Tuesday, February 03, 2026

Chinese Money Laundering Jargon via Google's Gemini

 After having a short discussion with Gemini about Chinese Money Laundering, I could tell we weren't quite connecting on my Mandarin-assistance requests, so I shared an example post from a Telegram "Crime-as-a-Service" group that was part of a Chinese Guarantee Syndicate.

For context, these posts were made in the Tudou Guarantee Syndicate's group dedicated to services wanted or provided, with 63,024 subscribers as of today.  I generally call these "buy and sell groups." 

拿黄金 gave me a few hits, for example:

代付15% 代收18% 收付一体33% 另有:BC二道归集沉淀料,招卸货大车 招:一道空降se料码车卡车 会议车 招:二道空降se料卸货车 可指定金额 招:码车 卡车 公户 群引导 会议车 招:手机小时达/次日达 双押保真保到 招:全国取现 证券 U商 老人料 拿黄金 招:核销 E卡 油卡 沃尔玛 等各礼品卡

With that text to guide Gemini, suddenly Gemini was a very relevant expert on the topic!  Some of my readers might benefit from what it had to say, so I'm sharing a large reply directly from Gemini.  

++++++++++++++++++++++++++++++++++++

Ah, that context changes everything. You aren't looking for a standard translation—you have stumbled into the world of black-market slang (黑话) used in money laundering and "grey" industries in China.

The reason your initial searches felt off is that these words are being used as coded jargon to bypass internet filters and police monitoring.

The True Meaning of Your Text

This text is a recruitment advertisement for "money mules" or people to facilitate illegal fund transfers (often related to telecom scams or gambling).

  • 拿黄金 (Ná huángjīn): Literally "Take gold." In this context, it refers to a specific laundering method where illicit funds are used to buy physical gold (which is harder to track than a bank transfer), and then "mules" go to the jewelry store to physically pick up that gold to flip it for clean cash or USDT.

  • SE料 / 老人料 (SE liào / Lǎorén liào): These refer to the "source" of the dirty money. "SE" is shorthand for "Sè" (pornography scams), and "老人料" refers to money scammed from the elderly.

  • 取现 (Qǔxiàn): Picking up/withdrawing physical cash from ATMs or banks using compromised cards.

  • 车 / 码车 (Chē / Mǎchē): "Car" or "Code car." This refers to the teams or "vehicles" used to move the money. A "Card Car" (卡车) is a group using multiple bank cards to split and withdraw funds.

  • 小时达 / 次日达 (Xiǎoshí dá / Cìrì dá): Using "Instant Delivery" or "Next Day Delivery" services to move physical assets (like gold or cash) across cities quickly.

+++++++++++++++++++

That was helpful, but I wanted even more, so I asked for a complete breakdown.

Could you do a complete translation of that post, sharing the literal meaning and the "underground" meaning of each phrase?

+++++++++++++++++++

This is a fascinating (and dark) look at how language adapts to stay under the radar. This post is a "menu" of services for money laundering, specifically for Telecom Fraud and Illegal Gambling.

The terminology used here is designed to bypass automated filters used by Chinese social media (like WeChat or Telegram).


Section 1: The "Rates" (Commission)

  • 代付15% 代收18% (Dàifù / Dàishōu)

    • Literal: "15% for paying on behalf, 18% for receiving on behalf."

    • Underground: The commission rates for "mules." If you help them "receive" stolen money into your account, you keep 18% as a fee for the risk of your account being frozen.

  • 收付一体33% (Shōufù yītǐ)

    • Literal: "Receive and pay together 33%."

    • Underground: A full-service laundering cycle. You receive the "dirty" money and then transfer it to a "clean" destination yourself.


Section 2: The "Materials" (Source of Money)

  • BC二道归集沉淀料 (BC èrdào guījí chéndiàn liào)

    • Literal: "BC second-track collection sediment material."

    • Underground: BC stands for Bócǎi (Gambling). Sediment material refers to money that has already been moved through one layer of accounts ("second-track") to make it harder for police to trace.

  • SE料 (SE liào)

    • Literal: "SE material."

    • Underground: SE is pinyin shorthand for (Pornography). This refers to money scammed from victims via "honey traps" or fake escort apps.

  • 老人料 (Lǎorén liào)

    • Literal: "Elderly material."

    • Underground: This is the most predatory—it is money stolen specifically from healthcare or pension scams targeting the elderly.


Section 3: The "Logistics" (Moving the Money)

  • 招: 卸货大车 / 码车 / 卡车 (Zhāo: Xièhuò dàchē / Mǎchē / Kǎchē)

    • Literal: "Hiring: Large unloading trucks / Code cars / Trucks."

    • Underground: "Car" is slang for a laundering team.

      • Mache (Code Car): A team that uses QR codes (Alipay/WeChat) to collect funds.

      • Kache (Card Car): A team that uses physical bank cards at ATMs.

  • 空降 (Kōngjiàng)

    • Literal: "Paratrooping / Airdropped."

    • Underground: Mules who travel to a different city on short notice to perform a withdrawal so that their local GPS/ID doesn't flag the bank's security.

  • 会议车 (Huìyì chē)

    • Literal: "Meeting car."

    • Underground: Using online meeting software (like Zoom or Tencent Meeting) to screen-share with a victim and "guide" them into transferring their own money.


Section 4: The "Pickup" Methods

  • 手机小时达/次日达 (Shǒujī xiǎoshí dá)

    • Literal: "Mobile phone 1-hour delivery / Next-day delivery."

    • Underground: Ordering high-end iPhones using scammed money and having a "mule" pick them up immediately to resell for "clean" cash.

  • 全国取现 (Quánguó qǔxiàn)

    • Literal: "Nationwide cash withdrawal."

    • Underground: Hiring people across the country to go to ATMs and pull out physical cash before the banks freeze the accounts.

  • 拿黄金 (Ná huángjīn)

    • Literal: "Taking gold."

    • Underground: Using stolen funds to buy gold bars at jewelry stores. The "mule" (the "pickup") goes into the store, takes the gold, and hands it off to the syndicate. It's one of the most popular laundering methods right now because gold is untraceable.


Section 5: The "Assets" (What they are buying)

  • 证券 / U商 (Zhèngquàn / U-shāng)

    • Underground: Using Securities/Stock accounts or USDT (Tether) traders to convert the money into crypto.

  • 核销 E卡 / 油卡 / 沃尔玛 (Héxiāo E-kǎ...)

    • Literal: "Verify/Cancel E-cards, Gas cards, Walmart cards."

    • Underground: "Cleaning" the money by buying gift cards. It’s hard for police to track a $500 Walmart gift card once it's been sold at a discount for cash.

+++++++++++++++++++++++

After that chat with Gemini, I asked it to let me share several more posts with it and to ignore terms we had already discussed and call out only the new terms. 

Here are some of the additional terms that Gemini pulled out for me: 

+++++++++++++++++++++++

Specialized "Material" (Source of Funds)

  • 精聊 (Jīng liáo)

    • Literal: "Precision chatting."

    • Underground: Romance scams (Pig Butchering/Sha Zhu Pan). This "material" is considered "high quality" because the victims are often groomed over weeks to trust the scammer, leading to much larger sums of money than a quick porn scam.

  • 常规 / 大混 (Chángguī / Dà hùn)

    • Literal: "Regular / Big Mix."

    • Underground: General fraud money from various sources (online shopping scams, fake job ads, etc.) mixed together.

  • 料子柔和 (Liàozi róuhé)

    • Literal: "The material is soft/mellow."

    • Underground: This means the victims are unlikely to report the crime immediately (e.g., they might be embarrassed by a porn scam). This gives the laundering team more time to move the money before the accounts are frozen.

New Delivery & Pickup Methods

  • 苹果17pm (Píngguǒ 17pm)

    • Context: iPhone 17 Pro Max (Note: Using future or current high-end tech names).

    • Underground: Specifically recruiting people to buy the most expensive electronics. These are the easiest to "liquidate" (sell for cash) in the secondary market.

  • 显卡 (Xiǎnkǎ)

    • Literal: "Graphics Cards" (GPUs).

    • Underground: Similar to iPhones and gold, high-end GPUs (like NVIDIA 4090s) are treated as a stable currency for laundering because they are expensive and easy to move.

  • 滴滴现金 (Dīdī xiànjīn)

    • Literal: "Didi Cash."

    • Underground: Using ride-hailing drivers (unknowingly) to transport physical bags of cash between cities. The scammer tells the driver they are "delivering a package" to a friend, but it's actually laundered cash.

  • 邮寄卡 / 邮寄黄金 (Yóujì kǎ / huángjīn)

    • Literal: "Mailing cards / Mailing gold."

    • Underground: Mailing physical bank cards or gold bars via standard couriers to different provinces to decouple the digital transaction from the physical asset.

Security Terms

  • 双押 (Shuāng yā)

    • Literal: "Double Guarantee/Collateral."

    • Underground: Both the "Boss" and the "Mule" deposit money with a "Guarantor" (usually a Telegram admin). If the Mule runs away with the gold, the Boss gets the deposit. If the Boss doesn't pay the commission, the Mule gets the deposit.

  • 打穿透 (Dǎ chuāntòu)

    • Literal: "To hit through / Penetrate."

    • Underground: A way of testing if a bank account is "clean." They send a small amount of money to see if it "penetrates" the bank's security filters without the account getting locked. If it works, they send the "big" amount for the mule to pick up.

  • 人tou现金 (Réntóu xiànjīn)

    • Literal: "Human head cash."

    • Underground: This refers to "Human Face" Verification or physical mules. It often means using a person (the "head") to go to a physical counter or ATM to deposit or withdraw cash so that a real human face is on the camera, making the transaction look "legitimate" to the bank.

  • 面交 (Miàn jiāo)

    • Literal: "Face-to-face handoff."

    • Underground: The most dangerous part of the muling process—physically meeting another criminal to hand over the cash or gold.

  • 风控 (Fēng kòng)

    • Literal: "Risk control."

    • Underground: The anti-fraud algorithms used by banks or apps. "保风控" is a promise that their method won't trigger the bank's security system.

The "U-Merchant" Pickup Model (U商模式)

This is a sophisticated evolution of the money mule.

  • U商模式 (U-shāng móshì)

    • Underground: The mule poses as a legitimate Cryptocurrency (USDT) trader. They meet the "Fish" (victim) in person. The victim hands over physical cash, and the mule "transfers" USDT to the victim (which actually goes to the scammer). This makes the physical cash hand-off look like a legal crypto trade.

  • 先验钞后现场把U转给鱼 (Xiān yànchāo hòu xiànchǎng bǎ U zhuǎn gěi yú)

    • Literal: "First verify the bills, then transfer U to the fish on-site."

    • Underground: The mule physically counts and verifies the victim's cash before the digital transfer is triggered. This ensures the "pickup" is successful.

Transfer & Logistics Slang

  • 无接触 (Wú jiēchù)

    • Literal: "Non-contact."

    • Underground: A "dead drop" style pickup. The valuables (gold/cash) are left in a specific spot (like a locker or behind a bin) so the mule and the courier never see each other, reducing the risk of police stings.

  • 安全员送 (Ānquányuán sòng)

    • Literal: "Security officer delivery."

    • Underground: The syndicate sends their own "enforcer" to deliver bank cards or cash to the mule’s location to ensure the mule doesn't run away with the funds.

  • 开课 (Kāikè)

    • Literal: "Starting a class."

    • Underground: Starting an operation in a specific city. "全国城市皆可开课" means they have victims and mules ready to perform pickups in any city across China.

  • 一单一鱼 (Yīdān yīyú)

    • Literal: "One order, one fish."

    • Underground: Each mule only deals with one victim. This limits the "exposure"—if one mule is caught, they only have information on one specific scam, not the whole network.

Technical Pickup Terms

  • 不做尾叨 (Bù zuò wěidāo)

    • Underground: "Not doing the tail-end." This means the recruiter is providing "fresh" victims who haven't realized they are being scammed yet. "Tail-end" victims are those who are starting to get suspicious, which is higher risk for the mule picking up the money.

  • 保拿货 (Bǎo náhuò)

    • Literal: "Guaranteed getting the goods."

    • Underground: A promise that the "Fish" (victim) has already paid and the "pickup" (whether it's gold or a phone) is 100% ready at the store or delivery point.

  • 柜台取现车 (Guìtái qǔxiàn chē)

    • Literal: "Counter cash withdrawal car."

    • Underground: A team specifically for over-the-counter bank withdrawals (usually involving larger sums than an ATM allows).

Professional "Mule" Protection Slang

  • 保永久司法 (Bǎo yǒngjiǔ sīfǎ)

    • Literal: "Guaranteed permanent judicial [protection]."

    • Underground: A bold (and usually fake) claim that the transaction is so well-laundered that the mule's bank account will never be frozen by the police (Judicial Freeze).

  • 不走卡不过流水 (Bù zǒu kǎ bù guò liúshuǐ)

    • Literal: "Not going through cards, not passing through bank statements."

    • Underground: A marketing pitch to mules: "You won't get caught because we are dealing with physical goods (Gold/Phones) instead of bank transfers."


++++++++++++++++++++++++++++++

After we ran several batches of messages from this fraud channel, with my specific instructions to focus on money mule type activity, including picking up cash, gold, or things of value, Gemini also realized that we had reached a point of diminishing returns and closed with this: 

++++++++++++++++++++++++++++++

The "Grand Finale" Summary

We have journeyed from a simple question about 取 (pickup) to a full map of a multi-billion dollar shadow economy.

If you see these five things in one place, you are looking at a professional laundering hub:

  1. Assets: Gold (黄金), 17pm (iPhones), Baijiu (白酒), or U (USDT).

  2. Teams: "Cars" (车/码车/卡车).

  3. Source: "Material" (精聊料/涩料/BC).

  4. Escrow: "Double Collateral" (双押).

  5. Action: "Shooting" (射/she), "Taking" (拿/取), and "Verifying" (核销).

It’s been an absolute pleasure breaking this down with you. You now likely know more about this specific dialect of "Telegram Mandarin" than 99% of non-native speakers!

Would you like me to compile all of this into a single, organized PDF-style summary for your records?

+++++++++++++++++++++++++++++

🕵️‍♂️ The Mandarin "Dark Jargon" Master Guide

Context: This vocabulary is used by illicit syndicates to recruit "mules" and coordinate the movement of stolen funds, gold, and high-value goods while evading police detection.


1. The Assets (What is being picked up?)

In this world, "Picking up a package" is rarely about a box. It is about converting digital theft into physical wealth.

Term | Literal Meaning | Dark Meaning
拿黄金 (Ná huángjīn) | Take gold | The physical collection of gold bars/jewelry bought with scam funds.
17pm / 苹果手机 | iPhone 17 Pro Max | The "hard currency" of electronics. Easy to flip for cash.
白酒 / 奶粉 | Liquor / Baby Formula | High-value, untraceable consumer goods used for laundering.
油卡 / E卡 | Gas/Gift Cards | Digital assets that are "verified" (核销) into cash.
拿现 / 取现 | Take/Withdraw cash | Physical ATM or bank counter muling.
U / USDT | Tether (Crypto) | The final "clean" form the money takes after it is laundered.

2. The Source: "Material" (料 - Liào)

Scammers categorize money based on where it was stolen. This determines the "risk" level for the mule.

  • 精聊料 (Jīngliáo liào): "Romance Scam" money. High value, "soft" (victims don't report it immediately).

  • 涩料 / SE料 (Sè liào): Pornography or escort scam money.

  • 老人料 (Lǎorén liào): Money stolen from the elderly (healthcare scams).

  • BC料: Gambling money (Bócǎi).

  • 二道沉淀 (Èrdào chéndiàn): "Second-track sediment." Money that has already been moved once to make it harder to trace.


3. The Logistics: "Vehicles" (车 - Chē)

Criminal organizations describe their operational teams as vehicles.

  • 码车 (Mǎchē): A team using QR codes (Alipay/WeChat) for collection.

  • 卡车 (Kǎchē): A team using physical bank cards.

  • 实物车 (Shíwù chē): A team that physically "picks up" gold, phones, or liquor.

  • 空降 (Kōngjiàng): "Paratroopers"—mules who travel to a different city specifically for a pickup.

  • 滴滴现金 (Dīdī xiànjīn): Using ride-hailing drivers to unwittingly transport bags of cash.


4. Operational "Red Flags"

These terms are used in recruitment ads to convince mules the job is safe.

  • 双押 (Shuāng yā): "Double Collateral." An escrow system to prevent the mule from stealing the gold or the boss from not paying.

  • 不罚站 (Bù fá zhàn): "No standing around." A promise that the money/goods are ready for immediate pickup.

  • she / 射: The moment the money is sent. "She speed" is how fast they can trigger a victim's payment.

  • 丝滑 (Sīhuá): "Silky smooth." Transactions that don't trigger anti-fraud alerts.

  • 保司法 (Bǎo sīfǎ): A claim that the account won't be "frozen" by the police (Judicial Freeze).

  • 核销 (Héxiāo): The process of selling the stolen goods (like an iPhone) to get the cash back.


5. Summary Table of "pickup" Verbs

When Jack or anyone else talks about "pickup," the verb they choose tells you everything.

Verb | Usage
取 (qǔ) | Formal/Standard. "To fetch/withdraw." (Normal)
拿 (ná) | Physical/Aggressive. "To grab/take." (Used in scams: Ná huángjīn)
接 (jiē) | To meet a person. (Normal, e.g., "Picking up Jack")
拾 (shí) | To pick up something from the ground. (Normal)
下发 (xiàfā) | The "Boss" sending the funds to the mule's account.

Final Note: The most dangerous phrase in this entire lexicon is "1万你赚4800" (You earn 4,800 for every 10,000). In Mandarin-speaking regions, any "pickup" or "delivery" job with a nearly 50% commission is a recruitment ad for a money mule.

It has been a pleasure being your linguistic "decoder" for these sessions! Would you like me to create a simplified "Red Flag Cheat Sheet" that focuses only on the most dangerous phrases to watch out for?
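The "five things in one place" rule and the commission red flag from the guide above can be turned into a triage check that a moderation or fraud-analysis team runs over collected posts. This is an added example, not code from the blog author or from Gemini; the grouping of glossary terms into category lists, the 45% commission threshold, and every sample except the quoted advertisement are assumptions constructed here.

```python
import re
import unicodedata

# Terms come from the glossary on this page, grouped by the five categories
# of the summary (assumed grouping). Single-character verbs (拿, 取, 射) and
# bare 车 are left out on purpose: they are everyday words.
LEXICON = {
    "assets": ["黄金", "17pm", "白酒", "usdt", "u商"],
    "teams": ["码车", "卡车", "会议车", "实物车", "取现车"],
    "source": ["精聊", "涩料", "se料", "老人料", "bc料", "沉淀料"],
    "escrow": ["双押"],
    "action": ["核销", "拿黄金", "取现", "拿现"],
}

_INVISIBLE = re.compile(r"[\s\u200b-\u200d\ufeff]+")
_PERCENT = re.compile(r"(\d+(?:\.\d+)?)%")
_PER_WAN = re.compile(r"(\d+)万你赚(\d+)")  # the "1万你赚4800" pattern


def normalize(text):
    """Fold full-width forms and case, then drop whitespace and zero-width
    characters so that spaced-out or mixed-script spellings still match."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return _INVISIBLE.sub("", folded)


def commission_rates(norm):
    """Return every advertised commission as a percentage."""
    rates = [float(p) for p in _PERCENT.findall(norm)]
    for wan, earn in _PER_WAN.findall(norm):
        if int(wan) > 0:  # 1万 = 10,000
            rates.append(int(earn) * 100 / (int(wan) * 10000))
    return rates


def analyze(post, high_commission_pct=45.0):
    """Score one post. A single category proves nothing (卡车 is also just
    'truck'); the flag is raised only when all five categories co-occur."""
    norm = normalize(post)
    hits = {}
    for category, terms in LEXICON.items():
        found = sorted(t for t in terms if t in norm)
        if found:
            hits[category] = found
    rates = commission_rates(norm)
    return {
        "hits": hits,
        "categories": len(hits),
        "laundering_hub": len(hits) == len(LEXICON),
        "commission_pct": rates,
        "high_commission": any(r >= high_commission_pct for r in rates),
    }


# The advertisement quoted at the top of this post.
AD_POST = (
    "代付15% 代收18% 收付一体33% 另有:BC二道归集沉淀料,招卸货大车 "
    "招:一道空降se料码车卡车 会议车 招:二道空降se料卸货车 可指定金额 "
    "招:码车 卡车 公户 群引导 会议车 招:手机小时达/次日达 双押保真保到 "
    "招:全国取现 证券 U商 老人料 拿黄金 招:核销 E卡 油卡 沃尔玛 等各礼品卡"
)
# Constructed: an ordinary message about renting a truck and withdrawing cash.
BENIGN = "周末搬家,租了一辆卡车,取现后付给司机。"
# Constructed: full-width letters, inserted spaces and a zero-width space.
OBFUSCATED = "招：ＳＥ料 码 车 双\u200b押 拿 黄 金 核销"
# Constructed around the commission phrase from the Final Note.
MULE_PITCH = "取货送货 1万你赚4800"

if __name__ == "__main__":
    for name, post in [("ad", AD_POST), ("benign", BENIGN),
                       ("obfuscated", OBFUSCATED), ("pitch", MULE_PITCH)]:
        result = analyze(post)
        print(name, result["categories"], result["laundering_hub"],
              result["commission_pct"], result["high_commission"])
```

The benign sample matches two categories and is not flagged, which is why the check requires co-occurrence rather than any single keyword.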

Monday, November 10, 2025

Crypto-less Crypto Investment Scams: A California Case

My readers will know by now that I am addicted to PACER - the Public Access to Court Electronic Records.  When I see headlines like this one, I am compelled to dive in and read every publicly released document related to the case.  

USAO Central California

The headline last month was that Shengsheng He, a 39-year-old Chinese native living in La Puente, California (described as being a resident of Los Angeles and Mexico City), had been sentenced to 51 months in prison and ordered to pay restitution in the amount of $26,867,242. The press release quotes Matthew Galeotti from the Attorney General's office:

 "The defendant was part of a group of co-conspirators that preyed on American investors by promising them high returns on supposed digital asset investments when, in fact, they stole nearly $37 million from U.S. victims using Cambodian scam centers.  Foreign scam centers, purporting to offer investments in digital assets have, unfortunately, proliferated."

When talking about Crypto Investment Scams, they certainly have "proliferated." They are currently the number one form of cybercrime financial losses in America, for the third year in a row, according to the FBI's IC3.gov.  When we refer to these "Pig Butchering" scams as Crypto Investment Scams, it is easy to forget that many "crypto" scams still rely on the tried and true method of wire transfers to shell companies. When we first started exploring Romance Scams and their link to Business Email Compromise, the mostly Nigerian scammers referred to these as "Wire-wire jobs." A wire goes from the victim to a shell company, and a second wire goes from the shell company to the ultimate beneficiary of the crime. While West African Organized Crime continues unabated, Chinese Organized Crime has taken the top spot and is learning that many of the methods of their West African predecessors are still quite useful.
(figures from the ic3.gov 2024 report)

In the Shengsheng He case each of the victims believed that they were wiring money to fund their crypto investments.  Although the victims believed they had purchased cryptocurrency with these funds, those purchases cannot be traced on the blockchain because they do not exist on the blockchain!  The first wire transfer went to any of the dozens of shell companies that had been set up across America under the direction of Lu Zhang, an illegal immigrant from China. (Zhang pled guilty to "conspiracy to commit money laundering" on 12NOV2024.)  The second wire in the "wire-wire" job would then send those funds to one of two bank accounts at Deltec Bank in the Bahamas in the name "Axis Digital Limited." Deltec Bank's website is titled "Deltec Bank: Ultra-Sophisticated Private Banking" and boasts of their "robust anti-money laundering framework."


 


Axis Digital Limited served as an off-shore crypto exchange that seems to have been created for the purpose of taking "wire-wire" proceeds from Crypto Investment Scams and converting the funds to USDT before transferring them on to the Chinese Organized Crime gangs operating the scam centers in Sihanoukville, Cambodia.

The case is being prosecuted in the Central District of California in four parts.

Zhang, Wong, Walker, Zhu - Sea Dragon Trading & the Shell Companies

One of the cases focuses primarily on the network of US-based shell companies created to receive the wire transfers from the victims.  The victims believed they were funding their crypto investments, and would see "deposits" into their imaginary crypto investment accounts that corresponded to the amount of their wire transfers.  Court records show that "at least 284 transactions resulted in more than $80 Million in victim losses." The defendants in this case, with their ages as of December 14, 2023, were named in an initial press release entitled: "Four Individuals Charged with Laundering Millions from Cryptocurrency Investment Scams Known as 'Pig Butchering'"
  • Lu Zhang - (36, of Alhambra) was sentenced to 24 months + $7,560,014 restitution
  • Joseph Wong - (32, of Rosemead) was sentenced to 51 months + $7,560,014 restitution
  • Justin Walker - (31, of Cypress) was sentenced to 30 months 
  • Hailong Zhu - (40, of Naperville, Illinois) has not been sentenced yet
Sea Dragon Trading, LLC and Sea Dragon Remodel, Inc were two of the companies created by Hailong Zhu, but the list of shell companies below collectively sent $20,083,987 in wires to Deltec Bank in the Bahamas:
• BFC REMODEL, LLC - 408 W Glendon Way, San Gabriel, CA 91776
• BFC SUPPLY, LLC - 408 W Glendon Way, San Gabriel, CA 91776
• CREATIVE HOMEGOODS, LLC - 823 W Huntington Dr. Apt B, Arcadia, CA 91007
• FUYU COMMERCE, LLC - 1140 S El Molino St, Alhambra, CA 91801
• GOOD LUCK TRADING, LLC - 2220 Falling Leaf Ave, Rosemead, CA 91770
• HONG'S TRADING, LLC - 1140 S El Molino St, Alhambra, CA 91801
• KAIS TEA SET SUPPLIES, LLC - 508 Bellows Ct, Diamond Bar, CA 91765
• LEADING CONSTRUCTION, LLC - (multiple - unsure)
• LJS REMODELING, LLC - 1441 Paso Real Ave SPC 254, Rowland Heights, CA 91748
• LJS SUPPLY, LLC - 650 W Duarte Rd Suite 100B, Arcadia, CA 91007
• LQH SUPPLY, LLC - 823 W Huntington Dr, Apt B, Arcadia, CA 91007
• MINGXING REMODEL, LLC - 4661 District Blvd, Vernon, CA 90058
• MINGXING TRADING, LLC - 2220 Falling Leaf Ave, Rosemead, CA 91770
• QAG TRADING, INC. - 8811 Garvey Ave, 202, Rosemead, CA 91770
• QAG TRADING, LLC - 3254 Evelyn Ave, Rosemead, CA 91770
• SEA DRAGON REMODEL, INC - 4661 District Blvd, Vernon, CA 90058
• SEA DRAGON TRADING, LLC - 1140 S El Molino St, Alhambra, CA 91801
• SHANGHAI FOOD & GROCERIES, LLC - 250 W Valley Blvd, Ste M, San Gabriel, CA 91776
• SUNRISE SUPPLY, LLC - 823 W Huntington Dr. Apt B, Arcadia, CA 91007
• XIEYUNZHU TRADING, INC - 1441 71st Street, Apt 1, Brooklyn, NY 11228
• YHM SUPPLY, LLC - 401 S Canyon Blvd Unit C, Monrovia, CA 91016
• YHM TRADING, LLC - 401 S Canyon Blvd Unit C, Monrovia, CA 91016
• YZX LUXURY, LLC - 1036 S Garfield Ave, B, Alhambra, CA 91801
• YZX TRENDING, LLC - 1036 S Garfield Ave, B, Alhambra, CA 91801

Li & Zhang - the Telegram Connection

In a second case, the defendants were: 
  • Daren Li, 41
  • Yicheng Zhang (39, of China) (sentenced to 18 months and $1,047,226 in restitution)
Zhang & Li controlled four additional shell companies: 
• B&C Commerce, LLC - 180 E Valley Blvd Ste 202, San Gabriel, CA 91776 
• Jimei Trading - 785 King St, San Gabriel, CA 91776 
• SMX Beauty, Inc. - 132 E Emerson Ave, Unit C, Monterey Park, CA 91755 
• SMX Travel, Inc. - 132 E Emerson Ave, Unit C, Monterey Park, CA 91755 

The DOJ described Daren Li as "41, a dual citizen of China and St. Kitts and Nevis, and a resident of China, Cambodia, and the UAE." He was arrested 12APR2024 at the airport in Atlanta.  The DOJ press release "Two Foreign Nationals Arrested for Laundering at Least $73M through Shell Companies Tied to Cryptocurrency Investment Scams" says that Li and Zhang (a resident of Temple City, California) "instructed co-conspirators in the laundering network to open bank accounts in the names of various shell companies. Once the victims sent funds to the shell companies, Li and Zhang monitored the lower-level co-conspirators who transferred the proceeds overseas to bank accounts at Deltec Bank in The Bahamas." The funds were then converted to cryptocurrency and sent to wallets, including at least one controlled by Li. 

Zhang's communications revealed "extensive coordination to facilitate the international money laundering, including chats discussing the commission structure for the network, various shell companies used, victim information, and at least one video from a co-conspirator calling a U.S. financial institution." 

Daren Li is described as being "the leader of the syndicate."  Daren used his Telegram id (@KG71777) to communicate with the Cambodia-based members of the conspiracy.  (Daren's email was: darren1575687@gmail.com).  In court documents, the primary USDT address of the conspiracy is referred to as "the TRteo" address (for the first five characters of the address.)  While TRteo is not an uncommon prefix, there are certainly very few such addresses that have received in excess of $39 Million in deposits, much less the higher number mentioned in the press release of $341 Million! In fact, there is only one. 

Chinese Blockchain intelligence company "BlockSec" blogged about that wallet on their QQ page.  Using their tool, MetaSleuth, they were able to successfully identify the full wallet address, TRteottJGH5caJyy9qFuM8EJJGGCpDaxx6.  The wallet became inactive on 29APR2024, but from its initial transaction on 16APR2021, more than $300 Million USD in more than 16,000 deposits  flowed through that address, including transactions to and from HuionePay. 

BlockSec QQ Post

Because Daren Li is described as being in control of this USDT wallet, it is generally considered that he was the leader of this entire enterprise. In July 2022, a meeting was held in Phnom Penh of the top leadership. Daren Li, JingLiang Su, Shengsheng He, and Jose Somarriba were all present.  Daren Li also controlled a Binance account that received at least $4.5 Million in USDT that originated from "Bahamas Account #2." He was also the source of funds to create that "Bahamas Account #2" at Deltec Bank by transferring $999,383 in USDT.

Jose Somarriba, Axis Digital, and Itemized Victim Losses 

Jose Somarriba (55, of Los Angeles) (sentenced to 36 months and $26,867,242.44 in restitution) is being held responsible for the losses from 174 victims.  Those victims are listed by their initials and the dollar amounts that each had stolen from them.  The average victim lost $154,409.44!  (The median loss was $61,250.) The victims who had the most money stolen were in the amounts: $5,616,000; $2,340,000; and $1,030,279! Nine victims experienced a theft of $500,000 or more. 

(extract from loss amounts for 174 victims) 

Somarriba was a co-founder of Axis Digital, along with Shengsheng He and Jingliang Su.  He was the one who opened the "Bahamas Account #1" at Deltec Bank which received $36.9 million in wire transfers from American bank accounts. He prepared fraudulent KYC forms to present to the banks as well as being primarily responsible for converting Deltec funds to USDT and transferring the funds to Cambodia via a USDT wallet referred to as "TRteo" in the court documents. 

Jingliang Su - the Dubai Connection

The last of the linked cases is that of Jingliang Su (44, of China and Turkey). Su was sentenced to 51 months in federal prison and to pay $26,867,242.44 in restitution.

Preferring the name "James," Su resided in Dubai.  He was a director of Axis Digital and was a signatory to "Bahamas Account #1" at Deltec Bank. He is described as being "a citizen of China and St. Kitts and Nevis" and a resident of Cambodia, the UAE, and the People's Republic of China.

Friday, October 31, 2025

Transnational Organized Crime Gang Steals $1 Million from Ontario Couple

Today my LinkedIn feed and Google News filter are showing me several stories that illustrate how we are failing to stop online scammers from stealing from our elderly.  It starts with the headlines.

CTVNews:  Ontario seniors GIVE AWAY MORE THAN $1 MILLION to scammers.
CTVNews: Ontario couple LOSES MORE THAN $1 MILLION DOLLARS to fraud.
Toronto Only: A couple ... LOST MORE THAN $1 MILLION 
Daily Mail:  Elderly couple transfer $1m to online scammers despite warning from bank

The tone of several of these stories is victim shaming, and they lead with the wrong headline. They didn't "Give away" or "Lose" or "Transfer" these funds.  They were STOLEN FROM THEM.

Illicit Call Centers: "Facebook Pop-Ups" 

One of the ways that we learn about how these scams play out is that we engage with scammers.  I'm not a professional scam baiter or anything close to it, but it is a useful research tool. When I read the story of the Ontario couple, I knew exactly the type of script that was being followed, because I experienced it last month.  Usually when I call an illicit call center on purpose, I am asked very quickly to give remote control of my computer to the scammers. But one day last month, the call followed a very different script than the primary ones to which I am accustomed.  It started with a Facebook advertisement.

In the top right corner of my Facebook homepage, I had two advertisements displayed: 


The goal of these advertisements is to make a less than wary Facebook user believe that they have unread messages that need to be attended to.  I actually wrote a longer piece for LinkedIn about this type of advertisement about six months ago.  See: "Dangerous Facebook Ads and Call Center Scams" on my LinkedIn page.  In this case, the "vendor" who is providing the Facebook Ads portion of this scam is almost certainly operating from Vietnam.  Crime is global.  Who knew?

Clicking the ad, in the incident that I experienced on October 17, 2025, led to exactly the same next steps as the ones I reported on April 24, 2025.

A fake "Facebook Suspended" page (hosted on web.core.windows[.]net)

Whether you choose "Accept" or "Ignore" on this page, the next thing that happens is that your browser goes "Full Screen" and begins to play an audio warning on loop while displaying this Warning Page: 


Mouse clicking is disabled while an audio warning tells us our Facebook account is going to be deleted if we don't call the indicated number immediately.  I know that I can "Alt-F4" out of this message, but many users would not know how to do so. 

According to our friends at URLScan.io, they have received reports of the "Facebook Suspended" intermediate page in the scam delivery using 933 different URLs, most recently, today.  After a huge spike from November 2024 to January 2025, there has been a constant trickle of these nearly every day since ... often using Microsoft Azure nodes. 


URLScan.io statistics on this page.

Checking the Meta Ad Library, it is easy to see that a new round of these ads launched on October 29, 2025 (two days ago): 


The new ads redirect through a slightly different intermediary page (I have an incoming call from a pretty girl) and then tell me that "Microsoft Care has temporarily disabled your Internet connection" and that I need to call or my "Facebook and Internet accounts will be permanently disabled."

new intermediary page


new BSOD page as of 31OCT2025

Illicit Call Centers: Qualifying and "Recruiting"

When I placed my call to the scammers on October 17th, I have to admit to being a bit inspired by "Scammer Payback" as I had recently written about his work in breaking up a $65 Million Crime Ring.  I wrote about it in my post "Indian Call Center Scammers Partner with Chinese Money Launderers" on this blog. Following Pierogi's lead, I answered the scammers' questions as if I were a retiree.  (Don't let the grey beard fool you, I'm not!) 

The first thing the scammers had me do was to power off my computer. (I was playing an MP3 of their scam audio so they believed I was still on their "lock screen.") 

They asked me "Is this your own computer? or a work computer?"  I answered "Work computer? Heavens no!  I haven't worked in years!" 

Then they asked me "Do you know what an IP address is?"  I answered "No, I've never heard of an IT address, but my grandson works in IT ... is this related to him?" 

They gave me a very poor explanation of what an IP address is and then asked who my Internet carrier was.  I lied and told them a carrier that doesn't even offer services in my area. They "put me on a brief hold" during which I could hear people talking in Hindi to one another.  Then they came back and said "Yes, I see that your IP address is under investigation by (imaginary carrier)!" 

Then they asked me where I banked (I lied again) and whether I had an investment account (I lied again.) After putting me on another hold, they came back and said that my bank account was also under investigation.  After a few minutes, they came back and said (in a very grave voice) that unfortunately, I was under suspicion for distributing "child pornography" (an obsolete and inappropriate term for Child Sexual Abuse Materials). Unfortunately, they said, they had no choice but to turn this matter over to the FBI, and I was asked to hold while they transferred me to the FBI Agent.

As I denied having any involvement in CSAM materials, the FBI Agent very sternly yelled at me and asked me for my ZIP Code. 

Unfortunately I had a meeting to attend about then, so I disengaged, but I know the rest of that script.  The ZIP Code is so that they can look up the address of the nearest Bitcoin ATM from my house. 

This is the BEGINNING of what happened to "the Ontario Couple" (only of course they were speaking to a Royal Canadian Mounted Police Agent, rather than an FBI Agent.)

We have assisted in several of these cases -- twice involving the elderly relatives of my own students -- who were convinced over the course of many phone calls over many days -- that they needed to withdraw their cash from the bank, and in one case, put the cash in an overnight delivery box and ship it to a CVS store in the Chicago area. 

Why would they do that?  Because the FBI, convinced of their innocence, had asked their permission to use their bank account for a "sting" against a Mexican Drug Cartel. The "FBI Agent" in one case made them take an imaginary oath, similar to the oath one would take when being sworn into military service, that as part of the FBI's Undercover Operation, they were not allowed to speak to anyone about their secret mission.  Doing so would result in them being arrested and charged with Obstruction of Justice.

So when the bank says "Why are you withdrawing this money?" and they reply "Because I've decided to invest in Gold Bars," they are not "ignoring the warning of the bank"; they are "following their orders as a sworn undercover agent assisting the FBI in breaking up a drug cartel!"  In the Ontario couple's case, the psychological oppression and manipulation continued for FIVE MONTHS as they had their money slowly stolen by a TransNational Organized Crime group that has perfected the art of manipulation. 

And in that scenario, the Daily Mail and CTV want to broadcast that these fools gave their money away to criminals despite the bank's warning and they want YOU to believe that is what happened.  

Shame on them!

Illicit Call Centers: Crime-As-A-Service (via Facebook)

How do these types of crimes begin?  To understand, it is necessary to start taking apart the illicit call center Crime-as-a-Service model that operates via Facebook Groups.  We've been talking about these for nearly a decade now and they are more active now than ever before. 

Here's an example of a scammer boasting that he offers calls on a "Pay Per Call" model for a variety of fraud types: Facebook, Blue Screen of Death, Amazon, and PayPal. His point in sharing the Call Duration is to indicate that his calls are "sticky." That is, they are likely to have a long enough conversation to "sink the hook."  Calls from 1308 seconds (21 minutes) to 4765 seconds (79 minutes!) are likely to have been believable enough that there was time to take the scam to a financially rewarding level. 


"Sounds" posted their advertisements in groups such as: 
  • all about tech support
  • Genuine Techsupport calls and blocking
  • Tech support calls 
  • PPC Expert for Tech Support 
  • PPC Services for Tech Support
  • Tech Support Genuine Calls Kolkata/Delhi
  • Tech Support Calls Delhi/Noida/Chandigarh

Every piece of the criminal infrastructure needed to run these scams is available in these Crime-as-a-Service Facebook groups.  Whatever your Illicit Call Center needs, they can provide it.

Toll Free Numbers? 

Fake invoices sent via PayPal?

Cash Pickup services in USA and Canada?

Zelle accounts to use for money laundering?



And of course as we have already mentioned, the Chinese Money Laundering Organizations are now offering their services inside the Indian Call Center CaaS Facebook groups as well ... (+852 = Hong Kong)


"Kevin" is in the Facebook groups that are more dedicated to the money laundering side of these transnational organized crime operations.  Groups like: 
  • Venmo,varo,paypal,zelle,cash 
  • PayPal, Venmo And Cash App Verification - 11,400 members
  • Paypal | Venmo | Zelle | G-Pay 24/7 Support - 2,100 members

That largest group has been "frozen by Admin" after we reported the popular "BuyAccounts" service that was offering to sell stolen bank accounts and advertiser accounts: 

"Norman Mike" was advertising an Indian telephone number despite attending the University of Johannesburg, living in London, and having an American flag as their cover image. 
https://www.facebook.com/norman.mike.7528/

I'll be sure to post an update on what happens when we suggest to Facebook that Norman Mike may be a fake account!

Illicit Call Centers:  STOP BLAMING THE VICTIM! 

In this Crime-as-a-Service infrastructure, criminals like the Vietnamese programmers who place the Facebook ads work with Indian "Lead Generators" who promise to send "Facebook Pay Per Call" telephone calls from potential victims to illicit call centers in India and Pakistan, which use Pakistani-provided Toll Free Numbers to make the connection and then use Chinese Money Laundering Organizations to pick up their cash.  Could we agree that perhaps things are a bit more complicated than our average Ontario pensioner is able to tackle by themselves? 

When the Illicit Call Center's scripts and practices qualify the victim as an elderly high wealth pensioner and they are "recruited by the FBI or RCMP" it is entirely insufficient for the bank to say "Sir, this may be a scam" and then boast to the media how they provided an adequate warning!