▸涉恐涉爆资金shèkǒng shèbào zījīnTerror / explosives fundsCritical
Funds tied to terrorism or anti-government activity (恐怖主义资金,反政府资金). The single most dangerous category to touch.
The whole document hides in plain sight behind a cooking-and-trucking metaphor. Tap any term to read what it actually means.
Two axes run through the whole sheet. Toxicity (the badges below) is how dangerous a material is — i.e., how quickly law enforcement is expected to act. Settlement is the deal the crew offers the operator — effectively a warranty. The hidden logic: the more obviously a victim was robbed, the faster a case opens, the higher the toxicity, and the shorter/pricier the settlement.
The vertical axis sorts the crimes that generate the dirty money, from the radioactive "red" tier the ecosystem refuses, down through everyday consumer fraud, to gambling and Ponzi funds that look almost like legitimate commerce.
Funds tied to terrorism or anti-government activity (恐怖主义资金,反政府资金). The single most dangerous category to touch.
Proceeds of black-market arms dealing (黑市军火交易款).
Drug-trafficking proceeds (毒品交易款).
Ransom money (绑架款).
Impersonating an authority and defrauding the victim under the pretext that they are implicated in a criminal case — the canonical "you are under investigation, transfer funds to clear yourself" scam.
Impersonating a leader or boss — the "猜猜我是谁?" ("guess who I am?") scam that exploits hierarchy and deference.
Posing as the boss and ordering the finance department to wire money for fake "project payments / goods / deposits" (工程款 / 货款 / 保证金) — business-email-compromise, essentially.
Also an authority-impersonation play: use the police/prosecutor pretext to harvest the victim's credentials, then drain the card directly.
Obtaining payment information by card cloning, phishing sites, or fake mobile base stations (复制卡 / 钓鱼网站 / 伪基站) and using it for unauthorised charges.
The same authority-impersonation playbook aimed at overseas Chinese — e.g. Chinese students abroad — rather than domestic targets.
Using AI to clone a voice or face for impersonation. Tellingly, the grade follows the social-engineering target, not the tool: impersonating authority figures is classed as "three-black"; impersonating friends or family is classed as the lower 报备料 / 大混+.
A procurement fraud: a merchant is induced to scan-and-pay a mule under a fake purchasing pretext, often by impersonating an organisation. Toxicity rated higher than big-mix.
Impersonating other officials — maternal-child health centre, medical-insurance bureau, economic-management bureau. If the pitch starts invoking "case involvement," it escalates to full three-black.
SMS or other messages claiming a consumer loan (e.g. a "monthly-pay" account) is overdue, guiding the victim to transfer; later rounds take smaller amounts with a persistent script. This is the newest addition to the v24.0 update.
Luring children with free in-game items, then coercing them with threats — e.g. "we'll have your parents arrested" — into transferring money. The presence of a routine product category for defrauding minors is one of the clearest markers of how industrialised and morally inverted this ecosystem is.
Posing as a teacher, doctor, the child, or a relative. Short maintenance period; toxicity roughly equal to big-mix.
Posing as a friend asking for help paying for flight tickets.
Selling fake concert/event tickets on social apps.
Collecting fake training fees, posing as a school to take tuition, or charging for "processing" a driver's licence. Longer maintenance period.
Fraud built around games and in-game economies.
Posing as a celebrity's lawyer, agent, or staff to defraud fans.
Defrauding RMB under the pretext of currency exchange; usually larger sums.
All refund-pretext scams — P2P refunds, online-shopping refunds, ticket refunds — grouped here.
Anything tied to credit, loans, credit cards, online lending, or credit-score "repair."
Sits "between big-mix and regular." A fake tipster ("god of stock-picks") lures the victim with small early rebates, then takes the cut. Settlement: 入算.
Luring a victim into a nude video chat, harvesting their contact list, then extorting them with the threat of exposure.
Using a sexual or "part-time job" lure to funnel victims into 刷单 — fake "order-brushing" tasks that demand ever-larger deposits for promised commissions.
All sexual-traffic lures. The doc notes there is "no real prostitution-dispatch anymore" — what is marketed as such is just porn-traffic converted into task-brushing.
Variants of the porn-traffic-to-task funnel. The "aphrodisiac" version adds a banned-substance pretext that requires a "packaging purchase" before the victim is routed to task-brushing. The doc estimates ~99% of "hookup" offers are really task-conversion scams, and that the sexual-lure market is roughly 80% hookup / 20% aphrodisiac framing.
A "we'll run your cross-border online store for you" scam. The e-commerce site belongs to the operator, and order/logistics timing is used to delay the victim's realisation that they are being robbed. Carries features of both "regular" and "intensive-chat" schemes. Settlement: 保时 / 入算.
The classic pig-butchering (杀猪盘). After the victim's first deposit, every later round is engineered loss; a fake "mentor" leads the trades (导师带单) while the team coordinates the "cut." *Low toxicity early; becomes a major case at collapse. Settlement: 保时(保当天),also 入算.
An investment-fraud structure sitting between "big-region" and short-cycle Ponzi; leans toward the capital-pool model. Settlement: 保时(保当天/保三).
Posing as a stock margin-lending service. Settlement: 保时(保3/7/15/30天).
Betting on football scorelines packaged as an "investment" — as long as a given scoreline doesn't occur, the victim "earns" a payout. Settlement: 保时(保3/7/15/30天).
A capital-pool (Ponzi) scheme on a 30–45 day cycle — same model as the long version but with a shorter product window. Settlement: 保时(保3/7/15/30天).
A 3–6 month+ "capital-pool" scheme using a "principal-protected wealth product" as the hook. Early paper profits flow to the victim; the "final knife" (尾刀) cleans out the pool at the end. Settlement: 保时(保3/7/15/30天).
Described as "legitimate-format gambling platforms," and treated as the most stable / cleanest business in the catalogue — its funds most resemble ordinary commerce. Settlement windows stretch all the way to 永久 ("permanent"): 保时(保24/3/7/15/30/永久).
This is where "as a service" becomes undeniable. Laundering crews don't merely move money; they sell risk-bearing products with named warranty terms. Toxicity (input risk) maps directly onto the settlement offered — exactly the way an insurer or a payments processor prices risk.
The crew takes the money in and credits it almost immediately; the operator's exposure ends quickly. Used for lower-toxicity material.
Payout is held back. Applied to higher-toxicity material (and mandatory for the red tier), because the funds are likely to draw a freeze.
The crew guarantees the funds for a defined window — same-day, 3 / 7 / 15 / 30 days, up to "permanent." Functionally a warranty: if the cleaned funds are caught by a freeze inside the guaranteed window, the crew bears the loss. High-toxicity material gets short windows; gambling funds get long or permanent ones.
The earlier tiers describe the source of funds ("base material"). This section grades what happens after the first hop — the "unloading methods." In AML terms this is layering: inserting account-hops and intermediaries to break the traceable trail. The crucial — and sophisticated — point the document itself stresses is that more hops ≠ safer; insulation depends on the base material's toxicity and the route.
Victim → A-card → your B-card. The money cashed out is "second-pass." The doc's blunt verdict: no filtering effect — definitely goes judicial. One hop is no protection.
A-card → third-party electronic account → B-card → C-card. The insulation "depends on the third-party in the middle."
Chains routed through virtual / electronic / transit accounts (虚拟户 / 电子户 / 中转户). Insulation "depends on the isolation of the intermediate accounts." ABC is simply one hop shorter than ABCD.
Funds routed through a corporate online-banking bulk-payout function. Insulation "random"; the crews say they manage it by limiting which base material they accept.
Routed through POS-machine processing or a payment company's reserve-fund pool (备付金资金池) before reaching a settlement card. Rated as better insulation; the money-house typically resells the proceeds as clean funds.
Using a second victim as a "bridge" who withdraws cash and re-deposits it, breaking the digital trail. In version A the bridge person is also defrauded; in version B they are not, and the cash is deposited into a guarantee-time "foreign-trade card."
This block is the labour market: an industrialised division of labour where each role is priced by its 利润方式 ("profit method"). Read together, it describes a two-sided market — predicate-crime shops on one side, a specialised laundering supply chain on the other — that mirrors legitimate fintech with unnerving precision.
The hands-on workers — card-verification, "security," executing transfers on the material-provider's instructions. Profit: basis-points (点位) on volume, exactly like a payment processor's take rate. This is the role that the trafficked, coerced labour in scam compounds is forced into.
An operation crew that also supplies its own mule cards; the material-provider hands over second-pass cards to be unloaded. Profit: operation basis-points.
Describes itself as a "channel company" (通道公司). It interfaces with operators and returns USDT at an agreed exchange rate. Profit: the margin after all-stage costs at the agreed FX rate. The self-conception as financial infrastructure is the heart of the "as a service" model.
The conversion-and-exit layer. They receive RMB relayed from first-pass cards (the "承兑卡" handling already-filtered or guarantee-time material) and pay out USDT or local foreign currency at an equivalent rate, keeping the FX spread.
A first-pass card whose unloading method is a POS machine; once funds reach the settlement card they are accepted out. Both RMB and USDT exits are possible.
The actual cardholder running points — known in the trade as a "head" (人头). Witting. Profit to the recruiter: the spread between the price the crew pays for the card and what is paid to the head.
A cardholder deceived into surrendering their account under the guise of "loan processing," "building transaction history," or part-time work. Simultaneously a launderer (legally exposed) and a victim.
Cardholders tricked using a fake "national poverty-relief disbursement" pretext. The doc dryly notes the model "used to scam money, now scams cards."
The operator launders by having the victim buy goods or send cash via courier, delivery, or self-delivery to the crew. Profit: FX margin minus the unloading cost.
Ingesting funds through platform features — "command red-packets" or pulling victims into groups on workplace apps. Profit: FX margin minus cost.
Receiving funds via commodity-company or corporate accounts and routing them into a gold exchange. Profit: FX margin minus cost.
Cards supplied by overseas money-houses that buy RMB — sourced from people doing currency exchange or from foreigners paying into China. This is the cross-border bridge that closes the loop back to USDT. Profit depends on card-acquisition cost and the FX achieved.
A long block of the original ("天眼 / 司法 / 风控") is the ecosystem's folk-knowledge about police, courts and bank controls. Its presence is the analytically important part: a service economy doesn't just execute transactions — it sells the surrounding knowledge. The specifics below are the operators' own claims, paraphrased and not endorsed; treat them as unreliable.
It characterises payment-stops (止付) as short, reversible holds (claimed ~3-day / 72-hour default that auto-releases if not renewed); judicial freezes (冻结) as a longer measure (claimed ~6-month default, with a ceiling it puts around two years); and it distinguishes a "protective stop" (where the bank believes you are the victim) from a "suspicion-investigation stop." It separately treats bank-level controls — "non-counter" restrictions (非柜) and risk-control (风控) — as something distinct from a court action. Finally, it disparages a particular lookup/tracking tool ("天眼"), claiming its case-category and card-tier classifications are frequently wrong and its timestamps unreliable.
Why it matters: timing-and-detection knowledge is itself a product. Bundling it with the risk-grading and the warranties is what turns bespoke crime into a packaged, priced service.
Almost every category in this Chinese-language taxonomy has a direct, named counterpart in India — and the two ecosystems increasingly share infrastructure: the same Southeast Asian scam compounds, the same USDT exit ramps, and in many cases the same Chinese operators at the top. India's own Cyber Crime Coordination Centre (I4C) has even used the exact phrase "money laundering as a service" to describe the mule-account payment gateways behind it.
| Ecosystem term | What it is | Indian counterpart | Indicative data |
|---|---|---|---|
| 三黑 / 公检法 Authority impersonation |
Posing as police/court; "you're implicated in a case, transfer to clear yourself." | "Digital arrest" scams — fraudsters posing as CBI, ED, customs or police coerce victims over video calls into "verification" transfers. | ~6% of cases, ~9% of losses (2025). |
| 精聊 / 资金盘 Romance + Ponzi |
Pig-butchering; fake mentor-led "investment," engineered losses, capital-pool rug-pull. | Investment / trading-app fraud — fake platforms (e.g. apps probed by the ED such as OctaFX-style and CoinDCX-routed schemes); romance-to-investment funnels. | ~35% of cases but ~76% of all money lost — the single biggest threat. |
| 裸聊 / 色敲 Sextortion |
Nude-chat lure → contact-list harvest → extortion. | Sextortion — among the most common offences by volume. | ~19% of cases (2025). |
| 催收料 / 小贷 Fake loans/debt |
Bogus overdue-loan and credit "repair" scripts. | Predatory loan-apps & loan-recovery harassment — a major RBI/consumer-protection concern. | Widespread; drives a large slice of NCRP complaints. |
| 几道料 Layering passes |
Inserting account-hops/intermediaries to break the trail. | Multi-layered mule networks — state agencies describe tracing money "through seven layers" from Indian accounts to USDT. | Gujarat CCoE & others, 2025–26. |
| 卡U / 钱庄 USDT exit / money-house |
Converting cleaned funds to USDT; underground clearing. | USDT as the exit ramp — rupees converted to Tether and routed to wallets run by Chinese handlers (India→China, India→Pakistan, via Cambodia/Dubai). "Water houses" = the same 钱庄. | ED: ₹12,000cr+ laundered via mule accounts, shell firms & crypto. |
| 人头 / 贷款 / 扶贫卡 Mule cards (witting & tricked) |
Rented or deceptively-obtained accounts; "illegal payment gateways." | Mule accounts & "mule herders" — accounts taken "for a trading business," then surfacing in fraud; remotely controlled from overseas. I4C's own term: money laundering as a service. | 24.67 lakh mule accounts flagged; statewide arrests of mule herders. |
| 操作车队 Operation labour |
The coerced workforce running the scams. | "Cyber slavery" — Indians lured by fake jobs and trafficked into Myanmar (KK Park, Golden Triangle) and Cambodia compounds, forced to scam. | 2,400+ rescued from Myanmar; 520+ from Cambodia (2023–26). |
| 红料 Gravest-crime proceeds |
Terror/arms/drug financing — the forbidden tier. | Terror-linked crypto flows — state agencies have flagged dark-web crypto networks with terror links. | Gujarat CCoE disclosures, 2026. |
Indian enforcement maps onto these activities through several statutes working together: the Prevention of Money Laundering Act (PMLA), 2002 — under which the ED attaches "proceeds of crime," including USDT and crypto wallets; the Bharatiya Nyaya Sanhita (BNS), 2023 — cheating, forgery and organised-crime provisions that replaced the old IPC; and the Information Technology Act, 2000 — notably §66C (identity theft) and §66D (cheating by personation using a computer resource).
Operationally, the response runs through the I4C, the National Cyber Crime Reporting Portal (NCRP) / 1930 helpline and the CFCFRMS, which enable rapid "golden-hour" freezing of funds, a shared registry of suspect identifiers and mule accounts with banks, and coordination with Interpol and Southeast Asian governments on the physical scam compounds.
The biggest divergence is the rails. The Chinese taxonomy is built around card-based "running points," POS and bank-enterprise bulk payouts, because those are the dominant domestic channels. India's equivalent layering rides heavily on UPI and instant bank transfers plus the mule-account economy, which is why India's defensive playbook centres on real-time transaction blocking and bank-shared suspect registries — and why officials credit that intervention with containing losses even as case volumes rise. The exit ramp (USDT) and the upstream operators (largely Chinese syndicates in Southeast Asia) are, by contrast, almost identical across both worlds.
Put together, the document describes a two-sided market. On the demand side: a portfolio of predicate-crime shops generating dirty RMB. On the supply side: a laundering industry that has unbundled the value chain into discrete, separately-priced services — risk-grading (the 料性 taxonomy), warranties (入算 / 拖算 / 保时), layering (几道料), FX conversion (卡U / 承兑), multiple off-ramps, and a mule supply chain built partly on its own fresh victims and coerced labour. The two sides transact in a shared, standardised vocabulary — which is the function this very glossary serves. A common ontology is what lets an anonymous operator and an anonymous crew agree, in one line of chat, on exactly what is being moved, how risky it is, and what it costs. That standardisation — not any single technique — is the defining feature of "as a service."
For detection and policy the most useful reading is structural: toxicity-grading tells you which flows draw fast freezes; the layering taxonomy maps onto where in a payment graph traceability breaks (third-party reserve pools, corporate bulk-payout, commodity exchanges, the USDT exit); and the mule typology — especially the loan-card and poverty-relief-card victims, and the trafficked compound workers — shows that the people holding the dirty accounts and placing the calls are frequently exploited civilians, not the principals. That matters for investigation, for prosecution, and for how the harm is understood.