DOJ Seizes Huione’s Cloud Infrastructure, Disrupting $4B Illicit Crypto Network

Published by James Harris on June 24, 2026June 24, 2026

The U.S. Department of Justice seized a cloud computing account on June 23 that powered the backend infrastructure of Cambodia’s Huione Group, targeting the technical skeleton of what U.S. authorities describe as one of the most sophisticated crypto-enabled fraud laundering networks operating today. This was not a wallet seizure or an individual arrest. The DOJ went after the infrastructure itself.

Huione Guarantee, the Telegram-based marketplace at the center of the action, allegedly functioned as a full-service escrow and payment layer for criminal operators: moving illicit crypto, brokering stolen identity credentials, and providing the financial plumbing that let fraud networks scale across borders without touching regulated banking. [Elliptic previously reported](https://www.elliptic.co/blog/huione-largest-ever-illicit-online-marketplace-stablecoin) that the operation had expanded into its own stablecoin (USDH), activity across Ethereum, BNB Chain, and Tron, and exchange-like services, making it less a marketplace and more a parallel financial system. A FinCEN investigation found at least $4 billion in illicit flows through Huione-related entities between August 2021 and January 2025, including proceeds from “pig butchering” scams and funds linked to North Korea’s Lazarus Group. The North Korean connection is what elevates this beyond a standard fraud case: Lazarus-linked laundering channels have been a consistent sanctions enforcement priority, and any infrastructure touching those flows draws a different level of interagency attention.

U.S. victims reported $7.2 billion in cryptocurrency investment fraud in 2025 alone, inside total cybercrime losses of $21 billion for the year, which reframes the DOJ action less as a one-off and more as institutional triage.

The infrastructure-first approach signals a deliberate shift in enforcement strategy. Seizing wallets and charging individuals has limited effect on networks designed to be modular and replaceable. Going after cloud accounts and technical backends is harder to route around quickly, and the involvement of Chainalysis, Elliptic, and Google’s CyberCrime Investigation Team suggests coordination between on-chain intelligence and traditional cybercrime investigation that is becoming a repeatable playbook. Treasury sanctions on Cambodia-linked entities run parallel to the DOJ action, which means Huione is now being squeezed from the financial designation side and the operational infrastructure side simultaneously. Other Telegram-based escrow markets operating similar hybrid crypto-messaging structures should read this as a threat model update, not a distant warning.

On-chain analysts have noted that enforcement actions like this typically cause short-term fragmentation rather than shutdown, as operators migrate to alternative infrastructure. Whether the DOJ’s approach meaningfully compresses that recovery window is the operative question, and the answer will likely become visible in transaction flow data on Tron and BNB Chain over the coming weeks.