Full Report
The U.S. Department of Justice (DoJ) on Tuesday announced the seizure of a cloud computing account put to use by subsidiaries of Cambodia-based corporate conglomerate HuiOne Group, as the Treasury unveiled fresh sanctions against nine individuals and 26 entities linked to Prince Group. "These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of
Analysis Summary
# Incident Report: Seizure of HuiOne Group Cloud Infrastructure
## Executive Summary
The U.S. Department of Justice (DoJ) and Department of the Treasury successfully disrupted the digital backbone of the Cambodia-based HuiOne Group by seizing a critical cloud computing account used for large-scale money laundering. The infrastructure supported "HuiOne Guarantee," a massive illicit marketplace that processed billions of dollars in stolen cryptocurrency from pig-butchering scams and human trafficking operations. This action was accompanied by Treasury sanctions against 9 individuals and 26 entities linked to the affiliated Prince Group.
## Incident Details
- **Discovery Date:** Ongoing investigation; May 2025 (Initial FinCEN designation)
- **Incident Date:** Activity spanned 2021 through June 2026
- **Affected Organization:** HuiOne Group (Subsidiaries: HuiOne Guarantee/Haowang Guarantee, H-Pay Service PLC)
- **Sector:** Conglomerate / Cryptocurrency / Financial Services
- **Geography:** Cambodia (Operations), Global (Impact)
## Timeline of Events
### Initial Access
- **Date/Time:** 2021
- **Vector:** Intentional establishment of criminal infrastructure.
- **Details:** HuiOne Group established subsidiaries and cloud-based backend systems to intentionally facilitate cybercrime and money laundering.
### Lateral Movement
- **Details:** The criminal organization did not move *through* a network so much as *expand* its ecosystem. It built proprietary messaging platforms and moved financial flows across successor markets to evade Telegram bans and law enforcement scrutiny.
### Data Exfiltration/Impact
- **Details:** Transfer of billions in cryptocurrency from fraud proceeds; conversion of illicit funds into the legitimate banking sector; sale of stolen personal and financial data.
### Detection & Response
- **May 2025:** FinCEN designated HuiOne Group as a "primary money laundering concern."
- **June 2026:** The DoJ announced the seizure of the cloud computing account hosting the conglomerate's backend infrastructure.
- **June 2026:** Treasury unveiled sanctions against 35 linked targets (9 individuals, 26 entities).
## Attack Methodology
- **Initial Access:** Provision of crimeware-as-a-service (CaaS) tools and money laundering portals.
- **Persistence:** Use of cloud computing backbone to maintain global availability.
- **Defense Evasion:** Implementation of proprietary messaging platforms to bypass Telegram bans and DoJ/Treasury enforcement actions.
- **Credential Access:** Sale of stolen personal and financial data via the "HuiOne Guarantee" marketplace.
- **Lateral Movement:** Movement of stolen funds across cryptocurrency blockchains into "legitimate" banks via H-Pay Service PLC.
- **Collection:** Facilitation of crypto investment frauds ("pig butchering") and phishing websites.
- **Impact:** Billions of dollars in fraud; facilitation of human trafficking and physical torture of "scam center" employees.
## Impact Assessment
- **Financial:** Facilitated billions of dollars in fraudulent transactions between 2021 and 2025.
- **Data Breach:** High volume of stolen personal and financial data sold through the marketplace.
- **Operational:** Disruption of HuiOne's cloud backend; seizure of infrastructure effectively halts the conglomerate's primary digital service.
- **Reputational:** Massive public exposure of the Prince Group and HuiOne Group as criminal fronts; sanctions effectively lock targets out of the U.S. financial system.
## Indicators of Compromise
- **Marketplace Aliases:** Haowang Guarantee, HuiOne Guarantee.
- **Infrastructure:** Backend cloud service accounts (specific providers/IPs not disclosed in brief).
- **Behavioral:** High-volume cryptocurrency transfers typically originating from Southeast Asian scam centers; use of AI-powered deepfake/voice-cloning software for impersonation.
## Response Actions
- **Containment:** U.S. Treasury sanctions imposed to prevent further interaction with the U.S. financial system.
- **Eradication:** Seizure of cloud computing accounts used for backend infrastructure.
- **Recovery:** FinCEN assessment of H-Pay Service PLC as a money laundering concern, preventing the conglomerate from shifting operations to that subsidiary to circumvent the seizure.
## Lessons Learned
- **CaaS Ecosystem Resilience:** Despite the seizure and HuiOne's 2025 claim of ceasing operations, 30+ successor marketplaces emerged, proving that the ecosystem adapts rapidly.
- **AI Weaponization:** Criminals are actively using voice cloning and deepfakes to enhance the success of social engineering and pig-butchering scams.
- **Converged Threat:** Cybercrime is increasingly linked to physical crimes, including human trafficking and physical coercion in "scam compounds."
## Recommendations
- **Blockchain Monitoring:** Financial institutions should flag and investigate transactions linked to Southeast Asian cryptocurrency exchanges or entities associated with the Prince Group.
- **Zero Trust Verification:** Organizations must implement strict identity verification to counter "deepfake" and voice cloning-powered social engineering.
- **Sanctions Screening:** Immediate update of AML/KYC (Anti-Money Laundering/Know Your Customer) systems to include the 35 newly sanctioned individuals and entities.