Full Report
The Telegram-based online marketplace known as HuiOne Guarantee and its vendors have cumulatively received at least $24 billion in cryptocurrency, dwarfing the now-defunct Hydra to become the largest online illicit marketplace to have ever operated. The figures, released by blockchain analytics firm Elliptic, show that monthly inflows have increased by 51% since July 2024. Huione Guarantee, part
Analysis Summary
# Threat Actor: HuiOne Group (HuiOne Guarantee)
**Note:** The provided context describes a large illicit online marketplace and its associated entities, which function as an organized criminal operation rather than as a traditional state-sponsored or financially motivated, malware-based threat actor. The analysis reflects the nature of the organization described.
## Attribution & Identity
* **Primary Entity:** HuiOne Guarantee (an online marketplace), part of the larger HuiOne Group of companies.
* **Known Aliases/Rebranding:** Rebranded as **Haowang Guarantee** following public exposure.
* **Associated Entities:** HuiOne Pay (subsidiary), ChatMe (messaging app), USDH (stablecoin), decentralized crypto exchange.
* **Attribution/Links:** Said to have strong links with Cambodia's ruling Hun family. Identified as a key enabler for transnational organized crime groups.
## Activity Summary
HuiOne Guarantee operates as the largest illicit online marketplace ever recorded, exceeding the volume of the defunct Hydra market.
* **Scale:** Received at least **$24 billion in cryptocurrency** cumulatively, with monthly inflows increasing by 51% since July 2024.
* **Operations:** Focused on advertising and facilitating transactions for money laundering services, stolen data, and illicit goods (including electrified shackles linked to scam compounds).
* **Recent Developments:** Following mid-2024 exposure, the marketplace blocked commerce related to human trafficking, firearms, and terrorism, though overall growth continues.
* **Association with North Korea:** HuiOne Pay received over $150,000 from an anonymous wallet used by the **Lazarus** hacking group between June 2023 and February 2024, linking the operation to the proceeds of cryptocurrency theft.
## Tactics, Techniques & Procedures
The focus is on financial structuring and platform enablement rather than specific hacking techniques:
* Operating as a large-scale Telegram-based online marketplace.
* Utilizing a proprietary Telegram bot for transactions, particularly for online gambling, which may constitute money laundering.
* Offering dedicated money laundering services (via HuiOne Pay).
* Developing proprietary ecosystem tools (ChatMe messaging app, USDH stablecoin, decentralized exchange) to reduce deplatforming risk from centralized entities like Tether or Telegram.
## Targeting
* **Sectors:** Facilitates crime across multiple vectors; heavily involved in enabling **romance-baiting scams** and money laundering operations.
* **Geography:** Worldwide victims targeted by transnational organized crime groups using the platform. Vendors have been identified operating from scam compounds in Cambodia (e.g., Golden Fortune Science and Technology Park).
* **Victims:** Victims of romance-baiting scams whose funds are laundered through HuiOne Pay; various organizations/individuals whose data or assets have been stolen and sold on the platform.
## Tools & Infrastructure
* **Malware Families Used:** *Not explicitly detailed in the context of the marketplace itself*, but linked to funds originating from Lazarus thefts.
* **Infrastructure:**
  * **Platform:** Telegram (primary marketplace).
  * **Payment System:** HuiOne Pay.
  * **Crypto:** Facilitation of large-scale cryptocurrency transfers, including the use of the USDH stablecoin.
## Implications
The HuiOne Group represents a persistent and massive financial infrastructure supporting transnational organized crime. Its ability to transact billions of dollars, its alleged ties to ruling political families, and its efforts to build its own crypto ecosystem (USDH, ChatMe) demonstrate a high degree of sophistication and resilience against international sanctions and deplatforming attempts. The connection to Lazarus indicates potential integration with state-sponsored theft operations.
## Mitigations
* **Financial Monitoring:** Enhanced blockchain analytics and tracing, particularly utilizing insights from firms like Elliptic to track the flow of funds through the $24 billion ecosystem.
* **Asset Freezing:** Continued collaboration between stablecoin issuers (like Tether, which froze $29.62 million) and law enforcement to quickly identify and freeze illicit proceeds.
* **Ecosystem Disruption:** Monitoring and targeting successor platforms (like Haowang Guarantee) and associated digital products (USDH, ChatMe) to increase operational friction.
* **Targeting Nexus Points:** Focusing on vendors and known scam compounds linked to the marketplace in Southeast Asia (e.g., Cambodia).