Cybercriminals Sell Stolen Credentials on Chinese Markets
Global cybercrime now draws significant financial power from a clandestine network of Chinese-language online marketplaces. Operating on Telegram, this ecosystem has quietly grown into one of the most potent engines fueling illicit activities worldwide.
These platforms, known as “guarantee” or dānbǎo (担保) marketplaces, use an escrow-based trust model to help criminals buy and sell stolen credentials, fraud kits, and illicit services.
The scale is staggering, and the reach now extends well beyond Southeast Asia into Western enterprise environments.
At the heart of this underground economy is a surprisingly familiar system. The guarantee marketplace model mirrors the escrow mechanics used by Alipay and Xianyu, platforms that trained hundreds of millions of Chinese internet users to associate platform-mediated transactions with safety.
Criminals took that trusted model and repurposed it for buying and selling stolen data, fake identities, deepfake services, and money laundering tools.
Analysts at Flare identified and tracked these platforms, finding that the largest, Huione Guarantee, processed more than $27 billion in cryptocurrency between 2021 and 2025.
Flare said in a report shared with Cyber Security News (CSN) that Huione became the single largest illicit online marketplace ever recorded, with competitor Xinbi Guarantee handling at least $8.4 billion over a similar period. Both platforms ran on Telegram before being banned in May 2025.

These marketplaces operate like professional businesses. Each platform is managed by a corporate-style operator with public branding, a customer service team, and a tiered vendor program.
Operators hold buyers’ funds in escrow and only release payment once the buyer confirms delivery. Vendors pay a security deposit in USDT cryptocurrency to list under the platform’s name, and if they scam a buyer, that deposit is forfeited, giving the “guarantee” real financial weight.
Even after the May 2025 Telegram takedown and US Treasury sanctions, the ecosystem bounced back quickly. More than thirty successor marketplaces emerged within months, with Tudou Guarantee seeing a near seventyfold surge in daily inflows.

Operators are now building proprietary messaging platforms to escape Telegram entirely, a clear signal that this underground economy is adapting faster than enforcement can contain.
Cybercriminals Abuse Chinese-Language Guarantee Marketplaces
The core business of these platforms is the active trade in stolen and fraudulent digital assets. Listings across Telegram-based guarantee marketplaces include stolen corporate credentials, fake identity documents, SIM cards, NFC-relay fraud kits, and corporate impersonation tooling.
These products move through bot-automated systems, with escrow held in USDT until the buyer confirms receipt.
What makes this model especially dangerous is that it directly feeds threats inside Western organizations.
Stolen funds from pig-butchering scams enter through victim-controlled wallets, get converted to USDT, and flow through vendor laundering services into scam compound payroll and the next wave of attack tooling.
The FBI logged $5.8 billion in reported cryptocurrency-investment fraud losses in the United States in 2024 alone, the single largest category of cybercrime losses that year.
The platforms also trade in employee PII and brand impersonation assets deployable directly against enterprise networks.

Hundreds of thousands of messages flow daily across more than thirty active channels, making this one of the most active threat intelligence surfaces that most Western security teams currently ignore.
The guarantee model has survived US Treasury designations, coordinated Telegram bans, and multi-billion-dollar sanctions, and continues to expand.
Recommendations for Security Teams and Organizations
Security teams need to treat these marketplaces as a direct operational threat, not a distant regional curiosity.
Flare recommends monitoring Chinese-language Telegram channels for stolen corporate credentials, employee PII, and brand impersonation assets being actively traded every day.
Most Western threat intelligence programs do not collect against this surface, creating a meaningful and exploitable blind spot for organizations.
Organizations should also treat investment fraud and pig-butchering scams as an enterprise risk. Employees who fall victim to romance-investment schemes can be coerced into providing corporate access or moving business funds, effectively turning them into insider threat vectors.
Security teams must track the infrastructure migration in real time, as operators continuously rebrand and begin building private messaging platforms entirely outside of Telegram.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


