
Latest news with #Elliptic

Telegram Purged Chinese Crypto Scam Markets—Then Watched as They Rebuilt

WIRED

5 days ago


Jun 23, 2025 12:48 PM
Last month, Telegram banned black markets that sold tens of billions of dollars in crypto scam-related services. Now, as those markets rebrand and bounce back, it's done nothing to stop them.
One month ago, the messaging app Telegram summarily beheaded the online industry of Chinese-language crypto scam services: It banned virtually all accounts related to the first and second most popular marketplaces for vendors offering money laundering, stolen data, and a variety of other illicit wares to the vast criminal enterprises carrying out investment scams from compounds across Southeast Asia. Then, Telegram watched impassively as those black marketeers rebranded, rebuilt, and returned to business as usual on the messaging service's platform. On Monday, crypto tracing firm Elliptic published a new report showing how the industry of Telegram-based Chinese-language black markets for crypto scammers has bounced back in the wake of Telegram's takedown last month of the two biggest of those bazaars, known as Haowang Guarantee and Xinbi Guarantee. Before Telegram banned the two markets' channels and usernames on May 13, they had together enabled a staggering $35 billion in transactions, much of which represented money laundering by crypto scam operations that steal billions from Western victims and force tens of thousands of people to carry out scams in forced labor compounds across Cambodia, Myanmar and Laos. Since Telegram's purge, however, Elliptic has found that other smaller markets have now grown to almost entirely fill the vacuum those two key marketplaces left behind—and Telegram appears to have no plans to stop them.
In particular, one market called Tudou Guarantee, partially owned by Huione Group, the same parent company as the now-defunct Haowang Guarantee, has more than doubled in size, likely taking in many of the scammer-friendly services displaced by Telegram's bans and again enabling those fraudsters' billions of dollars a year in illicit revenue. Its main channel now has 289,000 users by Elliptic's count, close to the 296,000 users that Haowang Guarantee had at its peak. Xinbi Guarantee, too, has relaunched on new channels and regained hundreds of thousands of users, Elliptic says. In terms of sales, Tudou is now enabling around $15 million a day in crypto payments, close to the $16.4 million Haowang was facilitating daily, according to Elliptic. 'Telegram recognized this was illicit activity and the kind they didn't want to be hosting, and so they deleted the channels and banned the associated usernames. But it was clear that these people wouldn't just give up, that they would transfer to different marketplaces,' says Tom Robinson, Elliptic's cofounder. 'These scammers have inflicted misery on millions of victims around the world, stealing billions of dollars. Unless these marketplaces are actively pursued, they will continue to flourish.' Posts Elliptic shared with WIRED from Tudou Guarantee—now by some measures the biggest black market on the internet—show examples of money laundering services, offers of scam website development, and vendors selling stolen personal data that scammers use for targeting. Another Tudou post explicitly offers prostitution, including references to possible minors: 'Students, queens, lolita,' the post states next to pictures of young women. 'All available!!' WIRED reached out to Tudou Guarantee for comment via an administrator's Telegram account but didn't receive a response. 
Before they were taken down by Telegram, Xinbi Guarantee and Haowang Guarantee displayed similar posts offering explicitly illegal services in all those categories and more. Like the newly ascendant Tudou Guarantee, those other 'Guarantee' marketplaces didn't directly sell services, but instead offer escrow and deposit features that prevent vendors from defrauding customers. When WIRED asked Telegram in May about a report from Elliptic that focused on Xinbi Guarantee's criminal offerings, Telegram responded with a broad purge: It banned not only Xinbi's accounts but also those of Haowang Guarantee, the much larger market that had persisted for three years, enabled around $27 billion in transactions, and sold scam industry services as explicit as the batons and shackles used to imprison forced laborers in scam compounds. In a statement sent to WIRED at the time, Telegram spokesperson Remi Vaughn wrote that 'communities previously reported to us by WIRED or included in reports published by Elliptic have all been taken down,' and added that 'criminal activities like scamming or money laundering are forbidden by Telegram's terms of service and are always removed whenever discovered.' Since then, however, Elliptic has continued to share its findings about apparent money laundering activity on ten other markets, including Tudou Guarantee, in a Telegram group that included a WIRED reporter and a Telegram spokesperson. Yet Telegram didn't take down any of the accounts related to the black markets Elliptic highlighted. Xinbi Guarantee has, in fact, rebuilt at new accounts without even rebranding. It still hasn't faced new account bans, despite Telegram itself stating that the market's content violated its terms of service. In a statement to WIRED, a Telegram spokesperson defended the company's apparent decision not to ban the rebounding black markets. 
'The channels in question predominantly involve users from China, where rigid capital controls often leave citizens with little choice but to seek alternative avenues for moving funds internationally,' the statement reads. 'We assess reports on a case-by-case basis and categorically reject blanket bans—particularly when users are attempting to circumvent oppressive restrictions imposed by authoritarian regimes. We remain unwavering in our commitment to safeguarding user privacy and defending fundamental freedoms, including the right to financial autonomy.' Elliptic's Robinson rejects that argument. 'We've been researching these marketplaces for nearly two years now, and they're not about helping people achieve financial autonomy,' Robinson says. 'These are marketplaces that primarily facilitate money laundering for the proceeds of fraud and other illicit activity.' Erin West, a former prosecutor who now leads the non-profit Operation Shamrock, an organization focused on disrupting crypto scam operations, states her accusation against Telegram more simply. 'These are bad guys, enabling bad guy business on their bad guy platform,' West argues. 'They have the ability to shut down a scam economy and the trafficking of human beings. Instead, they're hosting Craigslist for crypto scammers.' Telegram's seemingly inconsistent approach to banning crypto scam black markets may have less to do with its principles of 'financial autonomy' than with trying not to run afoul of the US government, says Jacob Sims, a visiting fellow at Harvard University's Asia Center. In early May, the US Treasury's Financial Crimes Enforcement Network officially labeled Huione Group a 'primary money laundering concern.' Sims argues that designation, which referred directly to Haowang Guarantee but not Tudou Guarantee, may have spurred Telegram to take action—and that it may take another similar move at the government level to push Telegram to act again.
'Ultimately, last month's crackdown shows how disruptive Telegram can be when it does cooperate, but it also shows how fast the scammers are going to adapt,' Sims says. 'There's no real legal culpability that tech companies have for what happens on their platform unless there's a specific case brought to their attention by law enforcement. And so, until that changes, I just don't know what incentive they have to be proactive.'

Pro-Israel Hackers Steal $90 Million In Iranian Crypto Heist, Then Lose All

NDTV

20-06-2025


A pro-Israel hacking group on Wednesday drained over $90 million worth of cryptocurrency from an Iranian exchange. But multiple crypto tracking firms believe that Gonjeshke Darande, or 'Predatory Sparrow' in Farsi, lost all of the proceeds from the heist after reportedly 'burning' them in the process. The funds are now inaccessible after they were stored in 'vanity addresses' for which they do not have the cryptographic keys, The Guardian reported. On June 18, the group said it hacked the Nobitex exchange, a day after claiming they destroyed data at Iran's state-owned Bank Sepah amid escalating tensions between Israel and the Islamic Republic. Cryptocurrencies such as Doge, Ethereum and Bitcoin were taken from digital wallets on the Iranian exchange Nobitex, which has been connected to the Islamic Revolutionary Guard Corps. According to crypto tracking firm Elliptic, over $90 million in cryptocurrency was transferred from Nobitex crypto wallets to hacker addresses. The stolen funds were routed to addresses containing some variation of the term 'F*ckIRGCterrorists'. In a social media post on X, Predatory Sparrow confirmed that it had targeted Nobitex and later released its source code. 'Predatory Sparrow would not have the private keys for the crypto addresses they sent the Nobitex funds to, and have effectively burned the funds in order to send Nobitex a political message,' Elliptic said. Predatory Sparrow is frequently reported in Israeli media as having Israeli connections, although there has been no official proof of the hackers' identity or nationality. 'Although there is no confirmation yet that the funds were moved by Predatory Sparrow, the hack appears to be motivated by the recent escalation of tensions between Israel and Iran,' Elliptic added. Nobitex claims to have over 7 million users and is Iran's main cryptocurrency exchange. 
Past investigations by independent reporters have revealed linkages between Nobitex and IRGC-linked ransomware operatives and individuals close to Iran's Supreme Leader, Ali Khamenei. The attack occurred amid growing tensions between Israel and Iran, with the two countries exchanging missile strikes, targeting crucial military installations. On Thursday, the US said it would wait for another two weeks before getting directly involved in the conflict, while Russia warned Israel against targeting the Bushehr nuclear power plant. Earlier, President Donald Trump said his patience was running out with Iran. He issued threats to Supreme Leader Ayatollah Ali Khamenei, who then hit back, saying any intervention from the US would result in 'irreparable damage.'

Pro-Israel hackers steal $90M from Iranian exchange: report

Coin Geek

20-06-2025


A pro-Israel hacking collective has made off with $90 million worth of digital assets in a hack on Nobitex, an Iranian exchange. The group, known as Gonjeshke Darande (which is Farsi for 'Predatory Sparrow'), took responsibility for the attack in posts on X. The group followed up by releasing Nobitex's source code and warning that all assets remaining with the exchange were at risk. 'The Nobitex exchange is at the heart of the regime's efforts to finance terror around the world,' claimed Gonjeshke Darande in an X post. 'Nobitex does not even hide the fact that it circumvents sanctions, but rather explicitly teaches this on its website. The regime's dependence on this exchange is so great that working at Nobitex is considered an alternative to military service, as this channel is vital to the regime.' According to the group, the trove includes $48.7 million in USDT, $6.7 million in Dogecoin, and $1.9 million in BTC. Notably, the group claimed it had 'burned' the stolen funds by sending them to addresses with no known keys, effectively destroying the hoard. Blockchain investigator Elliptic corroborates this, finding funds began flowing from Nobitex to addresses containing variations of the term 'F*ckIRGCTerrorists' on the morning of the attack. Earlier this week, the group took responsibility for another hack that destroyed data at Iran's state-owned bank Sepah, saying that it was an institution that 'circumvented international sanctions and used the people of Iran's money to finance the regime's terrorist proxies, its ballistic missile program and its military nuclear program.' However, the group has a longer history of targeting Iran. An attack in 2023 apparently shut down 70% of the gas stations in Iran. In 2022, they claimed credit for a fire that broke out in an Iranian steel mill in a rare instance of physical damage resulting directly from a hacking attack.
Gonjeshke Darande's claims about Nobitex are hardly controversial. Next to North Korea, Iran is regularly named in the context of digital assets' role in helping states blunt or avoid international sanctions. A series of reports from Reuters in 2022 accused Binance of helping Iranian nationals to make $8 billion worth of digital asset transactions in violation of international sanctions, with most of the funds flowing straight to Nobitex. Iranian officials have openly advocated for using digital assets to get around sanctions, and Western-based companies—including Kraken—have been stung by regulators looking to punish entities who aid in sanctions evasion by processing transactions from Iran. Though the regime's ability to secure financing appears to be the hack's ultimate target, the funds taken from the exchange undoubtedly belonged to many individuals inside and outside Iran who have now lost access to their assets. Indeed, posts on the topic are flooded by ostensibly Iranian X accounts begging for their funds to be returned. Assuming Gonjeshke Darande sent the assets to wallets it had no access to, traditional wisdom would dictate that the funds are lost forever. However, there is growing recognition that individuals might be able to use the courts to force the return of their stolen assets so long as they can prove ownership. Services like Token Recovery have cropped up that make such recovery their business model. Whether anyone with assets held on Nobitex will successfully recover their funds remains to be seen. Given how much of the stolen assets are USD stablecoins, the dollars underlying each one are still held by their issuers, notwithstanding the hackers burning the coins themselves, which may make for an interesting avenue of redress for anyone affected.

Israel Iran war: Israel set to cripple Iran financially, wipes out Rs 7813185012 in one stroke by…, Here's how it happened

India.com

20-06-2025


Hackers believed to be connected to Israel have stolen more than USD 90 million from Iran's largest cryptocurrency exchange, Nobitex. The company confirmed that it was hit by a cyberattack. According to a post on their official X (formerly Twitter) account, both the Nobitex app and website were down while they were checking the damage from the unauthorized access. The stolen money included several types of cryptocurrencies like Bitcoin, Ethereum, Dogecoin, and others.

Hackers claim responsibility

Some blockchain investigation firms shared that a group came forward on Thursday and claimed responsibility for the hack. They also said they had leaked the full source code of Nobitex. In a message posted on their Telegram channel, the hackers wrote, 'Whatever was left at Nobitex is now public. Their security system is broken.'

Traced to political messages

According to a blog post by Elliptic, a blockchain analytics company, the stolen funds were sent to crypto addresses that had messages written against Iran's Revolutionary Guard (IRGC). These messages suggest that the attack may have had a political motive too and not just financial. The incident has raised serious questions about cybersecurity in Iran's financial tech space and shows how crypto platforms can become targets during larger geopolitical tensions.

Hackers Target Iran's Nobitex to send a political message

The hackers who recently stole millions from Iran's biggest crypto exchange, Nobitex, said their goal was not to make money. Instead, they claimed the hack was meant to send a political message. The stolen funds were moved into wallets that seemed designed to embarrass Nobitex and criticize Iran's government.

Who are the hackers?

The attack was carried out by a hacker group named Gonjeshke Darande, which means 'Predator Bird' in Persian. This group blamed Nobitex for helping Iran's government avoid Western sanctions. They also accused the exchange of secretly moving money to support Iran's fast-growing nuclear program. The group is believed to be linked to Israel, but the Israeli government has never officially admitted to having any ties with them.

A political statement, not a heist

Security experts believe this was not a money-driven hack. The choice of wallets and the messages left behind show that the real goal was to expose and shame Iran's use of crypto for political and nuclear purposes.

Iranian Crypto Exchange Hacked, More Than $90 Million Taken

Wall Street Journal

19-06-2025


Iran's largest cryptocurrency exchange was drained of more than $90 million on Wednesday, with a pro-Israel hacking group claiming responsibility, according to a blockchain analysis firm. The cyberattack on the exchange, Nobitex, appeared motivated by the ongoing hostilities between Israel and Iran, blockchain analysis firm Elliptic said in a blog post. Elliptic said the hack had been carried out by Gonjeshke Darande, or 'Predatory Sparrow,' which claimed responsibility for an attack on Iran's Bank Sepah earlier this week. A post on an X account associated with Gonjeshke Darande overnight said the exchange's source code would be released in 24 hours and that assets in the exchange would be vulnerable. Elliptic founder Tom Robinson said the claim was credible.
