Cybercriminals Use Chinese-Language Guarantee Marketplaces to Trade Stolen Credentials

Chinese-language guarantee marketplaces have become a major financial and logistics layer for global cybercrime. These platforms use escrow-style payments to help criminals buy and sell stolen credentials, fake identity documents, money-laundering services, phishing tools, and fraud infrastructure.

A new Flare report says the model has expanded from Southeast Asian scam ecosystems into a broader cybercrime marketplace structure that Western security teams can no longer ignore.

The biggest example is Huione Guarantee, later known as Haowang Guarantee. Flare says Huione processed more than $27 billion in cryptocurrency between 2021 and 2025, while Xinbi Guarantee handled at least $8.4 billion. Both operated mainly through Telegram before a major takedown in May 2025.

How Guarantee Marketplaces Work

Guarantee marketplaces use an escrow model. A buyer sends funds to the platform or group administrator, the seller delivers the product or service, and the marketplace releases the payment only after the buyer confirms delivery.

This model resembles legitimate Chinese e-commerce and second-hand trading platforms where escrow reduces fraud between strangers. Criminal platforms copied the trust mechanism and applied it to stolen data, fraud kits, money movement, fake documents, and scam support services.

Vendors usually pay deposits in USDT to operate under the marketplace brand. If a seller scams a buyer, the marketplace can seize the deposit. That structure gives buyers confidence and helps the platform attract more criminal vendors.

Marketplace feature	How criminals use it
Escrow payments	Hold buyer funds until stolen data, fraud tools, or services are delivered
Vendor deposits	Give the platform leverage over sellers and reduce direct fraud between criminals
Telegram groups and bots	Automate customer service, listings, dispute handling, and promotions
USDT settlement	Move value quickly through stablecoin wallets
Public branding	Make criminal services look more reliable and professional

Huione and Xinbi Show the Scale of the Market

Huione Guarantee became the most visible example of the model. The FinCEN action against Cambodia-based Huione Group said the network offered services ranging from marketplace activity tied to cyber scams to payment services and a stablecoin.

FinCEN said Huione Group laundered at least $4 billion in illicit proceeds between August 2021 and January 2025. The agency said the funds included proceeds connected to cyber heists, online scams, and fraud operations.

Xinbi Guarantee operated in the same ecosystem. Elliptic research described Xinbi as a Chinese-language Telegram marketplace serving fraudsters in Southeast Asia, with merchants selling personal data, money laundering services, technology, and other scam-enabling tools.

Platform	Reported scale	Role in cybercrime
Huione / Haowang Guarantee	More than $27 billion processed between 2021 and 2025	Marketplace and laundering hub for scam-related services
Xinbi Guarantee	At least $8.4 billion in transactions reported by Elliptic in 2025	Marketplace for laundering, stolen data, fake documents, and scam tooling
Tudou Guarantee	Rapid growth after enforcement pressure on larger markets	Successor marketplace absorbing displaced vendors and buyers
Smaller successor markets	More than 30 similar marketplaces tracked after Telegram bans	Fragmented replacement infrastructure for criminal trade

Telegram Bans Did Not End the Ecosystem

Telegram blocked channels linked to Huione and Xinbi in May 2025 after public reporting and pressure from researchers. The disruption was significant, but it did not remove the marketplace model.

TRM Labs later reported that Xinbi continued adapting after enforcement pressure by moving operations away from Telegram, using alternate platforms and launching affiliated payment infrastructure.

That shift matters because it shows the marketplaces are not just Telegram groups. They are business-like criminal networks with customer service, vendor management, advertising, payments, dispute resolution, and continuity planning.

• Some vendors moved to successor guarantee marketplaces.
• Some operators tested proprietary messaging platforms.
• Payment services and wallet infrastructure continued to support the ecosystem.
• USDT remained a major settlement tool for listings and deposits.
• Stolen credentials and identity data continued circulating after takedowns.

What Criminals Sell on Guarantee Marketplaces

The marketplaces support many parts of the cybercrime supply chain. Listings can include stolen corporate credentials, employee personal information, phishing sites, fake identity documents, SIM cards, mule accounts, laundering services, and tools for impersonation.

The second Flare analysis reference says these platforms should matter to enterprise defenders because they provide access to assets that can be used against Western companies, not only regional scam victims.

Stolen corporate logins can support account takeover. Employee identity data can help attackers pass verification checks. Brand impersonation assets can help criminals build more convincing phishing, fake support, and business email compromise campaigns.

Marketplace listing type	Enterprise risk
Stolen employee credentials	Account takeover, VPN access, cloud access, email compromise
Employee PII	Social engineering, identity verification bypass, targeted fraud
Fake identity documents	KYC bypass, mule account creation, financial fraud
SIM cards and telecom tools	SMS interception, account recovery abuse, phone-based scams
Phishing and impersonation kits	Credential theft, brand abuse, customer scams
Laundering and cash-out services	Movement of stolen funds and scam proceeds

Pig-Butchering Scams Feed the Market

Guarantee marketplaces sit close to the financial flows of pig-butchering and cryptocurrency investment scams. Victims are groomed online, pushed into fake investments, and then persuaded to transfer cryptocurrency to wallets controlled by scam operators.

The U.S. Department of Justice cited the FBI’s 2024 Internet Crime Report when it said cryptocurrency investment fraud caused more than $5.8 billion in reported losses in 2024 alone.

Those funds can move through stablecoin-based laundering channels, vendor services, and scam infrastructure providers. This is why guarantee marketplaces matter beyond underground forums. They help turn victim money into payroll, tools, credentials, fake identities, and the next wave of fraud.

• Scam centers steal funds from victims through fake investment platforms.
• Funds often move through USDT wallets and laundering providers.
• Marketplace vendors sell fake IDs, stolen accounts, and cybercrime tools.
• Operators use the proceeds to recruit staff, buy data, and run new campaigns.
• Enterprise credentials and PII can enter the same trading channels.

Why Western Security Teams Should Pay Attention

Many Western threat intelligence programs focus on English-language forums, Russian-language cybercrime spaces, ransomware leak sites, and open-web credential dumps. Chinese-language guarantee marketplaces often receive less attention, even though they trade assets that can directly affect global companies.

The risk is operational. If a marketplace lists employee credentials, payroll records, executive identity data, internal documents, or brand impersonation kits, the organization may face an account takeover or fraud campaign before conventional monitoring tools detect it.

The second Elliptic report reference also shows how these markets connect fraud, laundering, stolen data, and scam infrastructure in one place. That mix makes them useful to criminals who need several services to complete one campaign.

Threat intelligence gap	Why it matters
Language barrier	Listings, slang, and vendor reputation signals often appear in Chinese
Platform fragmentation	Activity moves across Telegram, private apps, bots, and backup groups
Escrow trust model	Vendors can scale faster because buyers trust marketplace guarantees
Stablecoin settlement	USDT makes cross-border payment and laundering easier
Enterprise targeting	Credentials, PII, and impersonation assets can target corporate networks

Enforcement Pressure Is Reshaping the Market

FinCEN’s second Huione Group announcement reference shows how regulators are targeting the financial layer behind scam ecosystems, not only individual scam operators.

The challenge is resilience. When a large marketplace disappears, vendors and buyers can move to smaller guarantee platforms, affiliated payment services, or private messaging systems. That fragmentation can make visibility harder for defenders and investigators.

The second TRM Labs analysis reference says Xinbi’s restructuring illustrates how Chinese-language guarantee services are evolving under pressure by distributing operations across multiple platforms.

• Track marketplace names, aliases, and rebrands.
• Monitor Telegram and off-Telegram migration signals.
• Watch for new escrow bots and customer service channels.
• Correlate wallet activity with known marketplace infrastructure.
• Translate and analyze Chinese-language listings for corporate exposure.

How Organizations Should Respond

Security teams should treat guarantee marketplaces as a direct source of credential, identity, and brand risk. Monitoring should not stop at dark web forums or ransomware leak sites.

Organizations should look for mentions of their domains, executive names, employee emails, authentication portals, customer support brands, and cloud tenants in Chinese-language cybercrime spaces. They should also monitor for fake identity documents or business registration materials tied to the company.

The second DOJ crypto scam seizure reference reinforces the scale of the fraud economy behind these markets. The same scam ecosystem that steals from individuals can also generate corporate compromise, insider pressure, and laundering exposure.

Defensive priority	Recommended action
Credential exposure	Monitor for employee email, VPN, cloud, and SSO credentials in Chinese-language markets
Brand abuse	Search for fake support pages, phishing kits, logos, and impersonation assets
Employee PII	Watch for HR, payroll, identity, or contact data being traded
Fraud awareness	Train employees on pig-butchering, romance-investment scams, and coercion risks
Incident response	Reset exposed accounts quickly and investigate access logs for prior misuse
Threat intelligence	Add Chinese-language marketplace monitoring to collection requirements

Guarantee Markets Are Now Core Cybercrime Infrastructure

Chinese-language guarantee marketplaces show how professionalized the cybercrime economy has become. They do not only host stolen data. They provide trust, payments, customer support, advertising, and dispute handling for criminal vendors.

That business model makes cybercrime faster and easier to scale. A fraud operator can buy identity documents, rent laundering services, purchase stolen credentials, and hire technical support without building every capability alone.

For enterprises, the takeaway is clear. These marketplaces are not remote regional curiosities. They are part of the infrastructure that can expose employee accounts, customer brands, and corporate systems to fraud and intrusion.

FAQ