Haotian: A Deepfake AI Tool Fueling Southeast Asian Cybercrime Through Scamming Networks
Overview of Haotian’s Face-Swapping Technology
The Chinese-language artificial intelligence (AI) app Haotian has gained notoriety for its advanced face-swapping technology, which it markets and sells primarily through Telegram, generating millions of dollars in revenue. The service integrates seamlessly with messaging platforms including WhatsApp, WeChat, and Telegram, offering users granular control over up to 50 facial attributes (e.g., cheekbone size, eye position) to mimic the appearance of targeted individuals. Despite its technical robustness and versatility, Haotian has been identified as a tool increasingly exploited by cybercriminals, particularly in Southeast Asia’s booming “pig butchering” scam networks and cryptocurrency fraud operations.
Targeting Scammers and Fraudulent Use Cases
Scammers leverage Haotian to create convincing deepfake personas for “pig butchering” scams, a predatory tactic where victims are lured into romantic or investment relationships via fake identities. By enabling real-time video chats with fabricated “characters,” fraudsters exploit Haotian’s ability to replicate facial features and voice, enhancing the illusion of authenticity. Haotian is among at least 10 face-swapping tools that the UN Office on Drugs and Crime (UNODC) has identified in its reports as being used for cryptocurrency scams and police impersonation in Southeast Asia.
Financial Trails and Cryptocurrency Links
Cryptocurrency tracing firm Elliptic analyzed four wallets linked to Haotian, revealing the company has received at least $3.9 million in payments since 2021. Of this, $1.2 million flowed through accounts associated with Huione Guarantee, a Cambodia-based escrow service sanctioned by the U.S. in 2024 for facilitating gray-market cybercrime, including human trafficking and fraud. The majority of transactions use Tether (USDT), with over 3,007 payments exceeding $100, including multiple transactions of approximately $500. Elliptic also found that proceeds from 52 known fraud incidents were routed to Haotian-linked wallets, confirming its use by criminal networks.
Marketing and Operational Channels
Haotian operates primarily through a public Telegram channel (launched in October 2023) with over 20,000 subscribers, where it promotes new app versions, technical updates, and support. The service’s website (haotian.ai) and marketing materials reference “social engineering” techniques, particularly the Chinese term “jingliao” (“deep chat”), which specifically denotes “pig butchering” scams. Despite its Cambodia-based headquarters, Haotian advertises “same-day on-site installation” services, a detail flagged by UN researchers in their 2024 report, which noted Haotian’s logo on a suspected scam compound’s device.
Technical Capabilities and Integration
Haotian’s desktop app offers customizable face and voice models, allowing users to upload photos to build detailed personae. It supports real-time voice impersonation (male-to-female or vice versa) and AI chatbot integration, with output compatible with platforms like Zoom, Viber, and WeChat. The service’s granular controls enable users to tweak facial features (e.g., jawline, lip shape) and add dynamic elements like blinking, lip licking, or head movement, designed to evade detection. Pricing is subscription-based, with a “fully functional” annual license costing up to $4,980.
Company Responses and Regulatory Scrutiny
Haotian denies targeting scammers, claiming its “target customers are entertainment streamers or live salers” and that it “does not accept interviews.” However, its Telegram channel and website explicitly market tools for social engineering and deep chat, contradicting these claims. When WIRED inquired, the Haotian Telegram account deleted the conversation after receiving evidence of its website’s scam-focused materials. Meanwhile, Telegram declined to comment on account removals linked to Haotian’s marketing channels.
Broader Cybercrime Context and Security Challenges
Haotian is part of Southeast Asia’s sprawling cybercrime ecosystem, which includes scam compounds, forced labor networks, and cryptocurrency fraud rings. UNODC data shows face-swapping tools like Haotian have become critical for cybercriminals to bypass security checks, while Haotian’s voice and facial realism further erode trust in digital interactions. Security experts advise verifying video call authenticity by checking for glitches (e.g., unnatural hand movements), though Haotian claims to minimize such telltale signs.
Conclusion
Haotian’s technical sophistication underscores the evolving threat of deepfakes in cybercrime, particularly in Southeast Asia. While the company markets its tools for legitimate purposes, its financial and operational ties to scamming networks highlight the urgent need for regulatory and technical safeguards to counter this growing risk.