Full Report
Also Tuesday, the Treasury Department took action against the same Cambodian company, Huione Group, and affiliates. The post Justice Department seizes infrastructure used by cyber scam and criminal marketplace appeared first on CyberScoop.
Analysis Summary
# Incident Report: Seizure of Huione Group Cybercrime Infrastructure
## Executive Summary
In June 2026, the U.S. Department of Justice (DOJ) and Department of the Treasury coordinated a disruption of the Cambodia-based Huione Group and its affiliates, including Prince Group. DOJ seized the cloud computing accounts that served as the "technological backbone" for Huione's money laundering services and its criminal marketplace (Huione Guarantee, later rebranded Haowang Guarantee), while Treasury sanctioned the group and its successor entities. The action follows the October 2025 seizure of roughly $15 billion in Bitcoin tied to Prince Group and aims to dismantle a regional hub for "pig butchering" scams, human trafficking, and the sale of stolen data.
## Incident Details
- **Discovery Date:** Ongoing investigation; major actions taken October 2025 and June 2026
- **Incident Date:** June 23, 2026 (Infrastructure seizure and sanctions)
- **Affected Organization:** Huione Group (Huione Guarantee/Haowang Guarantee), Prince Group, H-Pay Service
- **Sector:** Financial Services / Conglomerate (Criminal Infrastructure)
- **Geography:** Cambodia / Southeast Asia (Global impact)
## Timeline of Events
### Initial Access
- **Date/Time:** October 2025 (initial phase)
- **Vector:** Regulatory and law enforcement action rather than a technical intrusion: FinCEN rulemaking, OFAC sanctions, and DOJ forfeiture.
- **Details:** FinCEN finalized its Section 311 rule designating Huione Group a primary money laundering concern, which bars U.S. financial institutions from opening or maintaining correspondent accounts for it and thereby severs the group from the U.S. financial system.
### Lateral Movement
- **Details:** After the October 2025 sanctions, Huione Group kept operating through successor entities such as H-Pay Service, re-establishing under new names the services that had been cut off; the June 2026 Treasury action targets these affiliates alongside the parent.
### Data Exfiltration/Impact
- **Details:** The seized cloud accounts hosted the backend of the Huione Guarantee/Haowang Guarantee marketplace, whose Telegram channels sold stolen payment card data, sensitive personal data (PII), and malware, and through which billions of dollars in fraud proceeds were laundered.
### Detection & Response
- **Discovery:** International multi-agency investigation (DOJ, Treasury, FinCEN).
- **October 2025:** DOJ indicted Prince Group chairman Chen Zhi and moved to forfeit roughly $15 billion in Bitcoin attributed to him, described as the largest forfeiture action in the department's history; FinCEN's Section 311 rule against Huione Group took effect the same month.
- **June 23, 2026:** DOJ seized active cloud computing accounts hosting the backend for Huione Guarantee. Treasury sanctioned 9 individuals and 26 entities.
## Attack Methodology
*Note: This methodology describes the criminal operations facilitated by the infrastructure.*
- **Initial Access:** Crypto-investment scams (pig butchering) and romance scams.
- **Persistence:** Utilization of successor entities (e.g., H-Pay) to evade financial sanctions.
- **Defense Evasion:** Use of Telegram channels and bots (easy account churn and limited moderation; note that Telegram groups and channels are not end-to-end encrypted) and of cryptocurrency "guarantee" escrow services that obscure who is paying whom.
- **Credential Access:** Sale of stolen payment card data and PII through the Huione Guarantee marketplace, which supplies downstream fraud operations.
- **Lateral Movement:** Movement of illicit funds between Southeast Asian scam compounds and laundering intermediaries.
- **Collection:** Gathering of victim funds via malware-enabled thefts and social engineering.
- **Exfiltration:** Laundering of cryptocurrency proceeds through the marketplace's escrow services, which settle between merchants and buyers without either side identifying itself.
- **Impact:** Billions of dollars in financial losses to global victims and facilitation of human trafficking.
## Impact Assessment
- **Financial:** Billions of dollars in fraud proceeds processed; $15 billion in BTC seized previously.
- **Data Breach:** High volume of sensitive PII and credit card data sold on the marketplace.
- **Operational:** Total seizure of the backend cloud infrastructure, effectively disabling the "Haowang Guarantee" platform.
- **Reputational:** Public exposure of the Huione Group and Prince Group as criminal enterprises rather than legitimate conglomerates.
## Indicators of Compromise
- **Network:** None published; DOJ has not disclosed the cloud provider, accounts, or backend addresses it seized.
- **Platforms:** `Telegram` channels associated with "Huione Guarantee" or "Haowang Guarantee."
- **Entities:** Huione Group, Prince Group, H-Pay Service.
## Response Actions
- **Containment:** FinCEN's Section 311 rule and OFAC sanctions cut the organizations off from the U.S. financial system, prohibiting U.S. financial institutions and U.S. persons from transacting with them.
- **Eradication:** Seizure of cloud computing accounts utilized for the technological backbone of the fraud marketplace.
- **Recovery/Legal:** Extradition of key figures (e.g., senior operatives working for Chen Zhi) from Cambodia to China.
## Lessons Learned
- **Successor Entity Evasion:** Criminal organizations quickly spin up new brands (like H-Pay) to bypass existing sanctions, requiring continuous monitoring.
- **Infrastructure Centralization:** Large-scale scam operations rely on centralized cloud backends, making cloud provider cooperation essential for law enforcement.
- **Conglomerate Masking:** Legitimate-looking corporate conglomerates can host massive clandestine criminal divisions.
## Recommendations
- **Financial Monitoring:** Treat cryptocurrency-settled "guarantee" or escrow-style marketplaces and their Southeast Asian counterparties as a red-flag typology, and apply enhanced scrutiny to transactions flowing to or from conglomerates that offer such services.
- **KYC Compliance:** Strict adherence to "Know Your Customer" protocols to identify entities attempting to bypass FinCEN rules via successor organizations.
- **Infrastructure Oversight:** Cloud service providers should implement more rigorous vetting for high-volume financial backend accounts in high-risk jurisdictions.
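The successor-entity problem in the lessons learned and the KYC recommendation above come down to one screening question: does a counterparty name match a listed entity once rebrands and cosmetic variation are accounted for? As an added example (not code from the report, CyberScoop, or any agency named in it), the following routine keeps alias and successor links on the watchlist and uses normalised fuzzy matching, so the rebrands the report describes (Huione Guarantee to Haowang Guarantee, Huione Group to H-Pay Service) are caught where an exact-string comparison is not. The watchlist names and alias links are the report's own; the counterparty records, programme labels, and the 0.85 threshold are constructed for the example.

```python
"""Counterparty name screening with alias and fuzzy matching.

Added example, not code from the report or from any agency it names.
Watchlist names and alias links are taken from the report; the sample
counterparties, programme labels and threshold are constructed.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional
import re
import unicodedata


@dataclass(frozen=True)
class WatchlistEntry:
    name: str                      # primary listed name
    aliases: tuple[str, ...] = ()  # known rebrands / successor entities
    programme: str = ""            # constructed label, not an official designation


WATCHLIST = (
    WatchlistEntry("Huione Group",
                   ("Huione Guarantee", "Haowang Guarantee", "H-Pay Service"),
                   "FinCEN 311 / OFAC"),
    WatchlistEntry("Prince Group", (), "OFAC"),
)

# Generic legal-form words that carry no identity information.
_LEGAL_SUFFIXES = {"co", "ltd", "limited", "inc", "llc", "plc", "corp",
                   "corporation", "company"}


def normalise(name: str) -> str:
    """Fold case and accents, drop punctuation and hyphens, strip legal suffixes.
    'HAOWANG Guarantee Co., Ltd.' -> 'haowang guarantee'; 'H-Pay Service' -> 'hpay service'."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = re.sub(r"[^a-z0-9 ]", "", text.lower().replace("-", ""))
    return " ".join(t for t in text.split() if t not in _LEGAL_SUFFIXES)


def similarity(counterparty: str, listed: str) -> float:
    """0..1 score: the better of character similarity with and without word
    spacing, raised to 0.9 when every token of the listed name appears in the
    counterparty (so 'Prince Group Holdings' still hits 'Prince Group')."""
    a, b = normalise(counterparty), normalise(listed)
    if not a or not b:
        return 0.0
    spaced = SequenceMatcher(None, a, b).ratio()
    compact = SequenceMatcher(None, a.replace(" ", ""), b.replace(" ", "")).ratio()
    score = max(spaced, compact)
    if set(b.split()) <= set(a.split()):
        score = max(score, 0.9)
    return score


@dataclass(frozen=True)
class Hit:
    counterparty: str
    matched_name: str    # the listed name or alias that matched
    listed_entity: str   # primary entry the alias belongs to
    score: float
    programme: str


def screen(counterparty: str, watchlist=WATCHLIST, threshold: float = 0.85) -> Optional[Hit]:
    """Return the best Hit at or above threshold across names and aliases, else None."""
    best = None
    for entry in watchlist:
        for candidate in (entry.name, *entry.aliases):
            score = similarity(counterparty, candidate)
            if score >= threshold and (best is None or score > best.score):
                best = Hit(counterparty, candidate, entry.name, round(score, 3), entry.programme)
    return best


def exact_only(counterparty: str, watchlist=WATCHLIST) -> bool:
    """The naive check: case-insensitive equality with the primary listed name only."""
    return any(counterparty.strip().lower() == e.name.lower() for e in watchlist)


# Constructed counterparty strings in the shape they reach a KYC or payments system.
SAMPLE_COUNTERPARTIES = (
    "Huione Group",                  # exact listed name
    "HAOWANG Guarantee Co., Ltd.",   # rebrand of Huione Guarantee
    "H Pay Services Limited",        # successor entity with punctuation/suffix drift
    "Prince Group Holdings",         # listed name with an extra token
    "Pacific Rim Logistics Ltd",     # constructed benign counterparty
)


def screen_all(names=SAMPLE_COUNTERPARTIES):
    """Map each name to (naive exact-match result, alias/fuzzy Hit or None)."""
    return {n: (exact_only(n), screen(n)) for n in names}


if __name__ == "__main__":
    for name, (exact, hit) in screen_all().items():
        verdict = f"HIT {hit.listed_entity} via '{hit.matched_name}' ({hit.score})" if hit else "clear"
        print(f"{name:32} exact={exact!s:5} screened={verdict}")
```

On the sample set the exact-match check flags one of the four bad names, the alias-aware fuzzy screen flags all four and leaves the benign name clear. The containment rule is the part to tune: it is what catches "Prince Group Holdings", but a listed name consisting of a single common word would make it fire on many innocent counterparties, so hits should route to analyst review rather than automatic decline, and the alias table needs to be refreshed as new successor entities (the H-Pay pattern) are identified.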