AI Face-Swapping App Linked to Cybercrime in Southeast Asia
The artificial intelligence application Haotian, designed for face swapping, has emerged as a major player in online fraud. This Chinese-language app has reportedly generated millions of dollars by providing its technology through platforms like Telegram, facilitating integration with popular messaging services such as WhatsApp and WeChat. Users can reportedly modify up to 50 settings, altering aspects like cheekbone size and eye positioning to convincingly impersonate others. These capabilities have drawn the attention of researchers, and findings reported by WIRED indicate that Haotian has been actively marketed to individuals involved in so-called “pig butchering” scams, primarily targeted at unsuspecting victims in Southeast Asia.
Scammers are using Haotian and similar deepfake technologies to bolster their deceitful practices. Victims often believe they are engaged in genuine video chats with individuals they perceive as romantic partners, trusted friends, or business associates, which delays their eventual realization of fraud. A report from the cryptocurrency tracing firm Elliptic has identified that Haotian has received at least $3.9 million linked to these fraudulent activities, with almost half of these transactions connected to a marketplace sanctioned by the U.S. government.
Hieu Minh Ngo, a former hacker turned cybercrime investigator at the Vietnamese nonprofit ChongLuaDao, has conducted extensive research into Haotian’s operations since its emergence in 2021. According to Ngo, the app has consistently produced near-perfect results that continue to improve, with financial flows to its wallet occurring daily. This indicates a robust and growing market for its services, particularly within the context of Southeast Asia’s escalating cybercrime landscape.
Haotian fits within a broader technological ecosystem that has evolved alongside the rapidly advancing cybercrime industry, encompassing forced labor scams and fraudulent enterprises. As video deepfake tools, including face-swapping technologies, become increasingly accessible, their application in scams and various forms of cybercrime is expanding globally. The United Nations Office on Drugs and Crime has identified over 10 distinct face-swapping tools potentially utilized by criminals in Southeast Asia, further illustrating the pervasive nature of this issue.
While Haotian does maintain a website to promote its face-swapping technology, its primary outreach mechanism appears to be a bustling Telegram channel, launched in October 2023. With over 20,000 subscribers, this channel disseminates updates about new app versions and development news, and offers technical support. Although utilizing Telegram for software marketing may not inherently raise red flags, the growing customer base for Haotian increasingly skews toward individuals seeking gray market services linked to fraudulent activities.
Telegram has chosen not to comment on its involvement in this situation. However, following WIRED’s inquiries, the main Haotian Telegram channel and several related accounts have either become inaccessible or seemingly been deleted. It remains unclear whether Telegram initiated these removals in response to the scrutiny.
In evaluating Haotian’s operations against the MITRE ATT&CK framework, several adversary tactics and techniques stand out. Initial access, through deceptive communications, is a likely entry point for scammers. Persistence may manifest as follow-up engagements with targeted victims, leveraging convincingly altered video feeds to maintain the façade. Privilege escalation could be observed where scammers gain increasing trust and authority with their victims as interactions evolve.
As businesses navigate the landscape of digital risks, the implications of technologies like Haotian cannot be overstated. Understanding the tools and techniques employed by cybercriminals informs preparedness strategies for safeguarding enterprises against evolving threats in a technology-driven world.