Xinbi Telegram Marketplace Linked to $8.4 Billion in Cryptocurrency-Related Criminal Activities, Including Romance Scams and North Korean Money Laundering

A Telegram-based marketplace facilitating illicit transactions, named Xinbi Guarantee, has processed transactions totaling approximately $8.4 billion since its inception in 2022. This establishment has emerged as the second notable black market following the exposure of HuiOne Guarantee.

Recent analysis by blockchain analytics firm Elliptic indicates that merchants within this marketplace are engaging in the sale of technology, personal data, and services related to money laundering. The predominant payment method within this framework is the USDT stablecoin, with claims that some transactions can be directly linked to funds misappropriated by North Korean entities.

Like its counterpart HuiOne, Xinbi Guarantee has been known to cater to fraudsters throughout Southeast Asia, particularly those involved in romance baiting schemes, which have evolved into a notably lucrative form of cybercrime in recent years. These marketplaces operate entirely through Telegram, serving as a consolidated platform where diverse services ranging from technical tools to money laundering capabilities are provided for executing large-scale online fraud.

According to Elliptic’s findings, Xinbi Guarantee has amassed a user base of approximately 233,000 individuals, with merchants categorized into segments associated with money laundering, satellite internet equipment, counterfeit identification, and databases of compromised personal information. Additionally, certain vendors extend their services to include stalking, intimidation of targets within China, facilitation of women as egg donors or surrogates, and participation in human trafficking, underscoring the extensive range of illicit services beyond mere cyber scams.

Elliptic further notes that Xinbi Guarantee is witnessing significant growth, reaching inflows exceeding $1 billion in the fourth quarter of 2024, surpassing transaction volumes of early Tor-based darknet marketplaces. Intriguingly, Xinbi presents itself as an “investment and capital-guarantee group company,” claimed to be registered in Colorado by an individual named Mohd Shahrulnizam Bin Abd Manap. However, its registration status reflects delinquency due to the failure to file required periodic reports since its incorporation in August 2022.

Both Xinbi and HuiOne Guarantee have been implicated in laundering cryptocurrency assets that were reportedly stolen by actors associated with North Korea, following the hack of the Indian cryptocurrency exchange WazirX in July 2024. Notably, $220,000 in USDT was traced to addresses associated with Xinbi on November 12, 2024.

In response to these revelations, Telegram has taken measures to close numerous channels linked to these marketplaces, effectively disrupting operations associated with over $35 billion in USDT transactions. This development aligns with the recent designation by the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), which identified the Cambodia-based HuiOne Group as a “primary money laundering concern,” aiming to restrict its access to the U.S. financial infrastructure.

Elliptic has highlighted that these platforms offer critical insights into an underground banking system based in China, primarily driven by stablecoins and digital payments, which are leveraged for extensive money laundering activities.