Source: Chainalysis; Translated by: Deng Tong, Golden Finance

This article is Part 2 of the 2024 Crypto Crime Mid-Year Report published by Chainalysis. To view the first part, please click "Chainalysis Report: Why Stolen Funds and Ransomware Continue to Increase."

Summary

CSAM Network

  • Since the end of 2023, reports of Chinese CSAM sites have increased.

  • Most wallet holders are purchasing access for a month or more, with the maximum including approximately 20,000 days (equivalent to more than 54 years) of near-permanent access.

  • Consistent with our past findings, CSAM vendors continue to use instant exchangers when cashing out.

Scams

  • Scammers are adapting their on-chain and off-chain strategies to conduct shorter but more dynamic and profitable scams.

  • Pig-killing scams are the highest-revenue type of scam so far this year. A Myanmar scam group first discovered on-chain in 2022 has netted at least $101.22 million so far this year.

  • Most scammers continue to shift from broad Ponzi schemes to more targeted activities, such as pig-killing scams, work-from-home scams, drainer scams (Golden Finance Note: Drainer is a type of malware specifically designed to illegally empty or "drain" cryptocurrency wallets. This software is provided for rent by its developers, meaning that anyone can pay to use the malicious tool.) or address poisoning.

Huione Guarantee

  • We have observed an increase in the use of Chinese-language marketplaces and money laundering networks. One such marketplace is Huione Guarantee, which is linked to Cambodian conglomerate Huione Group. It connects buyers and sellers, who often do little to conceal the illicit nature of their transactions.

  • Huione Guarantee has processed more than $49 billion in cryptocurrency transactions since 2021, far more than previously reported.

  • Huione’s on-chain connections include pig-killing and other scams, addresses reported as stolen funds, OFAC-sanctioned Russian exchange Garantex, scam shops, CSAM, Chinese gambling sites and casinos, etc.

In the first part of our mid-year crime update, we discussed trends related to ransomware and stolen funds. While total illicit on-chain activity is down nearly 20% year-to-date (YTD), the inflow of stolen funds has nearly doubled, with annual ransomware payments on track to be the highest ever for a single year.

In this second part of our update, we will examine on-chain activity related to the distribution and consumption of child sexual abuse material (CSAM), including an on-chain analysis of payments received by two CSAM vendors and what these amounts indicate.

Next, we will examine the latest trends in cryptocurrency scams. On-chain and off-chain activity shows that scammers are adapting their strategies and running shorter but more profitable, frequently recreated campaigns. We will discuss a notable scam group, the highest-earning group in 2024 so far, which highlights the trend in recent years away from elaborate Ponzi schemes and toward more targeted activities such as pig-killing scams (commonly known in English as pig butchering scams).

The scam is so called because the criminals will “fatten” the victim to reap as much profit as possible. This usually involves establishing a romantic relationship with the victim through text messages or dating apps until they pressure the victim into sending money to a fake investment opportunity. Chillingly, the scammers on the other end of these conversations are often people who have been kidnapped, trafficked to Southeast Asia and forced to work in labor camps within large compounds to carry out the scam.

Finally, we take a look at Huione Guarantee, a $49 billion market that was recently exposed as facilitating cybercrime, including CSAM and scams. Let’s get started.

China’s CSAM shows signs of growth

Reports of Chinese CSAM vendors have increased since late last year. The chart below shows the share of RMB-denominated vendors in all CSAM activity compared to activity in other currencies. These sites provide RMB conversion rates for cryptocurrency payments. Since late 2023, Chinese vendors have captured a larger share of global CSAM inflows, peaking so far in the first quarter of this year at 38.8% of total inflows.


According to the Internet Watch Foundation (IWF), an organization dedicated to stopping online child sexual abuse, it is difficult to determine why these networks have grown in China. "We have seen an increase in reports of such sites," said an IWF spokesperson. "Based on reporting channels alone, it is difficult to definitively say if there is an emerging trend or if these sites have been around for some time but have not been reported to the authorities." While the sites themselves may have been around for some time without being noticed by the public, the on-chain infrastructure for these services is all relatively new, with the oldest Chinese wallet dating back to July 18, 2023, and most of the other addresses from late 2023. At least in terms of the on-chain dimension, the timeframe of these wallets suggests that these services are emerging, represent a real trend, and are likely not just the product of new reporting channels.

On-chain checks on Chinese CSAM suppliers

The harm caused by child sexual abuse around the world cannot be quantified in numbers alone. Given its redistribution potential, small purchases of tens of dollars (as shown in the Chainalysis Investigations chart below) can still lead to long-term exploitation of children.


The network shown in the figure above includes two suspected CSAM vendors that sell materials in Chinese yuan. Transfers from individual wallets to vendors, compared to subscription rates on the CSAM vendors’ websites, indicate what type of access CSAM buyers are purchasing. As mentioned earlier, buyers can get one day of access to CSAM materials from these vendors for just $5. They can also purchase nearly perpetual access (about 20,000 days, or more than 54 years) for just $41. In this example, most wallet holders purchased access for a month or more. As for the CSAM vendors, they utilized instant exchangers when cashing out, which is consistent with our reporting earlier this year.

Scammers use both on-chain and off-chain strategies; large-scale pig-killing scams continue to exist

Cryptocurrency-related scams are on the rise in 2024 as billions of dollars flow in, representing one of the largest areas of illegal activity so far this year. The most striking feature of this year’s scam landscape is the rapid evolution of scammers’ on-chain footprints (the crypto wallets and addresses used to collect payments from scam victims) as well as the off-chain tools they use to manipulate victims, such as domain names and social media accounts. This activity reveals how scammers are adapting on-chain and off-chain to conduct shorter-lasting, more damaging scams. To avoid detection and disruption, many of these operations recreate or maintain many smaller, simultaneous campaigns to keep the larger organized fraud syndicate operating.

One notable feature of the 2024 scam landscape is how much of the total scam inflows so far this year have gone to wallets that first became active this year, indicating a surge in new scams. The chart below shows, for each year in which scams received cryptocurrency, the share of total scam revenue that went to wallets first active in that year. Notably, 43% of year-to-date scam inflows have gone to wallets that became active this year. This trend is significant because in the next highest year, 2022, only 29.9% of total year-to-date inflows went to wallets that became active that year.


This trend is reflected in the significantly shorter average lifespan of scams, as shown in the chart below. We measured lifespan by counting the number of days between the first and last time a scam's activity was observed on-chain. The average number of active days fell significantly from 2020 to 2024 to date: scams that started in 2020 were active for 271 days, compared to 42 days for scams that started in 2024. This macro trend is consistent with scammers continuing to move away from elaborate Ponzi schemes and towards more targeted campaigns such as pig-killing scams or address poisoning, in part due to increased enforcement efforts by stablecoin issuers to blacklist fraud addresses.
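The two metrics described above (the share of a year's inflows going to wallets first active that year, and the days between a scam's first and last observed on-chain activity) can be computed as follows. This is an added example, not code from the report: the transfers are constructed sample data, and the assignment of wallets to scams is assumed to be given.

```python
from collections import defaultdict
from datetime import date

# Constructed sample transfers: (scam_id, receiving_wallet, day, usd_inflow).
TRANSFERS = [
    ("scam-A", "w1", date(2020, 1, 1), 1000.0),
    ("scam-A", "w1", date(2020, 9, 27), 2500.0),
    ("scam-B", "w2", date(2022, 6, 1), 4000.0),
    ("scam-B", "w2", date(2024, 2, 1), 3000.0),
    ("scam-C", "w3", date(2024, 1, 10), 2000.0),
    ("scam-C", "w4", date(2024, 2, 9), 1000.0),
    ("scam-D", "w5", date(2024, 3, 1), 500.0),
    ("scam-D", "w5", date(2024, 3, 11), 1500.0),
]

def new_wallet_share(transfers, year):
    """Fraction of `year`'s inflows received by wallets first seen in `year`."""
    first_seen = {}
    for _, wallet, day, _ in transfers:
        first_seen[wallet] = min(day, first_seen.get(wallet, day))
    total = new = 0.0
    for _, wallet, day, usd in transfers:
        if day.year == year:
            total += usd
            if first_seen[wallet].year == year:
                new += usd
    return new / total if total else None  # None: no inflows in that year

def mean_active_days_by_start_year(transfers):
    """Mean days between first and last observed inflow, per scam start year."""
    span = {}
    for scam, _, day, _ in transfers:
        lo, hi = span.get(scam, (day, day))
        span[scam] = (min(lo, day), max(hi, day))
    cohorts = defaultdict(list)
    for lo, hi in span.values():
        cohorts[lo.year].append((hi - lo).days)
    # Recent cohorts are right-censored: a scam still running has only been
    # observed up to the data cut-off, so its lifespan is a lower bound.
    return {y: sum(d) / len(d) for y, d in sorted(cohorts.items())}

if __name__ == "__main__":
    print(new_wallet_share(TRANSFERS, 2024))
    print(mean_active_days_by_start_year(TRANSFERS))
```
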


Despite the tendency of scammers to use new on-chain addresses, about 57% of scam fund inflows so far in 2024 still go to wallets that were active before 2024. One of the largest single wallets active this year consolidates funds from many scams of KK Park, Myanmar's most notorious pig-killing scam operation. This wallet was first discovered on-chain in 2022, and scams using this address continue to generate significant revenue, netting more than $100 million so far this year. These funds may come from scam victims or from ransoms submitted by families trying to save trafficked family members.

Additionally, it’s worth noting that scams from KK Park and similar venues have been very active in adapting their off-chain scam presence, often purchasing mature Facebook, Tinder, and Match.com profiles from Chinese services for use in their campaigns. The chart below shows the flow of value from KK Park scam wallets to fraudulent stores selling illegal products, which scammers have used to devastating effect.


A screenshot of the scam store's website also shows the pricing of the social media accounts it sells.


We see more evidence to support this trend by looking at the total inflows to services like this scam shop that sell social media accounts. The chart below shows that cryptocurrency sent to these services has steadily increased over the past two years, with 178,000 deposits totaling approximately $10.5 million from 2022 to 2024. Social media profiles on these sites are priced between $5 and $20 per account, meaning scammers may have purchased between 525,000 and 2.1 million social media profiles that they can use to target victims.


In addition to sending funds to services that provide the tools for scams, scammers ultimately need to send their ill-gotten gains to services to be laundered and converted into fiat currency, primarily through centralized exchanges. This year, we have also seen an increase in the use of Chinese marketplaces and money laundering networks, including Huione Guarantee.

Huione Guarantee: $49 billion online market

Huione Guarantee, an online marketplace associated with Cambodian conglomerate Huione Group, was recently exposed as a significant player in cybercrime. We found that the service's activity is far greater than previously reported: the platform has processed over $49 billion in cryptocurrency transactions since 2021.

Historically, Huione Group provided legitimate services, operating as a remittance system for overseas transfers and providing insurance services. The company was once involved in the luxury travel business. However, its platform Huione Guarantee appears to be heavily used for illegal crypto activities, including pig-killing, investment fraud, and money laundering. Huione Guarantee has grown into a large and diverse ecosystem that supports the lucrative pig-killing business that continues to operate in Southeast Asia.

Huione Guarantee is a peer-to-peer (P2P) marketplace that connects buyers and sellers, often facilitating these transactions through Telegram, which provides a point of contact. In total, there are thousands of Telegram groups advertising or posting information on Huione Guarantee, each operated by a different independent merchant or affiliate, many of whom may have ties to criminal enterprises operating in the region.

Huione Guarantee claims to be a neutral party in these transactions; it reportedly operates like a trading platform, charging fees for each trade executed but not verifying the legitimacy of the goods and services listed.


Note: This image is machine translated from the original Chinese version.

Many merchants on Huione Guarantee do little to disguise their activities, using cryptic code words to promote the types of services they seek. For example, some ads show users looking for "convoys," meaning they are looking for money mules to move funds through multiple points and tiers, obscuring the source and destination of the funds.

Other posts promoted the following:

  • Facial recognition or facial transformation technology, available in the "Develop" section of the platform.

  • Planning of pig-killing schemes and Ponzi schemes.

  • Global passports and visas, with alleged assistance with applications.


Note: This picture is machine translated; the original text is "Shazhu", which means "killing pigs".


Note: This image is machine translated from the original Chinese version.

Huione Guarantee's on-chain activities

On-chain analysis shows that Huione Pay is active on Ethereum, with total inflows exceeding $1.9 billion, and on TRON, with inflows exceeding $47 billion. In the figure below, we see examples of this activity, with transfers between Huione Pay and various illicit and high-risk counterparties, highlighting Huione’s extensive facilitation network. The P2P network that Huione appears to support off-chain is also mapped on-chain; Huione has received and sent funds to various types of counterparties, including scams, addresses reported as stolen funds, OFAC-sanctioned Russian exchange Garantex, scam shops, CSAM, Chinese gambling sites and casinos, etc.


Huione Guarantee also processed transactions from wallets allegedly linked to large criminal groups such as KK Park. In addition, Chainalysis found wallets associated with Fully Light Group and Warner International, two entities run by Burmese Kokang families who have reportedly been linked to illegal activities such as gambling venues, secretive financial networks, and money laundering schemes.


The use of Huione Guarantee by these networks suggests that the service facilitates the activities not only of the scammers and fraudsters themselves, but also of the networks of criminals behind them.

Huione Guarantee stands out because it serves as a focal point for different types of cybercriminals, including scammers and CSAM networks. While it may be the largest, it is not the only service of its kind. Other networks similarly use Telegram to facilitate P2P transactions, often in exchange for illicit goods and services. Chainalysis is working closely with our partners to monitor this ecosystem and uncover this activity.