Evolution of Chinese-Language Guarantee Telegram Marketplaces
Dabai Guarantee is a decentralized, Telegram-based marketplace utilized by Chinese-speaking cybercriminal syndicates to coordinate global fraud, ghost-tapping, and money laundering operations. The platform acts as an escrow service using USDT, enabling siloed teams to execute retail and financial fraud across various countries while minimizing trust issues among criminals and reducing law enforcement visibility.
Authors: Insikt Group
Source:
Recorded Future
Key Takeaways
- Dabai Guarantee has emerged as a major Telegram-based marketplace for Chinese-speaking cybercriminals, filling the void left by the defunct Huione Guarantee.
- The platform facilitates global-scale fraud, including ghost-tapping, retail fraud, and ATM withdrawals, utilizing siloed 'sweeping teams' in target countries like Japan and South Korea.
- Transactions and escrow services are primarily conducted using USDT on the Tron network to maintain anonymity and bypass capital controls.
- Sweeping teams target smaller, easily transportable goods (e.g., cosmetics, tobacco, Apple products) rather than exclusively luxury items to evade law enforcement detection.
- The marketplace employs automated Telegram bots to match criminal syndicates with existing campaigns and datasets based on specific search terms.
Affected Systems
- Retail point-of-sale (POS) terminals
- ATMs
- Contactless payment systems
- Banking applications
Attack Chain
A 'boss' initiates a campaign by depositing USDT into Dabai Guarantee's escrow to create a public Telegram group. The boss then recruits 'sweeping teams' (often non-Chinese mules residing in target countries) to conduct retail fraud via ghost-tapping or unauthorized ATM withdrawals. The stolen physical goods or cash are passed to 'goods receiving' and 'goods inspection' teams. Once the boss verifies the acquired assets are satisfactory, Dabai Guarantee releases the escrowed USDT to the participating criminal syndicates.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the article.
Detection Engineering Assessment
EDR Visibility: None — The threat actors operate entirely on the Telegram platform and conduct physical retail/ATM fraud, which falls outside the scope of enterprise EDR deployments. Network Visibility: Low — Telegram traffic is encrypted, making it difficult to distinguish illicit marketplace coordination from legitimate usage via standard network monitoring. Detection Difficulty: Very Hard — The decentralized, siloed nature of the sweeping teams, combined with the use of legitimate encrypted messaging apps and physical mules, makes digital detection extremely challenging.
Required Log Sources
- POS transaction logs
- ATM transaction logs
- Fraud analytics platforms
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Multiple high-value or specific-brand transactions (e.g., Apple products, cosmetics, tobacco) occurring in rapid succession via NFC/contactless payments may indicate ghost-tapping sweeping teams. | POS transaction logs | Actions on Objectives | High |
| Unusually high volumes of Telegram API traffic from corporate networks might indicate unauthorized use of the platform for illicit coordination. | Firewall/Proxy logs | Command and Control | High |
Control Gaps
- Lack of visibility into encrypted Telegram communications
- Difficulty in detecting NFC relay attacks at POS terminals in real-time
Key Behavioral Indicators
- Anomalous purchasing patterns at retail POS (e.g., maxing out contactless limits repeatedly)
- Individuals using multiple burner phones with foreign language settings to conduct local banking transactions
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Monitor POS and ATM networks for anomalous transaction patterns indicative of ghost-tapping or rapid sweeping operations.
Infrastructure Hardening
- Implement stricter velocity limits and behavioral analytics on contactless and NFC transactions.
- Require additional verification for high-value purchases of easily resold goods such as electronics and cosmetics.
User Protection
- Educate retail staff to identify suspicious purchasing behavior, such as individuals using multiple burner phones to complete transactions.
Security Awareness
- Train fraud analysts on the TTPs of Chinese-language guarantee marketplaces and the use of USDT for money laundering.
MITRE ATT&CK Mapping
- T1583.006 - Acquire Infrastructure: Web Services
- T1078 - Valid Accounts
- T1566 - Phishing
Additional IOCs
- Other:
@dabai_c- Dabai Guarantee Big Group channel@dabaiyajing- Dabai Supply and Demand Channel@dabai_e- Dabai Guarantee rules channel@dabai_f- Dabai customer service list channel@dabai- Dabai Guarantee bot channel / 24-hour customer service bot@dbhwbb_BOT- Public Group reporting bot@dbjz_bot- Public Group accounting bot@dbtm0- Dabai Guarantee specialist trader customer service agent@dbtm1- Dabai Guarantee business account@dbtm2- Dabai Guarantee public group patrol account@dbtm3- Dabai Guarantee specialist trader customer service agent@dbtm4- Dabai Guarantee specialist trader customer service agent@dbtm5- Dabai Guarantee arbitration number account@dbtm6- Dabai Guarantee resource docking number account@dbtm7- Dabai Guarantee public group trader account@dbtm8- Dabai Guarantee public group trader account@dbtm9- Dabai Guarantee business account (Mengmeng) / Admin for Group 301@dbtm10- Dabai Guarantee public group trader account@dbwb22- Original creator of Public Group 301 (inactive)@dbtm153- Public Group channel related to remote POS/ghost-tapping@dbtm439- Public Group channel related to remote POS/ghost-tapping@dbtm307- Public Group channel related to remote POS/ghost-tapping@dbtm123- Public Group channel related to database trading@dbtm322- Public Group channel related to US-targeted fraud and burner accounts