? Everything.
From Catfishing to Call Centers: The Industrialization of Heartbreak
Romance scams a decade ago were typically small-scale operations, with individual fraudsters running one or two personas from internet cafes. Today’s operations resemble corporate sales departments, complete with customer relationship management systems, shift work, quotas, and quality assurance reviews.
SpyCloud’s analysis of the criminal ecosystem reveals a highly interconnected network. Our domain correlation data indicates the following:
- Network density of 0.73 across 140 key criminal infrastructure domains, indicating that actors do not operate on isolated platforms; cross-platform activity is commonplace.
- 4.7 million shared actors between Facebook and PayPal, creating a clear pipeline from victim contact to financial extraction.
- Strong correlation between dating platforms and cryptocurrency exchanges, confirming that cryptocurrency is the preferred method for extracting funds.
These operations function similarly to professional call centers. Workers operate in shifts to provide around-the-clock coverage across various time zones. Different specialists manage specific phases of the scam, including initial contact, relationship building, the financial request, and the movement of money. Supervisors review conversation logs and offer coaching to maximize financial extraction.
The compound model is well documented. An October 2025 indictment from the Department of Justice described “prison-like compounds” in Cambodia, where trafficked workers operated “phone farms” with thousands of devices and millions of mobile numbers. Profit ledgers tracked earnings by room and scheme. The $15 billion forfeiture of Bitcoin in that case the largest in DOJ history offers insight into the scale of this operation.
The Six-Phase Playbook: How Romance Scams Actually Work
Understanding the attack chain is the first step in defending against it. Modern romance scams typically follow a consistent six-phase playbook:
Phase 1: Initial Contact
Scammers cast wide nets across dating apps (such as Tinder, Bumble, Hinge, Match), social media (including Instagram, Facebook, and LinkedIn), and direct channels like SMS and WhatsApp. The “wrong number” text has become a common tactic a low-commitment opener that can lead to further engagement.
Initial messages are warm, light, and non-threatening, aimed solely at eliciting a response.
Phase 2: Love Bombing
Once contact is made, scammers move quickly to create emotional dependency. They express intense feelings within days or weeks, showering victims with attention and fostering a sense of deep connection.
Statements such as: “I’ve never felt this way before.” or “You’re different from everyone else.” are common. This rapid intimacy is not organic; it is engineered, and increasingly, it is assisted by artificial intelligence.
Phase 3: Trust Building
Over the course of weeks or months, scammers work to establish credibility through daily check-ins, shared “personal” stories, and discussions about future plans. They closely mirror the victim’s values, interests, and communication style.
This is where stolen data becomes a weapon. Sophisticated operations often research targets before making contact, building dossiers from social media, public records, and data broker information. They may know your income range, recent relationship status, travel interests, and communication style. The seemingly coincidental alignment of values is anything but.
Phase 4: Isolation
As trust deepens, scammers promote secrecy in the relationship.
Statements like: “They won’t understand our connection.” or “Let’s keep this between us for now.” become prevalent. Communication shifts to encrypted apps like WhatsApp or Telegram platforms with less moderation and fewer safety features.
The aim is to eliminate external reality checks. Friends and family who might notice red flags are systematically excluded from the relationship.
Phase 5: The Financial Ask
This phase marks a crucial turning point. Requests typically take one of two forms:
Emergency-based: Scammers may claim to face a medical crisis, legal trouble, or customs fees for gifts being shipped. The emotional hook is established, paving the way for financial extraction.
Investment-based (Pig Butchering): Instead of emergency requests, scammers introduce investment opportunities, often through fabricated cryptocurrency trading platforms. Victims may hear, “I’ve been making great money on this platform. Let me teach you.”
Pig butchering, which literally means “butchering the pig,” involves gradually “fattening” victims over time before making the final extraction. Initial investments may show gains, and small withdrawals are allowed to build confidence. Eventually, when significant funds are committed, the trap closes.
Phase 6: Extraction and Exit
The endgame can vary. Some scammers may ghost their victims after receiving funds, while others may continue the relationship to extract even more. A particularly cruel variation is the “recovery scam,” where someone posing as law enforcement or a victim advocate offers assistance in recovering stolen funds at a fee.
If intimate content was shared, sextortion may follow.
AI Has Changed Everything
The most significant evolution in romance scams is the use of artificial intelligence. Our research has identified several distinct AI applications that are now common in these operations:
LLM-Powered Conversation Management
Large language models enable a single operator to maintain emotionally intelligent conversations with over 50 victims simultaneously. The AI tracks relationship history, personal details, and emotional triggers, adjusting its writing style to mirror each victim’s communication patterns.
Recent documentation has shown operations utilizing ChatGPT and Claude APIs integrated with Telegram bots. The number of AI service vendors in scam ecosystems surged by 1,900% between 2021 and 2024.
The result is conversations that feel personally engaging, even while being scaled industrially. The “script fatigue” that used to reveal scammers repetitive phrasing and context mismatches is increasingly absent.
Real-Time Deepfake Video Calls
Video calls used to serve as the ultimate verification method, but that is no longer the case.
Platforms like Haotian AI, which has received significant cryptocurrency payments, offer real-time face-swapping during live video calls. Features include over 50 adjustable facial parameters and integration with popular apps like WhatsApp and Zoom, allowing for natural blinking, smiling, and talking.
In October 2025, Korean authorities arrested a couple operating from Cambodia who defrauded over 100 victims of $8.8 million using deepfake video calls.
The implications are profound: seeing is no longer believing.
OSINT Automation for Target Selection
Before the first “accidental” wrong number text, sophisticated operations conduct automated reconnaissance. They scrape LinkedIn for income signals, Instagram for lifestyle insights, public records for property ownership and divorce filings, even obituaries to identify recent widows and widowers.
AI processes this data into target dossiers that include estimated net worth, emotional state, interests to mirror, communication style to match, and optimal approach strategies. The coincidence of a new contact sharing your exact values and experiences is calculated, not random.
The Infrastructure Behind the Scams
Romance scams do not operate in a vacuum. SpyCloud’s research uncovers a sophisticated support ecosystem:
Telegram Marketplaces
Guarantee services on Telegram function as criminal shopping malls. Huione Guarantee processed between $24 billion and $27 billion in transactions before being banned in May 2025, marking it as the largest illicit marketplace ever recorded. Services offered included victim personal data, money laundering, deepfake tools, and even GPS-tracking devices for trafficking victims.
After the ban, activity quickly shifted to alternatives like Tudou Guarantee, which now has approximately 289,000 users, and Xinbi Guarantee. The ecosystem adapts faster than enforcement can keep pace.
Bulletproof Hosting
The fake trading platforms utilized in pig butchering scams require robust infrastructure. Funnull Technology, sanctioned by the Office of Foreign Assets Control in May 2025, hosts the majority of virtual currency investment scam websites reported to the FBI. The company engages in “infrastructure laundering,” purchasing legitimate IP addresses from service providers and then reselling them to criminals.
Identity Resources
Our analysis has identified 23 identity theft-related domains within the scammer infrastructure network, including social security number lookup services and people-search sites. These resources facilitate the creation of synthetic personas with seemingly realistic backgrounds and enable targeting of high-value victims.
The Human Cost
Statistics often obscure individual tragedies. Behind every data point lies a person who placed their trust in someone who does not exist.
Victims encompass all demographics, but certain groups are disproportionately affected:
- Ages 55-64 showcase the highest median losses, exceeding $9,000.
- Recently widowed individuals are particularly targeted, often identified through obituary monitoring.
- Divorced individuals seeking fresh starts also fall victim.
- Socially isolated individuals with limited external reality checks are prime targets.
The psychological toll often surpasses the financial loss. Victims not only lose money but also their faith in their own judgment. Many choose not to report their experiences due to embarrassment over being deceived. Those who do report often encounter skepticism, as there is a false belief that “smart people” do not fall for these scams.
The reality is that these operations employ advanced psychological manipulation techniques. Anyone can become a target, and the sophisticated use of AI makes detection increasingly challenging.
Defending Yourself and Your Organization
Individual Red Flags
Communication patterns:
- Refusal to engage in video calls or persistent “technical issues” even as deepfake technology improves, this remains a red flag.
- Pressure to move off dating apps to encrypted messaging platforms quickly.
- Expressions of intense feelings at an unusually rapid pace.
- Constant excuses for not meeting in person.
- Stories that lack consistency or change over time.
- Excessive agreement with everything you say too perfect.
Financial warning signs:
- Any request for money, regardless of the relationship's duration.
- Mentions of cryptocurrency investments or trading platforms.
- Requests for gift cards, wire transfers, or cryptocurrency.
- Claims of “emergencies” requiring immediate funds.
- Screenshots purportedly showing investment returns.
Identity indicators:
- Photos that appear overly professional or model-like.
- Limited variety in photos (same outfits, similar poses).
- Reverse image searches yielding hits elsewhere.
- New or sparse social media profiles.
Verification Steps That Still Work
- Conduct a reverse image search on all shared photos using tools like Google Images, TinEye, and Yandex.
- Challenge deepfakes by requesting specific real-time actions: wave a hand slowly in front of the face, change lighting, write something specific on paper, and show it, or interact with a physical object.
- Verify independently: contact their claimed employer, search for professional registrations, or use military verification services for individuals claiming military service.
- Involve trusted others: share relationship details with friends and family early; do not keep the relationship secret.
Organizational Implications
For businesses, romance scams pose several risks:
Employee targeting: Executives and employees with access to financial systems may be specifically targeted. The emotional compromise of an individual can lead to a business compromise.
Money mule recruitment: Employees may unknowingly partake in money laundering, transferring funds for romantic partners who are actually part of scam operations.
Data exposure: Employee personal information in breached data or accessible through data brokers can be weaponized for targeting.
SpyCloud’s research indicates a strong correlation between credentials found in infostealer logs and their subsequent use in scam operations. Monitoring for employee exposure and educating staff about romance scam tactics should be integral to enterprise security programs.
The Bigger Picture
Romance scams are symptomatic of broader trends: the industrialization of cybercrime, the weaponization of AI for social engineering, and the ongoing gap between criminal innovation and defense capabilities.
The over 630,000 actors identified are not going anywhere. The infrastructure supporting them Telegram marketplaces, bulletproof hosting, deepfake services, and identity theft resources continues to evolve. Additionally, the human vulnerabilities these scams exploit loneliness, the desire for connection, and the inclination to trust remain constant.
What can change is awareness. Understanding how these operations function, including their scale, sophistication, and tactics, is vital for defense. This understanding is essential not just for individual protection but also for fostering collective awareness that safeguards those we care about.
This Valentine’s Day, consider having an open conversation with someone you love about the realities of online dating fraud. It is not about fostering distrust; it is about ensuring protection.
In 2026, love bombing is no longer a romantic gesture; it has become reconnaissance.
