Sunday, September 14, 2025

Indian Call Center Scammers partner with Chinese Money Launderers

 


At the end of August 2025, the US Attorney's office in San Diego announced four indictments against members of a Chinese organized crime ring that stole at least $65 million from thousands of older Americans. The case was notable because the US Attorney credited two YouTube channels with the leads that led to 25 arrests so far in California, New York, Texas, and Michigan.

When we see 25 Chinese arrests, it might be tempting to think this is all Chinese Organized Crime, but those who actually watch the videos will realize that's not the case.  The referenced videos are from late 2020 and early 2021 and each started with Scammer Payback (Pierogi) responding to a refund scam.

Indian Call Center operators refer to this type of "lead generation" as "email blasting" and we have tens of thousands of example posts from Facebook groups offering the "service" of sending bogus Microsoft Defender emails, claiming that the victim's credit card is being charged and offering a telephone number to dispute the charge. The ads for this service in Tech Support Facebook groups have been constant for years, including ads as recently as this week: 


A typical "Microsoft Defender Refund" from this time period looked like this: 


We've called dozens of these numbers and they all follow a similar script: they convince the caller to allow remote control of their computer to assist them with the "refund." We often feed a Virtual Machine to the scammers and use it to help us understand what remote control tool they are using and where it is hosted. But Scammer Payback goes quite a bit further!

When Pierogi received the numbers from a similar call center scam, he called the number.  His video makes clear that the scammers he was communicating with were speaking Hindi to one another. He not only lets the remote control happen, but he helpfully has a bank account open.  The scammers see the millions of dollars available and can't help themselves.  He is a juicy target!
Scammer Payback: https://www.youtube.com/watch?v=hrLZbc-Rfbo

The scammers have Pierogi type in his own refund amount - but they alter it to make it appear that he typed too many digits resulting in a much larger than intended refund.  Then they demand that he withdraw the difference in cash and ship it back to "them."

Being a very compliant victim, Scammer Payback agrees immediately, taking down the address and agreeing to send the package of cash "overnight delivery." At this point, Pierogi engages the Trilogy media team. Trilogy agrees to take their camera crew to the pick up site to find out who is on the other end of the package. 

Trilogy Media: https://www.youtube.com/watch?v=in_Y5q_-F2Y

But in three out of three cases where Pierogi uses Trilogy to deliver a cash package, the package is being sent to a young Chinese person who is at an Airbnb that has been rented for a very short time period.

We actually have seen this model in other cases. In 2022, we wrote about the case of Jianjie Liu on this blog in a post called "Chinese Call Center Runner Pleads Guilty in Georgia."


Jianjie Liu did cash pickups for a wide variety of scams, including Grandparent scams, Inheritance scams, and Government Grant Scams.  She was actually arrested in a case involving Walmart Gift Cards that led to the discovery of 718 Gift Cards in her vehicle. In one case almost exactly like those above, Liu was sent a $20,000 Cashier's check after someone processing a $555 refund was accidentally refunded $20,555 and had to send the difference back to the scammers.  The check was made payable to a shell company in Georgia controlled by Liu.

Where do these Chinese agents who collect the cash, check, and gift card payments come from? Recently this has been one of the most popular "Crime As A Service" offerings from the various Chinese Guarantee Syndicates. Each of the Guarantee Syndicates has a menu of vendors who have made a large deposit in USDT in order to have the right to sell their services there. This category is usually called some variation of "Collection Services."

You may have heard of "Huione Pay" which is generally considered the largest of the Chinese Guarantee Syndicates.  FinCEN took action, with an announcement that "Cambodia-based Huione Pay" is a money laundering concern, and proposing new Rule-making calling them a "Primary Money-Laundering Concern" to combat this type of cybercrime.  After this announcement, Huione migrated most of their vendors over to a former competitor, Tudou Danbao (which means "Potato Guarantee.")

The "Buy and Sell" channel for Potato currently has 130,000 subscribers, while one of their primary channels has 209,000 subscribers.  Category 2 on their vendor menu is "Collection Services" which currently has 656 vendors who have paid deposits between 15,000 USDT and 259,000 USDT to have their services recommended and advertised by the new Guarantee Syndicate.  These are the teams that are offering cash pickup services across the United States.

(findings from non-profit Intelligence for Good)

Many other Guarantee Syndicates have dozens to hundreds of similar vendors in their respective Collection Services vendor category.  Here is a typical ad, boasting of the cities where the vendor maintains teams of workers, ready to pick up packages: 



The US Financial Crimes Enforcement Network (FinCEN) has issued two recent reports about Chinese Money Laundering Networks.  One is an advisory regarding the use of Chinese Money Laundering Networks by drug cartels from Mexico.  The other has detailed analysis on several different models used by Chinese Money Laundering networks.


Several "Red Flags" are shared as advice to Financial Institutions to help them recognize CMLO behaviors that should be reported via Suspicious Activity Reports: 









Saturday, September 13, 2025

Attorneys General go after Bitcoin ATMs for supporting Fraud

On 08SEP2025, the District of Columbia's Attorney General filed a lawsuit against Athena, a "Bitcoin ATM machine" provider with 4100+ BTMs installed. Athena charges as much as a 26% fee when someone deposits cash to buy cryptocurrency. More importantly, the lawsuit claims that 93% of all deposits into Athena “BTMs” in the DC area were made by scam victims.

The main argument made by this lawsuit is that Athena knows that it is facilitating fraud, it is making substantial profit from that fraud (up to 26% per transaction), and that it refuses to refund money to the victims, despite 1/4th of the money still being in Athena's coffers after a transaction!  

https://oag.dc.gov/sites/default/files/2025-09/Athena%20Complaint.pdf


The DC AG goes further, with a very significant accusation:

"Athena also has allowed elderly consumers to deposit very large amounts of cash over short time periods into wallets that Athena knew had already been used by other scam victims. Athena’s ineffective oversight procedures have created an unchecked pipeline for illicit international fraud transactions." 


The DC AG's lawsuit claims that the average age of the victims who were enticed into depositing fraud funds into an Athena BTM in their district was 71 and that half of them deposited at least $8000!

Despite included statistics showing only 1.2% of elders invest in Bitcoin, the vast majority of BTM deposits are made by those over the age of 60. The FBI’s IC3.gov in 2023 reported $124 Million in Bitcoin ATM scams against those over 60, compared to $33 Million for all other ages combined.

There is nothing to support the common claim that Bitcoin ATMs are intended to help the "unbanked." Compare that statistic to an FDIC Survey of "unbanked" Americans, which showed that only 1.2% of "unbanked" citizens use crypto for any reason other than "Investment." I loved this survey question by the FDIC in their 2023 survey.

https://www.fdic.gov/household-survey/2023-fdic-national-survey-unbanked-and-underbanked-households-report


The FDIC Survey also broke down crypto usage by household income.

While the DC AG's lawsuit is significant, it was not the first. Iowa's Attorney General filed two similar lawsuits, one against Coinflip and the other against Bitcoin Depot. (Click to see a list of the Factual Allegations for each.) Iowa's lawsuits show that Coinflip BTMs in Iowa were used to assist in the theft of $13 Million from scam victims between Jan 2021 and June 2024, while Bitcoin Depot BTMs in Iowa were used to assist in the theft of $7.2 Million between October 2021 and July 2023. That's $20 Million in scams in a state with only 3.2 million residents.

My favorite quote from Iowa:

“At best, Bitcoin Depot is a willfully blind participant in the victimization of hundreds of Iowans. At worst it is a silent partner to many scammers’ preying on Iowans, taking a cut of each scam with its excessive and deceptive BTM fees that are further paired with a lack of refunds.”

This analyst would believe that statement could be applied to every “Bitcoin ATM” in every state.

Coinflip Lawsuit
Bitcoin Depot Lawsuit

While the process of using a BTM involves the display of several warnings and disclaimers, the lawsuits point out that the elderly victims of these scams are almost always on the phone while they conduct the transaction, with a scammer who is warning them to ignore all of these disclaimers. But the disclaimer itself is given as evidence that the BTM providers are fully aware that their company is being used to facilitate significant volumes of fraud against the elderly, and that this fraud is providing significant revenue to said companies. These images are from the DC AG v. Athena complaint:

Bitcoin Depot has over 8,000 BTMs, but boasts more than 16,000 locations where you can buy cryptocurrency (including their "BDCheckout" where you can purchase crypto at a cash register.) Here's a location breakdown by state, including 414 Iowa locations (and 399 in my home state, Alabama!):

http://branches.bitcoindepot.com/

Coinflip has over 5500 BTM locations and claims to have processed at least $4 Billion in transactions. But what percentage of those transactions are fraudulent?

https://coinflip.tech/about

Friday, September 12, 2025

Chinese Guarantee Syndicates and the Fruit Machine

When I was speaking to a group of Bank Security people in New York City yesterday, I mentioned "machine rooms" -- which are rooms full of Apple iPhones that are used to send iMessage phishing spam. Someone in the audience asked "Where would they get that many phones?"

The kids like to use the acronym "IYKYK" (If You Know You Know).  I learn new IYKYK phrases in Chinese Telegram every day. 

Today's new favorite phrase? 水果机 - Shuǐguǒ jī - "Fruit machine." 

 Example usage: 🔥低价出正品水果机 ("Genuine fruit machines at low prices") 

Fruit machine is coded language for Apple iPhones.

Huione Pay Advertisements for iPhone Smugglers

This advertiser pays HuionePay's Haowang Guarantee for the right to share an ad for their group once each hour in Huione, their highest rate, so that one-line advertisement is posted 24 times per day to Haowang Guarantee's "buy and sell" group.

What? You thought Telegram had banned HuionePay? hahahahahaha ... but they do try to hide their traffic by rebranding their "Crime As A Service" vendors to be "Potato Guarantee" rather than Haowang Guarantee.


Group: "Yongle smuggles Apple phones"
The Chinese characters above the "danbao" spell "Potato" (tǔ dòu)
The Chinese characters below "danbao" are "Guarantee" (dān bǎo)

Links shared by this advertiser go to a 38,438 member "Potato Guarantee" group called "Yongle smuggles Apple phones" and share that Yongle has deposited "208,000 USDT" in order to ensure that your transactions are safe. (The "Trust Model" of the Chinese Guarantee Syndicates is that vendors make a deposit to be listed in the vendor directory and the Syndicate promises that any transaction up to the level of the deposit will be backed by the Syndicate should anything go wrong.)

(Google translated)

The welcome message for the group says:

"Various models of iPhone are available, all smuggled into the country as brand new, unopened, and unactivated official Chinese versions, suitable for personal use or resale." They go on to say that your phone will be delivered within 72 hours and that if it is shown to be used, they will refund 10x your purchase price!

Another September ad using the "Fruit machine" language in a major HuionePay group also now goes to a "Potato Guarantee" group with 12,154 members. (Group 2851, with a 38,000 USDT Deposit) The translated "welcome" message when joining the group calls the group "Xili Smuggles mobile phones and digital products" and promises "Various models of iPhone are available, all smuggled into the country as brand new, unopened, and unactivated national versions, suitable for personal use or resale."

Group: "Xili Smuggles Mobile Phones and Digital Products"

Xili, who prefers to call himself "Heineken," is currently taking deposits for iPhone 17s. He will also throw in an Apple Watch if you pay 1000 Yuan extra. Currently he charges 5999 Yuan for an iPhone 16 ProMax 1TB, or approximately $850.

Xili / Heineken's most recent advertisement

If that whole thing sounds insane, I would encourage you to read the book "Apple in China" by Patrick McGee. Smuggling iPhones is an EXTREMELY lucrative organized crime business in China!

There are of course many more Guarantee Syndicates, with many thousands of vendors who have paid to advertise their "Crime As A Service" offerings, from Gift Card and Cash Pickups, SMS/iMessage/RCS Phishing, Credit Card Theft, Trade-based Money Laundering and anything else you can imagine, from Human Trafficking to Cigarette smuggling.  

Here are a few that we are tracking ... 

#HuionePay #CMLO #Apple #iPhones #Guarantee #Danbao #Haowang #iMsgSpam #SMS #Smishing