Full Report
Capable of creating “nearly perfect” face swaps during live video chats, Haotian has made millions, mainly via Telegram. But its main channel vanished after WIRED's inquiry into scammers using the app.
Analysis Summary
# Threat Actor: Haotian (tool vendor/operator; the scammers using it are not identified)
## Attribution & Identity
* **Identification:** The threat activity centres on **Haotian**, a Chinese-language AI face-swapping app/platform.
* **Aliases/Associations:** No aliases are reported. The service is sold primarily through **Telegram**, where it has reportedly earned millions, and is associated with scammers running "pig butchering" (romance/investment) fraud.
## Activity Summary
* **Primary Activity:** Selling highly effective, ultra-realistic AI face-swapping technology capable of creating “nearly perfect” face swaps during live video chats.
* **Recent Campaigns:** The platform is sold commercially, reportedly earning millions of dollars, mainly through **Telegram** channels; scammers have used it to impersonate fabricated identities on live video calls.
* **Current Status:** The main channel associated with selling the service reportedly **vanished** following an inquiry by WIRED regarding its use by scammers.
* **Associated Crime:** The technology is explicitly cited as being marketed to those involved in **"pig butchering"** romance or investment scams.
## Tactics, Techniques & Procedures
* **Real-time Deepfakes:** Capability to create “nearly perfect” face swaps during **live video chats**.
* **Customization:** Users can tweak up to **50 settings** (e.g., adjusting cheekbone size, eye position) to mimic a target's face effectively.
* **Integration:** The service integrates easily with popular messaging platforms, **WhatsApp and WeChat** being specifically mentioned. (The source text names no MITRE ATT&CK technique IDs.)
## Targeting
* **Sectors:** Financial fraud, specifically romance/investment ("pig butchering") scams; categorized here as **Fraud/Scams**.
* **Geography:** Operations appear to run within the **Chinese-language** internet ecosystem, with distribution via **Telegram**. The report does not state where the scam victims are located.
* **Victims:** Individuals targeted by **romance/investment scams**, who are deceived by a convincing deepfake identity presented during live video calls.
## Tools & Infrastructure
* **Tools:** **Haotian** (AI face-swapping platform/application).
* **Infrastructure:** Primary sales channel was a **Telegram** channel.
* **URLs/IPs:** None reported; the only links in the source are to *wired.com* and its platform/privacy pages, so there is nothing to defang.
## Implications
The existence of a commercial, highly convincing, and customizable real-time deepfake tool like Haotian significantly lowers the barrier to entry for sophisticated social engineering and fraud, particularly in already prevalent schemes like "pig butchering." The effectiveness in live video presents a major challenge for identity verification and anti-fraud systems relying on passive visual authentication.
## Mitigations
* **Enhanced Biometric Verification:** For high-value interactions, combine multi-factor authentication with liveness checks that pair passive verification with active challenge-response testing (e.g., asking the user to perform a specific, randomly chosen action within a short time window). Caveat: because a real-time face swap is applied to live video, a human operator can simply perform the requested action; active challenges help mainly where the swap degrades (partial occlusion, profile views) and should not be the only control.
* **Awareness Training:** Increase awareness among the public and corporate entities regarding advanced, real-time deepfake capabilities being used in social engineering attacks.
* **Platform Monitoring:** Monitor channels such as Telegram for the advertisement and sale of real-time deepfake tools.
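The active challenge-response check described under Enhanced Biometric Verification needs some protocol bookkeeping that is easy to get wrong: the action sequence must be unpredictable, bound to one session, short-lived, single-use, and judged server-side rather than self-reported by the client. The following is an added example (not code from WIRED, from Haotian, or from any product) showing that server-side half. The names `LivenessVerifier`, `Challenge`, `demo` and the action list are assumptions for illustration; the vision model that recognises the action in the clip is out of scope and is replaced here by a constructed stub that reads the action names straight out of a fabricated "clip".

```python
"""Server-side bookkeeping for a random-action liveness challenge (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Actions the user may be asked to perform, in a random order. Occlusion and
# profile views are included because real-time face swaps are generally
# weakest when the face is partly covered or turned away (general observation,
# not a finding from the report).
ACTIONS = ["turn_left", "turn_right", "look_up", "cover_mouth_with_hand",
           "hold_up_two_fingers", "show_profile"]
CHALLENGE_LEN = 3   # actions per challenge
TTL_SECONDS = 20    # the answer must arrive quickly: a live feed, not a prepared clip


@dataclass
class Challenge:
    challenge_id: str
    session_id: str
    actions: List[str]
    issued_at: float
    used: bool = False


class LivenessVerifier:
    """Issues challenges and checks answers; keeps state server-side so that
    a challenge cannot be answered twice or answered from another session."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._issued: Dict[str, Challenge] = {}

    def issue(self, session_id: str) -> Challenge:
        # secrets.choice, not random.choice: the sequence must be unpredictable
        actions = [secrets.choice(ACTIONS) for _ in range(CHALLENGE_LEN)]
        ch = Challenge(secrets.token_hex(16), session_id, actions, self._now())
        self._issued[ch.challenge_id] = ch
        return ch

    def verify(self, session_id: str, challenge_id: str, clip: bytes,
               observe: Callable[[bytes], List[str]]) -> bool:
        """True only if a fresh, unused challenge bound to this session was
        answered with exactly the requested actions, in order. `observe` is
        the server's own analysis of the clip; the client never reports what
        it did."""
        ch = self._issued.get(challenge_id)
        if ch is None or ch.used or ch.session_id != session_id:
            return False
        if self._now() - ch.issued_at > TTL_SECONDS:
            return False
        ch.used = True                 # single use, even if the answer turns out wrong
        return observe(clip) == ch.actions


def demo() -> Dict[str, bool]:
    """Exercise the verifier against a constructed observer and a fake clock."""
    clock = [1_000.0]
    v = LivenessVerifier(now=lambda: clock[0])

    def stub_observe(clip: bytes) -> List[str]:
        # Stand-in for a vision model (assumption): the constructed "clip" is
        # just a ';'-separated list of the actions it is supposed to contain.
        return clip.decode().split(";")

    def answer(actions: List[str]) -> bytes:
        return ";".join(actions).encode()

    results: Dict[str, bool] = {}

    ch = v.issue("session-A")
    results["honest_pass"] = v.verify("session-A", ch.challenge_id, answer(ch.actions), stub_observe)
    # replaying the same correct answer must fail: the challenge is spent
    results["replay_rejected"] = not v.verify("session-A", ch.challenge_id, answer(ch.actions), stub_observe)

    ch = v.issue("session-A")
    results["wrong_session_rejected"] = not v.verify("session-B", ch.challenge_id, answer(ch.actions), stub_observe)

    ch = v.issue("session-A")
    other = next(a for a in ACTIONS if a != ch.actions[-1])
    results["wrong_action_rejected"] = not v.verify("session-A", ch.challenge_id,
                                                    answer(ch.actions[:-1] + [other]), stub_observe)

    ch = v.issue("session-A")
    clock[0] += TTL_SECONDS + 1
    results["stale_rejected"] = not v.verify("session-A", ch.challenge_id, answer(ch.actions), stub_observe)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Even with all of these controls in place, a human operator running a real-time face swap can still perform the requested actions on camera; the challenge only helps where the swap visibly breaks down, so it belongs alongside out-of-band confirmation (a callback to a known number, a transaction limit) rather than in place of it.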