The Chinese-language artificial intelligence app Haotian is so effective that it’s made millions of dollars selling its face-swapping technology on Telegram. The service integrates easily with messaging platforms like WhatsApp and WeChat and claims that users can tweak up to 50 settings—including the ability to adjust things like cheekbone size and eye position—to help mimic the face they are impersonating. But while Haotian is a robust and versatile platform, researchers and WIRED’s own analysis have found that the service has been marketing to so-called “pig butchering” scammers and those running online fraud operations in Southeast Asia.
Scammers have used Haotian and other deepfake tools to more easily substantiate their deceptions by allowing victims to “videochat” with the character they believe they have been talking to as part of an investment opportunity, friendship, or even romantic relationship. Analysis by the cryptocurrency tracing firm Elliptic of four cryptocurrency wallets linked to Haotian shows the company has received at least $3.9 million in payments in recent years, including money from cryptocurrency wallets linked to alleged criminal activity, including fraud. Additionally, almost half of its payments had ties to a scam marketplace sanctioned by the US government, Elliptic says.
Hieu Minh Ngo, a reformed criminal hacker turned cybercrime investigator at the Vietnamese scam-fighting nonprofit ChongLuaDao, says that Haotian, which emerged around 2021, was “one of the first of its kind and very popular.” Ngo has conducted extensive research into Haotian and its operations. “Its results are nearly perfect,” he says. “And they are getting better and better every day. If you check in the crypto wallet, you will see the money coming in every single day.”
Haotian is just one part of the wider tech ecosystem that has emerged around Southeast Asia’s booming cybercrime industry and forced labor scam compounds. And as face swapping and other video deepfake tools have become more widely available, they have increasingly been incorporated into scamming and other types of cybercrime around the world. In the last two years, officials working for the United Nations Office on Drugs and Crime have identified more than 10 face-swapping tools potentially being used by cybercriminals in Southeast Asia, including for cryptocurrency scams and police officer impersonation.
Haotian has a website for its face-swapping tool, but it primarily promotes its desktop app via a public Telegram channel, which launched in October 2023 according to Ngo’s research. Through this channel, which now has more than 20,000 subscribers, the company markets new versions of the app, gives development updates, and offers technical support. While marketing software through Telegram isn’t inherently nefarious, researchers say that Haotian’s customer base has increasingly skewed toward scammers who already seek out information about an array of gray market services on the messaging app.
Telegram declined to comment. However, after WIRED got in touch with the company, the main public Haotian Telegram channel and some associated accounts became inaccessible or appeared to have been deleted. Telegram did not return a request for comment on whether the company took these accounts down.
Haotian is a Cambodia-based company that says it is headquartered in Phnom Penh and advertises on-site installation services and support in the region. UN researchers highlighted this “same-day on-site installation” service with a screenshot in their 2024 report that shows Haotian’s logo on a phone screen at a possible scam site.
The company’s marketing materials on both its website and Telegram frequently reference the tool’s utility for what could be potentially shady activity. One post on Telegram says the technology can help to create an “elite, authentic persona” that the “client completely believes.” (Scammers often refer to people that are being scammed as customers or clients). Another message highlighted by researchers said: “The chat lacks authenticity? No Trust? Use Haotian AI face-changing software to make a video call to solve all your troubles. After all, how could such a beautiful girl lie?”
Research published in March by the security firm Tehtris tracked various domain names that appear to have been linked to Haotian in recent years, including the current site “haotian.ai,” and past addresses “haotianai.com” and “haotianai.us.” Meanwhile, Ngo’s research found that Haotian’s website has openly referred to social engineering techniques. On both Telegram and its own website, Haotian’s discussion of social engineering frequently uses the phrase “精聊” or “jingliao” that literally means “deep chat” or “spiritual chat.” In practice, though, the phrase refers to social engineering and particularly connotes “pig butchering” scams.
When WIRED reached out to a Haotian Telegram account in English with questions about the service, it responded in Chinese saying it could not communicate in English and that it does not “accept” interviews. “Our target customers are entertainment streamers or live salers,” the Haotian account said in Chinese. “We only provide face-swapping software for live streaming and do not allow our products to be used for illegal activities.” In some of its materials, the company notes, according to translations by WIRED, that it places limitations on creating deepfake pornography.
Haotian told WIRED that it would terminate accounts if it found they were being used for fraud and said it is “not true” that it advertises to scam centers. The account speculated that if such marketing exists, it is “most likely” from accounts impersonating Haotian. When asked about language on haotian.ai that appears to market to scammers, the Haotian Telegram account said that the company does not have a website. After WIRED sent the account a screenshot of the current Haotian website and a link to an archived version, the Haotian Telegram account deleted the entire conversation.
There are a few ways to use Haotian’s desktop software. Gary Warner, director of intelligence at the cybersecurity firm DarkTower, says that the most seamless face swaps come from using the company’s pre-programmed faces or inputting a number of photos of a person so the company can build a face model of them. Examples in promotional videos include Elon Musk and Leonardo DiCaprio, but users could also provide materials so the system can generate their own face or someone else’s. The less source material Haotian has to work with, the less compelling the results will be. Regardless, users can tweak their face-swapped appearance using granular tools to hone various facial attributes. The video output, according to researchers and the company’s promotional videos, can be streamed to video calls on WhatsApp, Line, Telegram, Facebook, Viber, Zoom, WeChat, and other platforms.
Additionally, Haotian advertises voice impersonation features and an AI support chatbot in an associated Telegram channel. Posts in the company’s Telegram channel say its technology supports “cloning anyone’s voice for real-time calls or voice messages” and changing a voice from sounding male to sounding female or the reverse.
Security advocates and authorities around the world have increasingly warned about the threat of cybercriminals using face-swapping tools as part of scams. One concrete measure people can take to help detect potential fraud is to require that the person they are video chatting with waves their hands in front of their face to check for glitches or distortions that could indicate a deepfake. Haotian claims in posts, though, that it has added improvements so the system will work seamlessly if someone touches their face with their hands or waves their hands in front of their face while on video. Posts on Telegram also claim that the service supports blowing kisses, blinking, licking lips, or the subject turning or shaking their head.
While a version of its software can be downloaded from the Haotian website, the firm has primarily sold its software using subscriptions. A previous version of Haotian’s website said a “fully functional” version of its software could cost $4,980 per year, while cheaper packages were also available.
Days after Haotian launched its Telegram channel in October 2023, Ngo’s research says, the company also set up a Telegram account linked to Huione Guarantee, which is sometimes known as Haowang Guarantee. The online marketplace, linked to the Cambodian company Huione Group, provided a deposit and escrow service over Telegram, facilitating the sale of many of the tools needed for scamming, including the sale of victim data, deepfake services, electrified GPS-tracking shackles used in human trafficking, and more. In January, before Huione Guarantee was shut down and then sanctioned by the US government for helping facilitate scams, researchers estimated that the platform had facilitated more than $24 billion in gray market transactions.
Huione Guarantee was Haotian’s payment processor and escrow service as well. Evidence of the relationship has been visible for years in Telegram channels related to both companies where customers are completing payments. Chat logs reviewed by WIRED as well as findings from multiple researchers reinforce this link.
Tom Robinson, cofounder and chief scientist at the cryptocurrency tracing firm Elliptic, says cryptocurrency wallets used by Haotian have received 3,558 payments totalling $3.9 million in recent years. $1.2 million of that was between Haotian and Huione entities, with transactions between them ending on November 7. The service uses the stablecoin Tether, also known as USDT. There have been more than 3,007 payments in excess of $100, Robinson says, and the biggest incoming transaction to Haotian has been for $14,890, he says, with a “large number” of transactions around $500.
Some cryptocurrency wallets paying Haotian have been linked to potential criminal activity, according to Robinson’s research. “Proceeds of at least 52 known fraud instances had ended up at these wallets,” he says, adding that accounts linked to the fraud incidents were flagged by Elliptic’s partners. “That’s exactly what you’d expect if this is a platform that’s used by fraudsters—that they’d be paying for it from the proceeds of fraud that they’ve committed.”
While Haotian regularly releases new features and improves the quality of its deepfakes, it is, of course, only one of many possible tools that scammers could use as part of their operations. The broader scam economy also relies on the trade of stolen data, fake social media accounts, and websites used to scam people, in addition to the vast array of digital tools that make up the fraud tech stack.
Andrew Fierman, the head of national security intelligence at cryptocurrency tracing firm Chainalysis, says that Haotian’s operations broadly seem similar to those of other companies that operated on the sanctioned Huione Guarantee platform—tech entities that often processed a few hundred thousand dollars or a few million. The amounts are small compared with the scale of the Southeast Asian scam economy overall, but Fierman says that these incremental transactions to tech sellers help prop up the illicit ecosystem overall.
“A few thousand dollars goes a long way,” he says. “We’re not talking about technology that’s costing a hundred thousand dollars to get a pig butchering scam up and running. A buyer is likely not only buying AI voice and facial recognition software, they’re looking to get data and to build websites and do the other aspects of the scam tech ecosystem.”
The post The Ultra-Realistic AI Face Swapping Platform Driving Romance Scams appeared first on Wired.
