This forensic report provides an in-depth look at the AK Scam Group infrastructure and the associated Milton Group networks.
Last Updated: March 3, 2026
Lead Investigator: Scamreader Investigations Team
Subject: Technical mapping of the AK Scam Group and associated “Boiler Room” networks.
| Stage | Scam Process | What Happens |
| 1 | Fake Ad / News Site | Victims encounter fake news articles or online advertisements promoting a supposedly profitable automated trading opportunity. |
| 2. | Contact Details Captured | The victim submits their name, email, and phone number through a sign-up form, unknowingly entering the scam network’s lead database. |
| 3 | Fake Broker Website | The victim is directed to a professional-looking trading platform designed to imitate legitimate financial institutions and regulated brokers. |
| 4. | High-Pressure Calls | A “financial manager” contacts the victim and uses persuasive, high-pressure tactics to encourage an initial investment. |
| 5 | Small Deposit ($250) | The victim is asked to make a small starting deposit, typically around $250, to activate their trading account. |
| 6 | Fake Profits Displayed | The platform is manipulated to show fabricated trading gains, creating the impression that the investment is performing extremely well. |
| 7 | Trust-Building Withdrawal | To increase confidence, the victim is encouraged to withdraw a portion of the apparent profits while leaving some funds in the trading account. This withdrawal is processed successfully, and money is sent to the victim’s bank account, reinforcing the illusion that the platform is legitimate. |
| 8 | Large Deposits ($10K–$20K+) | Encouraged by the apparent success, the victim is persuaded to deposit much larger amounts in order to “maximize profits.” |
| 9 | Withdrawal Blocked | When the victim later attempts to withdraw larger sums, the platform suddenly prevents the transaction. |
| 10 | Fake Fees & “Taxes” | The victim is told that withdrawals require additional payments such as taxes, liquidity fees, or processing charges. Even after paying, the funds remain inaccessible. |
| 11 | Recovery Scam | Once suspicion arises, the victim’s details may be passed to a questionable “recovery service,” such as CNC Intelligence(cncintel.com). The company demands an upfront payment but ultimately does not recover any funds. |
Our Investigation Methodology: Cyber Forensics, IP Clustering & DNS Mapping
This report is the result of a multi-month forensic investigation conducted on behalf of several affected Australian citizens alongside a Dutch national. Unlike generic review sites, our data is pulled from direct IP cluster analysis, forensic source code analysis, and DNS history tracking.
We have mapped the transition from “bait-and-switch funnels” to “broker platforms” or “crypto exchange platforms” to provide a definitive blueprint of how these syndicates operate in 2026.
1. The Anatomy of the Scam: A Three-Tiered System
In 2026, online trading fraud is no longer a single website; it is an integrated ecosystem comprising multiple domains. To protect your capital, you must understand the three layers of the trap:
- The Funnels (The Bait): High-traffic “news” sites using tactics such as deepfakes (Elon Musk, Mark Rutte) to capture your contact details.
- The Clones (The Mask): Sites that look identical to regulated brokers, banks, and other financial institutions to build immediate trust.
- The Boiler Rooms (The Kill): Finally, the dubious platforms rely on aggressive, high-pressure phone tactics to convince victims to deposit money. In most cases, they begin by asking for a relatively small amount (for example, around $250).
After the initial deposit, they manipulate the trading platform to display fake profits. To build trust, they may even allow a small withdrawal to go through successfully. When you see money arrive in your bank account, it creates confidence and encourages you to continue.
At this stage, the so-called “financial advisor” will urge you to invest more so you can “earn even greater profits.” Victims are often encouraged to deposit much larger sums, sometimes $20,000 or more. Although the platform will continue showing profits, withdrawing the funds will no longer be as simple as before.
Instead, you will be told that you must first pay various charges such as “taxes,” “processing fees,” or other fabricated costs. Even after paying these fees, access to your funds never materializes.
Dubious Recovery Agencies
Once the scammers realize that you have begun to suspect the fraud, they may pass your details to a questionable entity that poses as a “recovery agency”. CNC Intelligence (cncintel.com) is a good example of such disreputable firms
These entities typically request an upfront payment to recover the lost funds, but after the fee is paid, no recovery ever takes place, leaving victims further out of pocket.
2. 2026 Master Scam Intelligence Database
1. Executive Summary
The questionable entities together with their domains listed below represent a unified, industrial-scale Scam-as-a-Service (SaaS) ecosystem. Our analysis confirms that these firms are not isolated fraudulent actors but are interconnected nodes within the A.K. Group
infrastructure (frequently associated with the massive Milton Group/Morgan Limited/Gekko scam empires).
The architecture is designed for high-velocity deployment, utilizing “Funnels” to harvest data, “Clones” to establish false trust, and “Boiler Rooms” to execute financial extraction.
AK Infrastructure: Mapping Funnels, Boiler Rooms, and Shared IP Clusters
Use Ctrl+Fto search for specific entities or domains. This list is updated weekly as new mirrors emerge.
| Category | Known Fraudulent Domains | Primary Red Flags |
| Scam crypto-trading platform | bchworld.com, bchworldue.net, bchworldex.com. | High-pressure call tactics. Insisted that victims install AnyDesk or TeamViewer on their computers or phones. AbyDesk and TeamViewer gave the scammers total control over your device, allowing them to see your bank login details, bypass Two-Factor Authentication (2FA), and transfer money out of your accounts while you watch. |
| Fake trading platform | sbglobal.io, sb-global.net, stonebridgeventures.com, stonebridgeventures.net | Tricking victims to install AnyDesk or TeamViewer, allowing scammers to see their bank login screens and bypass security to drain their accounts. The use of fake celebrity endorsements is another red flag. |
| High-Activity Funnel | immediate-edge.io, quantumai.pro | Deepfake video ads; “v3” iterations targeting EU citizens. |
| High-Activity Funnel | yuanpaygroup.com, digital-yuan.org | Exploits “Digital Yuan” CBDC rumors to lure investors. |
| Malicious Clone | gemini2.co, gemniai.com, hiring-gemini.com | Phishing: Mimics the US exchange to drain crypto wallets. |
| Malicious Clone | dukasbanc.com, duksp.com, dukascopychn.com | Impersonates the Swiss Dukascopy Bank; unregulated. |
| Malicious Clone | fxsadmiral.com, admiral-fx.com, admiralsfx.org | Uses the real license number of Admiral Markets (Admirals). |
| Malicious Clone | ubsinvesting.com, ubs-am-uk.com, ubs-tradingdesk.com | Offers fake “Fixed Rate Bonds” using UBS Group AG branding. |
| Fake Brand | hancockwealth.org, loophole-to-riches.com | Uses Gina Rinehart deepfakes to sell non-existent shares. |
| Boiler Room | finzilo.com, finxocap.com, finxo-cap.io | MAA Scams: Uses “Managed Account Agreements” to zero out balances. |
| Boiler Room | axetradecapital.com, axecapital.systems | Affinity Fraud: Uses the show Billions for false prestige. |
| Boiler Room | bprotrade.co, trading.bprotrade.io | Remote Access: Demands AnyDesk to “assist” with transfers. |
| Boiler Room | quantrixcapital.net, finomarkets.com | Simulated Gains: Displays fake profits that don’t exist on the market. |
PumaTS
Many used a backend software called PumaTS, which allowed scammers to manipulate the graphs victims saw on their screens. This made it look like they were winning when the money had already been stolen. Airsoft is another trading software that was common with these fake platforms.
The Lead Generation Layer: High-Activity Funnels
The operation began with High-Activity Funnels, such as YuanPay Group(yuanpaygroup.com, digital-yuan.org), Quantum AI(quantumai.pro) and Immediate Edge(immediate-edge.io & immediateedge.net), and Stone Bridge Ventures(sbglobal.io).
These websites falsely posed as legitimate investment advice platforms, trading platforms, or exchanges. Watch out as some of these platforms are still actively targeting people. These include Immediate Edge(immediateedge.net), BProFX (bprofx.com), and Milton Markets (miltonmarkets.com)
These sites were strategically engineered as “feeder” systems designed to harvest Personally Identifiable Information (PII) from potential targets. On the surface, they offered investment advice, trading solutions, or crypto exchange services. In reality, they functioned as funnels directing victims into the scam ecosystem.
While they utilized Cloudflare to mask their true points of origin, deeper historical DNS tracking reveals frequent backend leaks to specific IP ranges in Cyprus(91.235.128.0/22 and 185.225.112.0/22) and Ukraine(194.44.0.0/16 and 193.239.0.0/18). This infrastructure confirms their role as the primary data-collection arm for AK LTD call centers, funneling high-intent leads directly into the scam ecosystem.
The Deception Layer: Malicious Clones
Once a lead was captured, the network utilized Malicious Clones to establish a veneer of legitimacy. Impersonating trusted brands like Gemini, Dukaskopy, or UBS, these fake domains relied on a shared development pipeline.
Our forensic source code analysis showed a recurring use of common JavaScript obfuscation techniques and, more tellingly, identical API endpoints. These endpoints were hard-coded to integrate with specific CRM(PumaTS/the Puma Trading System)and communication systems like Voiso and SquareTalk.
The Extraction Layer: Boiler Room Support
The final and most aggressive stage of the operation was managed through Boiler Room Support sites, including Finzilo (finzilo.com), Axe Capital (axecapital.systems or axecapital.it), Aura-Solutions (aura-solutions.co), and Gann Markets (gannmarkets.com).
These served as the “Direct Operations” where the actual financial theft occurred.
To evade Western law enforcement, these sites were typically hosted on offshore servers in St. Vincent and the Grenadines or Mauritius.
Technically, they are characterized by high-rotation VOIP configurations and the integration of remote-access backdoors (like AnyDesk prompts). These platforms hosted the simulated trading dashboards that displayed fake profits, serving as the psychological engine used to extort “taxes” or “release fees” from victims.
The Escalation Loop: Clients requesting a withdrawal were transferred from an ‘Account Manager’ to a ‘Compliance Officer,’ who would stall the process for months until the platform was eventually shuttered.
3. Technical “Tells” & Infrastructure Warnings
Our forensic tracking has identified three recurring technical patterns used by the AK Scam Group:
- IP Clustering: Many domains resolve to the same hidden IP ranges behind Cloudflare.
- Aged Domains: Scammers preferred purchasing existing, older domains rather than registering new ones to bypass modern email spam filters. Most of the above domains were registered in the late 90s and early 2000s.
4. Frequently Asked Questions (FAQ)
Q: Can I get my money back from a “Withdrawal Wall”?
A: No. If a broker asks for a “tax” or “activation fee” to release your funds, it is a 100% indicator of fraud. Paying this fee will only lead to further demands.
Q: Why does the site show I am making profits?
A: Most of these platforms use “Simulated Dashboards.” The numbers you see are manually entered by the scammer to encourage larger deposits. They are not tied to real market data.
Take Action: Protect Your Assets
- Verify via Regulators: Always cross-check a broker’s credentials with the relevant financial regulator.
- Never Grant Remote Access: Legitimate firms will never ask you to download and install a remote desktop software such as AnyDesk, TeamViewer, or ZoHo Assist.
- Report the Fraud: If you have been targeted, contact your local cybercrime unit and your bank’s fraud department immediately.
NOTE: This report is part of an ongoing investigation. If you have information regarding new domains or entities, please contact our lead investigator(scamread@scamreader.info) or go to our Reporting Page and fill out the form.