US Justice Department Seizes Huione Group Money Laundering Infrastructure

The US Justice Department has announced the seizure of a cloud computing account used by subsidiaries of the Huione Group, a Cambodia-based conglomerate alleged to have provided laundering services for the proceeds of cryptocurrency investment fraud, cyber scams, and other criminal activity. The account hosted the backend infrastructure supporting these subsidiaries, enabling illicit cryptocurrency proceeds to be transferred, moved, and concealed before conversion into the legitimate banking sector.

The seized account supported the operation of Huione Guarantee, also known as Haowang Guarantee, which operated Telegram channels offering stolen credit card and identity data, the proceeds of malware-enabled thefts, human trafficking facilitation, and laundering services for romance and investment scam proceeds. Huione Guarantee also provided escrow services that facilitated transactions for criminal actors, including the laundering of cryptocurrency. Investigators have repeatedly traced cyber-enabled fraud proceeds to cryptocurrency addresses attributed to the Huione Group, where funds were subsequently layered and obscured.

The action follows the final rule issued in October last year by the Financial Crimes Enforcement Network (FinCEN), which severed the Huione Group from the US financial system after determining it to be a primary money laundering concern under section 311 of the USA Patriot Act. That determination cited the group's role in laundering cryptocurrency investment fraud proceeds, cyber heists attributed to the Democratic People's Republic of Korea, and the proceeds of further cyber scams. FinCEN has now issued a notice of proposed rulemaking (NPRM) to expand the rule's definition of the Huione Group to include H-Pay Service PLC, which it has assessed to be a component of the group and itself of primary money laundering concern.

The case is being investigated by the Federal Bureau of Investigation (FBI) and the Internal Revenue Service Criminal Investigation (IRS-CI), with prosecution led by the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) and the US Attorney's Office for the Northern District of California. The seizure forms part of Operation Riptide, a sustained FBI campaign targeting the actors, infrastructure, and financial networks underpinning cyber-enabled fraud.

The persistence of the Huione ecosystem despite the section 311 determination underscores a recurring supervisory challenge: designations sever access at the institutional level but do not, by themselves, dismantle the operational infrastructure beneath. The expansion of the rule to capture H-Pay Service PLC reflects the tendency of such networks to reconstitute through affiliated entities, and reinforces the value of monitoring counterparty and corporate-structure changes among previously designated groups rather than treating a single designation as a closed matter.

Read the press release here.