Full Report
Last month, Telegram banned black markets that sold tens of billions of dollars in crypto scam-related services. Now, as those markets rebrand and bounce back, it’s done nothing to stop them.
Analysis Summary
# Incident Report: Mass Crypto Scam Market Operation on Telegram
## Executive Summary
Telegram initially took action against major Chinese-language crypto scam black markets, banning channels associated with them after they facilitated an estimated $35 billion in transactions, often linked to investment scams originating from Southeast Asia. However, the markets quickly rebranded and rebuilt on the platform, indicating that the initial enforcement action was temporary, allowing illicit operations to resume business as usual.
## Incident Details
- Discovery Date: May/June 2025 (Reporting based on data analysis following the May 13th ban)
- Incident Date: Major ban occurred on May 13, 2025. Resurgence noted shortly thereafter.
- Affected Organization: Telegram (as the platform hosting the illicit activity). Victims are participants in crypto investment scams.
- Sector: Financial Technology (Cryptocurrency), Cybercrime Ecosystem
- Geography: Operations linked to Southeast Asia (Cambodia, Myanmar, Laos); victims globally (implied Western victims).
## Timeline of Events
### Initial Access
- Date/Time: Pre-May 13, 2025 (Ongoing operation)
- Vector: Use of Telegram messaging platform channels/groups.
- Details: Scammers utilized large, organized black markets (e.g., Haowang Guarantee and Xinbi Guarantee) on Telegram to facilitate illicit transactions.
### Lateral Movement
- **Not Applicable in Traditional Sense:** This incident focuses on platform usage and illicit commerce rather than typical network intrusion. The "movement" was the migration of criminal infrastructure to new/rebranded channels post-ban.
### Data Exfiltration/Impact
- **Impact:** These banned markets facilitated approximately **$35 billion in transactions**. That volume primarily served large-scale "pig butchering" investment scams, which relied on these markets for money laundering and other support services.
### Detection & Response
- **Detection:** Crypto tracing firm Elliptic identified the resurgence of these markets (e.g., Tudou Guarantee filling the void).
- **Response Actions (Telegram):** On May 13, 2025, Telegram banned the channels and usernames associated with the two most popular marketplaces (Haowang Guarantee and Xinbi Guarantee).
- **Post-Response:** Telegram "watched impassively" as the markets rebranded and returned, indicating no sustained enforcement.
## Attack Methodology
- **Initial Access:** Utilizing Telegram as a dedicated, encrypted platform for advertising and coordinating illicit financial services (money laundering, data sales).
- **Persistence:** Criminal groups rapidly rebranded and shifted operations to new channels (e.g., Tudou Guarantee, linked to the parent company of a defunct market) on the same platform after initial bans.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Exploitation of Telegram's limited enforcement mechanisms, allowing rapid migration and continuation of services despite official bans.
- **Credential Access:** Not applicable to this platform-based commerce ecosystem.
- **Discovery:** Criminal infrastructure was discovered via tracking by crypto analysis firms.
- **Lateral Movement:** Rapid deployment of successor markets leveraging the existing scam buyer/seller base.
- **Collection:** Offering services for stolen data and facilitating money laundering for scam proceeds.
- **Exfiltration:** Money laundering/transfer of billions in cryptocurrency proceeds derived from scams.
- **Impact:** Financial enablement of massive investment fraud operations, many of them run from forced-labor scam compounds in Southeast Asia.
## Impact Assessment
- Financial: Staggering $35 billion in transactions facilitated through the original two markets alone. New markets continue to process billions annually.
- Data Breach: Sale of stolen data facilitated, though specific details not provided.
- Operational: Significant operational support provided to large-scale, forced-labor scam compounds.
- Reputational: Damage to Telegram's reputation for failing to maintain effective enforcement against known, massive criminal enterprises after initial public action.
## Indicators of Compromise
*Note: As this involves platform market activity rather than network intrusion, IOCs are behavioral/structural.*
- **Network indicators:** *None provided; not applicable in the traditional format.*
- **File indicators:** *None provided; not applicable in the traditional format.*
- **Behavioral indicators:** Rapid rebranding of black market channels following platform moderation (e.g., the emergence/growth of Tudou Guarantee post-May 13 ban).
## Response Actions
- **Containment:** Telegram performed an initial, short-term containment by banning the main channels/usernames of Haowang Guarantee and Xinbi Guarantee on May 13, 2025.
- **Eradication:** Failed; the ecosystem quickly reconstituted itself around new market entities.
- **Recovery:** The recovery is ongoing, as the illicit services remain operational on the platform.
## Lessons Learned
- Platform moderation actions (like Telegram's initial purge) can be easily circumvented by sophisticated criminal groups through superficial rebranding if underlying platform access is not permanently revoked.
- The failure to sustain enforcement allows criminal economic activity, measured in billions of dollars, to immediately resume.
## Recommendations
- Implement continuous monitoring and automated detection for successor entities associated with previously banned high-volume criminal syndicates.
- Develop and enforce policies that target the entire business ecosystem (including related parent companies or overlapping ownership, such as Huione Group) rather than just individual channel names or unique URLs.
- Increase transparency and cooperation with crypto tracing firms to track migration patterns post-enforcement.