Cryptosecurity researchers have detected an unexpected movement in the subworld of online scams: Tudou Guarantee, a Telegram-based market known for providing a wide range of illegal services, seems to have stopped operating publicly. According to the analysis of the intelligence firm blockchain Elliptic, transactions within its public channels have fallen abruptly after years of expansion, and the platform would have processed more than $12 billion in volume of operations, a number that places it among the largest known illicit markets.
The "guarantee" markets function as intermediaries that offer an alleged custody or guarantee service for operations between buyers and sellers of illegal services: profiles are announced with stolen data, fraud tools, laundering services and even scam infrastructure such as fake investment sites or phishing techniques. In this ecosystem, some sections of Tudou - for example its gambling business - seem to remain active, which raises the question whether we are facing a definitive closure or a conversion of the operation to activities other than those related to traditional financial fraud.
Tudou's trajectory cannot be understood without looking at the regional landscape: for months, vendors who offered stolen data and scam services migrated from other platforms, such as HuiOne Guarantee, to Tudou. This transition was not casual: HuiOne bought a financial contribution in Tudou in December 2024, making it a strategic alternative for its affiliates when Telegram began to close channels linked to these networks. About these closures and migration reported The New York Times which also documented the magnitude of the activity in the region.
The phenomenon of the markets in Telegram is not new, and its relevance grew in the hands of increasingly advanced technological tools. Recent reports of the Chainalysis show that specialized technology providers - including suppliers of artificial intelligence services - received hundreds of millions of dollars in cryptomonedas during 2024. This money supports the development and distribution of solutions that facilitate the creation of false identities, cloned voices and deepfakes, and that allow the climbing of "pig butchering" or romantic biting at industrial levels.
The relationship between actors and platforms is fluid: other markets such as Xinbi Guarantee have shown resilience and growth even after Telegram's interventions, according to comments collected by researchers. This suggests that, although a large platform ceases to operate publicly, the network of suppliers and customers tends to disperse and rearm in other digital spaces, keeping the economy of fraud alive.
Tudou's apparent withdrawal has temporarily coincided with high-impact police actions. In January 2026, the arrest and extradition to China of Chen Zhi, a manager linked to the Prince Group, was investigated for his alleged involvement in a vast scam combining online seduction, investment promises and forced labour exploitation in Southeast Asia. Coverage of events and arrests, including The Guardian, coincides with Elliptic data showing a rapid fall in the activity of the administrative portfolios associated with Tudou, which points to a possible relationship between the two.
But the partial closure of a large market does not necessarily mean a definitive victory: experts warn that the gap that leaves Tudou will probably be occupied by other actors. In fact, experience indicates that each major intervention redistributes customers and services to alternatives that can operate more stealth or in less exposed infrastructure. Elliptic warns that malicious activity could be fragmented among other guarantee markets that are presented as substitutes.
The response of the prosecution and international agencies, however, is gaining muscle. In late 2025 the U.S. Department of Justice announced the creation of a Scar Center Strike Force, a team dedicated to dismantling transnational networks behind crypto fraud and "pig butchering" type scams. According to official reports, this unit has been able to seize and retain significant amounts of cryptomoneda linked to these networks and works in coordination with private companies to provide low infrastructure to facilitate the attacks.
Analysis and response companies have also put figures on the economic and technological impact: research disseminated by entities such as TRM Labs they see how public policies and public-private cooperation seek to cut both the capital and the logistics of fraudulent operations, from cloud services to payment platforms in cryptomoneda.
For people and businesses, the message is clear: the environment changes fast and the scammers rely on increasingly sophisticated tools. The deception tactics combine psychological persuasion with digital identity supplanting technologies, and the mixture is especially dangerous because it reduces the victim's perception of risk. To protect itself is always to verify identities with independent methods, to distrust investment proposals that promise high returns without transparency and to use platforms and services that implement robust anti-fraud controls.
The story of Tudou therefore contains several lessons. On the one hand, it shows that law enforcement and media pressure can deactivate relevant nodes in the criminal economy. On the other hand, he recalls that the fraud infrastructure is resilient: when one channel disappears, others emerge, sustained by technological suppliers and parallel markets where it is traded with data and attack tools. The battle against these networks is long and requires international coordination, technological monitoring and digital literacy of the public.
In the coming months it will be relevant to note whether the decline in activity in Tudou results in a structural fall in the criminal ecosystem or a simple displacement of operations. Meanwhile, blockchain tracking efforts, judicial interventions and joint work between technology companies and authorities seem to be the most effective way to cut the economic fabric that feeds these scams.
RAMPART and Clarity redefine the safety of IA agents with reproducible testing and governance from the start
Microsoft has presented two open source tools, RAMPART and Clarity, aimed at changing the way the safety of IA agents is tested: one that automates and standardizes technical te...
A single GitHub workflow token opened the door to the software supply chain
A single GitHub workflow token failed in the rotation and opened the door. This is the central conclusion of the incident in Grafana Labs following the recent wave of malicious ...
WebWorm 2025: the malware that is hidden in Discord and Microsoft Graphh to evade detection
The latest observations by cyber security researchers point to a change in worrying tactics of an actor linked to China known as WebWorm: in 2025 it has incorporated back doors ...
malicious VS Code extensions: the attack that exposed 3,800 internal repositories
GitHub has confirmed that a device of an employee engaged by a malicious extension of Visual Studio Code allowed the exfiltration of hundreds or thousands of internal repositori...
Grafana exposes the new face of security: attacks on the supply chain that exposed tokens, internal repositories and npm dependencies
Grafana Labs confirmed on May 19, 2026 that the intrusion detected at the beginning of the month did not compromise the production systems or the operation of Grafana Cloud, but...
Fox Temper exposes the fragility of digital signature in the cloud
Microsoft's disclosure of the operation of "malware-signing-as-a-service" known as Fox Temper replaces in the center the most critical vulnerability of the modern software ecosy...
It is no longer how many CVE there are, it is the concentration of vulnerabilities that facilitates the escalation of privileges in Azure, Office and Windows Server
Data from the 2026 Microsoft Vulnerabilities Report they reveal an uncomfortable truth for security equipment: it is not the total volume of CVE that determines the real risk of...