Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches

In recent weeks, we have identified a growing awareness on Chinese security blogs and mainstream media, to the existence of the Darknet, and the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group, and was one of two major data breaches that occurred simultaneously in China, raising awareness to this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. Continue reading “Growing Awareness of the Darknet in China Following Huge Domestic Database Breaches”

Cyber in Chinatown – Asian Hacktivists Act against Government Corruption

Social networks are well-known tools used by activists to mobilize the masses. As witnessed during the Arab Spring and in recent incidents in Hong Kong, government opposition groups can organize dissatisfied citizens by means of a massive campaign. More closed countries, such as North Korea or China try to limit access by their citizens to international social networks such as Twitter or Facebook. We have noticed an increasing tendency toward anti-government campaigns in Asian countries and the cyber arena plays an important role in this process. We have identified this kind of activity in China, Malaysia, Taiwan, Japan and North Korea. Local cyber hacktivist groups are calling for people to unite against infringements on freedom by violating privacy rights. Hacktivists are organizing anti-government groups and events on popular social media platforms and are posting tutorials on how to circumvent the blocking of certain websites and forums in countries where such Internet activity is forbidden. Furthermore, the groups are posting provocative materials and anti-government appeals in local Asian languages, alongside to English. Thus, we can see an attempt to recruit support from non-state activists for a national struggle.

Anonymous Japan and Anonymous North Korea Facebook Posts
Anonymous Japan and Anonymous North Korea Facebook Posts

These groups are eager to reach a large number of supporters, and not only for political and psychological purposes. Together with publishing tutorials for “safe browsing” in the Internet for large masses of people the groups translate popular cyber tools for mass attacks and they disseminate instructional manuals translated into local languages on how to use these tools.

Popular DDoS Tool in Japanese
Popular DDoS Tool in Japanese

One example of exactly such an organization is Anonymous Japan – an anti-government hacking group. The group develops and uses DDoS tools and is also involved in spam activity. Furthermore, members of the group develop their own tools and publish them on Facebook for wider audiences.

#OpJapan Attack Program
#OpJapan Attack Program

Amongst the large-scale campaigns launched by this organization, you can find #OpLeakageJp – an operation tracking radiation pollution in Japan.

TweetStorm post against the Nuclear Regulatory Commission in Japan
TweetStorm post against the Nuclear Regulatory Commission in Japan

In addition to internal struggles, hacktivist groups are operating against targets in the area. One such example is operations by hacktivism groups personifying themselves with North Korean insignia and targeting sources in South Korea. Examples of such cyber campaigns are #Opsouthkoreatarget and #OpNorthKorea.

#OpJapan Attack Program
#OpJapan Attack Program

In China, we found an example of the #OpChinaCW campaign. A cyber campaign hosted by Anonymous was launched on November 2, 2014 against Chinese government servers and websites. The campaign was organized on a Facebook event page and was further spread on Twitter.

#OpChinaCW Twitter Post
#OpChinaCW Twitter Post

Hacktivists have also published cyber tools for this campaign. See below an example of a DDoS tool sold on Facebook for only US$10.

DDoS Tool for Sale
DDoS Tool for Sale

As previously mentioned, cyber activity in the Asia region is directed not only against enemy states, but also against the “internal enemy” – the government. Hacktivism groups not only organize such campaigns on underground platforms, but they also make wide use of open popular social networks to recruit supporters. Moreover, they also develop their own cyber tools.

Chinese Hackers Leverage World-Cup Buzz

On May 14th we brought you a report regarding hacktivists threatening to wage cyber attacks against the Brazilian government and FIFA. This time, we are publishing yet another World-Cup-related post, but from a slightly different angle.

China, the world’s most populous country, is also the world’s leader in terms of number of cellphone users. The smartphone revolution did not skip China, and oh boy did it make an impact! Chinese people love their phones. No, Chinese people are obsessed with their phones might be a more precise choice of words.

As you probably know, Chinese cities are not small (quite an understatement!), and commute time has to be killed somehow. That’s why riding the subway in China, except for being overwhelmingly crowded at times, is also just the perfect timing for many passengers to indulge in intensive game-playing! While some prefer to fiercely ride a digital motorcycle, shoot intruding aliens, or grow vegetables in a farm, others have a liking for sports games, perhaps as a compensation for rotting in front of a computer desk all-day-long. The latter will inevitably come across a bundle of World-Cup related game apps available on all application markets.


World-Cup is a buzz-word, no doubt about it, and as such, it attracts not only the gamers’ attention, but the hackers’ as well, and the Chinese hackers know their onions, all right. They leverage the buzz and try to con unwary mobile users into downloading and installing infected apps. The hackers use the “repacking” method – they download a legit and innocent game app, plant a malicious code within it, and upload it once again to the app market, or to a forum. The compromised app looks just the same – it has the same icon, its name is almost identical, and the user has virtually no way of noticing any abnormality after having it installed.

Actually, this is not the first time we see this method being practiced – Chinese hackers use just the same mischief whenever a national holiday is being celebrated, a major event (be it national or international) takes place, or just when some application garners a lot of popularity.

There is a famous story in China about a farmer in the Spring and Autumn Period (approx. 771 to 476 BC) who was working in the fields, when a rabbit was running by and suddenly dashed into a tree stump. The joyful farmer brought the dead rabbit home and cooked it for dinner exclaiming that there is no need for him to work any longer, as he can simply sit by that stump and wait for more rabbits to knock dead into it. This story gave birth to the idiom 守株待兔(literally “to watch the stump and wait for rabbits”) meaning “to trust chance and luck rather than go working”. The Chinese hackers who use this “repacking” method are just modern lazy farmers, patiently awaiting unlucky mobile-users to fall prey to their hands.

Even though this post is China-focused, it is important for you to bear in mind that this “repacking” method can be easily implemented anywhere. We urge you to download applications only from official sites and app-markets, and to install an antivirus on your mobile device.

Don’t be a rabbit!

And with all that being said, we wish safe-gaming to all World-Cup enthusiasts, and good luck to all participating countries!

This Little Rhino Went to the (Underground) Market…

Illegal Trade in Ivory

The Internet is the world’s largest marketplace. Anything can be bought and sold, and with Internet access available in almost every corner of the earth, many people trade and profit from this wonderful platform. What most people do not realize is that you can buy or sell just about anything online. Sure, there are some obscure memorabilia which can be bought on eBay or its Chinese equivalents, but for more hardcore items, like contraband goods, you have to delve deeper into the web  to understand the scope of the trade.

One such  item is rhino horn. This illustrious item, made of keratin (the same type of protein that makes up hair and fingernails) is surreptitiously sought after for ornamental or traditional medicinal purposes in East Asia, specifically Vietnam and China. The rhino horns are removed from slaughtered animals all over Africa, taken to central warehouses and distribution centers and then shipped to the East, toward southeast Asia.

This trade is an ancient one and certainly precedes the Internet, but what is conspicuous today is that the Internet has become an essential virtual marketplace, where distributors, buyers and sellers communicate and trade. One platform where this  is taking place is Baidu Space (百度空间) – a popular online social networking service provided by China’s Internet giant Baidu, which also runs the country’s most popular search engine. There are many active users trade in rhino horns on this platform.

One such user is “zt04010623”. Not much is known about this individual, other than the fact that he is a married male university graduate in his 30’s, living in the Beijing metropolitan area. Messages on zt04010623’s “wall” in his Baidu Space account reveal his extensive engagement in the trade – most address ivory, ivory products and rhinoceros horns. Below are some samples:

A user named ssssssdddddwww asked: “Is it true that you buy ivory carvings? Where?”

A user named SUNTORY19895 wrote: “I’m a bit confused regarding how much I should ask for my ivory necklace. Can you take a look and give me a rough estimate?” 20 days later zt04010623 answered: “Yes, I can. Send it to me and I’ll have a look.”

A user named wwlleon9 asked: “Hello, can you get ivory from abroad?” On June 1, zt04010623 answered: “Ha ha, add my QQ number XXXX (Instant messaging service, popular in China).

A user named “Dark Blue Qinqin (深蓝的钦钦) wrote: “Hello brother, I have two ivory bracelets that my father’s friend brought from Equatorial Guinea when I was little. I have had them for about 15 years now. I heard that you buy, right? I wanted to ask how much? Please let me know. Thanks.”

A user by the name “Private Ivory Art (个体牙艺)13” wrote: “If you need ivory carvings, please contact me.” On January 18, zt04010623 sent his QQ number in response.

A picture of ivory taken from “Private Ivory Art’s” profile
A picture of ivory taken from “Private Ivory Art’s” profile

zt04010623 also shared his photo albums:




In addition to his activity on Baidu Space, zt04010623 is also active on Baidu Knows (百度知道), an extremely popular Web service provided by Baidu where users can raise questions and/or answer them.

Since opening an account in Baidu Space, zt04010623 has already participated in 193 conversations and supplied 212 answers, most of which are related to ivory, ivory products and rhino horns. His intensive participation in these conversations has undoubtedly boosted his reputation as an ivory expert, and therefore many people approach him directly on his personal space with inquiries.

zt04010623 pays particular attention to the following keywords on Baidu Knows: ivory, rhino horns and ivory carvings. For instance, when a user asked: “Where can one buy genuine ivory in Tanggu district?” The next day, zt04010623 answered: “I have a friend who can help you. Please contact me.”

Some parts of the discussions clearly illustrate the illegal nature of the trade, such as a discussion where a user asked: “In which countries does the customs office not forbid importing ivory from countries that manufacture ivory?” zt040100623 answered: “Ha ha, I reckon you should have asked in which county are customs most loose. Go for small countries with unstable regimes, over there, customs exist in name only. Just give them some money and you can pass.”

As this individual shows, this kind of trade blossoms on the Internet, which has made communication between suppliers, sellers/distributors and customers so much easier, and the perceived anonymity of the web allows this illegal trade to take place interrupted, leading to large profits for all involved (all but the poor rhinos, now on the verge of extinction).