The Prehistory of Chinese-Language Guarantee Marketplaces

By Chris d’Eon, Threat Intelligence Researcher

The largest illicit online marketplace ever recorded processed more than $27 billion in cryptocurrency between 2021 and 2025. It ran on Telegram, settled cryptocurrency transactions, and modeled its trust architecture on the same escrow system that powers Alipay, the payment platform used by over a billion Chinese consumers. The marketplace, Huione Guarantee, is the most prominent example of a model that now dominates the Chinese-language cybercriminal underground: the “guarantee” (担保, dānbǎo) marketplace. 

These marketplaces are third-party escrow services for illicit transactions. This model now dominates the Chinese-language cybercriminal underground, and it lives almost entirely on Telegram. The marketplace operator stands between buyer and seller, holds the buyer’s funds in escrow, releases them to the seller only when the buyer confirms delivery, and adjudicates disputes when something goes wrong. In return, the operator collects deposits from vendors who want to advertise under its brand, fees on transactions, and revenue from paid promotional slots. The underlying trades conducted on these platforms include money laundering, stolen data, fraud kits, fake identity documents, recruitment for scam compounds, retail fraud, deepfake services, and the physical infrastructure of human trafficking and forced-labour compounds. The model exists because these trades are conducted between strangers who do not know or trust each other and cannot use courts or normal payment rails to enforce a deal.

Key Findings About Chinese-Language Guarantee Marketplaces

• The guarantee model is a direct descendant of legitimate Chinese e-commerce. The escrow architecture, trust vocabulary (担保交易), and dispute resolution mechanisms used by Huione and its successors trace directly to Alipay and Xianyu (Alibaba’s C2C secondhand platform), which trained an entire generation of Chinese internet users to associate platform-mediated escrow with safe stranger-to-stranger trading.
• The ecosystem processes tens of billions in illicit volume. Huione Guarantee alone processed over $27 billion between 2021 and 2025. Its competitor Xinbi handled at least $8.4 billion. These platforms serve as the financial and logistical substrate for Southeast Asian scam compounds that generated $5.8 billion in reported losses from US victims in 2024 alone.
• Enforcement has produced fragmentation but not elimination. The May 2025 Telegram takedown, US Treasury designation, and coordinated sanctions displaced Huione’s dominance but did not reduce aggregate volume. More than 30 successor marketplaces emerged within months, and operators are now building proprietary messaging platforms to escape Telegram’s reach entirely.
• The Tor-era Chinese dark web was a structurally flawed predecessor. Chinese-language dark web marketplaces (2013 to 2021) established the escrow-mediated model but suffered from exit-scams, a barrier to entry caused by the Great Firewall, and an inability to scale to the industrial demands of the post-COVID scam compound economy.
• This ecosystem directly threatens Western targets. Pig-butchering scams operated from Southeast Asian compounds target Western retail investors, and the same guarantee platforms that launder stolen funds also broker the SIM cards, fake IDs, deepfake services, NFC-relay fraud kits, and corporate impersonation tooling that appear as adjacent threats in Western enterprise environments.

How the Model Works

Each marketplace is a Telegram-native platform run by a corporate-style operator with public branding, a customer-service team, and a tiered vendor program. 

The marketplace operator stands between buyer and seller, holds the buyer’s funds in escrow, releases them to the seller only when the buyer confirms delivery, and adjudicates disputes when something goes wrong. In return, the operator collects deposits from vendors who want to advertise under its brand, fees on transactions, and revenue from paid promotional slots.

Vendors post a substantial security deposit in the cryptocurrency USDT (Tether) in order to list under the marketplace’s name. The deposit is forfeit if the vendor scams a buyer, which gives the platform’s “guarantee” actual financial weight. Bots automate listings, order tracking, and dispute handling. Escrow funds sit in the marketplace’s own wallets until delivery is confirmed, and almost all settlement is in USDT, chosen for its dollar stability, low fees, and (until recently) limited tracing. The model is a standalone marketplace built around escrow, with the operator functioning as a third-party guarantor for transactions between strangers who have no other basis for trust.

Telegram channel description for Ouyi, a contemporary guarantee marketplace on Telegram, containing links to related channels in the network. Channel names here follow naming conventions typical to guarantee platforms, such as suffixing the channel name with “db” for  担保 (dānbǎo, “guarantee”), or “gq” for 公群 (gōngqún, “public groups”)

A message in the Ouyi public group navigation channel outlining the numerous products and services it provides or enables, such as escrowed payment processing, crypto-to-fiat exchange, money laundering, insider recruiting, money mule recruitment, scam operator recruitment, doxxing-as-a-service, social media account rentals, SMS verification, know-your-customer bypass, bot development, SIM cards, counterfeit phones, lead generation and gambling

The Ouyi customer service bot, with options for vendors to start new groups on Telegram, verify public groups, arbitrate disputes and buy advertisements

Why Security Teams Should Care

Huione Guarantee, founded in 2021 as a service of the Cambodia-based Huione Group, became the single largest illicit online marketplace ever recorded, processing more than $27 billion USD in cryptocurrency between 2021 and 2025. Xinbi Guarantee, a competitor based in the Asia-Pacific Golden Triangle, processed at least $8.4 billion USD over a similar period. When Telegram banned both platforms on May 13, 2025 twelve days after the US Treasury’s Section 311 designation of Huione Group, numerous successors rapidly filled the void. 

Tudou Guarantee, in which Huione held a 30% stake, saw a near 70-fold surge in daily inflows in the weeks after the ban, and more than 30 successor marketplaces appeared within a few months. The scam compounds in Cambodia, Myanmar, and Laos depend on these platforms for laundering, tooling, and supply-chain services.

For Western firms and security teams, this ecosystem is not a distant Asia-Pacific curiosity. Pig-butchering and related cryptocurrency-investment scams run out of compounds located in Southeast Asia employ trafficked workers from neighboring regions and target Western retail investors, typically retirees and middle-aged professionals approached through unsolicited text messages, dating apps, or LinkedIn. The FBI’s Internet Crime Complaint Center logged $5.8 billion USD in reported cryptocurrency-investment fraud losses across 41,557 US complaints in 2024 alone, the largest single category of cybercrime losses that year. That figure is a floor, since most victims do not report or report to other agencies. 

Stolen funds enter the system through victim-controlled wallets, get bridged to USDT, and move through guarantee-vendor laundering services into compound payroll, recruitment, and the next round of scam tooling. The guarantee marketplaces are the financial and logistical substrate that connects Western retail victims to the trafficked workers running the scams. The same Telegram-hosted plumbing that converts the losses to usable proceeds also brokers the SIM cards, fake IDs, deepfake services, NFC-relay fraud kits, stolen credentials, and corporate impersonation tooling that show up as adjacent threats in Western enterprise environments.

Where did this model come from? It did not appear on Telegram in 2021 fully formed. Its trust architecture and naming conventions are inherited from a roughly decade-long lineage of Chinese-language illicit marketplaces on the dark web. Behind those sits a much older piece of Chinese commercial culture, Alipay-style platform escrow.

Alipay and the Origins of Platform Escrow

The contemporary guarantee model descends from the legitimate Chinese consumer-internet trust architecture of two decades earlier. 

Alipay launched in October 2003 as a feature of Taobao, the consumer-facing online marketplace operated by the Chinese e-commerce conglomerate Alibaba. In a country where adult credit-card penetration was under 3%, internet penetration was below 5%, and the major banks had no shared retail-payments infrastructure, no one trusted anyone else enough to send money for goods they had not received. Alibaba’s solution was platform-mediated escrow: the buyer paid Taobao, Taobao notified the seller to ship, and Taobao released the funds to the seller only after the buyer confirmed receipt. Within a year, almost every Taobao seller had adopted the option. Soon afterward, it became mandatory for every transaction on the platform, and the underlying functionality was spun off into Alipay. By the late 2000s, Alipay-style escrow was the default trust mechanism for stranger-to-stranger commerce in China.

Xianyu and the C2C Model

Xianyu (闲鱼, “Idle Fish”), rebranded internationally as Goofish, launched in 2014 as Alibaba’s consumer-to-consumer secondhand spinoff from Taobao. It carried Alipay’s escrow (担保交易, literally “Guarantee Transaction”) into peer-to-peer C2C trading and added a thicker reputation layer on top, including real-name authentication, consumer credit scores, item categories, geographic filtering, and the Xianyu Small Court, a peer-arbitration mechanism that resolves disputes between users by polling other Xianyu accounts. By the late 2010s, Xianyu was one of the most widely used C2C marketplaces in China, and it became the canonical mental model for what platform-mediated peer trade between strangers looked like.

A second-hand product listing on Xianyu / Goofish, including an explanation of Alipay escrow (担保交易)

Xianyu’s explanation of Alipay escrow with English translation

The architecture that Alipay and Xianyu established was escrow plus reputation plus arbitration. The Tor-era Chinese dark web operators would later copy it, and Huione would eventually port it to Telegram. Each layer of the lineage swaps new trust anchors, new venues, and new goods into the same underlying skeleton:

• Alipay’s funds-held-until-receipt becomes escrowed transactions denominated in cryptocurrency. 
• Real-name authentication becomes pseudonymous reputation kept by the marketplace itself. 
• The Xianyu Small Court becomes an admin-run dispute group, then a Telegram bot. 

The skeleton is preserved at every layer. Only the trust anchors and the goods are swapped out.

Xianyu has been used directly for illicit transactions. Mainstream Chinese tech media has referred to Xianyu as “China’s dark web,” because of the volume of gray-market listings on the app. The familiarity with the platform for illicit trading helped subsequent illicit versions of the model scale effectively in Chinese-speaking ecosystems. Chinese users had already been culturally trained on platform-mediated escrow trading between strangers for almost two decades by the time the dark-web operators started cloning the pattern.

The Etymology of 担保

The vocabulary the dark web and Telegram-era marketplaces use is itself inherited from Alipay. The term 担保 (dānbǎo, “guarantee”) is seen in the naming schemes of nearly every contemporary guarantee platform, such as Huione Guarantee (汇旺担保, Huìwàng Dānbǎo) and Tudou Guarantee (土豆担保, Tǔdòu Dānbǎo), and is often present in the abbreviated Telegram channel handles the platforms use, where db stands in for dānbǎo (e.g. tddb for Tudou Guarantee). The term was already universal in Chinese e-commerce, and was itself a deliberate translation choice made by the Alipay team in 2003.

Before 2003, 担保 existed in Chinese mostly in legal and financial contexts. It appears in Chinese contract law and means roughly “to guarantee, to vouch for, to collateralize.” The Alipay team repurposed the term to mean platform-mediated third-party escrow for stranger-to-stranger transactions. They recognized the problem as analogous to the “not-at-the-point-of-delivery” dilemma in early international trade and reached for the term already used in that context, 担保交易, the standard Chinese gloss for the English word Escrow. The choice was a deliberate borrowing of international-trade vocabulary into consumer commerce. By early 2004, 70% of Taobao listings were using 担保交易, and it soon became mandatory for every transaction on the platform. 

Eventually a generation of Chinese internet users, some of whom would later end up on the dark web, had already been culturally trained to associate 担保交易 with safe stranger-to-stranger trading.H

Starting around 2013–2015, Chinese-language Bitcoin forums such as bitcointalk.org’s Chinese board, the 巴比特 / Babbitt forum, and various BTC China community spaces developed a vocabulary around 中间人担保 (zhōngjiānrén dānbǎo, “middleman guarantee”) for peer-to-peer fiat-to-crypto OTC trading. This is where the term picked up its specific crypto connotation, the trusted-individual-as-escrow-agent pattern that Huione would later automate at industrial scale.

The vocabulary was already so deeply naturalized in mainstream Chinese internet culture that any Chinese-speaking marketplace operator would have used the term 担保 without thinking. Operators inherited a fully formed, mass-market trust vocabulary from legitimate e-commerce.

A 2013 post on the Chinese-language subforum of bitcointalk.com, using both 中间人担保 and 担保交易 in the same sentence. The user is looking to buy large quantities of Bitcoin for cash, and proposes to use a trusted intermediary to guarantee the transaction, or use Alipay’s escrow service

The Tor-Era Chinese Dark Web (2013–2021)

Chinese-language dark-web marketplaces were, like their Russian– and English-language counterparts, settled almost entirely in Bitcoin, integrated heavily with Telegram as a secondary communication channel, and operated under constant pressure from law-enforcement crackdowns that periodically wipe out lower-tier marketplaces. Chinese hackers turned to dark web venues in the 2010s as part of a wider Asian shift that included Japanese, North Korean, Indonesian, and Vietnamese actors.

Deepmix

The flagship venue of this era was the Chinese Darknet Forum (暗网中文论坛), founded in 2013. By 2015–2016 it restructured itself into a proper marketplace platform, and rebranded as Deepmix. The trust mechanism it presented to users was a vendor reputation system displayed as a ratio of positive reviews to risk reports, with a platform-held wallet for funds rather than the per-transaction escrow flow that the Telegram-era markets would later use. 

Deepmix as it is today, featuring illicit data for sale. Sellers have a positive-review-to-risk ratio displayed in a column on the right.

Funds deposit in Deepmix. Users deposit Litecoin to a platform-controlled address and spend deposited funds on marketplace items. Deepmix does platform-side mixing of incoming funds.

Chang’an Sleepless Night (长安不夜城) emerged in 2022 as a serious rival, with a more modern interface, a built-in admin contact, an official Telegram group, support for BTC, ETH, and USDT, and low withdrawal fees. Like Deepmix, it uses platform-controlled cryptocurrency wallets and user reputation scores. Exchange Market had been running since at least 2019, with categories for data resources, service businesses, virtual items, physical items, and “private guarantee” (私人担保) deals, plus paid advertising slots at the top of the index. Other named markets that existed in the 2018–2021 window included Loulan City (楼兰城), Tea Horse Ancient Road (茶马古道), Free City (自由城), Golden Castle (黄金城堡), and Cool Customer Mall (酷客商城).

Structural Features Relevant to the Guarantee Lineage

Two structural features of these Tor marketplaces are relevant to the history of modern guarantee platforms:

1. Trust between buyer and seller was built into the platform by design. These were escrow-mediated peer-to-peer marketplaces, not just forums with optional escrow functionality bolted on. The platform operator held funds in escrow, ran dispute resolution, and by the 2020s increasingly used bot automation. 
2. The markets were branded explicitly around the Chinese consumer-internet vocabulary rather than dark web terminology, with category labels like 担保 (guarantee), 商城 (mall), and 交易市场 (trading market). They were marketing themselves as if they were Taobao or Xianyu, not Silk Road or AlphaBay.

Free City forum as it is today, offering various guarantee services. In the top left it brands itself as “Free City: anonymous guarantee trading marketplace forum community.”

The Decline of the Dark Web Model

The Chinese Tor marketplace ecosystem peaked around 2020–2021 and then went into an accelerated decline. Numerous dark web markets died in 2021, including Tea Horse Ancient Road, Golden Castle, and Cool Customer Mall. Several distinct pressures combined to produce this die-off.

Exit scams and police crackdowns were the two leading causes of marketplace closure. Tea Horse Ancient Road, for instance, had been promoted heavily on Twitter and Telegram before vanishing with users’ Bitcoin balances. Contemporary first-person accounts warned that the Chinese dark web was “crawling with scammers” and that DDoS, drug, and other paid services typically delivered no value.

China’s Great Firewall blocks Tor at the protocol level, and the Ministry of Public Security’s “Net Cleanup” (净网, jìngwǎng) campaigns imposed administrative penalties on 1,522 people for personal-information crimes and arrested 6,329 suspects for COVID-related online fraud in the early stages of the 2020 operation alone. Operating any Tor marketplace required users to bridge through obfs4, meek, and similar transports, which creates both a usability tax and a fingerprinting risk. Foreign-language sales were rare on these markets precisely because the user base was small, Chinese-only, and behind a censorship wall.

The escrow operator was the single point of failure. When Alipay holds escrow, the operator is Alibaba, an audited public company subject to Chinese regulators. When a Tor market like Tea Horse Ancient Road held escrow, the operator was an anonymous forum administrator whose only commitment device was reputation, which was destroyed the moment they ran. The result was a structural tendency for markets to terminate in an exit scam once user balances grew large enough. 

The Telegram-era model raises the cost of an exit scam. The operator is still the single point of failure, but a Telegram-based guarantee platform operator with corporate branding and a vendor base whose deposits it depends on for ongoing revenue has substantially more to lose by absconding than an anonymous dark-web forum admin did. Vendor deposits in particular invert part of the exit-scam incentive: the platform earns continuously from deposits and listing fees, so the payoff from running away with escrowed user balances is weighed against the loss of future recurring revenue. The operator now has a business worth more than the float in the escrow wallet at any given moment.

The prominence of Chinese-language marketplaces on Tor has significantly receded due to a combination of exit-scam churn, state pressure, structural lack of trust, and skill drain. The rise of Southeast Asian scam compounds post-COVID was generating more demand than ever for an escrow-mediated Chinese-language marketplace, but the incumbent dark-web platforms were not equipped to host it. Although big players like Deepmix, Chang’an Sleepless Nights, and Free City remain operational today, they occupy a different niche than the Telegram guarantee platforms. They are marketplaces of individual retail consumers, and are not tailored to, or equipped to handle, the industrial-scale demands of the international scam center supply chain.

The Rise of Scam Centers

From the late 2010s onward, Chinese-organized criminal networks built an industrial-scale scam-compound economy across Cambodia, Myanmar, and Laos. 

In 2019, Cambodia’s ban on online gambling pushed roughly 200,000 Chinese nationals out of the country, and COVID-era border closures then cut off the flow of mainland casino tourists. The casino operators run by Chinese nationals based in Sihanoukville and the Mekong Special Economic Zones repurposed their now-empty gaming floors and dormitory blocks for online scam operations, reusing the same physical perimeters, security staff, and recruited workforces to run pig-butchering and related fraud at industrial scale. 

By the early 2020s these compounds housed tens of thousands of trafficked workers running pig-butchering, romance-investment, and fake-trading-platform scams against victims worldwide. The proceeds, in the tens of billions of dollars, had to be laundered and redeployed. The compounds also generated a parallel demand for inputs: SIM cards, bank accounts, money mules, fake identity documents, deepfake services, worker recruitment, and physical supplies like restraints, surveillance equipment, and telecom gear. 

No Tor marketplace could serve that volume or that range of needs, and an escrow venue capable of doing so was the missing piece of the compound supply chain.

Prince Group and Anchor Demand

The largest single operator on the physical side of this economy is Prince Group, the Cambodian conglomerate founded and run by Chen Zhi, a naturalized Cambodian citizen of Chinese origin. Through a sprawl of more than a hundred subsidiaries spanning real estate, casinos, finance, and tourism, Prince Group runs many of the Sihanoukville and Mekong-region compounds where the scams are carried out. The compounds Prince Group operates are themselves the largest single source of the input demand. The SIM cards, mule accounts, fake IDs, deepfake services, restraints, and recruitment that compound supervisors source from guarantee vendors are bought to keep Prince-style facilities running, and the laundering services that move stolen victim funds into payroll and onward redeployment exist because compounds at that scale need them. 

By the early 2020s, the demand was in place and dark web markets were failing. What the ecosystem needed was a venue that could support the guarantee model at scale, and that venue turned out to be Telegram.

The Migration to Telegram

Several factors made Telegram the natural new venue for Chinese-language guarantee marketplaces:

Reach

Telegram has more than a billion users and is accessible without specialist software, Tor bridges, or a willingness to defeat the Great Firewall. For a vendor selling to Chinese-language buyers across Cambodia, Myanmar, the Philippines, and the diaspora, that is a market an order of magnitude wider than anything Tor could provide. The platform’s bot feature also let escrow markets automate verification, order tracking, and transaction history without standing up a separate website or app.

Bot Infrastructure

That bot infrastructure is what made the Tor-style admin-mediated dispute process scale into the Huione era. By 2024, Huione, Tudou, and Xinbi were all running bot-managed escrow, vendor onboarding, and merchant deposits at industrial scale. The Tor markets had nothing comparable. Their dispute resolution depended on a small number of human admins, which capped the number of vendors any marketplace could host.

Settlement in Stablecoins

Bitcoin volatility and traceability had been ongoing problems for the Tor markets, where every transaction was BTC-denominated. The Telegram-era guarantee markets settled instead in USDT, which is dollar-stable, fast, and, at the time, lightly traced. Huione Group eventually built its own stablecoin, USDH, to serve the same niche.

Takedown Resilience

The Telegram-native venue also turned out to be considerably more takedown-resilient than .onion addresses had been. When Telegram banned the Huione and Xinbi channels on May 13, 2025, both platforms were back online within days using backup channels and NFT-linked usernames. Operators had pre-positioned mirror channels and deposit wallets specifically to absorb takedown shocks, and Huione Pay’s average transaction volume rose 50% within weeks of the ban as vendors migrated to Tudou.

Operational Integration

The marketplace lives on the same platform as the offline operations it serves. Huione Guarantee’s vendors offered services tightly coupled to the operational needs of Cambodian and Burmese pig-butchering compounds, including SIM cards, fake IDs, USDT laundering, “intimidation as a service,” recruitment of trafficking victims, and electric-shock devices and steel restraints with captions clearly aimed at compound operators. Those same compounds coordinate on Telegram. 

Cultural Register

Telegram, in the Chinese-speaking diaspora’s perception, sits closer to WeChat than to Tor. A Telegram-based guarantee market therefore reads as an extension of the Chinese consumer-internet trust model rather than a defection from it. The Tor-era markets had already styled themselves after Xianyu, and Telegram-era guarantee marketplaces could approximate the actual feel.

Before Huione, a Xianyu Clone on Telegram

The Telegram-era story of guarantee marketplaces usually begins with Huione’s appearance in early 2021, but as early as March 2020, more than a year before Huione Guarantee launched, a Telegram-based Chinese-language guarantee marketplace was already operating. It called itself Xianyu, named directly after the legitimate platform, and provided escrow-mediated stranger-to-stranger trade. Among their offerings were Weibo OID-to-phone-to-password lookups, geolocation services, and stolen-database listings, with payment in Bitcoin. By calling itself Xianyu, the platform was telling Chinese-speaking buyers what kind of trade infrastructure to expect, with no further explanation needed. It is rumored that the illicit Xianyu marketplace was eventually rug-pulled, setting the stage for the rise of Huione’s wildly successful guarantee platform.   

The Huione Era

Huione Guarantee, launched in 2021, was the first large-scale guarantee marketplace on Telegram. The Chinese-language ecosystem until then had hosted only smaller bilateral guarantee brokers, OTC groups, and supply-and-demand channels, none of which were structured platforms with vendor deposits and bot-mediated escrow. Huione introduced that format, and the structural advantages it carried into it are why it dominated.

Institutional Foundations

Huione Group had existed since 2014 as a Cambodia-headquartered financial conglomerate, with Huione Pay holding a Cambodian payments licence and operating publicly as a remittance and foreign exchange business. The marketplace launched under the umbrella of legitimacy the Huione brand enjoyed at the time, and was initially pitched as a benign escrow service for real-estate and used-car transactions, which let it accumulate clients and credibility before pivoting hard into illicit categories. Huione Pay’s director and a major shareholder, Hun To, is a nephew of former prime minister Hun Sen and a cousin of the current prime minister Hun Manet, which made enforcement action against the group inside Cambodia effectively impossible.

Connections to the Prince Group

Huione group’s chairman, Li Xiong, has been described by Chinese authorities as a key member of Chen Zhi’s “criminal gang,” placing the marketplace inside Prince Group’s operational orbit. This gave Huione Guarantee the procurement and laundering needs of one of the largest scam-compound operators in Southeast Asia as anchor demand. 

Huione’s guarantee platform was also vertically integrated with Huione Pay, Huione Crypto, and Huione International Payments, so a vendor could clear, settle, and move proceeds between currencies entirely inside the single platform rather than relying on third-party OTC desks and exchanges.

Dominance and Downfall

By 2024 Huione’s transaction volume had crossed $27 billion USD, and it was the venue every other operator was benchmarked against. Huione’s dominance ended in a coordinated sequence of actions across 2025:

• The US Treasury’s May 2025 Section 311 designation of Huione Group as a primary money laundering concern.
• Telegram’s takedown of the Huione and Xinbi channel networks twelve days later removed the platform’s two most important operating dependencies at once. 
• The joint US-UK sanctions package against Prince Group and Chen Zhi named 146 entities and seized approximately $15 billion USD in cryptocurrency, cutting into the platform’s demand. 
• Cambodian compound raids running through mid- and late-2025.
• The Chinese government’s January 2026 execution of eleven individuals linked to Myanmar scam operations applied parallel pressure on the operational layer the marketplace served. 

This combination of events ended Huione’s position as the dominant guarantee platform and forced the fragmentation of the ecosystem.

The Ecosystem Today

As of early 2026, the Chinese-language guarantee ecosystem is fragmented and still mostly resident on Telegram. 

The May 2025 takedown of Huione and Xinbi did not produce a single dominant successor. Tudou absorbed the largest share of displaced demand, with inflows surging nearly seventyfold in the months after the ban. But Tiancheng, Dabai, Ouyi, Yinuo, Jin Bo, Haihua, Timi, Lao Niu and a long tail of smaller channels all expanded simultaneously. 

Vendors typically maintain storefronts on three or four marketplaces at once and route a given deal to whichever venue is least disrupted that week. Huione and Xinbi themselves came back online within days of the ban using backup channels, and continue to operate at reduced but meaningful volume.

Logos of various guarantee marketplaces. From left to right, top row to bottom: Huione, Xinbi, Tudou, Jinbo, Dabai, Timi, Yinuo, Haihua, Ouyi, Tiancheng, Bochuang, Lao Niu

Platform Diversification

Telegram’s policy posture shifted materially after the August 2024 arrest of Pavel Durov in France. By May 2025, the platform was responding to law-enforcement requests with IP and phone-number disclosures and carrying out the kind of takedowns it had spent the previous decade refusing. In response, Huione and Xinbi-affiliated operators began prototyping proprietary Telegram-style messengers, ChatMe and SafeW, intended to host the marketplace on infrastructure the operators themselves control. These deployments are still thin compared to Telegram’s network effects, but they are the clearest signal of where the high-value laundering and compound-service flows are headed.

Enforcement Impact

The wave of enforcement in 2025 was the first coordinated attempt to reach both the financial and physical layers of the ecosystem at the same scale. It has produced visible adaptation, including reshuffled channel branding, redistributed flows across successor markets, and accelerated work on alternative venues. However, it has not meaningfully reduced volume across the ecosystem in aggregate. The most popular post-takedown successor Telegram groups have members numbering in the hundreds of thousands, with hundreds of thousands of messages per day in many channels.

Daily message counts in the Flare platform as of the time of writing, for Ouyi guarantee’s main Telegram channel, and a highly active Xinbi-affiliated channel, respectively

Recommendations for Security Teams

For security teams, this prehistory is not simply background intelligence. The same platforms processing $27 billion in illicit cryptocurrency also broker the stolen credentials, NFC-relay fraud kits, deepfake services, corporate impersonation tooling, and fake identity documents that surface as direct threats against enterprise environments.

These are three priorities for monitoring these marketplaces:

1. Monitor for organizational exposure across Chinese-language Telegram channels. The guarantee marketplaces generate hundreds of thousands of messages daily across 30+ active platforms. Stolen corporate credentials, employee PII, and brand impersonation assets traded on these venues represent actionable exposure that most Western threat intelligence programs do not currently collect against.
2. Treat pig-butchering and investment fraud as an enterprise risk, not a consumer problem. The $5.8 billion in reported US losses in 2024 came disproportionately from professionals — the same demographic that constitutes your workforce. Employees compromised through romance-investment scams become insider threat vectors when they are coerced into providing corporate access or moving funds through business accounts.
3. Track the infrastructure migration. Operators are constantly rebranding and migrating between networks of Telegram channels, and beginning to experiment with platforms outside of Telegram. The model is not going away, and defensive coverage needs to adapt with it.

The guarantee marketplace ecosystem has survived a venue change, a US Treasury designation, a coordinated Telegram takedown, and a multi-billion-dollar sanctions package and emerged more distributed, more resilient, and more active than before. Monitoring these marketplaces is crucial for security teams worldwide.