Following a WIRED inquiry, Telegram banned thousands of accounts used for crypto scam money laundering, including those of Haowang Guarantee, a black market that enabled over $27 billion in transactions.
# Incident Report: Shutdown of Major Crypto Black Market (Haowang Guarantee)
## Executive Summary
A significant, long-running Chinese-language black market for crypto scammers and money launderers, known primarily as Huione Guarantee (and later Haowang Guarantee), abruptly ceased operations following intense scrutiny from crypto crime researchers and subsequent action by Telegram. The platform had reportedly facilitated over $27 billion in illicit transactions, largely involving money laundering services using Tether. The shutdown was triggered specifically by Telegram banning the network's core infrastructure accounts.
## Incident Details
- Discovery Date: May 13th - 14th, 2025 (When Telegram's ban action was taken/reported)
- Incident Date: May 13th, 2025 (Date of platform infrastructure ban)
- Affected Organization: Haowang Guarantee / Huione Guarantee (A decentralized crypto crime marketplace)
- Sector: Cybercrime/Financial Crime Facilitation
- Geography: Operated primarily using Chinese-language networks, with infrastructure hosted on Telegram; parent company linked to Cambodia.
## Timeline of Events
### Initial Access
- Date/Time: N/A (The marketplace operated openly for years on Telegram)
- Vector: Use of the Telegram messaging service as the primary platform for advertising and transaction guarantee services.
- Details: Third-party vendors utilized Telegram channels, groups, and NFT usernames to offer services like money laundering and various components necessary for crypto scams.
### Lateral Movement
- Details: Not explicitly detailed, but the operation involved a sprawling network using "deposit and escrow systems" managed by vendors over Telegram to coordinate illicit fund movements (primarily via Tether).
### Data Exfiltration/Impact
- Details: Facilitation of over $27 billion in illicit transactions through money laundering and scam operations. The direct transactional scope implies massive financial fraud impacting numerous victims globally, although specific victim data is not mentioned.
### Detection & Response
- How it was discovered: Scrutiny by a team of crypto crime researchers, followed by a direct inquiry/report to Telegram.
- Response actions taken: Telegram banned thousands of related accounts and usernames (NFT usernames, channels, groups) on May 13th, 2025, effectively dismantling the marketplace infrastructure. Haowang Guarantee subsequently announced its shutdown.
## Attack Methodology
- Initial Access: Platform exploitation (Using Telegram as an unregulated marketplace).
- Persistence: Utilizing Telegram's structure for account maintenance and employing escrow/guarantee mechanisms to build trust among illicit participants.
- Privilege Escalation: N/A (Not a targeted organizational hack, but a crime facilitation service).
- Defense Evasion: Operating openly on a platform known for lax moderation regarding criminal activity.
- Credential Access: N/A (Focus was on facilitating service transactions, not stealing endpoint credentials).
- Discovery: Reconnaissance/Investigation by specialized crypto crime researchers.
- Lateral Movement: Coordination between vendors and scammers across Telegram infrastructure.
- Collection: Offering services that aided in the collection phase of crypto scams (e.g., money laundering/cashing out).
- Exfiltration: Facilitation of value exfiltration via cryptocurrency (Tether).
- Impact: Massive financial facilitation for organized theft rings.
## Impact Assessment
- Financial: Facilitated over $27 billion in illicit transactions.
- Data Breach: Not a traditional data breach; the impact was financial crime enablement.
- Operational: Immediate cessation of operations for the Haowang Guarantee market following infrastructure removal.
- Reputational: Negative exposure for Telegram regarding its role in hosting large-scale organized crime infrastructure.
## Indicators of Compromise
- Network indicators: N/A (Focus was platform-based communications, not malware command and control).
- File indicators: N/A
- Behavioral indicators: Mass account/channel creation and high-volume illicit financial transactions routed through Tether and managed via escrow services on Telegram.
## Response Actions
- Containment measures: Telegram banned thousands of accounts and usernames serving as the operational infrastructure for the black market.
- Eradication steps: The platform's service hubs (channels, groups) were removed from Telegram.
- Recovery actions: The criminal marketplace entity announced its self-liquidation/shutdown.
## Lessons Learned
- Criminal finance can be conducted at very large scale via encrypted messaging platforms when proper moderation oversight is lacking.
- Large-scale criminal enterprises depend on centralized, trusted communication and transaction validation services (even when those services are provided illicitly), which makes that infrastructure a single point of failure.
## Recommendations
- For messaging platforms: Implement more proactive mechanisms for identifying and banning large-scale criminal networks masquerading as service providers.
- For researchers and law enforcement: Continue specialized tracking of large offshore crypto crime operators, and leverage platform accountability through media scrutiny when necessary.