The making of the Chinese language spy app Haotian is so successful that it has made millions of dollars by selling its face-swapping technology on Telegram. The service integrates seamlessly with messaging platforms like WhatsApp and WeChat and says users can adjust up to 50 settings—including the ability to adjust things like cheekbone size and eye position—to help mimic simulated faces. But while Haotian is a robust and flexible platform, researchers and a WIRED analysis found that the service was promoting so-called “pig cleaners” and those running online fraud operations in Southeast Asia.
Hackers have used Haotian and other fake deep tools to easily confirm their scams by allowing victims to “video chat” with a character they believe they were talking to as part of an investment opportunity, friendship, or even a romantic relationship. An analysis by cryptocurrency tracking firm Elliptic of four cryptocurrency wallets linked to Haotian shows that the company has received at least 3.9 million payments in recent years, including money from cryptocurrency wallets linked to suspected crimes, including fraud. Additionally, about half of its payments were related to the scam market authorized by the US government, Elliptic said.
Hieu Minh Ngo, a hacker-turned-cybercrime investigator at Vietnamese anti-fraud nonprofit ChongLuaDao, says Haotian, which appeared around 2021, was “one of the first and most popular.” Ngo has done extensive research on Haotian and its practice. “Its results are almost perfect,” he says. “And they get better and better every day. If you look at a crypto wallet, you’ll see money coming in every day.”
Haotian is just one part of a wider tech ecosystem that has emerged from Southeast Asia’s growing cybercrime industry and forced labor scam compounds. And as face swapping and other video deepfake tools have become more widely available, they have increasingly been incorporated into fraud and other forms of cybercrime around the world. Over the past two years, officials working for the United Nations Office on Drugs and Crime have discovered more than 10 possible face-swapping tools used by cybercriminals in Southeast Asia, including cryptocurrency scams and impersonating police officers.
Haotian has a website for its face-swapping tool, but primarily promotes its desktop app through the Telegram community channel, which launched in October 2023 according to Ngo’s research. Through this channel, which now has more than 20,000 subscribers, the company markets new versions of the application, provides development updates, and provides technical support. Although Telegram marketing software is not abusive in nature, researchers say that Haotian customers are increasingly turning to scammers who are already looking for information about the many gray market services in the messaging app.
Telegram declined to comment. However, after WIRED contacted the company, the main Haotian Telegram social channel and other related accounts are either inaccessible or appear to have been deleted. Telegram did not return a request for comment on whether the company had taken down the accounts.
