Cybercriminals Exploit Chinese Guarantee Markets for Selling Stolen Credentials

Chinese Guarantee Marketplaces: A Growing Nexus for Criminal Activities

In recent years, Chinese-language “guarantee” marketplaces, predominantly hosted on platforms like Telegram, have emerged as pivotal channels for various illicit activities, including the buying, selling, and laundering of stolen credentials and a spectrum of criminal services. These marketplaces have seen a rise in popularity due to their structured approach, borrowing elements from legitimate consumer escrow systems, such as Alipay’s 担保交易 (dānbǎo jiāoyì). Operating as third-party guarantors, the marketplace operators hold buyer funds in escrow. They only release these funds once delivery is confirmed and also have systems in place to adjudicate disputes.

This familiar escrow structure has facilitated the rapid evolution from simple, bilateral brokers to fully industrialized marketplaces. This transformation underpins a variety of scams, money-laundering operations, and fraud schemes that span across Southeast Asia. Notably, the Huione Guarantee platform stands out as a prominent actor, processing over $27 billion in cryptocurrency transactions between 2021 and 2025. Such figures illustrate the staggering scale of operations these marketplaces have reached.

Primarily functioning via Telegram channels and utilizing bot-managed workflows, Huione Guarantee and similar platforms have developed intricate systems to streamline operations. These include collecting vendor deposits in stablecoins like USDT, charging fees for listings and disputes, and employing automated bots for tracking orders and resolving conflicts. This architecture not only standardizes operations but also creates enduring incentives for vendors, who are required to post substantial security deposits. In cases of fraud, these deposits are forfeited, thereby reducing the risk of so-called "exit scams." The long-term nature of this model helps ensure that the operator’s brand and recurring revenue are prioritized over short-term theft.

According to reports from various cybersecurity firms, including findings shared by flare.io, the largest illicit online marketplace ever recorded processed a staggering $27 billion in cryptocurrency from 2021 to 2025. The use of stablecoins like USDT for settlements further simplifies high-volume transfers and complicates tracing efforts by authorities.

The range of products available on these guarantee marketplaces is expansive and extends far beyond stolen credentials. Operators openly advertise an assortment of services, including fraud kits, tools for corporate impersonation, SIM cards, SMS verification bypass services, and fake identity documents. A review of the Ouyi public group navigation channel reveals the array of products and services on offer, which includes escrow payment processing and cryptocurrency-to-fiat exchange mechanisms.

These criminal offerings directly facilitate a variety of scams, including "pig-butchering" schemes and other investment fraud operations being conducted from scam facilities in Cambodia, Myanmar, and Laos. These scam compounds depend heavily on these marketplaces to source supplies, recruit operators, and launder illicit proceeds.

Government interventions in 2025, particularly the United States Treasury’s Section 311 action against the Huione Group and coordinated takedowns targeting key Telegram operators, have significantly disrupted the largest actors in this space. However, the underlying model has proven resilient, with more than 30 successor marketplaces emerging to quickly fill the void left by Huione and similar platforms. Notable examples include the rebranded Xianyu (闲鱼, “Idle Fish”), which launched as Alibaba’s consumer-to-consumer marketplace and has seen substantial inflows following bans.

In response to enforcement efforts, operators of these marketplaces have demonstrated adaptability. They have begun pre-positioning backup channels, utilizing NFT-linked usernames to maintain anonymity, and developing proprietary messaging applications in a bid to circumvent Telegram’s regulatory oversight. Despite Telegram’s increased cooperation with law enforcement, and sanctions imposed on various operators, the overall volume of illicit transactions has not significantly diminished.

For security teams, the implications of these findings are immediate and multifaceted. Stolen corporate credentials are readily available on these channels, leading to increased risks of account takeovers, fraudulent wire transfers, and impersonation within supply chains. Adjacent services, such as SIM farming, fake KYC processes, and deepfake technology, significantly lower the operational barriers for conducting targeted attacks against organizations and their customers.

In 2024, the FBI’s Internet Crime Complaint Center (IC3) reported cryptocurrency investment fraud losses totaling an alarming $5.8 billion. This figure represents a conservative estimate and underscores the direct connection between the activities on these guarantee marketplaces and broader fraud trends.

To combat these emerging threats, organizations are advised to emphasize credential hygiene, monitor for instances of illicit credential exposure, and engage in proactive threat intelligence efforts that focus specifically on Chinese-language guarantee channels. Implementing detection systems for reused credentials, enforcing multi-factor authentication using phishing-resistant techniques, and collaborating with forensic crypto-tracing partners can help trace and disrupt laundering patterns linked to these sophisticated vendors.

Threat intelligence providers continually track hundreds of thousands of daily messages on these guarantee platforms, providing valuable insights into listings and tools before they can be weaponized. Reports from organizations like Elliptic, TRM Labs, and Flare, along with advisories from law enforcement, offer critical context on specific wallets, channel handles, and vendor aliases.

Ultimately, the strength of the guarantee model arises from its cultural and structural foundations. By leveraging widely accepted escrow practices from mainstream Chinese platforms, it merges seamlessly with Telegram’s extensive reach and automated bot capabilities, creating a durable and adaptable criminal marketplace. Therefore, while enforcement efforts can disrupt individual operators and their infrastructure, sustained, coordinated action across messaging platforms, cryptocurrency settlement channels, and the physical supply chains integral to these scam compounds will be essential to mitigate the ongoing threats posed to enterprises and consumers alike.
