Full Report
Wired is reporting on Chinese darknet markets on Telegram. The ecosystem of marketplaces for Chinese-speaking crypto scammers hosted on the messaging service Telegram have now grown to be bigger than ever before, according to a new analysis from the crypto tracing firm Elliptic. Despite a brief drop after Telegram banned two of the biggest such markets in early 2025, the two current top markets, known as Tudou Guarantee and Xinbi Guarantee, are together enabling close to $2 billion a month in money-laundering transactions, sales of scam tools like stolen data, fake investment websites, and AI deepfake tools, as well as other black market services as varied as ...
Analysis Summary
# Threat Actor: Chinese Crypto Scammer Ecosystem (Facilitated by Darknet Markets)
## Attribution & Identity
The analysis focuses on marketplaces serving **Chinese-speaking crypto scammers**. Specific actor groups or names are not provided, but the activity points to established criminal economies targeting cryptocurrency users. The activity is facilitated by Telegram-based darknet markets.
## Activity Summary
The ecosystem of Chinese-speaking crypto scam marketplaces on Telegram has grown significantly. The two current top markets, **Tudou Guarantee** and **Xinbi Guarantee**, together facilitate approximately **$2 billion a month** in illicit transactions. This activity surge occurred after Telegram banned two previous major markets in early 2025. These markets support the "pig butchering" romance/investment scams, which reportedly net around $10 billion annually from US victims alone.
## Tactics, Techniques & Procedures
- **Monetization Services:** Selling services related to money laundering for scam operations.
- **Tool/Resource Provision:** Sale of materials necessary for scam execution, including:
- Stolen data
- Fake investment websites
- AI deepfake tools
- **Facilitating Illicit Trade:** Hosting and enabling the transactions for these criminal goods and services.
- **Broader Black Market Services:** Offering services ranging from criminal activities like pregnancy surrogacy and teen prostitution.
## Targeting
- **Sectors:** Financial/Investment (via "pig butchering" scams), though the markets themselves deal in stolen data and general criminal tools.
- **Geography (Victims):** US victims are explicitly mentioned as a significant source of funds ($10 billion annually) for the underlying "pig butchering" scams.
- **Geography (Operators):** The underlying "pig butchering" scams are largely carried out from compounds in **Southeast Asia**.
- **Victims:** Individuals targeted by romance and investment scams ("pig butchering").
## Tools & Infrastructure
- **Infrastructure:** **Telegram** is the primary platform used for hosting these darknet markets.
- **Tools Sold:** Fake investment websites, AI deepfake tools.
## Implications
This shift confirms Telegram's status as a primary, resilient infrastructure layer for large-scale organized cybercrime, particularly those originating from Chinese-speaking criminal enterprises. The sheer volume ($2 billion/month across two markets) indicates the mature scaling and monetization potential of these illicit marketplaces, which directly feed the highly lucrative global "pig butchering" epidemic. The resilience shown after platform bans (Telegram enforcement) suggests high adaptability.
## Mitigations
- Increased monitoring and disruption efforts targeting the **Tudou Guarantee** and **Xinbi Guarantee** marketplaces on Telegram.
- Disruption of the cryptocurrency flows ($2 billion/month volume) identified by tracing firms like Elliptic.
- Collaboration with law enforcement focused on dismantling the operational compounds in Southeast Asia responsible for executing the "pig butchering" scams that utilize these markets for financial services.