
This week we talk about smishing, Huione, and scams.
We also discuss money laundering, the Cambodian government, and Tether.
Recommended Book: The Longevity Imperative by Andrew J. Scott
Transcript
The portmanteau ‘smishing’ combines SMS and phishing to refer to the practice of using text messages to trick the recipients of said messages into revealing information that allows scammers to access their victim’s accounts on various platforms.
One common variation of smishing, which I’ve seen a lot recently, personally, are messages purportedly from toll road operators that tell the recipient they’ve got an unpaid toll, and they need to follow a link that’s provided in order to pay it. If the person receiving that message follows the instructions, they’ll tend to land on a webpage that’s convincing enough, which looks like the sort of site you might go to if you’re paying that kind of toll, online, and you enter your payment information and are then either immediately charged for this fake toll, or that information is used in some more cohesive manner—maybe the card is stolen, maybe it’s added to a larger collection of data they have on you which is then leveraged for a larger payout.
This type of scam has become more common in recent years because of innovations deployed by what security researchers have called the Smishing Triad, which is a trio of mobile phishing groups operating out of China that seem to have refined their infrastructure and techniques so that messages they send via iMessage to iPhone users and RCS to Android users can bypass mobile phone networks and enjoy a nearly 100% delivery rate—which makes the name a little ironic, since these groups don’t use SMS to deliver these scam texts anymore, as those other methods of delivery are more reliable for such messages, these days.
The big innovation introduced by these groups, though, beyond that deliverability, is the productization of mobile phishing, which basically means they’ve packaged up applications that allow their customers, which are usually smaller-time phishing groups and individuals, to share links to convincing-looking copies of PayPal, Mastercard, Stripe, and Citigroup payment sites, among others, including individual banks, and that makes knee-jerk payments from the victims receiving these texts more likely, and less likely to set off alarm bells in the minds of those receiving them, because they look like just normal payment sites.
These pre-packaged scam assets also include regularly rotated web domains, which makes them less likely to trigger the recipient’s anti-scam software—their browser will be less likely to flag them as problematic, basically. And the Triad has hundreds of actual humans working desk jobs, worldwide, supporting their customer base, which again is a bunch of scammers that use this package of tools to try to steal money from their marks.
All of this is enabled, in part, by clever emulation software that allows Triad customers to leverage legit and legit-seeming phone numbers from a computer or phone, those devices then sending out around 100 messages per second, per device, to phone numbers in the targeted region. They’re able to do this on a budget because of the efficiency of the software acquired from the Smishing Triad, and the Triad stays just ahead of regulators and law enforcement by rapidly iterating their offerings, which in turn does the same for all of their customers—which grants the benefits of a larger institution to all these individual and smaller scam groups.
What I’d like to talk about today is another alleged backend for scammers, this one more overt and public facing, and perhaps even more impactful because of its size and because of the nature of its offerings.
—
The Huione (hu-WAY-wahn) Group is a financial conglomerate primarily based in Cambodia, though it also has satellite offices in other countries, mostly in Southeast Asia.
Folks use the entity’s QR codes to pay for stuff all around Cambodia, from restaurant tabs to hotel bills to supermarket tallies, and it offers normal banking stuff like checking and savings accounts, alongside things like escrow services and a cryptocurrency exchange.
This is a company that buys billboards along major highways throughout the country and which has well-connected people in charge, including one of the Cambodian prime minister’s cousins, who is the director of a Huione company.
In addition to its many legitimate offerings, though, Huione has also been accused of providing a range of gray and blackmarket products and services to folks who are doing skeevy but partially legal things, alongside wholly criminal enterprises, like a human trafficking outfit in Myanmar and folks running large smishing schemes in other parts of Southeast Asia.
Huione’s primary offering for the criminal underworld, though, is allegedly serving as a money laundering go-between.
If you run a smishing scammer network, or a group that kidnaps people and sells them into various types of modern slavery in Myanmar, you may have trouble using the money you earn for these efforts because they’re off-book, blackmarket sorts of income. You need to clean, to launder that money to make it seem legitimate, so that you can put it in banks or otherwise use it to pay for things like you would with normal, non-illegally earned money.
Money laundering matchmaker services maintain networks of what are called money mules, and these mules are sometimes individuals, and they’re sometimes shell companies with bank accounts or their own cryptocurrency wallets.
If you’re scamming people out of their money, you might use this type of service to connect you with a money mule, and you provide that mule’s bank or crypto account information to your victim—so when you receive a scammy text message and follow it to completion, the bank your money is sent to will probably be that of a mule, not the person or group doing the scamming.
So the victim transfers their money to that mule’s account, and the mule then moves said money from one account to another to another to another to another, eventually converting it into an asset like a cryptocurrency, once the path has been suitably muddled. They take their cut, which is often something like 15%, somewhere along the way, and you, their customer, the scammer, are handed neutralized, clean resources in the form of that cryptocurrency—which you can then convert into real money at some point—on the other end.
An entity like Huione makes money by connecting scammers and other criminals with mules, but also by serving as a guarantor on these transactions.
So this entity allegedly maintains a network of Telegram channels, Telegram being an anonymizing chat app similar to WhatsApp, and it allows matchmakers to advertise on these channels, using thinly veiled language to promote their services. Huione is able to make money selling ads to mules and other matchmakers who want to promote via these highly trafficked channels, one of which has more than 400,000 users—and they have many of these things, and that alone apparently brings in a fair bit of revenue, serving as a sort of hard-to-track Craigslist for this component of the scam economy.
The guarantor component of this digital bazaar means that Huione holds the transactions between scammer and mules in escrow, just like any other escrow service: they take the money and hold it until the service has been completed, at which point they release it, taking a small cut for the service of ensuring that no one gets ripped off—except for the original victim of the scam, of course.
The majority of these transactions are completed using Tether, which is a stablecoin that tries to peg its value to the US dollar, each token worth exactly one USD, rather than fluctuating like speculative crypto assets, like Bitcoin, and this allows everyone involved to maintain a veil of both feigned ignorance and anonymity, making it difficult to track who does what, how much money changes hands, and who gets paid and does the paying.
This setup allows Huione to claim ignorance any time someone accuses them of doing illegal stuff: after all, they can’t possibly be responsible for what all the entities using their services are up to, right? Everything is just muddled and anonymized enough to grant seeming truthfulness to that claim of ignorance.
Because of how all this is set up, most of what we know about this is the result of whistleblowing from insiders and leaked documents, alongside divulgences from security researchers who know how to get into these sorts of networks and who at times hack those involved in various ways.
And it seems, based on those divulgences and other gleaned knowledge, that Huione’s money laundering services, alone, have been linked to nearly $27 billion in cryptocurrency transactions since 2021—though that could be a significant undercount because of the blurry nature of this industry and the entities involved with it.
Thus far, Huione has never been targeted for sanctions by any government.
Tether took action to freeze some of its accounts after law enforcement officials flagged them for criminal behavior, and Telegram has closed some of those illicit, matchmaking channels, but it’s easy enough to set up new versions of both, while the escrow subsidiary of Huione, previously called Huione Guarantee, denies any connection to these activities and even changed its name to Haowang Guarantee in October of 2024, though that denial seems to be public-facing only: the escrow-providing company continues to claim that the larger Huione Group is one of its strategic partners and shareholders.
Huione also has its own matchmaking service, called Huione International Pay, which operates as a real-deal bank, but also does what all the other matchmakers do—it helps criminal enterprises shuffle their money around, taking a fee to provide them with clean money, usually in the shape of Tether crypto tokens, on the other end.
Though notably, Huione also recently launched their own stablecoin called USDH, alongside an in-house communication service called ChatMe and an array of mini-games that seem optimized for automation, which is another means of laundering money via what seems like gambling apps, allowing their clients to cut out the casinos that are sometimes used as part of the laundering process. All of which seems primed to internalize more of this process, slowly doing away with the need for Telegram and Tether and those casinos, which would seem to remove some of the risk associated with those external, uncontrolled-by-Huione, platforms.
Despite all this, this enterprise has been allowed to flourish and grow like it has, according to a threat analyst with the UN, at least, because of lax enforcement in Cambodia, and the conglomerate’s connections with the government and ability to say, basically, we’re legit, look, we’re just a bank, we can’t control what other people might do with our services. Their whole setup is obscure enough, too, that anyone who takes a close look at their entangled business structure quickly gets lost in its complexity and many tangles and dead-ends.
Some governments, including the Chinese government, have been cracking down on entities like Huione operating within their borders, but many such crackdowns are hobbled when they’re aimed at operations based in different countries, especially those with lax enforcement, like Cambodia.
Also worth noting is that if someone’s going to get caught, it’ll most likely be the mules, not the matchmakers or scammers, and that’s by design. It’s a bit like street-level drug dealers being more likely to be picked up by police than the folks running the larger drug enterprise of which they’re a part. Huione and other entities like it are largely insulated from major consequences, even if the mules who use their services periodically get caught in dragnets cast by law enforcement.
That said, the National Bank of Cambodia recently announced that it hasn’t renewed Huione’s license to operate its payment service in the country, the one that runs all those QR codes, because it didn’t meet renewal requirements. That happened in late-March of 2025, so pretty recently, though the company has already said that it will register its business in Japan and Canada, so it seems to be looking for a suitable plot of land on which to rebuild this component of its setup.
Many security researchers and law enforcement officials have warned that the time to crack down on Huione and similar conglomerates is now, because they’re currently reliant on partially exposed third-parties like Telegram and Tether. Once they successfully move those activities inward, they’ll be a lot more difficult to track, but also nearly impossible to shutter, unless there’s a significant change in the government and enforcement climate in the countries in which they’re based, which at this point at least, looks unlikely.
Show Notes
https://www.nytimes.com/2025/03/23/world/asia/cambodia-money-laundering-huione.html
https://www.wired.com/story/the-largest-illicit-online-marketplace-ever-is-growing-at-an-alarming-rate/
https://www.wired.com/story/pig-butchering-scam-crypto-huione-guarantee/
https://www.wired.com/story/interpol-pig-butchering-scams-rename/
https://www.propublica.org/article/casinos-cambodia-myanmar-laos-southeast-asia-fraud-cybercrime
https://krebsonsecurity.com/2025/04/china-based-sms-phishing-triad-pivots-to-banks/#more-70793
https://en.wikipedia.org/wiki/Mobile_phone_spam