Full Report
A Chinese-language, Telegram-based marketplace called Xinbi Guarantee has facilitated no less than $8.4 billion in transactions since 2022, making it the second major black market to be exposed after HuiOne Guarantee. According to a report published by blockchain analytics firm Elliptic, merchants on the marketplace have been found to peddle technology, personal data, and money laundering
Analysis Summary
# Threat Actor: Xinbi Guarantee (Black Market/Criminal Bazaar)
## Attribution & Identity
The entity is a Chinese-language, Telegram-based marketplace named **Xinbi Guarantee**. It presents itself as an "investment and capital-guarantee group company" allegedly registered in Colorado, USA by an individual named Mohd Shahrulnizam Bin Abd Manap (filed August 2022, marked as "Delinquent"). It operates similarly to the previously exposed HuiOne Guarantee.
## Activity Summary
Xinbi Guarantee has facilitated at least **$8.4 billion in transactions** since 2022, with Q4 2024 being the first quarter to see over $1 billion in inflows. It markets itself as a one-stop shop for scammers, particularly those running romance scams (formerly "pig butchering"). Furthermore, some of its transactions have been linked to funds stolen by North Korean actors, including $220,000 in USDT sent from the WazirX hack cleanup (November 2024). Telegram has shut down thousands of channels related to Xinbi and HuiOne, disrupting their operations.
## Tactics, Techniques & Procedures
- Facilitation of industrial-scale online fraud schemes.
- Provision of technological tools for criminal enterprises.
- Offering of money laundering services.
- Data brokering (selling databases of stolen personal information).
- Facilitation of intimidation tactics against targets within China.
- Provision of services for illegal activities including egg donation, surrogacy facilitation, and sex trafficking.
## Targeting
- **Sectors:** Operators involved in lucrative cybercrime, specifically romance scams ("pig butchering"). Also supports various illicit activities beyond cybercrime.
- **Geography:** Merchants primarily operate within the context of Chinese-language criminal ecosystems, with services offered to scammers in Southeast Asia. Some services explicitly target individuals within China (e.g., stalking/intimidation).
- **Victims:** Potential victims of romance scams, cryptocurrency victims (linked to North Korea), and individuals targeted for stalking/intimidation.
## Tools & Infrastructure
- **Malware families used:** Not explicitly named, but technology/tools for fraud are peddled.
- **Infrastructure (C2, domains, IPs):** Operated entirely via **Telegram**. A purported official URL is mentioned: hxxps://xinbi[.]com/. Stolen funds were primarily transacted using the **USDT stablecoin**.
## Implications
Xinbi represents the industrialization and scaling of cyber fraud, dwarfing previous Tor-based darknet markets in transaction volume ($8.4B on Xinbi alone, $35B combined with HuiOne). Its Telegram-native structure facilitates massive, centralized illicit service provision. Its established link to North Korea indicates its role in laundering state-sponsored cyber theft proceeds.
## Mitigations
- Monitor and investigate activity on secure messaging platforms such as Telegram, especially Chinese-language channels offering guarantee/escrow services.
- Enhance transaction monitoring for USDT flows linked to known illicit marketplaces or to North Korean activity.
- Increase scrutiny of funds associated with romance scam remediation.