Valentine’s Day 2026: Inside the Industrial-Scale Romance Scam Economy

The $1.3 Billion Valentine’s Day Threat You Haven’t Seen Coming

As Valentine’s Day approaches, millions of Americans will turn to dating apps looking for love. Many will find something else entirely: an encounter with one of over 630,000 cybercriminals actively operating romance scams at industrial scale.

This isn’t hyperbole. SpyCloud’s investigations team analyzed years of cybercrime telemetry from infostealer malware infections and identified more than 630,000 unique threat actors whose digital footprint spans three telltale categories: cybercrime forums, dating and social platforms, and cryptocurrency exchanges. That operational signature — learning criminal tradecraft, targeting victims on dating apps, and laundering proceeds through crypto — is the fingerprint of romance scam operators.

Even more striking: over 10,000 actors showed activity across all five infrastructure categories we track, including VPN/proxy services for anonymization and identity theft resources for building fake personas. These aren’t opportunistic catfishers. They’re professionals.

Romance scams are now the fastest-growing fraud category globally, with U.S. losses exceeding $1.3 billion annually according to the FTC — and that figure dramatically understates reality, since most victims never report their losses. The FBI reports average losses between $10,000 and $50,000 per victim, with some losing their entire life savings.

What changed? Everything.

From Catfishing to Call Centers: The Industrialization of Heartbreak

The romance scams of a decade ago were cottage operations — individual fraudsters running one or two personas from internet cafes. Today’s operations look more like enterprise sales departments, complete with CRM systems, shift work, quotas, and quality assurance reviews.

SpyCloud’s analysis of the criminal ecosystem reveals a highly interconnected network. Our domain correlation data shows:

• Network density of 0.73 across 140 key criminal infrastructure domains — meaning actors don’t silo into single platforms; cross-platform activity is the norm
• 4.7 million shared actors between Facebook and PayPal alone — the pipeline from victim contact to money extraction
• Strong correlation between dating platforms and cryptocurrency exchanges, confirming that crypto is the preferred extraction method

These operations run like professional call centers. Workers operate in shifts to provide 24/7 coverage across time zones. Different specialists handle different phases of the scam — initial contact, relationship building, the financial ask, and money movement. Supervisors review conversation logs and provide coaching to maximize extraction.

The compound model is well-documented. The October 2025 DOJ indictment of Chen Zhi, chairman of Prince Group, described “prison-like compounds” in Cambodia where trafficked workers operated “phone farms with thousands of phones and millions of mobile numbers.” Ledgers tracked profits by room and scheme. The $15 billion Bitcoin forfeiture in that case — the largest in DOJ history — offers a glimpse at the scale we’re dealing with.

The Six-Phase Playbook: How Romance Scams Actually Work

Understanding the attack chain is the first step to defending against it. Modern romance scams follow a remarkably consistent six-phase playbook:

Phase 1: Initial Contact

Scammers cast wide nets across dating apps (Tinder, Bumble, Hinge, Match), social media (Instagram, Facebook, LinkedIn), and direct channels like SMS and WhatsApp. The “wrong number” text has become a signature move — a low-commitment opener that can lead anywhere.

First messages are warm, light and non-threatening. The goal is simply to get a response.

Phase 2: Love Bombing

Once contact is established, scammers move fast to create emotional dependency. They express intense feelings within days or weeks, shower victims with constant attention, and create a sense of profound connection.

“I’ve never felt this way before.”
“You’re different from everyone else.”
“I feel like we were meant to meet.”

This rapid intimacy isn’t natural — it’s engineered. And increasingly, it’s AI-assisted.

Phase 3: Trust Building

Over weeks or months, scammers establish credibility through daily check-ins, shared “personal” stories, and discussions of future plans together. They mirror the victim’s values, interests and communication style with uncanny precision.

This is where stolen data becomes weaponized. Sophisticated operations research targets before first contact, building dossiers from social media, public records, and data broker information. They know your income range, your recent divorce, your travel interests, your communication style. The “coincidental” alignment of values isn’t coincidence.

Phase 4: Isolation

As trust deepens, scammers encourage secrecy.

“They won’t understand our connection.”

“Let’s keep this between us for now.”

Communication moves to encrypted apps like WhatsApp or Telegram — platforms with less moderation and fewer safety features.

The goal is to remove external reality checks. Friends and family who might spot red flags are systematically excluded from the relationship.

Phase 5: The Financial Ask

This is the pivot point. Requests typically take one of two forms:

Emergency-based: A medical crisis, legal trouble, being stranded overseas, customs fees for gifts being shipped. The emotional hook is established; now comes the extraction.

Investment-based (Pig Butchering): Rather than emergency requests, the scammer introduces “investment opportunities” — typically cryptocurrency trading platforms showing fabricated returns. “I’ve been making great money on this platform. Let me teach you.”

Pig butchering (杀猪盘 / shā zhū pán—literally “butchering the pig”) involves “fattening” victims over time before the slaughter. Early investments show gains. Small withdrawals are permitted to build confidence. Then, when the victim commits significant funds, the trap closes.

Phase 6: Extraction and Exit

The endgame varies. Some scammers ghost after receiving funds. Others continue the relationship to extract more. A particularly cruel variation is the “recovery scam”—someone posing as law enforcement or a victim advocate offers to help recover stolen funds, for a fee.

If intimate content was shared, sextortion may follow.

AI Has Changed Everything

The most significant evolution in romance scams is the weaponization of artificial intelligence. Our research identified several distinct AI use cases now common in these operations:

LLM-Powered Conversation Management

Large language models allow a single operator to maintain emotionally intelligent conversations with 50+ victims simultaneously. The AI tracks relationship history, personal details, and emotional triggers. It adapts writing style to mirror each victim’s communication patterns.

TRM Labs documented operations using ChatGPT and Claude APIs integrated with Telegram bots. AI service vendors in scam ecosystems grew 1,900% between 2021-2024.

The result: conversations that feel personally attentive even when they’re industrially scaled. The “script fatigue” that used to expose scammers — repetitive phrasing, context mismatches — is increasingly absent.

Real-Time Deepfake Video Calls

Video calls used to be the ultimate verification. Not anymore.

Platforms like Haotian AI, which has received at least $3.9 million in cryptocurrency payments (nearly half traced to sanctioned scam marketplace Huione Guarantee), offer real-time face-swapping during live video calls. Features include 50+ adjustable facial parameters, integration with WhatsApp and Zoom, and natural handling of blinking, smiling, and talking.

In October 2025, Korean authorities arrested a couple operating from Cambodia who defrauded over 100 victims of $8.8 million using deepfake video calls.

The implications are profound: seeing is no longer believing.

OSINT Automation for Target Selection

Before the first “accidental” wrong number text, sophisticated operations run automated reconnaissance. They scrape LinkedIn for income signals, Instagram for lifestyle and relationship status, public records for property ownership and divorce filings, even obituaries to identify recent widows and widowers.

AI processes this data into target dossiers: estimated net worth, emotional state, interests to mirror, communication style to match, optimal approach vector. The “coincidence” of a new contact who shares your exact values and has experienced similar loss is no coincidence at all.

The Infrastructure Behind the Scams

Romance scams don’t operate in isolation. SpyCloud’s research reveals a sophisticated support ecosystem:

Telegram Marketplaces

Guarantee services on Telegram function as criminal shopping malls. Huione Guarantee processed $24-27 billion in transactions before being banned in May 2025 — the largest illicit marketplace ever documented. Services included victim personal data, money laundering, deepfake tools, and even GPS-tracking shackles for trafficking victims working in compounds.

After the ban, volume migrated to alternatives like Tudou Guarantee (now ~289,000 users) and Xinbi Guarantee. The ecosystem adapts faster than enforcement can follow.

Bulletproof Hosting

The fake trading platforms used in pig butchering scams require infrastructure. Funnull Technology, sanctioned by OFAC in May 2025, hosts the “majority of virtual currency investment scam websites reported to FBI.” The company practices “infrastructure laundering” — purchasing legitimate IP addresses from AWS and Microsoft, then reselling to criminals.

Identity Resources

Our analysis identified 23 identity-theft related domains in the scammer infrastructure network, including SSN lookup services and people-search sites. These resources enable the creation of synthetic personas with realistic-seeming backgrounds and the targeting of high-value victims.

The Human Cost

Statistics obscure individual tragedy. Behind every data point is a person who trusted someone who didn’t exist.

Victims span all demographics, but certain groups are disproportionately targeted:

• Ages 55-64 show the highest median losses ($9,000+)
• Recently widowed individuals are specifically targeted, often identified through obituary monitoring
• Divorced individuals seeking fresh starts
• Socially isolated individuals with limited external reality checks

The psychological devastation often exceeds the financial loss. Victims lose not just money but their belief in their own judgment. Many never report, embarrassed to admit they were deceived. Those who do often face skepticism — the false assumption that “smart people” don’t fall for these scams.

The truth: these operations employ professional psychological manipulation. Anyone can be targeted, and the sophisticated use of AI makes detection increasingly difficult.

Defending Yourself and Your Organization

Individual Red Flags

Communication patterns:

• Refuses video calls or has persistent “technical issues” (even as deepfakes improve, this remains a tell)
• Pushes to move off dating apps to encrypted messaging quickly
• Expresses intense feelings unusually fast
• Always has excuses for not meeting in person
• Stories that don’t quite add up or change over time
• Agrees with everything you say — too perfect

Financial warning signs:

• Any request for money, regardless of the reason or relationship length
• Mentions of crypto investments or trading platforms
• Requests for gift cards, wire transfers, or cryptocurrency
• “Emergencies” requiring immediate funds
• Screenshots showing investment returns

Identity indicators:

• Photos that look too professional or model-quality
• Limited photo variety (same outfits, similar poses)
• Reverse image search returns hits elsewhere
• Social media profiles that are new or sparse

Verification Steps That Still Work

1. Reverse image search all photos shared — use Google Images, TinEye and Yandex
2. Challenge deepfakes by asking for specific real-time actions: wave hand slowly in front of face, move to different lighting, write something specific on paper and show it, interact with a physical object
3. Verify independently: call their claimed employer, search professional registrations, use military verification services for claimed service members
4. Involve trusted others: share relationship details with friends and family early; don’t keep the relationship secret

Organizational Implications

For enterprises, romance scams present several risks:

Employee targeting: Executives and employees with access to financial systems may be specifically targeted. The emotional compromise of an individual can become a business compromise.

Money mule recruitment: Employees may unwittingly participate in money laundering, moving funds for romantic partners who are actually scam operations.

Data exposure: Employee personal information in breached data or available through data brokers can be weaponized for targeting.

SpyCloud’s research shows strong correlation between credentials appearing in infostealer logs and subsequent use in scam operations. Monitoring for employee exposure — and providing education about romance scam tactics — should be part of enterprise security programs.

The Bigger Picture

Romance scams are a symptom of larger trends: the industrialization of cybercrime, the weaponization of AI for social engineering, and the persistent gap between criminal innovation and defensive capability.

The 630,000+ actors we identified aren’t going away. The infrastructure supporting them — Telegram marketplaces, bulletproof hosting, deepfake services, identity theft resources — continues to evolve. And the human vulnerabilities these scams exploit — loneliness, the desire for connection, the willingness to trust — are constants.

What can change is awareness. Understanding how these operations work — their scale, their sophistication, their tactics — is the first step toward defense. Not just individual defense, but collective awareness that protects the people we care about.

This Valentine’s Day, the most romantic thing you might do is have a frank conversation with someone you love about the realities of online dating fraud. It’s not about distrust. It’s about protection.

Because in 2026, love bombing isn’t romance. It’s reconnaissance.