Full Report
A Telegram-based guarantee marketplace known for advertising a broad range of illicit services appears to be winding down its operations, according to new findings from Elliptic. The blockchain intelligence company said Tudou Guarantee has effectively ceased transactions through its public Telegram groups following a period of significant growth. The marketplace is estimated to have processed
Analysis Summary
# Incident Report: Cessation of Illicit Marketplace Operations
## Executive Summary
The Telegram-based illicit services marketplace, Tudou Guarantee, has effectively ceased public transaction activities following a period of significant growth, processing an estimated **$12 billion** in transactions. This winding down appears highly correlated with recent international law enforcement actions, specifically the arrest and extradition of Chen Zhi, CEO of Prince Group, implicated in large-scale romance baiting scams. While the core marketplace has paused, affiliated gambling operations reportedly remain active, suggesting a potential pivot rather than a complete shutdown.
## Incident Details
- **Discovery Date:** January 20, 2026 (Based on Elliptic findings reporting the cessation)
- **Incident Date:** Activity drop detected shortly after early January 2026 law enforcement actions.
- **Affected Organization:** Tudou Guarantee (Illicit Marketplace)
- **Sector:** Illicit Services/Cyber Fraud Facilitation
- **Geography:** Global operations facilitated via Telegram; transactions noted on blockchain.
## Timeline of Events
### Initial Access
- **Date/Time:** Predating Elliptic's January 2026 findings. The marketplace was functioning and growing.
- **Vector:** Telegram platform leveraged for marketplace communication and operation.
- **Details:** Tudou Guarantee served as a primary fallback for vendors migrating from the previously shuttered HuiOne Guarantee after Telegram intervened against it.
### Lateral Movement
*Not Applicable. This describes the cessation/shutdown of an illicit service rather than a traditional network intrusion.*
### Data Exfiltration/Impact
- **Impact:** Facilitation of massive B2B illicit services, including stolen personal data, money laundering, scam infrastructure (phishing/investment platforms), and sophisticated impersonation tools (deepfakes, voice cloning).
- **Scope:** Estimated $12 billion in processed transactions, marking it as the third-largest illicit marketplace of all time.
### Detection & Response
- **Detection:** Elliptic conducted ongoing blockchain intelligence monitoring and observed a sudden drop in activity associated with Tudou's central administrative wallets.
- **Response Actions:** No external action against the marketplace itself is reported; the cessation appears to be self-initiated, possibly in response to regulatory and law enforcement pressure following the Prince Group arrests. Telegram is not reported to have moved against the surviving markets.
## Attack Methodology
*Note: Because this incident concerns the cessation of an illicit operation under external pressure, the attack methodology section below describes the services offered by the marketplace rather than an intrusion sequence against a specific victim organization.*
- **Initial Access (to Market):** Telegram groups facilitated the initial connection between buyers and sellers.
- **Persistence (of Market):** High transaction volume ($12B) and acquisition of migrating vendors from HuiOne Guarantee ensured sustained operation.
- **Privilege Escalation (of Scam Operations):** Use of AI services (1,900% CAGR) enabled scammers to forge convincing identities (face swapping, voice cloning) to scale operations.
- **Defense Evasion:** Operating within the Telegram infrastructure, which seemed permissive after initial crackdowns on HuiOne.
- **Credential Access:** Marketplace offered stolen personal data.
- **Discovery:** Vendors utilized the platform to source necessary materials for "pig butchering" and investment scams.
- **Lateral Movement (of Fraud):** Vendors migrated from HuiOne to Tudou following Telegram intervention against the former.
- **Collection:** Offering services for data theft and creation of scam infrastructure.
- **Exfiltration:** Facilitation of money laundering services linked to illicit gains.
- **Impact (to Victims):** Financial fraud, identity compromise, and potential involvement in schemes related to forced labor and romance baiting scams.
## Impact Assessment
- **Financial:** Over $12 billion processed through the marketplace. Indirect victim financial losses are substantial, tied to scams facilitated by the tools sold.
- **Data Breach:** Marketplace was known to sell stolen personal data.
- **Operational:** Cessation of public transactions on the Tudou Guarantee platform limits the immediate, formal market for illicit services advertised there. Related gambling operations continue.
- **Reputational:** The collapse is linked to high-profile international enforcement actions against major figures like Chen Zhi of Prince Group.
## Indicators of Compromise
*No specific network or file IoCs are provided as the context details the operational status of a criminal entity, not a specific malware infection.*
- **Behavioral Indicators:** Sudden, sharp drop in transactional activity on designated Tudou Guarantee administrative wallets in early January 2026.
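The behavioral indicator above (a sharp fall in activity on watched administrative wallets) can be expressed as a simple monitoring rule. The following is an added example, not Elliptic's tooling or data: it compares each day's transaction count for a watched wallet against the median of a trailing baseline window and raises an alert when activity falls below a fraction of that baseline. The daily counts, the start date and the wallet label are all constructed for illustration.

```python
"""Sudden-drop detector for a watched wallet's daily transaction counts.

Added example with constructed data; it is not Elliptic's method or data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

# Constructed daily transaction counts for a hypothetical watched wallet
# ("WATCHED_WALLET_PLACEHOLDER"). Days 0-29 show steady activity of roughly
# 400-500 tx/day; from day 30 the wallet goes almost silent.
CONSTRUCTED_DAILY_COUNTS = [
    420, 455, 480, 410, 500, 470, 440, 460, 430, 490,
    450, 475, 465, 445, 455, 470, 480, 460, 450, 440,
    495, 485, 430, 470, 460, 450, 480, 465, 455, 470,
    40, 12, 5, 3, 0, 2, 1, 0, 4, 1,
]
# Constructed start date for day 0 of the series.
START = date(2025, 12, 8)


@dataclass(frozen=True)
class DropAlert:
    day: date        # calendar day on which the drop was observed
    observed: int    # transactions seen that day
    baseline: float  # median of the trailing baseline window
    ratio: float     # observed / baseline


def detect_activity_drops(counts, start, baseline_days=14,
                          threshold=0.2, min_baseline=50):
    """Return a DropAlert for every day whose count is below
    `threshold` times the median of the preceding `baseline_days`.

    Days whose baseline median is already below `min_baseline` are skipped:
    once the window is dominated by quiet days there is no normal level
    left to compare against, and re-alerting would only add noise.
    """
    alerts = []
    for i in range(baseline_days, len(counts)):
        window = counts[i - baseline_days:i]
        base = median(window)
        if base < min_baseline:
            continue
        ratio = counts[i] / base
        if ratio < threshold:
            alerts.append(DropAlert(start + timedelta(days=i),
                                    counts[i], base, ratio))
    return alerts


def first_drop_day(counts, start, **kwargs):
    """Calendar day of the first detected drop, or None if activity held."""
    alerts = detect_activity_drops(counts, start, **kwargs)
    return alerts[0].day if alerts else None


if __name__ == "__main__":
    for alert in detect_activity_drops(CONSTRUCTED_DAILY_COUNTS, START):
        print(f"{alert.day}: {alert.observed} tx vs baseline "
              f"{alert.baseline:.0f} (ratio {alert.ratio:.2f})")
```

A trailing median rather than a mean keeps a single quiet day or one spike from shifting the baseline, so the rule fires on the first silent day and keeps firing only while the window still reflects the wallet's normal level. In practice the per-day counts would come from an indexer or on-chain data feed, and the threshold and window length would be tuned against the wallet's historical variance.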
## Response Actions
- **Containment Measures:** Elliptic monitored wallet activity in real time to track financial flows.
- **Eradication Steps:** No eradication of the platform by external actors is reported; the cessation is attributed to external pressure.
- **Recovery Actions:** The article suggests that other markets remain operational, and Xinbi Guarantee has recovered/grown, indicating resilience in the ecosystem.
## Lessons Learned
- **Ecosystem Resilience:** Illicit marketplaces quickly migrate and fill voids left by enforcement actions (e.g., vendors moving from HuiOne to Tudou).
- **Law Enforcement Correlation:** High-profile arrests of key figures can directly and immediately impact the operational viability of linked illicit infrastructure (seen via wallet activity drop post-Chen Zhi arrest).
- **Platform Inertia:** Messaging platforms like Telegram may become less proactive in shutting down successor markets once visible enforcement actions have been temporarily satisfied.
- **AI Role in Fraud:** The exponential growth in AI service vendors demonstrates how technological advances are rapidly escalating the sophistication and scale of fraud schemes.
## Recommendations
- **Proactive Blockchain Monitoring:** Continued and expanded surveillance of major illicit transaction hubs to detect shifts in market dominance or sudden closures.
- **Coordination with Law Enforcement:** Maintain coordination between financial intelligence providers and global enforcement agencies targeting key individuals and their financial infrastructure.
- **Mitigation Against AI-Enabled Scams:** Develop defenses specifically tailored to counter highly realistic deepfake and voice cloning impersonation utilized in high-value scams.
- **Platform Accountability:** Pressure must be maintained on communication platforms (Telegram) to enforce terms of service consistently against emerging market leaders following previous crackdowns.