TL;DR: The UK’s FCDO has designated Xinbi, a Chinese-language illicit guarantee marketplace that Chainalysis says processed more than $19.9 billion between 2021 and 2025, because it underpins scam centres, money laundering, compromised data sales, and payment rails for industrial-scale fraud. The case shows infrastructure disruption is now as important as arresting individual scammers.
At a glance
What this is: The UK sanctioned Xinbi as part of a broader move to target the scam marketplace infrastructure that enables pig butchering, laundering, and payment facilitation at scale.
Why it matters: For IAM, fraud, and identity verification teams, this matters because illicit marketplaces increasingly broker trust, data, and payment access in ways that resemble governed identity infrastructure, just without the controls.
By the numbers:
- Our analysis indicates Xinbi processed over $19.9 billion between 2021 and 2025.
👉 Read Chainalysis's analysis of Xinbi sanctions and scam infrastructure disruption
Context
Illicit guarantee markets are trust intermediaries for criminal ecosystems. They provide escrow, listing, and reputation services that let scam operators, money launderers, and data vendors transact at scale while masking the real participants behind the exchange.
The Xinbi designation matters because it shifts enforcement attention from isolated fraud cases to the commercial infrastructure that sustains them. For identity and fraud practitioners, the parallel is clear: whenever a marketplace becomes the trusted layer for sensitive exchanges, governance failure spreads across the whole network, not just one account or one transaction.
Key questions
Q: How should investigators disrupt scam marketplaces that broker trust and escrow?
A: Treat the marketplace as infrastructure, not as a single account or chat channel. Focus on wallet clusters, escrow flows, vendor overlap, and payment off-ramps so you can identify the trust services that keep the network operating even after one platform is removed.
Q: Why do scam ecosystems keep recovering after takedowns?
A: They recover because the business model is portable. Operators preserve vendor relationships, move to new messaging apps, and rebuild payment paths while keeping the same laundering and scam functions intact. That makes continuity analysis more useful than counting deleted channels.
Q: What do security teams get wrong about marketplace fraud controls?
A: They often treat fraud prevention as a separate function from identity governance. In practice, verification, behavioural analytics, transaction monitoring, and exception handling all govern the same participant lifecycle. If those signals are disconnected, the platform reacts too late and cannot explain why one account was approved while another was blocked.
Q: Who is accountable when illicit marketplaces support large-scale scam operations?
A: Accountability usually spans sanctions authorities, financial intelligence teams, law enforcement, and platform operators that allow the infrastructure to persist. The key question is whether the enabling marketplace had enough visibility and controls to prevent it from becoming a repeatable abuse layer.
Technical breakdown
How illicit guarantee marketplaces broker trust
Guarantee marketplaces are peer-to-peer platforms that provide escrow and mediation for otherwise untrusted parties. In criminal ecosystems, that trust layer enables vendors to sell illicit goods, buyers to receive services, and both sides to reduce immediate counterparty risk. The result is not a single transaction path but an adaptable commercial layer that can support money laundering, compromised database sales, and scam infrastructure procurement. Because the marketplace abstracts trust, it becomes an aggregation point for many bad actors at once.
Practical implication: Investigators should treat marketplace trust services as infrastructure, not just venues, when prioritising disruption efforts.
Why platform migration weakens takedown strategies
When enforcement disrupts one messaging channel or storefront, illicit operators often reconstitute elsewhere, preserve relationships, and keep payment flows intact. Xinbi’s move from Telegram to SafeW and its creation of XinbiPay illustrate a resilience pattern: the service decouples from any single platform and builds proprietary rails to reduce dependency on external moderation. That makes the operation harder to remove because the business logic, identity graph, and payment path can survive a channel takedown.
Practical implication: Analysts should track cross-platform continuity, not just the visible front end, because channel loss rarely equals operational loss.
Why financial rails are the real control surface
The practical control surface is the movement of value, not just the content of the scam. Once a platform can route funds, list vendors, and connect to downstream laundering services, it can sustain fraud even if communications are disrupted. This is why transaction tracing, cluster attribution, and sanctions align better with the underlying risk than isolated account moderation. The same pattern appears in other high-trust ecosystems: if payment rails and identity proofs remain intact, the abuse model stays alive.
Practical implication: Prioritise flow mapping and cash-out disruption over narrow content takedowns when the goal is durable containment.
Threat narrative
Attacker objective: The objective is to preserve a durable financial and trust backbone for mass fraud operations while reducing exposure to platform takedowns and sanctions.
- Entry occurs through a trusted guarantee marketplace that brokers escrow and vendor discovery for illicit services, lowering friction for scam operators and laundering vendors.
- Escalation follows when the marketplace links to Black U services, unlicensed OTC brokers, compromised personal databases, and scam infrastructure providers, letting the network scale across multiple abuse types.
- Impact is achieved when the platform sustains scam-centre monetisation, obscures proceeds, and preserves resilience through platform migration and proprietary payment rails.
NHI Mgmt Group analysis
Xinbi shows that scam ecosystems now depend on trust infrastructure, not just fraud tactics. The marketplace does not simply host illicit activity, it brokers the commercial relationships that make mass fraud operationally scalable. That makes it closer to a governance layer than a storefront, which is why enforcement has to target the trust fabric as well as the individual actors. For practitioners, the lesson is that resilience and fraud success often depend on the same hidden intermediary.
Escrow backbone risk is the right concept for this category. Xinbi’s value comes from its ability to mediate trust, route funds, and preserve continuity across different communication channels and payment surfaces. Once those functions are distributed across Telegram, SafeW, and proprietary apps, the service becomes harder to suppress with single-platform actions. For identity and fraud teams, the control question becomes where trust is being externalised and whether that trust can be revoked.
Infrastructure-centric disruption is more effective than actor-centric enforcement alone. The FCDO designation signals that regulators are moving toward the rails, marketplaces, and aggregation points that make transnational scam networks profitable. This approach aligns with how modern abuse actually works: vendors, cash-out services, and data brokers form a reusable ecosystem that outlives any one arrest or takedown. Practitioners should expect more attention on the intermediaries that enable fraud rather than only the perpetrators who execute it.
Chinese-language guarantee markets create a cross-border governance problem that sits between fraud, sanctions, and data abuse. Xinbi reportedly spans laundering, compromised data sales, and scam support services, which means the same network can touch payment risk, personal data exposure, and operational fraud. That intersection matters because it breaks the old assumption that these abuse types can be handled in separate silos. For the field, the practical conclusion is to govern the enabling marketplace, not just the downstream incident.
Platform resilience is becoming a feature of illicit service design. Xinbi’s migration behaviour shows that criminal infrastructure now plans for disruption, not just growth. It can shift communication channels, preserve volume, and add proprietary payment rails to reduce dependence on any single host. For practitioners, that is a warning that disruption metrics should measure network adaptation, not only immediate visibility loss.
What this signals
Escrow backbone risk is the operational concept practitioners should carry forward from this designation. When marketplaces mediate trust, payment, and discovery at scale, the abuse path is no longer a single transaction but a reusable trust layer that spans vendors, channels, and cash-out points. Teams dealing with fraud, identity verification, or payment abuse should therefore instrument the intermediary layer, not just the endpoint event.
The broader programme signal is that disruption work is becoming more about continuity mapping than point-in-time blocking. If a service can migrate from one chat platform to another and add a proprietary payment app, your detection and response model needs to follow the relationship graph, not the host location. That is especially relevant where identity proofs, escrow, and payment credentials converge in a single abuse chain.
For practitioners
- Map the trust layer, not just the scam event Identify the marketplaces, escrow services, messaging channels, and OTC brokers that sit between scam operators and their victims. Build investigations around the intermediaries that enable repeatable transactions and cross-vendor continuity.
- Track cash-out continuity across platforms Monitor whether disrupted services reappear on new apps, new channels, or proprietary payment rails while keeping the same wallet clusters and vendor relationships. Continuity across platforms is a stronger signal than the disappearance of one storefront.
- Prioritise transaction tracing for disruption decisions Use cluster attribution and fund-flow mapping to identify aggregation points that connect multiple scam vendors, laundering services, and databases. This helps separate high-leverage intervention targets from low-value endpoints.
- Align sanctions with operational evidence Document how a marketplace supports laundering, data sales, and scam operations before escalating to regulators or legal teams. Clear evidence of materially enabling infrastructure strengthens accountability and reduces the chance of mis-targeting.
Key takeaways
- Xinbi illustrates how scam infrastructure now depends on trusted intermediaries, not just individual fraudsters.
- The reported $19.9 billion flow shows the scale of abuse that can sit behind a single guarantee marketplace.
- Practitioners should target trust brokers, fund flows, and continuity across platforms if they want durable disruption.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-7 | Continuous monitoring is relevant to tracing scam infrastructure and payment continuity. |
| NIST SP 800-53 Rev 5 | AU-6 | Audit analysis supports tracing abuse across escrow and payment rails. |
| MITRE ATT&CK | TA0009 , Collection; TA0010 , Exfiltration; TA0040 , Impact | The network shows staged abuse leading to financial impact and data exploitation. |
Map scam-supporting infrastructure to collection, exfiltration, and impact tactics for disruption planning.
Key terms
- Guarantee Marketplace: A guarantee marketplace is a brokered trading platform that provides escrow and reputation services for parties that do not trust each other. In illicit ecosystems, it lowers friction for scam vendors, laundering services, and data sellers by making transactions feel safer while obscuring the real actors behind them.
- Escrow Backbone: The escrow backbone is the trust and settlement layer that keeps a fraud ecosystem commercially functional. It includes the marketplaces, payment rails, and intermediaries that let bad actors exchange value, move funds, and preserve continuity when one channel or host is disrupted.
- Cross-Platform Continuity: Cross-platform continuity is the ability of an abuse network to keep operating after moving from one messaging app, storefront, or payment surface to another. It is a resilience signal, not a benign business metric, because it shows the underlying relationships and cash flow survive the takedown of a single front end.
What's in the full report
Chainalysis's full analysis covers the operational detail this post intentionally leaves for the source:
- On-chain cluster mapping that links Xinbi to other guarantee marketplaces and laundering services
- The transaction-flow evidence behind the reported $19.9 billion processed volume
- The role of SafeW migration and XinbiPay in preserving operational continuity
- How the FCDO designation fits into broader sanctions and disruption strategy
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is designed for practitioners who need to connect identity controls to real-world abuse patterns across modern security programmes.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org