Full Report
Chinese-language, Telegram-based “guarantee” marketplaces are increasingly popular among Chinese-speaking criminal groups despite the widely publicized shutdown of Huione Guarantee in 2025.
Analysis Summary
# Threat Actor: Dabai Guarantee (大白担保)
## Attribution & Identity
* **Actor Type:** Telegram-based Chinese-language "guarantee" (escrow) marketplace and criminal facilitator.
* **Aliases:** Dabai, "Big White" Guarantee.
* **Associations:** Operates as a successor or alternative to the now-defunct **Huione Guarantee**. It hosts multiple independent Chinese-speaking syndicates and "sweeping teams."
* **Structure:** Organized via "Public Groups" (公群) led by a "Group Boss" (群老板) who stakes cryptocurrency to operate under the Dabai banner.
## Activity Summary
Dabai Guarantee facilitates global fraud and cyber campaigns by providing a trusted mediation platform for Chinese-speaking criminals. Recent activity (notably Public Group 301) focuses on coordinating "sweeping" operations, in which runners use illicit financial data or "ghost-tapping" to purchase high-value, easily transportable physical goods at retail locations, or make illegal ATM withdrawals.
## Tactics, Techniques & Procedures
* **Escrow/Mediation:** Handles all cryptocurrency transactions (primarily USDT) between parties to prevent "exit scams" and internal theft.
* **"Sweeping" (扫货):** Coordination of "runners" to use stolen payment credentials or ghost-tapping techniques at physical retailers and ATMs.
* **Ghost-Tapping:** Exploiting contactless payment vulnerabilities to conduct unauthorized transactions.
* **Information Siloing:** Operations are partitioned into specific public and private channels to restrict information sharing and hinder law enforcement tracking.
* **Bot-Driven Recruitment:** Uses searchable Telegram bots to match criminals with specific active campaigns or "Public Groups."
* **Financial Laundering:** Bypasses Chinese capital controls and banking scrutiny using stablecoins.
## Targeting
* **Sectors:** Retail, Banking, Contactless Payment Providers, and Insurance.
* **Geography:** Primarily **Japan** and **South Korea** (for physical operations), with a global footprint for financial fraud.
* **Victims:** Major retailers (specifically businesses selling cosmetics and tobacco), ATM operators, and individual cardholders/scam victims.
## Tools & Infrastructure
* **Primary Platform:** Telegram (public and private channels).
* **Malware/Tech:** Ghost-tapping hardware/software, wallet monitoring tools.
* **Cryptocurrency:** Tether (USDT) on various chains.
* **Infrastructure:**
  * `@DBTM301` (Dabai Guarantee Public Group 301)
  * `@dabai` (Staff/Verification account)
  * Automated search bots for marketplace navigation.
## Implications
The rise of Dabai Guarantee demonstrates the resilience of the Chinese cybercrime ecosystem. Despite the shutdown of Huione Guarantee, these marketplaces have migrated to decentralized Telegram structures that are harder to dismantle. By lowering the "barrier to entry" for low-skill criminals and providing a reliable mediation layer, Dabai enables decentralized syndicates to conduct high-volume, physical fraud operations across international borders with minimal friction.
## Mitigations
* **Payment Security:** Retailers in Japan and South Korea should implement stricter verification for contactless payments and monitor for "ghost-tapping" signature behaviors.
* **ATM Monitoring:** Banks should enhance anomaly detection for multiple high-value withdrawals using international or digital-wallet-linked cards.
* **Threat Intelligence:** Financial institutions should monitor Telegram marketplace metadata to identify emerging "Public Groups" targeting specific regional banking BINs.
* **Blockchain Analysis:** Monitor the "Staking Addresses" and transaction patterns associated with Dabai staff accounts to identify downstream money laundering nodes.
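As an added illustration of the payment-security and ATM-monitoring mitigations above (example code written for this page, not from the report or any vendor product): a Python sketch of the anomaly rules a card issuer could run over authorization records, flagging repeated high-value contactless purchases at cosmetics and tobacco merchants and repeated high-value withdrawals on international or digital-wallet-linked cards. The thresholds, time window, field names and sample records are assumptions; MCC values 5977 and 5993 are standard codes assumed here to cover the retailer types the report names.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from the report.
WINDOW = timedelta(hours=2)
SWEEP_MIN_COUNT, SWEEP_MIN_TOTAL = 3, 150_000   # contactless buys per card, JPY
ATM_MIN_COUNT, ATM_MIN_TOTAL = 2, 200_000       # withdrawals per card, JPY
# Standard MCCs: 5977 cosmetic stores, 5993 cigar/tobacco stands (assumed to fit the report's targets).
HIGH_RISK_MCC = {"5977", "5993"}
RISKY_ORIGINS = {"international", "wallet"}    # foreign-issued card or digital-wallet token

@dataclass
class Txn:
    ts: datetime
    card: str          # tokenised card reference
    kind: str          # "contactless" or "atm"
    amount: int        # JPY
    mcc: str           # merchant category code, "" for ATM
    origin: str        # "domestic", "international" or "wallet"

def alerts(txns):
    """Return {(pattern, card)} for cards matching a sweeping or ATM cash-out pattern."""
    by_card = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_card[t.card].append(t)
    found = set()
    for card, rows in by_card.items():
        for i, start in enumerate(rows):            # slide a window from each transaction
            win = [t for t in rows[i:] if t.ts - start.ts <= WINDOW]
            sweep = [t for t in win if t.kind == "contactless" and t.mcc in HIGH_RISK_MCC]
            if len(sweep) >= SWEEP_MIN_COUNT and sum(t.amount for t in sweep) >= SWEEP_MIN_TOTAL:
                found.add(("sweeping", card))
            atm = [t for t in win if t.kind == "atm" and t.origin in RISKY_ORIGINS]
            if len(atm) >= ATM_MIN_COUNT and sum(t.amount for t in atm) >= ATM_MIN_TOTAL:
                found.add(("atm_cashout", card))
    return found

# Constructed sample feed (not real data).
T0 = datetime(2025, 6, 1, 14, 0)
SAMPLE = [
    Txn(T0, "tok-A", "contactless", 70_000, "5977", "wallet"),
    Txn(T0 + timedelta(minutes=20), "tok-A", "contactless", 60_000, "5993", "wallet"),
    Txn(T0 + timedelta(minutes=45), "tok-A", "contactless", 55_000, "5977", "wallet"),
    Txn(T0, "tok-B", "atm", 120_000, "", "international"),
    Txn(T0 + timedelta(minutes=30), "tok-B", "atm", 100_000, "", "international"),
    Txn(T0, "tok-C", "contactless", 20_000, "5977", "domestic"),  # single buy, no alert
    Txn(T0, "tok-D", "atm", 120_000, "", "domestic"),             # domestic card, no alert
    Txn(T0 + timedelta(minutes=10), "tok-D", "atm", 110_000, "", "domestic"),
]
```

Running `alerts(SAMPLE)` flags `tok-A` for sweeping and `tok-B` for ATM cash-out, while the single domestic purchase and the domestic-card withdrawals produce nothing; in production the thresholds would be tuned per BIN range and region rather than fixed.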