

The U.S. Department of Justice announced on 24 June 2026 the seizure of a cloud computing account maintained by subsidiaries of HuiOne Group, a Cambodia-based corporate conglomerate. In a coordinated action published the same day, the U.S. Treasury Department sanctioned nine individuals and 26 entities with ties to Prince Group, a separate Cambodian criminal organisation whose financial infrastructure overlapped substantially with HuiOne's operations. The cloud account had served as backend infrastructure for HuiOne Guarantee, also referred to by its Chinese-language name Haowang Guarantee, a Telegram-based illicit marketplace that processed transactions related to cyber fraud, money laundering, and human trafficking between 2021 and 2025. Blockchain analytics firm Elliptic estimated that by the time the platform was shut down, it had processed more than $31 billion in cryptoasset transactions, making it the largest illicit online marketplace ever documented.
HuiOne Guarantee operated not as a direct fraud operation but as a marketplace connecting criminal buyers and sellers. Sellers listed services and products across a wide range of fraud enablement categories, and HuiOne Guarantee provided escrow services to reduce the risk of fraud between the parties transacting on its platform. The escrow function was commercially significant: without a trusted intermediary, criminal buyers of money laundering services or fraud tooling would face the same trust problem as any market participant dealing with unknown counterparties. By offering escrow, HuiOne Guarantee made itself indispensable to the ecosystem and captured a share of every transaction.
The platform operated on Telegram, which gave it structural resilience compared to traditional dark web marketplaces accessed through the Tor network. Telegram channels are easier to access, require no specialised browser, and can be shared via simple invite links that propagate quickly across criminal networks. The trade-off is that Telegram has the ability to ban channels and accounts, a capability that enforcement pressure has forced the platform to use with increasing frequency. In anticipation of this, successor markets that emerged after HuiOne Guarantee's shutdown have begun building proprietary messaging platforms specifically designed to survive account bans.
HuiOne Group's corporate structure in Cambodia gave the operation a degree of legitimacy cover that pure dark web marketplaces typically lack. The conglomerate had diverse business interests in the region, and its subsidiaries were able to provide services to the illicit marketplace while sitting within a corporate structure that operated openly. This blending of legitimate and criminal business within the same conglomerate is a structural feature of the Southeast Asian criminal ecosystem that differs from the purely underground operations law enforcement has more frequently targeted in previous enforcement actions.
The product categories listed on HuiOne Guarantee spanned every stage of a large-scale cyber fraud operation. Personal and financial data formed the base layer: victim databases containing names, addresses, contact details, and financial account information were available for purchase, providing fraud operators with raw material for targeting campaigns. Money laundering services converted cryptocurrency proceeds from fraud into the conventional banking system without triggering the financial monitoring controls that would flag sudden large cryptocurrency-to-fiat conversions as suspicious.
Web development services specifically for building fraudulent investment platforms and phishing websites were another significant category. Fraud operators running investment scams need a convincing frontend that presents fabricated returns, fake account balances, and the appearance of a regulated financial service. Rather than building these platforms themselves, operators could purchase ready-made or customised versions through HuiOne Guarantee. Phishing websites imitating banks, cryptocurrency exchanges, and payment processors were similarly available as a service.
The most technically sophisticated category covered biometric deception tools: software for face swapping, voice cloning, and conducting video calls using deepfake-generated likenesses. These tools directly addressed one of the most persistent friction points in high-value fraud. When a victim requests a live video call to verify the identity of the person they are dealing with, a convincing deepfake video call eliminates the obstacle. The availability of these capabilities at scale through HuiOne Guarantee lowered the barrier to this type of verification bypass substantially. A July 2024 analysis by Elliptic found that the platform also listed physical goods including tear gas, electric batons, and electronic shackles, items described by sellers as tools for controlling the workers held in scam compounds and preventing them from escaping.
The connection between HuiOne Guarantee and physical human suffering runs through the scam compound model that generated much of the fraud the platform enabled. Southeast Asian scam compounds are facilities where trafficked workers, often lured with false job offers and then held against their will, are forced to operate the phones, messaging accounts, and social media profiles through which investment fraud is conducted. The workers contact potential victims, build relationships over weeks or months, and ultimately persuade them to invest in fraudulent platforms that fabricate returns until the victim's funds are withdrawn by the operators.
Workers in these compounds have described conditions involving violence, threats against family members, and physical restraint. The tear gas, electric batons, and shackles listed on HuiOne Guarantee were the tools through which operators maintained control over these workers. The fraud proceeds that flow through the platform's money laundering services are the direct proceeds of this criminal enterprise. When a corporate employee falls victim to a business email compromise scheme and transfers funds to a scam compound operator, those funds may ultimately pass through a marketplace like HuiOne Guarantee on their way to the conventional banking system.
This dimension of the ecosystem is relevant to how organisations frame the urgency of cyber fraud prevention. The financial losses from business email compromise and investment fraud represent one category of impact. The human trafficking operations that these fraud proceeds fund represent another, and the two are structurally connected through platforms like HuiOne Guarantee.
Elliptic's estimate of more than $31 billion in cryptoasset transactions processed by HuiOne Guarantee before its shutdown places the platform in a category of its own. Silk Road, the dark web marketplace that defined the category between 2011 and 2013 before its takedown, processed an estimated $1.2 billion in transactions across its full operating life. AlphaBay, which was larger than Silk Road at its peak and operated between 2014 and 2017, generated more volume, but HuiOne Guarantee's $31 billion is still more than 25 times larger than Silk Road and AlphaBay combined.
The $31 billion figure is a transaction volume, not revenue. It reflects the scale of criminal proceeds flowing through the platform: fraud victims' funds, laundering fees, and payments for criminal services. At the other end of each transaction is an individual who was defrauded through the investment fraud schemes that HuiOne Guarantee's tooling and labour procurement services enabled. The scale figure implies a corresponding volume of victims, spread across the United States and other English-speaking countries that have been the primary targets of Southeast Asian scam compound operations.
The comparison to Silk Road and AlphaBay also illuminates the shift in the nature of the threat. Those earlier platforms primarily facilitated drug sales between individuals. HuiOne Guarantee primarily facilitated industrialised fraud targeting financial victims at scale. The criminal business models are structurally different, and HuiOne Guarantee's model is more harmful in aggregate precisely because it was designed to operate at industrial rather than retail scale.
The cloud computing account seized by the DoJ had served as backend infrastructure for HuiOne Group's subsidiaries, including the servers supporting the HuiOne Guarantee marketplace. Backend infrastructure for a Telegram-based marketplace includes the systems that handle transaction processing, escrow management, dispute resolution, and the storage of listing data and communications between buyers and sellers. Seizure of this infrastructure gives law enforcement access to the operational records of the platform: evidence of which parties transacted, what they purchased, and how much moved through each channel.
The DoJ's statement characterised the account as part of the technological backbone that allowed billions in fraud proceeds to be transferred, moved, and concealed. The seizure does not in itself disable the Telegram channels or the criminal actors who operated through the platform, but it removes the ability to use the seized infrastructure and potentially surfaces evidence relevant to prosecutions of the underlying operators. Infrastructure seizure is one component of a multi-element enforcement action; the Treasury sanctions issued simultaneously address the financial layer by cutting named entities off from the U.S. financial system.
The 26 entities and 9 individuals sanctioned by the Treasury Department's Office of Foreign Assets Control were tied to Prince Group, a Cambodian conglomerate that had been designated as a Transnational Criminal Organisation eight months before the June 2026 action. Prince Group's operations had included scam compounds that generated fraud proceeds, which then moved through HuiOne Guarantee's money laundering services. Prince Group's chairman, Chen Zhi, was arrested, extradited to China, and stripped of his Cambodian citizenship in the period preceding the June 2026 actions.
Treasury's Financial Crimes Enforcement Network simultaneously assessed H-Pay Service PLC as a primary money laundering concern. The designation targets H-Pay specifically in response to HuiOne Group's attempts to maintain access to the U.S. financial system after earlier enforcement had disrupted its primary channels. FinCEN had previously designated HuiOne Group itself as a primary money laundering concern in May 2025. The H-Pay designation extends the enforcement perimeter to cover the financial service providers the group shifted to after the first designation.
HuiOne Guarantee announced it was ceasing operations in May 2025. The announcement followed the earlier FinCEN designation and reflected the mounting enforcement pressure the platform was facing. The shutdown did not, however, eliminate the demand for the services it had provided, and research published by Flare in connection with the June 2026 enforcement action identified more than 30 marketplaces that had emerged since then to fill the void.
Flare researcher Chris d'Eon characterised the 2025 enforcement wave as producing visible adaptation rather than meaningful volume reduction. Channel branding was reshuffled. Transaction flows were redistributed across successor markets. Work on alternative communication infrastructure, specifically proprietary messaging platforms designed to avoid Telegram's banning capabilities, accelerated. But aggregate transaction volume across the ecosystem did not, by Flare's assessment, materially decrease. The criminal business model remained intact and sufficiently profitable to attract new entrants within weeks of the dominant platform's closure.
The speed of this reconstruction is itself informative. It indicates that the barriers to entry for running a criminal services marketplace of this type are not primarily technical. The tooling, the payment infrastructure, and the criminal network relationships that make such a market functional can be assembled and operational faster than the enforcement process that dismantled the original platform. The implication is that enforcement against specific platforms imposes costs and disrupts specific operators without eliminating the underlying market.
The resilience of the HuiOne Guarantee ecosystem after enforcement action reflects structural features of the criminal market it served rather than any specific failure of enforcement strategy. The Southeast Asian cyber fraud model depends on a supply chain: trafficked workers, fraud tooling, money laundering services, and communication infrastructure. When one platform providing parts of that supply chain is removed, the demand from operators who depend on it generates immediate incentive for alternative providers to emerge. The profitability of the operations these services support means that alternative providers can attract participants quickly.
The migration to proprietary messaging platforms is a particularly significant adaptation. Telegram's enforcement action capabilities, including the ability to ban channels and close accounts, had been one of the primary tools used to apply pressure to the network. By building communication infrastructure they control entirely, successor market operators remove this lever. Law enforcement responses to proprietary criminal communication platforms have historically required different legal tools and longer timelines than action against commercial platforms.
For organisations focused on threat intelligence, the successor market landscape requires continuous monitoring rather than a point-in-time response to enforcement action. Which of the 30-plus successors gains dominant share, which categories of fraud tooling it offers, and whether corporate credentials appear in its inventory are questions whose answers change week by week rather than year by year.
HuiOne Guarantee's product categories directly map to attack vectors that enterprises face. The stolen data sold on the platform included credentials originating from breaches of corporate systems. A business email address and password combination that was stolen through a phishing attack on a corporate user and subsequently listed on HuiOne Guarantee or its successors represents advance warning of a future account takeover attempt, if that intelligence can be received and acted on before the credential is used.
The deepfake tools and voice cloning capabilities available through the platform extend this risk into the domain of social engineering against corporate targets. Business email compromise schemes that request wire transfers or cryptocurrency payments are an established threat vector. The addition of convincing live video deepfake capability changes the calculation for corporate procedures that treat a video call with a known counterparty as verification. Security teams need to consider whether their payment authorisation processes remain sufficient against an adversary who can impersonate a known face and voice in a live interaction.
Monitoring for corporate credentials and employee data circulating in criminal marketplaces, including the 30-plus successor markets that have emerged since HuiOne Guarantee's shutdown, is one of the most direct forms of early warning available against the fraud and account takeover risks the platform enabled. Understanding your organisation's attack surface in the context of criminal marketplace ecosystems requires visibility into where those marketplaces operate and what they carry, before that intelligence reaches you through an incident rather than through monitoring. The indicators of compromise associated with the fraud chains that used HuiOne Guarantee's infrastructure may already be circulating in successor markets today.
The DoJ seized a cloud computing account used by HuiOne Group subsidiaries as backend infrastructure for their operations, including the servers supporting HuiOne Guarantee. Seizing this account removes the ability to use that specific infrastructure and gives law enforcement access to the operational records and data stored on those servers. The action does not in itself close Telegram channels or arrest all operators associated with the platform.
The platform operated within a corporate structure in Cambodia that provided legal cover, used cryptocurrency for transactions to reduce visibility in the conventional financial system, and operated through Telegram rather than a dark web site, which made it accessible without raising the suspicion that Tor browser use might generate. The escrow and money laundering services it provided were specifically designed to convert proceeds into the legitimate banking system without triggering monitoring controls. FinCEN's 2025 designation as a primary money laundering concern was the first formal U.S. action against the group's financial infrastructure.
No individual successor has yet reached the scale HuiOne Guarantee achieved. Flare's research indicates that transaction volume is distributed across the 30-plus platforms rather than concentrated in a single dominant successor. However, aggregate volume across the ecosystem has not materially decreased, meaning the total market for criminal services remains comparable to what it was when HuiOne Guarantee was operating.
Pig butchering is a form of investment fraud named for the practice of fattening a pig before slaughter. The fraud involves building a relationship with a victim over weeks or months, introducing them to a fraudulent investment platform that shows fabricated returns, encouraging progressively larger deposits, and then disappearing with the accumulated funds. HuiOne Guarantee supplied the tools and services that made this fraud scalable: ready-made investment platforms, money laundering services for the proceeds, and the labour procurement that connected scam compound operators with the trafficked workers who conduct the fraud.
The most actionable measures are monitoring corporate credentials in criminal marketplaces, reinforcing payment authorisation procedures to account for deepfake-capable social engineering, and maintaining threat intelligence feeds that track the successor markets as they evolve. At the process level, any payment authorisation that can be initiated through channels an attacker controls, including email and video calls, should require out-of-band confirmation through a pre-established contact channel. For the credential monitoring question, that requires continuous visibility into what is circulating in dark web markets rather than periodic point-in-time assessments.
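The out-of-band rule described above can be expressed as a payment-release check. The following is an added example, not code from the original article; the directory contents, channel names, the `erp_workflow` allowlist entry and the phone numbers are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumption: the only request origin treated as authenticated is an internal
# approval workflow. Everything else (email, video call, chat, unknown) is
# handled as a channel an impersonator can originate or steer.
AUTHENTICATED_CHANNELS = {"erp_workflow"}

# Constructed directory: contact points recorded at onboarding, before and
# independently of any payment request.
DIRECTORY = {
    "acme-supplies": {("phone", "+1-202-555-0100")},
}


@dataclass(frozen=True)
class Confirmation:
    channel: str        # how the confirmation was obtained
    contact: str        # number or address that was used
    initiated_by: str   # "us" if we placed the contact, else "requester"


@dataclass
class PaymentRequest:
    counterparty: str
    request_channel: str
    confirmations: list = field(default_factory=list)


def is_out_of_band(req, conf, directory=DIRECTORY):
    """True only if the confirmation was obtained independently of the request."""
    known = directory.get(req.counterparty, set())
    return (
        conf.initiated_by == "us"                   # we placed the contact
        and conf.channel != req.request_channel     # not the channel it arrived on
        and (conf.channel, conf.contact) in known   # contact pre-dates the request
    )


def evaluate(req, directory=DIRECTORY):
    """Return ("release" or "hold", reason) for a payment request."""
    if req.counterparty not in directory:
        return "hold", "counterparty has no pre-established contact channel"
    if req.request_channel in AUTHENTICATED_CHANNELS:
        return "release", "request originated in an authenticated workflow"
    if any(is_out_of_band(req, c, directory) for c in req.confirmations):
        return "release", "confirmed out of band via pre-established contact"
    return "hold", "no valid out-of-band confirmation"
```

A video call offered by the requester, or a callback to a number taken from the request itself, fails `is_out_of_band` because neither is independent of the channel the request arrived on.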
H-Pay Service PLC is a financial service entity that FinCEN designated as a primary money laundering concern in the June 2026 action because it was providing financial services to HuiOne Group after the group's own 2025 designation had cut off its primary financial channels. The separate designation closes a circumvention pathway: when a designated entity attempts to maintain financial access by shifting to a new provider, designating that provider applies the same blocking effect without requiring a new investigation into the original entity.
Arresting and extraditing the chairman of Prince Group represents a significant enforcement success, but it does not in itself dismantle the operational capacity of the criminal network. The 26 entities and 9 individuals sanctioned in the June 2026 action reflect the distributed nature of the organisation across multiple corporate and individual actors. Criminal networks of this scale typically have succession structures that allow operations to continue when leadership is arrested, particularly when the supporting infrastructure and financial channels remain available to other participants.