Chinese-Language 'Guarantee' Marketplaces on Telegram Fuel Global Cybercrime with $35B+ in Crypto Transactions
Researchers at Flare have uncovered a network of Chinese-language 'guarantee' marketplaces on Telegram that processed over $35 billion in cryptocurrency transactions, using an escrow-based trust model to trade stolen credentials, fraud kits, and deepfake services.
A network of Chinese-language online marketplaces operating on Telegram has quietly become one of the most powerful financial engines behind global cybercrime. These platforms, known as "guarantee" or dānbǎo (担保) marketplaces, use an escrow-based trust model to help criminals buy and sell stolen credentials, fraud kits, and illicit services. The scale is staggering, and the reach now extends well beyond Southeast Asia into Western enterprise environments.
At the heart of this underground economy is a surprisingly familiar system. The guarantee marketplace model mirrors the escrow mechanics used by Alipay and Xianyu, platforms that trained hundreds of millions of Chinese internet users to associate platform-mediated transactions with safety. Criminals took that trusted model and repurposed it for buying and selling stolen data, fake identities, deepfake services, and money laundering tools.
Analysts at Flare identified and tracked these platforms, finding that the largest, Huione Guarantee, processed more than $27 billion in cryptocurrency between 2021 and 2025. Flare said in a report shared with Cyber Security News that Huione became the single largest illicit online marketplace ever recorded, with competitor Xinbi Guarantee handling at least $8.4 billion over a similar period. Both platforms ran on Telegram before being banned in May 2025.
These marketplaces operate like professional businesses. Each platform is managed by a corporate-style operator with public branding, a customer service team, and a tiered vendor program. Operators hold buyers' funds in escrow and only release payment once the buyer confirms delivery. Vendors pay a security deposit in USDT cryptocurrency to list under the platform's name, and if they scam a buyer, that deposit is forfeited, giving the "guarantee" real financial weight.
Even after the May 2025 Telegram takedown and US Treasury sanctions, the ecosystem bounced back quickly. More than thirty successor marketplaces emerged within months, with Tudou Guarantee seeing a near seventyfold surge in daily inflows. Operators are now building proprietary messaging platforms to escape Telegram entirely, a clear signal that this underground economy is adapting faster than enforcement can contain.
The core business of these platforms is the active trade in stolen and fraudulent digital assets. Listings across Telegram-based guarantee marketplaces include stolen corporate credentials, fake identity documents, SIM cards, NFC-relay fraud kits, and corporate impersonation tooling. These products move through bot-automated systems, with escrow held in USDT until the buyer confirms receipt. The FBI logged $5.8 billion in reported cryptocurrency-investment fraud losses in the United States in 2024 alone, the single largest category of cybercrime losses that year.
Security teams need to treat these marketplaces as a direct operational threat, not a distant regional curiosity. Flare recommends monitoring Chinese-language Telegram channels for stolen corporate credentials, employee PII, and brand impersonation assets being actively traded every day. Most Western threat intelligence programs do not collect against this surface, creating a meaningful and exploitable blind spot for organizations. Organizations should also treat investment fraud and pig-butchering scams as an enterprise risk, as employees who fall victim to romance-investment schemes can be coerced into providing corporate access or moving business funds.