Tracing a $61,000 crypto scam from Sweden to Cambodia’s Huione network

A 39-year-old lab assistant, a Libyan-born father of two with permanent residency in Sweden, had little investment experience.

What he thought was an opportunity to improve his family’s financial security instead led him into what experts called one of the world’s central fraud transaction networks, the Huione hot-wallet ecosystem, part of the wider Huione Group.

The devastating moment came in the spring of 2024, when Aimen Ali Sewe discovered he had lost nearly everything while trying to secure a better future for his family. “I realized that I had been scammed,” the hospital worker recalled.

Huione — which listed Hun To, a cousin of Cambodian Prime Minister Hun Manet, as a founding shareholder — has faced criminal allegations for years. The U.S. Treasury has alleged it served as a “critical node” in laundering the proceeds of transnational scam operations, receiving at least $4 billion in illicit proceeds between 2021 and 2025. The company has in turn issued at least one statement denying responsibility for a small number of bad actors using its services.

The scam did not start at Huione. It was perpetrated by scammers masquerading as a Singaporean financial academy. But experts tracked the flow of money through a web of cryptocurrency transfers and into Huione’s “infrastructure,” which could have been used to cash out.

Now, Aimen Ali Sewe is fighting to recover his stolen funds of nearly $62,000. Or, if that isn’t possible, he wants to at least play a role in bringing to account those responsible for the ongoing global scam scourge.

The scam

In early 2024, a woman who described herself as an experienced trader introduced Aimen Ali Sewe to sgxaex.com — a site now blocked by Google that appeared to impersonate the Singapore Exchange Academy. Over weeks of regular conversation and guidance, she built his trust.

“What made me trust the platform was the way everything appeared professional,” he said of the fraudulent SGXA website. “The trading interface appeared legitimate” and his initial small withdrawal went through without a hitch.

Between April 17 and June 13, 2024, he transferred a total of 61,817 USDT from his Binance account to a wallet address connected to SGXA.

USDT is what’s known as a “stablecoin” — cryptocurrency that’s valued roughly the same as U.S. dollars for predictable trading. Other coins, such as Bitcoin, fluctuate wildly. Binance, a currency exchange, was the service that let Aimen Ali Sewe convert real money into crypto.

In late May, he attempted a larger withdrawal from SGXA. He was told he first needed to pay additional “fees and taxes.” That was the moment his suspicions crystallized.

By early June 2024, communications from the platform grew inconsistent, then silent. He understood; he had fallen into a “pig-butchering” scam.

The digital trail

Online scams have exploded in recent years, ensnaring victims across the world. Some estimates put losses at hundreds of billions of dollars a year.

The classic method has been pig-butchering, where victims are lured into friendly — and often romantic — online relationships, and gradually fattened up with deposits into investment schemes that show apparently increasing wealth, until the day the victims are butchered.

Many scammers have operated from vast compounds newly built in countries such as Cambodia and Myanmar, importing workers who speak foreign languages. Many of these foreign workers have been trafficked under false pretenses, and violently forced to work.

From June 2024 on, Aimen Ali Sewe documented everything and filed reports with a long list of authorities: the Swedish police; the FBI’s Internet Crime Complaint Center, known as IC3; the U.K. police’s Action Fraud call center; the Financial Industry Regulatory Authority, an American self-regulatory body; the U.S. Securities and Exchange Commission; the U.S. Commodity Futures Trading Commission; the Singapore police; and the Monetary Authority of Singapore.

“Unfortunately, none of these reports have resulted in the recovery of my stolen funds,” he said. Most agencies acknowledged his complaint and took his information but with no results.

So he turned to Sicher Height, a blockchain forensics firm owned by German investigator Joe LeFever. The firm investigated Aimen Ali Sewe’s USDT accounts, and sent him two reports, which he has shared with Mekong Independent.

Joe LeFever tracked Aimen Ali Sewe’s money across the Tron blockchain, one brand of the coded ledgers that record time, date and anonymized addresses of cryptocurrency transactions. Analyzing transactions on the blockchain revealed that Aimen Ali Sewe’s cryptocurrency mixed with other receipts and passed through several wallets in the SGXA scam network before feeding a primary address that investigators labeled the “TUZ wallet,” based on its 34-letter crypto ID.

That wallet, in turn, sent “almost a million dollars” directly to Huione’s services, Joe LeFever said in an interview.

Stage 1: the pass-through. Joe LeFever found that Aimen Ali Sewe’s 61,817 USDT first landed in a wallet that served purely as a pass-through. It received funds from his Binance account and immediately forwarded the full amount to another wallet that investigators called the SGXA consolidation address.

“The pass-through wallet’s balance is now effectively zero,” the report notes.

Stage 1: Aimen Ali Sewe exchanged money for USDT at Binance, and transferred it to what he believed was an investment. But it was merely a passthrough account for SGXA scammers, according to the Sicher Height investigation. (Mekong Independent/Creative Commons)

Stage 2: the SGXA consolidation address. The SGXA consolidation account received funds from more than 600 wallets and resent them in neat batches to a small handful of accounts.

Investigators honed in on three transfers of 50,000 USDT within nine minutes on June 8, 2024.

Those transfers went to three different accounts. None of the three intermediaries made or received other transfers for at least 20 days. Then they all transferred 50,000 USDT to the TUZ wallet.

“The re-consolidation pattern — funds originating from a single scam operation dispersing to multiple intermediary wallets before re-converging — is a hallmark of layering in money laundering. The same beneficial controller almost certainly operates both,” the report says.

Stage 2: One of three SGXA consolidation wallets collected money from many accounts before funneling it mostly to the TUZ wallet. The use of intermediaries that split up then reconsolidated transfers suggests laundering and ‘almost certainly’ shows the two ends were controlled by the same people, Sicher Height says. (Mekong Independent/Creative Commons)

Stage 3: the path to Huione. Created in February 2024, the TUZ wallet has logged more than 6,000 transactions and, according to public blockchain records, was still active as recently as March 9, 2026.

Among those 6,000 transactions, the TUZ wallet received funds from and made direct transfers to Huione accounts — almost $1 million worth, Joe LeFever said. This placed it “firmly within or closely nested within Huione’s financial infrastructure,” the investigation says.

This connection could be used by SGXA scammers to cash out. The TUZ wallet is “likely operating as a service-layer wallet used by the SGXA scam operators to access Huione’s liquidity and cash-out infrastructure,” the report says.

Stage 3: The TUZ wallet sent almost $1 million to Huione services, among outgoing transfers to other accounts, and could be how scammers cashed out their stolen crypto. (Mekong Independent/Creative Commons)

Unmasking identities

As part of the investigation, Joe LeFever identified three wallets as being part of the SGXA scam. Indirectly through the TUZ wallet and other paths, they sent more than $120,000 to Huione accounts, the report says.

Transfers between cryptocurrency wallets are publicly recorded, but the accounts are anonymous.

Opportunities for tying wallets to real people come at licensed exchanges. For example, if a scam victim wants to send crypto for an investment, he must first buy it with real money. Aimen Ali Sewe used Binance, a company that originated in China and has since been used by crypto traders and businesses worldwide. U.S. President Donald Trump pardoned its convicted founder last year, and it has supported his family’s crypto venture. If a scammer wants to cash out their crypto into legal currency, they must similarly use an exchange.

Such exchanges are typically required to follow “Know Your Customer” laws as part of the licensed financial system, and verify the identities of customers.

Joe LeFever’s analysis revealed SGXA was receiving significant inflows from the licensed financial system, likely from scam victims handing over their money. Regulated exchanges contributed 47% of total USDT inflows to SGXA, amounting to more than $5.9 million USDT. These companies include Binance as well as BingX, Kraken and OKX.

But the TUZ wallet also sent out money to accounts at regulated “Western exchanges.” Joe LeFever pinpointed three transfers of victim-linked funds from the TUZ wallet to a Binance account.

“A formal request for the KYC identity behind this deposit address is recommended as the highest-priority action,” the report says, noting that Binance has previously responded to formal legal process requests. The account is unlikely to belong to the SGXA scammers themselves, but could help identify their network.

Aimen Ali Sewe contacted Binance, but it directed him to local law enforcement. He also tried contacting a Huione customer service chatbot but made no progress.

Joe LeFever said it was unlikely that funds could be recovered unless Cambodian authorities led the action.

The transfers happened while Huione entities were already under active international regulatory scrutiny. During a video interview, Joe LeFever pulled up the TUZ wallet’s transaction history.

“It’s professional. The scammers have a pretty sophisticated web of addresses. The criminals are somewhat professional people,” he said.

Half of his own clients, he found, had money that ended up in a Huione crypto wallet. “Mostly Americans with some EU nationalities like Swedes.”

Law enforcement officials stand next to an armored truck close to the entrance of the National Bank of Cambodia during a protest of Huione Pay and H-Pay customers in Phnom Penh on April 27, 2026. (Mech Dara/Mekong Independent/Creative Commons)
Law enforcement officials stand next to an armored truck close to the entrance of the National Bank of Cambodia during a protest of Huione Pay and H-Pay customers in Phnom Penh on April 27, 2026. (Mech Dara/Mekong Independent/Creative Commons)

The rise and fall of Huione

Last month, hundreds of Huione and H-Pay customers, most of them Chinese and Cambodian, gathered outside the Chinese Embassy in Phnom Penh. They held Chinese flags, photographs of Prime Minister Hun Manet as a plea for him to intervene, and posters demanding the return of their money.

It was the latest in a series of protests, and not the most violent. An earlier gathering had turned bloody when district security guards, the so-called “third hand” of former leader Hun Sen’s administration, beat the protesters with sticks; two Chinese nationals were seriously injured, with head wounds and bleeding outside the National Bank building.

Two Cambodian customers were arrested and charged for leading an illegal protest, for wanting their savings back.

For them, Huione was just an app they had used to receive money and pay people — in spite of the growing noise over the past two years that it served as a keystone for the booming criminal scam industry.

In July 2024, blockchain analytics firm Elliptic published research describing illicit activities on Huione Guarantee, linking it to Huione companies and Cambodian tycoon Hun To. Hun To, the prime minister’s cousin, has publicly acknowledged having been a 30% shareholder of Huione Pay, but denied current involvement in the company’s management or operations.

The National Bank of Cambodia conducted an inspection of Huione Pay, and in September 2024 revoked its license. But the company continued operating until December 2025 at its former headquarters located only about 1 kilometer from the NBC’s Financial Intelligence Unit. H-Pay launched in the same building on March 6, 2025, which customers saw as a rebranding.

In May 2025, the U.S. Financial Crimes Enforcement Network identified Huione as a primary money-laundering concern. The same month, blockchain intelligence firm TRM Labs alleged Huione Group was the “main financial backbone behind Telegram-based scams operating in Cambodia and across Southeast Asia.” It estimated that wallets linked to Huione had received more than $81 billion in cryptocurrency since 2021 and would reach $93 billion in 2025. It described Huione’s “sprawling ecosystem” as a “central financial conduit” for cybercrimes, and warned of Huione having re-emerged on Telegram despite U.S. actions against it.

In October,​ the U.S. Treasury cut off Huione Group from the U.S. financial system over money laundering concerns.

In March this year, H-Pay’s license was also revoked by the NBC. Both Huione Pay and H-Pay have been liquidated, with Huione’s liquidators paying out $1.2 million in total to 62,000 customers. But protests have continued. In April, the NBC told aggrieved customers that it was unlikely to intervene, and directed them to the court.

What’s left

The Singapore and Swedish police also connected Aimen Ali Sewe’s stolen funds to “Huione Pay in Cambodia,” the scam victim said.

But because the money had moved through multiple private wallets, they were unable to recover it and told him they had exhausted all available investigative leads.

The Swedish police advised him to contact Cambodian law enforcement authorities directly, as the funds were now outside their jurisdiction.

“I felt frustrated but not surprised,” Aimen Ali Sewe said. He had come to understand that the operation was organized and used deliberate money-laundering mechanisms, “not a simple scam but part of a larger network.”

He took the advice and contacted Chhay Bunrummanith, a senior officer at the Cambodian anti-cybercrime police. He provided information but nothing progressed.

Neither Chhay Bunrummanith nor Chea Pov, director of the anti-cybercrime department of the Interior Ministry, have responded to questions from Mekong Independent.

Jan Santiago, head of community mobilization at the Digital Defenders Group, which advocates for victims of financial crimes, said it was very rare for victims to recover stolen funds.

Court procedures were challenging, and even when governments seized stolen assets they rarely returned to victims.

“Little to none gets back to a victim, who is usually unaware,” he said, pointing to U.S. government seizures as the biggest of many worldwide examples.

But that was not to say that nothing had worked and everything had already been tried, Jan Santiago said. “We are working for the recovery of scammed and frozen funds for every victim.”

Aimen Ali Sewe has pursued his lost funds for two years, believing it was important to try to hold those responsible accountable.

“I remain realistic,” he said. He understood that the chances of recovering the funds were low, but he still had some hope that identifying the individuals involved could lead to action.

“Even if recovery is difficult, I feel it is necessary to continue for justice and to potentially help prevent others from becoming victims.”

This chart shows USDT transfers linked to the five orange wallets. They are the key wallets identified in Sicher Height’s investigation into the scam against Aimen Ali Sewe. The Binance, Okex and Kucoin wallets were named by the Tronscan website, which is the source of the transfer data, while five wallets are marked ‘Huione’ based on previous investigations that have been published online, and are not independently verified. (Mekong Independent/Creative Commons)

This article is published as Creative Commons.