Black-on-Black Fraud: Beware of Token Theft Risks in Fake Xinbi Guarantee "Safew" Apps

Safew is a privacy-focused messaging application whose core functions mirror Telegram's. It is built on Telegram's MTProto protocol and is advertised as providing end-to-end encryption for messages, voice and video calls, and file transfers, so that content is visible only to the communicating parties and never to the server. Some operators go further and self-host it on private servers, either to keep full control of the data or to stay out of reach of compliance review. One caveat a practitioner should keep in mind: in Telegram itself, MTProto gives end-to-end encryption only for secret chats, while ordinary cloud chats are encrypted only between client and server, so the same distinction should be checked before trusting the "server cannot read it" claim for any given Safew deployment.

Amid growing law enforcement cooperation and community bans on Telegram, Xinbi Guarantee, the largest illegal cryptocurrency escrow platform in Southeast Asia, is attempting to migrate merchants from its public Telegram groups to Safew. This in turn has spawned a wave of fake Safew apps that threaten the crypto assets of underground operators, above all public-group merchants.

This report aims to disclose part of this “black-on-black” trend.

Timeline

On May 13, 2025 (Beijing Time), Haowang Guarantee and Xinbi Guarantee, then the two largest illegal cryptocurrency trading platforms in Southeast Asia, were banned by Telegram on the same day. Numerous official service accounts and business public groups operated by both entities were removed outright, causing a short-term suspension of business and widespread panic across the underground ecosystem.

The two entities adopted different responses:

On the morning of May 13, Haowang Guarantee announced that it was ceasing operations and transferred all of its public-group business to Tudou Guarantee, an affiliated entity in which Haowang Guarantee had earlier taken a 30% stake. The shutdown was nominal: Haowang Guarantee executed a strategic exit, rebranded as Tudou Guarantee, and carried on its illegal operations.

On May 14, Xinbi Guarantee updated the homepage of its official website xinbi.com and announced the launch of Safew public groups to sidestep the Telegram ban on its public groups. The page has since been taken down, but an archived copy survives at:

https://archive.md/iDXW8

Before long, however, voices within the underground cybercrime community began accusing Xinbi Guarantee of launching Safew in order to steal users' crypto assets. These accusations peaked in early 2026, after Tudou Guarantee collapsed completely and Xinbi Guarantee accelerated the migration of its public groups.

Counterfeit Safew websites keep emerging

Although Xinbi Guarantee repeatedly pointed merchants to the official download link for Safew and claimed the app was available on the iOS App Store, the gangs behind fake Safew builds, much like fake-wallet theft rings, flooded search results with unofficial download links.

Take the unofficial website safew-x.com as an example. The Windows build served from it (download link: https://www.safew-x.com/_dl.php?t=win) exhibited malicious behavior when detonated in the ANY.RUN sandbox.

On execution, the sample drops a SweetSpecter variant of Gh0stRAT (a full-featured remote access trojan, RAT) and beacons to its command-and-control (C2) server, triggering the following Emerging Threats rules:

ET MALWARE [ANY.RUN] Gh0stRAT.Gen Server Response (SweetSpecter)

ET DROP Spamhaus DROP Listed Traffic Inbound group 2

Once a device is infected, the operator has full remote control of the compromised host, including:

Real-time remote desktop
Keylogging
Camera and microphone surveillance
File theft and exfiltration
Arbitrary command execution
Deployment of additional malicious tools

With that foothold the threat actor can maintain long-term covert persistence and steal sensitive data, which is why this family is a staple of cyber espionage. It is classified as a high-risk RAT.

For public-group merchants who run their underground business out of cryptocurrency wallets on the same machine, the obvious target is the wallet private keys (and any seed phrases or wallet files) stored on that device. None of the RAT's features need to be wallet-specific for this: the keylogger captures keys and passphrases as they are typed, and file exfiltration lifts the wallet files outright.

Business Analysis of Xinbi Guarantee Safew Public Group

Bitrace has long monitored the financial activity of Xinbi Guarantee. A survey of the collateral deposit addresses used for the Safew public group shows that, although Xinbi Guarantee launched the Safew public group in May 2025, it did not allocate a dedicated business address for this service until August of that year, and the business was small and shrank month by month.

It was not until the end of 2025 and the beginning of 2026, when Huiwang Payment and then Tudou Guarantee collapsed in quick succession, that Xinbi Guarantee began pushing its Safew public-group business hard and address activity rose. In January 2026 monthly inflows briefly exceeded 32 million USDT, before declining again month by month.

Across all of Xinbi Guarantee's deposit addresses, a full month of deposits through the Safew channel is roughly equal to a single day through the Telegram channel, so Telegram remains the first choice for underground public-group merchants on Xinbi Guarantee.

Conclusion

Black-on-black attacks on underground cybercrime operators are in fact routine. From fake wallets and fake Telegram clients to offline extortion and online social engineering, groups operating outside the law have become prime targets.

Following the collapse of Tudou Guarantee, Xinbi Guarantee has become the largest illegal cryptocurrency escrow platform in Southeast Asia. This phishing campaign targeting Safew public group merchants is neither the beginning nor the end.

Bitrace will continue to monitor this threat closely.

Contact us:

Website: www.bitrace.io

Email: bd@bitrace.io

Twitter: @Bitrace_team

LinkedIn: @bitrace tech