Before a crackdown by Telegram, Xinbi Guarantee grew into one of the internet’s biggest markets for Chinese-speaking crypto scammers and money laundering. And all registered to a US address.
Analysis Summary
# Incident Report: Massive Illicit Online Marketplace Facilitating Crypto Scams and Money Laundering
## Executive Summary
This incident involves the discovery of Xinbi Guarantee, a large, legally registered (in Colorado) Chinese-language marketplace operating primarily via Telegram, that served as an underground bazaar for illicit activities, most notably facilitating transactions related to crypto investment scams. Xinbi Guarantee, alongside the similar Huione Guarantee, facilitated an estimated combined transaction volume exceeding $32.4 billion, primarily laundering funds from scams. The primary response involved external reporting to Telegram, leading to the removal of central channels utilized by both illicit marketplaces.
## Incident Details
- Discovery Date: Ongoing research detailed in recent Elliptic report (published prior to Telegram's final removal action).
- Incident Date: Marketplace operations noted since at least 2022.
- Affected Organization: Various victims of crypto investment scams globally; operators are linked to a US-registered entity (Xinbi Guarantee).
- Sector: Cryptocurrency/Financial Crime, Illicit Online Services.
- Geography: Operations run via Telegram, linked to Chinese-speaking syndicates, with transactions facilitated globally and including a US registration presence.
## Timeline of Events
### Initial Access
- Date/Time: Since 2022 (for Xinbi Guarantee).
- Vector: Use of the Telegram messaging platform to host the commercial marketplace.
- Details: The attack vector is not a traditional network intrusion but the exploitation of a communication platform (Telegram) to create a centralized hub for criminal services, including cashout services for scammers.
### Lateral Movement
- Not applicable in a traditional network sense. The "movement" was the facilitation of money across different illicit actors/services (scammers, launderers, data brokers).
### Data Exfiltration/Impact
- **Impact:** Facilitation of at least $8.4 billion in transactions through Xinbi Guarantee alone since 2022. The vast majority of that volume related to funds stolen from crypto scam victims.
- **Scope:** Transactions also included services for money laundering for North Korean hackers, stolen data sales, targeted harassment-for-hire, and suspected sex/labor trafficking victims.
### Detection & Response
- **Detection:** Identified through forensic tracking and analysis by crypto-tracing firm Elliptic through blockchain tracing and monitoring of Telegram activities.
- **Response Actions:** Elliptic reported findings to WIRED, which subsequently contacted Telegram. Telegram responded by banning many central channels and administrator accounts used by both Xinbi Guarantee and Huione Guarantee. FinCEN also added Huione's parent company to a list of known money laundering operations.
## Attack Methodology
*Note: As this concerns an illicit marketplace rather than a specific organizational intrusion, the methodology describes the marketplace's function.*
- Initial Access: Creation and maintenance of illicit channels/groups on the Telegram platform.
- Persistence: Continual rebuilding of channels/accounts following bans, leveraging a "guarantee" escrow system to foster trust among criminal vendors.
- Privilege Escalation: Not applicable.
- Defense Evasion: Operating via encrypted messaging platforms (Telegram) and using cryptocurrencies (Tether) to obscure traditional financial paths.
- Credential Access: Not applicable.
- Discovery: Blockchain tracing (Elliptic) used to link marketplace activity to specific scam proceeds.
- Lateral Movement: Facilitation of payment transfer between scammers and launderers/cashout agents using bank accounts in victim countries or cryptocurrency exchanges.
- Collection: Sourcing various forms of illicit services (scam proceeds, stolen data, etc.).
- Exfiltration: Conversion of laundered crypto (via Tether) into fiat currency through the marketplace's underground banking network.
- Impact: Massive financial loss due to crypto investment scams; facilitation of other serious crimes (trafficking, harassment).
## Impact Assessment
- Financial: At least $8.4 billion facilitated by Xinbi Guarantee; Huione Guarantee facilitated $24 billion, indicating a combined scale of over $32 billion channeled through these two known markets.
- Data Breach: Sale of stolen data mentioned as a service offered on the market.
- Operational: No direct operational disruption to the tracing firm or Telegram was mentioned, but the purge of accounts significantly disrupted the financial operations of the criminals using them.
- Reputational: Negative impact on the perceived legitimacy of platforms that enabled such activity until external pressure (WIRED/Elliptic) forced action.
## Indicators of Compromise
- Network indicators: Primarily traffic/activity associated with known Xinbi Guarantee and Huione Guarantee channel IDs on Telegram (details redacted/de-platformed).
- File indicators: Not specified as a traditional file-based compromise.
- Behavioral indicators: Use of specific Mandarin-language terms for scams ("quick kills," "slow kills," "pig butchering") within classified communication channels; offering of escrow/guarantee services for illicit cryptocurrency transactions.
## Response Actions
- Containment measures: Reporting specific channels and activities to Telegram's trust and safety teams.
- Eradication steps: Telegram banned central channels and administrator accounts associated with both Xinbi Guarantee and Huione Guarantee. FinCEN issued an advisory against Huione Group.
- Recovery actions: No recovery actions for the victims are described in the source; the focus was on shutting down the criminal infrastructure on the platform.
## Lessons Learned
- The use of mainstream, high-traffic messaging platforms (like Telegram) is a mature vector for coordinating massive, multi-faceted criminal enterprises operating globally in the crypto space.
- Illicit marketplaces thrive on creating a trust mechanism ("guarantee" model) to onboard numerous vendors, even when operating brazenly in plain sight.
- Enforcement relies heavily on third-party intelligence (Elliptic) and public pressure (WIRED) to force platform moderation, as internal monitoring may be insufficient or reactive against resilient networks.
- Criminal organizations are highly adaptable: prior platform bans (Huione) did not permanently stop them, and a new enforcement effort may only lead to rebuilding under new branding.
## Recommendations
- Increased monitoring and proactive enforcement by cryptocurrency service providers (like Tether) to freeze/trace funds linked to identified large-scale illicit marketplaces.
- Increased scrutiny of foreign-operated entities that register and operate business services within sensitive jurisdictions (like the US registration of Xinbi Guarantee).
- Platform providers (Telegram) need enhanced, proactive detection mechanisms specifically targeting known criminal vernacular and high-volume illicit financial coordination activities.