Full Report
Online black markets once lurked in the shadows of the dark web. Today, they’ve moved onto public platforms like Telegram—and are racking up historic illicit fortunes.
Analysis Summary
# Threat Actor: Chinese Crypto Scammer Ecosystems (Marketplace Operators)
## Attribution & Identity
The primary actors are Chinese-speaking crypto scammers operating black markets predominantly hosted on the Telegram messaging platform.
**Known Aliases and Associated Groups/Markets:**
* **Tudou Guarantee:** Current top Telegram market.
* **Xinbi Guarantee:** Current top Telegram market.
* **Huione Guarantee:** Previously the largest market; banned by Telegram in early 2025 after being named by the US Treasury’s Financial Crimes Enforcement Network (FinCEN).
* **Haowang Guarantee:** Rebrand of Huione Guarantee before being banned.
* *Note: Tudou Guarantee holds a stake in Haowang Guarantee, indicating continuity between these operations.*
## Activity Summary
These actors operate public, large-scale online black markets on Telegram, shifting away from traditional dark web infrastructure (like Tor). They facilitate massive illicit fortunes, dwarfing previous darknet markets in transaction volume.
* **Scale:** The two current top markets (Tudou and Xinbi) facilitate close to **$2 billion a month** in total transactions.
* **Huione Guarantee** facilitated an estimated **$27 billion in transactions** between 2021 and 2025, making it the largest illicit online marketplace in history by volume tracked.
* These markets sell various illicit goods and services, often functioning as critical support infrastructure for larger scam operations, specifically "pig butchering" scams.
## Tactics, Techniques & Procedures
The primary TTPs revolve around leveraging mainstream public communication platforms for market operation and utilizing specific scam methodologies.
- **Platform Migration:** Operating large-scale black markets directly on the public messaging service Telegram.
- **Market Sustainability:** Demonstrating persistence by relaunching channels and accounts after occasional bans by the platform.
- **Scam Tool Sales:** Selling scam kits, including fake investment websites and AI deepfake tools.
- **Money Laundering Services:** Providing services to launder cryptocurrency proceeds for cybercriminals.
- **Pig Butchering Operations:** Utilizing thousands of human trafficking victims, often housed in compounds in Southeast Asia, to conduct romance and investment scams ("pig butchering").
## Targeting
The markets themselves target a broad range of illicit trade facilitators, while the underlying scams they support have specific financial victims.
- **Sectors (Supported Operations):** Financial services (via money laundering), Cybercrime (selling tools), Drug Trafficking, Weapons Sales, Human Trafficking (including surrogacy and prostitution services).
- **Geography (Victims of Pig Butchering):** The report implies that victims are primarily US-based: the FBI estimates these scams pull in around **$10 billion annually from US victims alone**.
- **Geography (Operational Base):** Scam compounds are frequently reported in **Southeast Asia**.
- **Victims:**
  - Cryptocurrency thieves and ransomware groups (using money laundering services).
  - Individuals targeted by "pig butchering" romance/investment scams.
## Tools & Infrastructure
- **Malware Families Used:** No malware families are named; AI deepfake tools are mentioned as part of the scam kits sold.
- **Infrastructure:** The primary infrastructure is the **Telegram messaging platform**. The markets function as centralized trading hubs for illicit services.
- **Defanged URLs/IPs:** None explicitly mentioned other than referring to Telegram.
## Implications
The shift of major black markets to public, widely accessible platforms like Telegram represents a significant evolution in cybercrime. This architecture allows for unprecedented scale, evidenced by the $27 billion turnover by Huione, making these operations larger than historical darknet predecessors like Hydra and AlphaBay. The deep integration with financially devastating "pig butchering" scams creates a massive vector for global financial crime and human exploitation.
## Mitigations
- Heightened financial monitoring for large-scale crypto flows associated with known scam hubs.
- Increased tracing and analysis of cryptocurrency transactions linked to Southeast Asian scam compounds.
- Collaboration with messaging platform providers (like Telegram) to identify and disrupt persistent criminal ecosystems operating via verified public channels.
- Public awareness campaigns targeting the specific tactics associated with "pig butchering" scams.