The emergence of black markets for illegal goods, including drugs and weapons, began on the dark web over a decade ago, leveraging cryptocurrencies and anonymity tools like Tor. At that time, these innovations facilitated the execution of vast, untraceable online transactions valued in the billions.
Fast forward to 2025, and the landscape has shifted significantly. Engaging in black-market cryptocurrency transactions now requires little more than access to a messaging platform that accommodates illicit activity, a willingness to navigate bans on channels, and proficiency in Chinese.
Recent analysis from crypto tracing firm Elliptic highlights the expansive growth of Chinese-speaking cryptocurrency scams operating on Telegram. Despite a temporary downturn following the ban of two significant markets in early 2025, the top contenders, Tudou Guarantee and Xinbi Guarantee, are reportedly generating close to $2 billion monthly through a variety of illicit transactions. These include money laundering, the sale of compromised data, fraudulent investment schemes, AI deepfake technologies, and a range of dark web services, from surrogacy to prostitution.
The so-called “pig butchering” scams, predominantly run from Southeast Asia by networks exploiting human trafficking victims, have emerged as an exceptionally profitable form of cybercrime, reportedly yielding around $10 billion annually from U.S. citizens alone, according to the FBI. Markets like Tudou Guarantee and Xinbi Guarantee have scaled operations to accommodate these nefarious activities, providing crucial services that facilitate these fraudulent ventures.
As Tom Robinson, co-founder and chief scientist of Elliptic, notes, the illicit use of cryptocurrency has reached unprecedented levels, marking these marketplaces not only as the largest current online black markets but among the biggest ever documented. Historical comparisons highlight this trend; AlphaBay was once the largest dark web marketplace, trafficking in drugs and hacking tools, with over $1 billion in transactions during its brief operation.
Analyzing Huione Guarantee, a significant Telegram-based market predominantly associated with cryptocurrency scams, Elliptic reports this platform facilitated an astounding $27 billion in transactions from 2021 to 2025. This figure eclipses all predecessors in the realm of online black markets, demonstrating the lucrative potential of operating in plain sight on widely-used platforms.
The underlying tactics employed in these criminal enterprises hint at a combination of initial access and persistence techniques outlined in the MITRE ATT&CK framework. Initial access often occurs through social engineering or credential harvesting, allowing attackers to infiltrate and operate within these digital marketplaces. Once established, they utilize persistence techniques by creating multiple channels to circumvent any potential bans or closures by the platform.
As the cybersecurity landscape evolves, the need for vigilance among businesses and individuals becomes increasingly critical. Understanding these tactics not only provides insight into the operational methodologies of such illicit activities but also underscores the importance of cybersecurity awareness in mitigating risk in this rapidly advancing digital environment.
