Bank of Thailand Freezes 3m Accounts, Sets Daily Transfer Limits to Curb Fraud
Posted4 months agoActive4 months ago
thaienquirer.comOtherstoryHigh profile
skepticalmixed
Debate
80/100
Banking RegulationsFraud PreventionFinancial Security
Key topics
Banking Regulations
Fraud Prevention
Financial Security
The Bank of Thailand has frozen 3 million bank accounts and imposed daily transfer limits to curb fraud, sparking debate about the measure's effectiveness and potential impact on the economy.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
35m
Peak period
123
0-6h
Avg / period
20
Comment distribution160 data points
Loading chart...
Based on 160 loaded comments
Key moments
- 01Story posted
Sep 14, 2025 at 11:05 AM EDT
4 months ago
Step 01 - 02First comment
Sep 14, 2025 at 11:40 AM EDT
35m after posting
Step 02 - 03Peak activity
123 comments in 0-6h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 16, 2025 at 9:05 PM EDT
4 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45240304Type: storyLast synced: 11/20/2025, 8:56:45 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
Its sad that these scams are so widespread today that a heavy handed approach like this is necessary. Unfortunately doing these attacks is incredibly cheap :(
It’s also a different kind of enemy. The biggest crime organization in Brazil has switched their primary focus from drug running to financial scams. They invest millions and set up legitimate companies with hundreds of employees to facilitate these schemes.
1. Banks need to own the risk, not the customer 2. Banks need to spend to defend 3. Laws need to make organized fraud catastrophically criminal.
There is a reason Singapore does not have this problem.
> It hit a record high last year, with $190.9 million stolen in such scams, more than five times the $36.9 million lost in 2019.
Can't find more recent concrete figures in a minute or two but their police are busting balls through international collaboration in 2025 so they must have a big problem still: https://therecord.media/asia-scam-center-takedowns-singapore...
I've seen bank defending people before with my own eyes. I was at a local branch doing some business and there was an old lady wanting to withdraw something like $50k to "pay a mortgage" or something, it was obvious she was scammed, the bank blocked her transaction and the teller was explaining to her she was scammed, and the old lady was shouting at the teller saying it was her money and they had no right to stop her. That's the thing, a lot of scam victims really don't believe they're scam victims until it's too late, and "it's their money, the bank has no right to stop them".
They can certainly try. I’ve had a handful of legit fraud instances on my accounts, banks detecting before I do has been close to a coin flip. On the other hand, I’ve had at least an order of magnitude more false positive detections of fraud.
The final solution was disabling the ATM network durimg night, except the ones located in safe places. Showing you are drawing money in a hurry in a lone hut in the night was a bad idea, anyways.
Unfortunately, whenever governments try to solve the wrench attack, they do so by removing the end user's control over their own stuff.
Why did they visit multiple ATMs?
To be honest, in my country I can also transfer all my liquid money (not countings stocks etc) with just my phone. The difference is that i'm not afraid of being kidnapped (it's safe here). And anyway, how much does normal person hold in the cash account? People living month-to-month don't have much anyway, while people with savings usually keep them in stocks/bonds/etc.
High value transfers should be subject to additional scrutiny to confirm it’s legitimate.
The hard part is making sure you balance that well enough so that you’re protecting against malaise without the bank then becoming a consumer problem themselves.
It will be interesting to see how well this works.
Couldn't find anything that indicated there was a mass freezing of legitimate accounts, or a singular complaint of an incident of that happening.
* Can't copy paste...is the article an image!?
I can't check right now, but I'm guessing they set `user-select: none` in CSS.
A browser is a 'User agent', as in it is supposed to act on MY behalf, and things in my intent and benefit. Similar agents are real estate agents, or attorneys as my agent.
So... For something that is MY agent, why are browsers creating, and instituting anti-agent choices against my will?
Barring excuses of "following the spec", I should be able to easily disable my user-agent's execution of said onerous code.
(I'm ignoring this for Google chrome. They're an adtech company, and they won in court as a monopoly. Fuck them.)
It's supposed to implement the spec. Why are you and many other people on this site so attached over the wording of "user agent"? It is supposed to mean the software making the request, it doesn't mean anything more than that.
As it happens, the relevant standard actually includes a response to this argument (https://www.w3.org/TR/css-ui-4/#valdef-user-select-none):
"As user-select is a UI convenience mechanism, not a copy protection mechanism, the UA may provide an alternative way for the user to explicitly select the text even when user-select is none.
Note: none is not a copy protection mechanism, and using it as such is ineffective: User Agents are allowed to provide ways to bypass it, it will have no effect on legacy User Agents that do not support it, and the user can disable it through the user style sheet or equivalent mechanisms on UAs that do anyway. Instead, none is meant to make it easier for the user to select the content they want, by letting the author disable selection on UI elements that are not useful to select. Tools such as CSS validators, linters or in-browser developer tools are encouraged to use heuristics to detect and warn against incorrect or abusive usage that would hamper usability or violate common user expectations."
Not neccessarily. For example, piracy is so harmful that it could still outway the cost to a user even with a multiplier given to the user's cost. For example the user's cost is 10 and the author's cost is 100. Even with a 5x priority for the user, the needs of the author outweigh it.
In fact the last thing you want to do is give criminals warning that you’re going to freeze their accounts. I’d imagine that would be extremely counterproductive for everyone bar those criminals.
But that doesn’t mean that freezing an account suspected of fraud isn’t the right course of action.
Yeah there’s going to be false positives. However that’s precisely why you freeze the account: to allow you time to follow due process and investigation. If you assumed the process was infallible then you wouldn’t need to freeze the account; you would just skip straight to the punishment and remediation stages ;)
> However that’s precisely why you freeze the account: to allow you time to follow due process
Due process comes before the actions.
But that would just mean they are very biased, since they are kind of defending their own money. Right now they are a bit more impartial.
If two people accounts were unjustly frozen (and they have to do some work to unlock them), and at the same time two hundred people life savings were saved, would that be OK with you?
I don't know about them, but there are plenty of ways for law enforcement to get mule account numbers. After all that's the whole point - actual criminals don't have to reveal their own identity, instead they convince a "mule" to (knowingly or not) participate in a crime.
They did a crackdown where if the name associated with the phone number on the account didn't match the name on the bank account then they froze it
Also they froze most accounts owned by foreigners with specific visas
It really had nothing at all to do with mule activity, they were using blanket heuristics
Mr Bob Smith is married to Mrs Alice Smith. The bank has their status as married, which they have been given copies of marriage certificates over and over and over for many years.
Bob works, and Alice is dependant based on Bob's visa.
Bob has an account, Alice has an account, and they also both have credit cards under their own names. Bob and Alice also have joint accounts, where most of the money is, and it is a lot of money, enough that Alice and Bob have "VIP" status at the bank, and they've been good customers for about a decade.
Alice and Bob have recently updated all FATCA, CRS, and whatever other insane bullshit has been asked of them by the bank. Alice and Bob have Thai tax IDs, which the bank also has.
Alice and Bob have cell phones of course, and naturally, the family phones are in the account "Bob Smith"
The bank freezes Alice account.
Alice goes to the bank in person. The bank doesn't unfreeze the account, they demand she change her phone account to be in her name.
Yeah, for real.
Bob isn't happy. He thinks Thais shouldn't rely on these banks and should use cash as much as possible and avoid QR payments as much as possible.
That’s mostly annoying for inter accounts movement if you move money around a bit but I think you would get higher capacity if you are concerned.
Which to me seems entirely reasonable limit. Such transactions are relatively rare.
That means unusual payments like home purchases can be approved. But fraud is significantly harder…at least in theory.
So many questions...
Update: my Thai friend just wrote me this:
"Not in trouble, it's the Chinese and Russians money laundering. Every Russian has had their accounts suspended, this was about half a year ago, now they are slowly doing the Chinese and Brits too. Vietnam is not much better, also suspending all foreigners accounts until you can prove you have a trc here."
Update2: just saw this on IG… https://www.instagram.com/p/DOZM0ZOkUAy/
Fraud has always been around, but I think a few recent developments have exacerbated the problem. KYC has been relaxed a lot since Covid, so you can open a whole bunch of accounts with just an image of an ID card. Lots of elderly people now have access to mobile banking, so they don't have to visit a physical branch where a clerk can flag suspicious transfer requests.
Bank accounts in South Korea now start with a daily transfer limit of 1 million won (about $700), even lower than the 50k bhat limit that the Thai government has instituted.
China's Silk Road ends in Sihanoukville Cambodia. If you've ever been there, you've seen the eco-devastation and utter disregard for human life along the entire road.
They pay a low-income/no-income person a small fee (possibly monthly) to let them borrow their account. Sadly, people who would fall into this are not hard to find in Thailand.
> What sort of KYC was going on?
There are accounts that are grandfathered in and don’t require KYC but have been able to access online banking, etc. Mine is such, and my bank (BAY) is discontinuing that particular loophole at the end of this month. (I'm in Thailand right now to do this KYC, despite having not come back here for the last 6 years.)
(ETA: HN title has been re-edited, previously didn't have the "to curb fraud" clause.)
If you have a better suggestion for an abridged headline then you could share and hopefully the submitter can still update this submission.
Even if the anti-fraud motif is genuine, that’s a pretty extreme amount of control. Not that it’s in any way strange coming from Thailand. Foreign exchange and capital inflow and outflow are already controlled.
> Assistant [Bank of Thailand] Governor.. acknowledged that current procedures for identifying and freezing suspected “mule accounts” need refinement to prevent harming innocent customers. Many account holders have taken to social media to express frustration...
The $10,000 figure originated with the 1970 Bank Secrecy Act[1]. Back then, that was a lot of money.
If it had kept up with plain old vanilla government-reported inflation, the number would be closer to $83,000 today[2].
---
[1] https://www.fincen.gov/resources/statutes-and-regulations/ba...
[2] https://www.dollartimes.com/inflation/inflation.php?amount=1...
> Bank of Thailand (BOT) will meet with commercial banks and the Anti-Online Scam Operations Centre (AOC) on Monday to address growing complaints about the wrongful freezing of bank accounts.. after small retailers and individuals reported being abruptly cut off from their funds without warning or recourse.. Assistant BOT Governor.. acknowledged that current procedures for identifying and freezing suspected “mule accounts” need refinement to prevent harming innocent customers. Many account holders have taken to social media to express frustration over being unable to access their money or conduct business after transfers from unknown sources triggered automated freezes.
Good name for an AI agent orchestration framework.
Thailand doesn't want foreigners holding accounts. They've cranked up the requirements over time. It used to be possible to open an account as a tourist and now you're lucky to be able to get one on any visa that isn't attached to a work permit or PR.
As emergency measures usually are.
The Wikipedia on long and short scales[1][2] for the root of the problem.
[0] https://xkcd.com/927/
[1] https://en.wikipedia.org/wiki/Long_and_short_scales
[2] https://grammarhow.com/m-vs-mm-million/
[0] Goharshady, A. K. (2021). Irrationality, Extortion, or Trusted Third-parties: Why it is Impossible to Buy and Sell Physical Goods Securely on the Blockchain (arXiv:2110.09857). http://arxiv.org/abs/2110.09857
Also kinda pointless though.
> Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers.
Emphasis added.
It is conceptually possible to create a crypto "credit card". But given that existing transactions are already slow, expensive, and complicated to integrate - I can't see it being attractive.
There's also the issue of trust. Escrow merchants need to be highly-trusted by both sides. They also need regulation and insurance. Those things are all in short-supply in cryptoland.
Credit cards have a 3% charge on everything. That is a LOT of money but we allow it partially because of the insurance attached to it.
We pay for title companies for property exchanging partially because of the insurance.
We pay for insurance for the insurance.
It is a very confusing way to write the number and no explanation seems to fit, other than "There is a second 'M' to avoid clash with the company name '3M'.". Is that the explanation?
But "mille" means 1000. Specifically, it was the distance covered by 1000 paces from a marching Roman soldier. It's more consistent to measure paces than steps in the face of left/right asymmetries, so it's the unit implied when you just say you're marching 1000.
It still kind of reasons that if the idea for MM is to be more precise/clear than M, they’ve not done a very good job picking a clearer abbreviation.
"Thousand" is always "k" or "K". "Million" is "M", "MM", "m", "mn", or "mln".
But if you pay attention to GPS jam maps and news sources, they are currently also under significant unrest.
https://thediplomat.com/2025/09/indonesias-unrest-revives-fe...
> Over the past two weeks, Indonesia has been rocked by some of the most widespread unrest in recent memory, with mass demonstrations erupting across Jakarta and other major cities. The protests are the result of long-running economic strain, political discontent, and public outrage at perceived elite entitlement.
Its basically a worldwide proletariat uprising against the elite. And the current article hits people in the pocketbooks. And any protestors who are gaining popularity will undoubtedly be in those 3 million accounts blocked.
It's gotten worse for me lately, where I keep mixing up train stations and locations with similar names or characteristics, so I can totally imagine hearing Thailand and thinking about Indonesia instead.
A scam network takes over phones, tricks people on friends lists to follow directions so their phone can be remotely controlled (Apple and Android). Then the cycle repeats and they try to drain bank accounts in the process.
Thailand is placing 50k maximums for digital transfers then adjusting over time based on … 50k baht = $1,575 USD
https://support.apple.com/guide/iphone/request-give-remote-c...
The hook was that you pre-pay some amount, do some trival work, then get like 500% return on your "investment". So they filter+train their mark by having them sign up for whatever financial transfer workflow, and figure out how gullable they are by giving them some payouts. A big part of this is some chat-group where lots of other fake-workers post comments saying how nervious/risky it seems and how sometimes the payment is delayed but they all eventually get paid. Eventually they let the mark sign up for some high-value amount, like equivalent of a few thousand USD. When the mark doesn't get paid, they contact the "technical support" team that then tries to social engineer the victim to loose even more money transferring funds the wrong direction (the scammers picked financial apps that make this mistake easiest).
I kind of find it unbelievable that people fall for this stuff, but the obvious proof is that enough people do :(
Also the initial "tasks" the mark performs are worth only like a few USD. not worth anybody's time except for certain types of vulnerable people who not-coincidentally make good victims.
I remember reading a headline that being poor is equivalent to losing about 5 IQ points. Don’t know how true that is, but my intuition tells me that most people financially struggle, spend a lot of extra time worrying about money, and in general act a little more desperate and would be a little more aware/skeptical if their stress + financial situation allowed it.
After a few years working in cybersecurity, I viewed EVERYTHING through the lens of “is someone lying to me?”. Emails, text messages, downloading software from a website/App Store, job offers, investment opportunities, etc.the surface area is limitless. There’s exactly zero chance that even an experienced professional with excellent eyesight, who reads up on the newest scams, who doesn’t have lots of family / social events to care for, etc will never get hacked/scammed.
Even in the cybersecurity industry, almost all companies have abandoned the idea that there will never be a breach, and have moved towards thinking about resiliency, where any breaches that do happen are minimized or closed quickly/automatically.
That’s a lot of words to say: even though I thought I would never get scammed, once I spent more time educating myself about how it happens, it seems obvious to me that scams work a percentage of the time and the scale of attempts is enormous.
I generally look at risk as a two-dimensional graph, with the axes being Probability and Severity, and the action strategies as being Prevention, Mitigation, and Remedy.
If we get realistic about likelihood and impact, we can figure out how to reduce the damage.
One trick a wealthy friend of mine uses, is keeping a small checking account, that he fills with just enough cash from his brokerage, so that even if his cards/accounts get pwned, he can't lose that much.
[0] https://littlegreenviper.com/risky-business/
I just received a monitor at no-cost because the first one I bought had a hardware defect - the company didn’t respond to my attempt to contact them, so I returned it to amazon and left an accurate review. The seller followed up and sent me a non-broken one. If I’d ignored this, not only would I be down a monitor, I’d have just assumed the entire product category - of which there seems to be only a single supplier (16” 2880x1800 AMOLED monitors that match up perfectly to 27” 5K monitors when placed in portrait mode) simply wasn’t workable with my setup for whatever reason.
My dentist recently called to reschedule an appointment. I could have insisted that I call them back, but that just wastes everyone’s time for a conversation that has no real scam potential.
But ultimately, it’s a heuristic and is imperfect.
One example thing which bypasses weakness to this heuristic: when you import a programming language library or a “curl pipe bash”: how much research do you do to verify the authenticity of the library, the security of the package and contributors, that you didn’t typo and accidentally install a lookalike malware, etc? And then every time you take an action which updates the same thing, are you equally as rigorous and vigilant as the first time?
(I have had a few fraudulent charges on my credit cards but I don't really consider those to be scams and they're easy to resolve.)
For example, we're insanely good at pattern matching, but the flip side to that is we're not effective at spotting the rare subtle difference.
Human cognition has evolved to be very good at some things but is terrible at others. We're great at spotting patterns, and terrible at spotting the rare subtle exception.
If you haven't fallen for anything, great, but that's because no one has ever cared enough to target you personally.
And incredibly, someone usually is. Most software download sites have so many UI elements saying "Download", on their downloads page, but only one of them is the legit software you want, and others are some random software that paid money to the website to be there to... probably try to get themselves installed and scam you some more.
I just checked the Google "play" store: searching for "Temu" (I know, dumb, but there was an ad on the main screen of the store), in the page of search results, the first install button is for the sponsored Alibaba app...
Even billion dollar businesses are... trying to scam you. "Don't be evil" no more indeed.
PS "full self-driving", also a scam..
1. https://en.wikipedia.org/wiki/3M
this wasn't a swift action overnight
they could be blocking this many accounts on a yearly basis just from scam reports at the police station
or more which seems to be the case recently, but not overnight
this is bad article
34 more comments available on Hacker News