Chinese-language “guarantee” marketplaces hosted mainly on Telegram have become a core conduit for buying, selling, and laundering stolen credentials and a wide range of criminal services.
These platforms modeled explicitly on consumer escrow systems such as Alipay’s 担保交易 (dānbǎo jiāoyì) operate as third-party guarantors: the marketplace operator holds buyer funds in escrow, releases them only after delivery is confirmed, and adjudicates disputes.
That familiar escrow veneer has enabled rapid scaling from bilateral brokers to industrialized marketplaces that now underpin Southeast Asian scam compounds, money-laundering rings, and transnational fraud operations.
Huione Guarantee, which processed more than $27 billion in cryptocurrency from 2021 to 2025, is the most prominent example.
Running primarily through Telegram channels and bot-managed workflows, Huione and its peers collected vendor deposits in USDT, charged listing and dispute fees, and used automated bots for order tracking and arbitration.
This structure introduced durable incentives: vendors post significant security deposits that are forfeited for fraud, reducing exit-scam risk and making the operator’s brand and recurring revenue more valuable than short-term theft.
According to flare, the largest illicit online marketplace ever recorded processed more than $27 billion in cryptocurrency between 2021 and 2025.
Settlement in stablecoins such as USDT (and in some cases operator-issued tokens like USDH) further smoothed high-volume transfers and complicated tracing.
Chinese Guarantee Markets Exploited
The product mix on guarantee marketplaces extends well beyond stolen credential listings. Operators advertise fraud kits, corporate-impersonation tooling, SIM cards, SMS-verification and know-your-customer bypass services, fake identity documents.
A message in the Ouyi public group navigation channel outlining the numerous products and services it provides or enables, such as escrowed payment processing, crypto-to-fiat exchange.
NFC-relay devices, deepfake generation, doxxing-as-a-service, and laundering pipelines that convert victim-controlled wallets into compound payroll.
Those offerings directly support pig-butchering and investment-fraud schemes run from scam compounds across Cambodia, Myanmar, and Laos facilities that rely on these marketplaces to procure supplies, recruit operators and mules, and launder proceeds.
Law-enforcement interventions in 2025 most notably the US Treasury’s Section 311 designation of Huione Group and coordinated takedowns on Telegram disrupted the largest operators but did not eliminate the model.
Xianyu (闲鱼, “Idle Fish”), rebranded internationally as Goofish, launched in 2014 as Alibaba’s consumer-to-consumer secondhand spinoff from Taobao.
Huione and Xinbi were quickly mirrored or replaced; more than 30 successor marketplaces appeared, and platforms like Tudou saw massive inflows after bans.
Operators responded by pre-positioning backup channels, using NFT-linked usernames and resilient wallet infrastructure, and beginning to prototype proprietary messenger apps to escape Telegram’s oversight.
Telegram’s later cooperation with authorities, combined with sanctions on physical operators such as Prince Group and raids on scam compounds, shifted the ecosystem but did not shrink aggregate volume significantly.
For security teams, the threats are immediate and multi-dimensional. Stolen corporate credentials sold on these channels enable account takeover, fraudulent wire transfers, and supply-chain impersonation.
Adjacent services SIM farms, fake KYC, and deepfakes lower the operational friction for targeted attacks against enterprises and customers.
The FBI’s IC3 reported $5.8 billion in cryptocurrency-investment fraud losses in 2024, a conservative lower bound that intersects directly with guarantee-platform activity.
Defensive measures should emphasize credential hygiene, monitoring for illicit credential exposure, and proactive threat intelligence that monitors Chinese-language guarantee channels.
Organizations should deploy detection for reused credentials and anomalous access patterns, enforce multi-factor authentication with phishing-resistant methods, and work with forensic crypto-tracing partners to follow laundering patterns into compound-linked vendors.
Threat intelligence providers track hundreds of thousands of daily messages from these guarantee markets and can surface listings and tooling before they are weaponized; reports from Elliptic, TRM Labs, Flare, and law-enforcement advisories provide further context and indicators on wallets, channel handles, and vendor aliases.
The guarantee model’s strength is cultural and structural: it borrows widely understood escrow norms from China’s mainstream platforms and combines them with Telegram’s reach and bot automation, creating a durable criminal marketplace.
Enforcement can disrupt operators and infrastructure, but without coordinated action across messaging platforms, crypto settlement channels, and the physical supply chains that host scam compounds, the model will continue to evolve and supply new threats to Western enterprises and consumers alike.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
