ZHGUI is a coordinated mirror-exchange, TRC20-focused fraud ecosystem that uses cloned domains, fake trading dashboards, social engineering through WhatsApp communities, a self-submitted FinCEN MSB entry, and TRON-based wallets to harvest funds and KYC data from Mandarin-speaking investors in Southeast Asia. On-chain analysis links large USDT flows through a labelled “RazorPay” aggregation wallet (TETzN…) into an internal relay (TNKCBR…) and onward to major CEX deposit addresses, demonstrating a structured laundering pipeline. #ZHGUI #TRON
Key points
- CloudSEK identified ZHGUI Cryptocurrency Ltd. as a mirror-exchange scam network targeting Mandarin-speaking retail investors in Malaysia and Southeast Asia using invitation-only onboarding and staged profits.
- Infrastructure analysis found 10+ cloned domains (e.g., zhguihc.com, zhguize.com) behind Cloudflare CDNs with AWS-hosted backends, WebSocket (socket.io) fake trading feeds, Udesk-style verification endpoints, and an iOS app (ZHGUI GE, ID: 6747241718).
- Operators exploited a self-submitted, unverified FinCEN MSB registration (No. 31000270792163) and paid press-release networks to manufacture regulatory credibility and launder the brand's reputation.
- Victim acquisition is driven by social-engineering “pig-butchering” funnels in WhatsApp/Telegram groups and finance communities, with operators posing as investment mentors and blocking withdrawals via scripted “tax review” or compliance excuses.
- On-chain TRON (TRC20) analysis reveals a RazorPay-labelled aggregation wallet (TETzNbCvMYs4Ki6Jh3g8YiXFjQoyyMYba9) that forwards funds to a routing wallet (TNKCBRt7o4iFCRR75KmTbupqU7qgYjWqnc) which fans out to CHAIN wallets and multiple CEX deposit addresses (Binance, OKX, HTX, KuCoin, Bybit).
- Whitepaper metadata (created with WPS Presentation, timezone +08:00) and Chinese-language resources point to China-aligned toolchains and operational ties despite U.S.-facing regulatory claims.
- CloudSEK recommends platform disruption, CEX reporting, continuous domain and wallet monitoring, and coordinated law-enforcement engagement to mitigate ongoing cross-border financial fraud.
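The fan-out described above (aggregation wallet, relay, then CHAIN wallets and CEX deposit addresses) is the kind of hop-by-hop tracing an analyst does over TRC20 Transfer events. The block below is an added example, not CloudSEK's tooling: the two labelled addresses are the ones the report names, while every other address, the CEX labels and all amounts are constructed placeholders standing in for indexer output.

```python
"""Trace hop-by-hop USDT (TRC20) fan-out from an aggregation wallet.

Added example, not CloudSEK's tooling. RAZORPAY_WALLET and RELAY_WALLET
are the addresses the report names; every other address, the CEX
labels and all amounts below are constructed placeholders.
"""
from collections import defaultdict, deque

# Wallets named in the report, with the labels the report gives them.
RAZORPAY_WALLET = "TETzNbCvMYs4Ki6Jh3g8YiXFjQoyyMYba9"
RELAY_WALLET = "TNKCBRt7o4iFCRR75KmTbupqU7qgYjWqnc"

# Constructed downstream labels: placeholder strings, not real addresses.
KNOWN_LABELS = {
    RAZORPAY_WALLET: "RazorPay aggregation",
    RELAY_WALLET: "ZHGUI Wallet - R (relay)",
    "T_PLACEHOLDER_CHAIN_1": "CHAIN wallet",
    "T_PLACEHOLDER_CEX_BINANCE": "CEX deposit (Binance)",
    "T_PLACEHOLDER_CEX_OKX": "CEX deposit (OKX)",
    "T_PLACEHOLDER_CEX_HTX": "CEX deposit (HTX)",
}

# Constructed (from, to, USDT amount) records standing in for TRC20
# Transfer events; in practice these come from a TRON indexer.
TRANSFERS = [
    ("T_PLACEHOLDER_VICTIM_A", RAZORPAY_WALLET, 12_000.0),
    ("T_PLACEHOLDER_VICTIM_B", RAZORPAY_WALLET, 8_000.0),
    (RAZORPAY_WALLET, RELAY_WALLET, 19_500.0),
    (RELAY_WALLET, "T_PLACEHOLDER_CHAIN_1", 4_500.0),
    (RELAY_WALLET, "T_PLACEHOLDER_CEX_BINANCE", 9_000.0),
    (RELAY_WALLET, "T_PLACEHOLDER_CEX_OKX", 6_000.0),
    ("T_PLACEHOLDER_CHAIN_1", "T_PLACEHOLDER_CEX_HTX", 4_400.0),
]


def build_graph(transfers):
    """Adjacency list: sender -> [(recipient, amount), ...]."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    return out


def trace_fanout(transfers, start, max_hops=4):
    """BFS outward from `start` over outgoing transfers.

    Returns {address: (hop_distance, usdt_received_from_traced_nodes)}
    for every address reachable within max_hops, excluding `start`.
    Each node is expanded once, so a transfer is counted once even if
    the graph contains cycles.
    """
    graph = build_graph(transfers)
    hops = {start: 0}
    inflow = defaultdict(float)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for dst, amt in graph.get(node, []):
            inflow[dst] += amt
            if dst not in hops:
                hops[dst] = hops[node] + 1
                queue.append(dst)
    return {a: (hops[a], inflow[a]) for a in hops if a != start}


def cex_exits(transfers, start, max_hops=4):
    """USDT landing at labelled CEX deposit addresses, keyed by label."""
    exits = {}
    for addr, (_, total) in trace_fanout(transfers, start, max_hops).items():
        label = KNOWN_LABELS.get(addr, "")
        if label.startswith("CEX deposit"):
            exits[label] = round(total, 2)
    return exits


def print_report(transfers, start):
    reached = trace_fanout(transfers, start)
    for addr, (h, total) in sorted(reached.items(), key=lambda kv: kv[1]):
        label = KNOWN_LABELS.get(addr, "unlabelled")
        print(f"hop {h}: {addr} [{label}] <- {total:,.2f} USDT")


if __name__ == "__main__":
    print_report(TRANSFERS, RAZORPAY_WALLET)
    print(cex_exits(TRANSFERS, RAZORPAY_WALLET))
```

The BFS only follows outgoing edges, so the victim deposits feeding the aggregation wallet are not in the result; the CEX totals are what an analyst would hand to exchange compliance teams when reporting the deposit addresses.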
MITRE Techniques
- [None] No MITRE ATT&CK techniques are explicitly referenced in the article.
Indicators of Compromise
- [Domain] Mirror-exchange frontends and onboarding portals – zhguihc.com, zhguize.com, and 10+ cloned mirror domains (e.g., zhgui.com, zhguro.com).
- [IP Address] Backend management consoles and CDN/backend hosts – 52.77.125.17 (management console), 188.114.96.3 (Cloudflare/AWS-fronted), and other AWS/Cloudflare IPs (18.164.237.46, 172.67.191.67).
- [Wallet Address] TRON (TRC-20) laundering and routing wallets – TETzNbCvMYs4Ki6Jh3g8YiXFjQoyyMYba9 (RazorPay wallet), TNKCBRt7o4iFCRR75KmTbupqU7qgYjWqnc (ZHGUI Wallet – R), and multiple downstream CHAIN and CEX deposit addresses (TAcmFE…, TMyhbR…, TX2SVZ…, etc.).
- [File Name] Public whitepaper used for credibility and metadata attribution – ZHGUI-Whitepaper-EN.pdf (publicly hosted at https://doc.zhgui.com/).
- [File Hash] Favicon hash used for OSINT correlation of mirror sites – 1ca2e500f792fdce9128e8f26fd0a5c10b3f06f1047ce5217e5789db9b33681b (used to link knightkron.com and sydmonet.com as clones).
- [Email / Phone] Support and recruitment contact points linked to onboarding and social funnels – [email protected], +1 (303) 435-1617 (claimed Denver support), and Malaysia-based WhatsApp admin numbers such as +601170205120 and +601169993517.
- [Registry / Artifact] Self-submitted FinCEN MSB registration used for false legitimacy – MSB Registration No. 31000270792163 (ZHGUI Cryptocurrency Ltd., self-submitted/unverified entry).
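The favicon-hash pivot in the indicator list (one hash linking knightkron.com and sydmonet.com to the ZHGUI mirrors) works because cloned frontends ship the same icon bytes. The block below is an added example, not CloudSEK's code: the report's 64-hex value is SHA-256 length, so SHA-256 over raw favicon bytes is assumed; the domains and icon contents are constructed, and a real run would fetch `/favicon.ico` from each candidate host instead.

```python
"""Cluster candidate domains by the SHA-256 of their favicon.

Added example, not CloudSEK's tooling. The hash the report quotes is
64 hex characters, so SHA-256 over the raw favicon bytes is assumed.
Domains and icon bytes below are constructed stand-ins.
"""
import hashlib
from collections import defaultdict

# Favicon hash the report associates with the ZHGUI mirror sites.
ZHGUI_FAVICON_SHA256 = (
    "1ca2e500f792fdce9128e8f26fd0a5c10b3f06f1047ce5217e5789db9b33681b"
)


def favicon_sha256(data: bytes) -> str:
    """Lower-case hex SHA-256 of the favicon bytes as served."""
    return hashlib.sha256(data).hexdigest()


def cluster_by_favicon(favicons):
    """favicons: {domain: favicon bytes or None}.

    Returns {sha256_hex: sorted list of domains}; hosts that served no
    favicon are skipped rather than grouped under an empty hash.
    """
    clusters = defaultdict(list)
    for domain, data in favicons.items():
        if not data:
            continue
        clusters[favicon_sha256(data)].append(domain)
    return {h: sorted(ds) for h, ds in clusters.items()}


def matches_known(favicons, known_hash):
    """Domains whose favicon hash equals a known indicator hash."""
    return cluster_by_favicon(favicons).get(known_hash.lower(), [])


def shared_clusters(favicons, min_size=2):
    """Only the hashes shared by at least min_size domains: these are
    the candidate clone groups worth a manual look."""
    return {
        h: ds for h, ds in cluster_by_favicon(favicons).items()
        if len(ds) >= min_size
    }


# Constructed icons: one reused across two mirrors, one unrelated.
# The 4-byte prefix mimics an ICO header; the payload is arbitrary.
SHARED_ICON = b"\x00\x00\x01\x00" + b"CONSTRUCTED-CLONE-ICON" * 4
OTHER_ICON = b"\x00\x00\x01\x00" + b"CONSTRUCTED-OTHER-ICON" * 4
SAMPLE_FAVICONS = {
    "mirror-a.example": SHARED_ICON,
    "mirror-b.example": SHARED_ICON,
    "unrelated.example": OTHER_ICON,
    "nofavicon.example": None,
}


if __name__ == "__main__":
    for h, domains in shared_clusters(SAMPLE_FAVICONS).items():
        print(f"{h[:16]}...  {', '.join(domains)}")
    print("known ZHGUI hash seen on:",
          matches_known(SAMPLE_FAVICONS, ZHGUI_FAVICON_SHA256) or "none")
```

Hashing the bytes exactly as served matters: the same icon re-encoded or resized by a CDN yields a different digest, so a miss against the indicator does not clear a host, while a hit is strong evidence of a shared template.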