📌 Executive Summary
This report decodes internal playbooks used by Chinese‑speaking cyber‑crime syndicates based in Southeast Asia. The documents treat “material” (illicit funds) as a tradeable commodity with a known toxicity, and describe layering architectures (2 to 4.5 hops) and specialized convoys (card‑to‑USDT, POS, physical goods). The March 2026 update adds collection fraud (催收料) to the “Big Mix” category. Criminals systematically exploit police database errors, 72‑hour freeze windows, and unwitting mules (“loan/poverty relief cards”). Regional impacts: China fights internal laundering, India suffers human trafficking and digital arrest scams, and the USA loses $11B+ annually to pig‑butchering.
💡 Core insider rule: More hops ≠ safety. Safety depends on material origin (long‑term investment scams = near‑white funds) and filtering method (POS / reserve accounts).
🗣️ Underground Terminology & Modus Operandi (Black Slang)
- 料 (Liào) – Illicit funds from fraud. Traded by toxicity level; “good material” has long judicial latency.
- 车队 (Chē Duì) – Convoy: the team that moves money through mule cards, POS, or crypto. “Drivers” of dirty money.
- 几道 (Jǐ Dào) – Number of hops/layers between victim and final collection. 2–4.5 layers.
- 人头 (Rén Tóu) – “Human head”: the unwitting or paid bank card holder (mule).
- 大混 (Dà Hùn) – “Big Mix”: standard grade fraud material (ticket scams, refund scams, now collection fraud).
- 保时 / 入算 / 拖算 – Time‑guaranteed / immediate settlement / delayed calculation: risk allocation contracts.
- 卡接回U – Card‑to‑USDT: final exit ramp converting RMB to Tether.
- 天眼 (Tiānyǎn) – Police case database, with known systematic errors exploited by criminals.
🔁 Step‑by‑Step Modus Operandi
- Sourcing: Material supplier runs/acquires scam funds → classified by toxicity (Red, Three Blacks, Big Mix, long‑term Ponzi).
- Convoy negotiation: Supplier contacts convoy via Telegram; agree on layers, settlement type (保时/入算), commission.
- Unloading (卸货): A‑card (victim‑facing) → B/C/D cards (virtual accounts / e‑wallets) → final conversion to USDT or physical goods (gold, oil, electronics).
- Settlement: If time‑guaranteed, convoy pays after freeze‑free period; delayed calculation for high‑toxicity materials.
- Card rotation: Cards discarded every 3 days to avoid investigative freeze, or after 6‑month judicial freeze (lower layers may be released).
📦 Layering Architecture: “Hops” (几道)
| Hops | Name | Mechanism | Forensic resistance |
| 2 | 二道料 | Victim → A‑card → B‑card | None – “inevitable judicial tracing” |
| 3-4 | AB料 | A → third‑party e‑wallet → B → C | Medium – depends on payment gateway |
| 4 | ABC料 | A → virtual B → virtual C → D | Good with virtual account isolation |
| 4.5 | ABCD料 | Extra “half” layer, similar to ABC | Over‑layering can become traceable |
| 3 (POS) | POS料 | A → POS swipe → payment aggregator pool → B | Good – sold as “white funds” |
⚠️ Criminal golden rule: “More hops ≠ more safety. Even 2‑hop ‘major region’ materials (大区以上) can be traced same day, while 4‑hop long‑term investment materials survive 6+ months.”
💀 Material Toxicity Classification (v24.0 – Mar 2026)
🔴 Red / Special Materials (refused, 拒接, by most convoys)
| Source | Settlement |
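| Terrorism / anti‑state funds (涉恐涉爆) | Only delayed calculation (预约拖算) – no guarantee |
| Weapons trafficking (军火) | Only delayed calculation (预约拖算) – no guarantee |
| Drug proceeds (毒资) | Only delayed calculation (预约拖算) – no guarantee |
| Kidnapping ransom (绑架) | Only delayed calculation (预约拖算) – no guarantee |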
⚫ Three Blacks (三黑料) – high toxicity
Impersonation of law enforcement, government officials, corporate executives, tech‑enabled identity theft. Leads to judicial action within hours/days. Settlement: 保时 24h or 拖算.
🟠 Big Mix (大混) – industry baseline (updated Mar 2026: added 催收料)
| Subtype examples | Maintenance period |
| Refund scams (P2P / Taobao / airline) | Days to weeks |
| Ticket / training / game item scams | Days to weeks |
| Collection fraud (催收料) – fake loan overdue SMS | Now Big Mix |
| “Reported materials” (新诈骗方式) | Accepted into Big Mix convoys due to volume shortage (toxicity not higher) |
📈 Investment Material Hierarchy (lowest to highest toxicity)
| Type | Duration | Settlement guarantee | Toxicity rating |
| Legitimate betting platform | Permanent | Permanent 保时 | Near‑white |
| Long‑term Ponzi (资金盘长盘) | 3–6+ months | 15–30 days | Very low |
| Short‑term Ponzi (短盘) | 30–45 days | 3–15 days | Low |
| Major region investment | Days to weeks | 1–3 days | Medium‑high |
| Precision chat / romance scam | Days | Same‑day | High |
🏆 Most valuable material: long‑term investment scams (early/mid) – sold as “almost white funds” with 6‑month+ safe operational window.
🚚 Convoy Types & Settlement Contracts
| Convoy type | Mechanism | Profit model | Best for material |
| Card‑to‑USDT (卡U车队) | Receive CNY → return USDT at agreed rate | Exchange spread | Long‑term investment / Big Mix |
| POS convoy (POS车) | Swipe through POS, payment pool | Fee per card | Medium toxicity (sex+task scams) |
| Physical goods convoy | Victim buys goods → delivered to convoy → sold for USDT | Spread after verification | High‑risk / “ignore filtering” |
| Red packet / DingTalk convoy | WeChat red packets / group payments | Spread | Micro‑fraud material |
| Gold / oil convoy | Corporate accounts (oil/gold exchanges) receive funds | Spread | Near‑white / large volume |
💰 Settlement Definitions
- 入算 (Immediate) – Convoy pays supplier upon receipt; supplier takes no freeze risk.
- 保时 (Time‑guaranteed) – Convoy guarantees no freeze for X hours/days (24h, 3d, 7d, 15d, 30d, permanent). If freeze occurs, convoy compensates.
- 拖算 (Delayed) – Payment after risk window passes; used for red/three blacks materials.
⚖️ Criminal Exploitation of Legal & Banking Systems
Freeze timelines (as documented by criminals)
| Freeze type | Duration | Criminal response |
| Judicial payment freeze (司法止付) | Default 72h | Rotate cards every 3 days; automatic unfreeze if police don’t act. |
| Judicial freeze (司法冻结) | 6 months (renewable to 2 years) | Sacrifice A‑card; lower‑layer mule cards often released after 6 months with no charge. |
| Investigative freeze (嫌疑侦查止付) | 3 days, indefinitely renewable | Main threat – discard cards before renewal. |
| Protective freeze (保护性止付) | 72h (victim’s card) | Does not affect criminal’s cards. |
📡 Tianyan database weaknesses (exploited): the error rate in case‑type classification is described as “very high”, with police said to select the type at random. Criminals use this to dispute toxicity labels. Midnight timestamps (00:00) are often database errors and are ignored. No “old version” exists – all screenshots are custom‑made.
🌍 Regional Impact: China · India · United States
🇨🇳 China Impact
China aggressively prosecutes telecom fraud (69,000 prosecutions in 2025) and money laundering (3,259 individuals for crypto/underground banking). The manual’s authors are Chinese‑speaking syndicates operating from Southeast Asia. China leverages capital controls, but that paradoxically fuels underground demand. Key vulnerability: Tianyan database errors exploited by criminals. China executed 11 members of a Myanmar scam family and pressures Cambodia to dismantle scam hubs.
🇮🇳 India Impact
India is both a major victim market and a source of trafficked labor. “Digital arrest” scams (impersonating CBI/police via video calls) have skyrocketed, with masterminds in Cambodia/Myanmar. Hundreds of Indians have been freed from scam compounds in Myanmar (549 rescued in March 2026). Victims lose entire savings to “safe account” fraud. The CBI’s Operation Chakra‑V targets domestic mule handlers. Trafficking via illegal travel agents from Telangana, UP, and Pune fuels the pipeline.
🇺🇸 United States Impact
The United States is the primary high‑value target for pig‑butchering (杀猪盘). FBI’s 2025 IC3 report: $21B total cyber‑enabled fraud, $11B+ in crypto fraud. Americans over 60 lost $7.7B. The DOJ Scam Center Strike Force (Nov 2025) seized nearly $402M in crypto. Operation Level Up notified 8,000+ victims, preventing $500M+ losses. Major challenge: funds converted to USDT and layered through Chinese‑language networks ($16.1B laundered in 2025).
📊 Comparative Matrix
| Dimension | China | India | USA |
| Primary role | Criminal org source, domestic victims | Trafficked labor, digital arrest victims | High‑value pig‑butchering market |
| Most common scam | Telecom fraud, investment scams | Digital arrest, SIM‑box fraud | Romance + crypto investment |
| Enforcement strength | Very high (legislation, intl pressure) | Moderate (jurisdictional limits) | Strong (dedicated strike force) |
| Key vulnerability | Database classification errors | Weak labor emigration controls | Crypto traceability lag |
| Scale (2025) | $16.1B laundered via crypto | Hundreds of millions (digital arrest) | $21B total cyber fraud |
🛡️ Recommendations for Law Enforcement & Defenders
- Reduce freeze response to <24 hours – Criminals exploit the 72h window. Automate investigative freeze propagation to B, C, D cards.
- Fix database inconsistencies – Standardize Tianyan case coding so that criminals can no longer dismiss case labels as “police random errors”.
- Target USDT conversion nodes – Disrupt Telegram‑based “card‑to‑USDT” convoys and OTC crypto ramps.
- Victim notification programs – Expand initiatives like FBI’s Operation Level Up (8,000+ victims saved).
- Educate against unwitting mules – “Loan / poverty relief” narratives: no legitimate loan requires moving money for others.
- International real‑time intelligence sharing – China, India, USA need joint task forces on Southeast Asian scam compounds.
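The freeze‑propagation recommendation above, sketched as an added example (not taken from the source documents or from any agency's tooling): starting from a reported A‑card, it follows outgoing transfers in time order and lists the B, C and D accounts to freeze, with their layer. The ledger, account names, the 100 CNY noise floor and the function names are constructed assumptions; the 72‑hour default mirrors the judicial payment freeze window in the table above.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample ledger, not real data: (time, source, destination, amount in CNY).
TRANSFERS = [
    ("2026-03-01 10:00", "victim", "A1", 50000),
    ("2026-03-01 10:05", "A1", "B1", 30000),
    ("2026-03-01 10:06", "A1", "B2", 19500),
    ("2026-03-01 10:20", "B1", "C1", 29800),
    ("2026-03-01 11:00", "B2", "C1", 19000),
    ("2026-03-01 11:30", "C1", "D1", 48000),
    ("2026-02-27 09:00", "B1", "X9", 12000),  # predates the fraud: not followed
    ("2026-03-06 09:00", "C1", "Z3", 700),    # outside the 72 h window
    ("2026-03-01 12:00", "B2", "S1", 40),     # below the noise floor
]


def freeze_candidates(transfers, a_card, received_at, window_hours=72, min_amount=100):
    """Forward-trace funds from a reported A-card.

    received_at is when the victim's money reached the A-card.
    Returns {account: (layer, first_tainted_time)}; layer 1 is the A-card.
    """
    start = datetime.strptime(received_at, FMT)
    deadline = start + timedelta(hours=window_hours)
    tainted = {a_card: (1, start)}
    # Chronological order guarantees a source was already tainted
    # at the moment one of its outgoing transfers is followed.
    for ts, src, dst, amount in sorted(transfers, key=lambda t: datetime.strptime(t[0], FMT)):
        when = datetime.strptime(ts, FMT)
        if not (start <= when <= deadline) or amount < min_amount:
            continue
        if src in tainted and dst not in tainted:
            tainted[dst] = (tainted[src][0] + 1, when)
    return tainted


def freeze_order(tainted):
    """Accounts sorted by layer, then first taint time: the order to push freezes."""
    return [acct for acct, _ in sorted(tainted.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    result = freeze_candidates(TRANSFERS, "A1", "2026-03-01 10:00")
    for acct in freeze_order(result):
        layer, when = result[acct]
        print(f"layer {layer}  {acct}  first tainted {when:{FMT}}")
```

Raising `window_hours` widens the trace to later transfers, at the cost of pulling in more unrelated activity on busy accounts.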
🔚 Conclusion
The March 2026 “Material Classification 24.0” manual confirms a mature criminal economy where fraud proceeds are treated as predictable financial instruments. Criminals know exact freeze windows, police database errors, and the value of long‑term investment scams (up to 6 months safe operation). The same infrastructure fuels human trafficking in India, massive losses in the US, and challenges China’s anti‑fraud apparatus. Disrupting USDT conversion, fixing judicial timers, and cross‑border coordination are the highest‑leverage interventions.
📌 Report basis: Internal criminal documents (沙僧@sha857, channel @kanbtv, updated 2026-03-15). Compiled for threat intelligence, AML, and cybercrime investigation.