The truth about the Chinese Dark web: Chinese threat actors on the Dark net

Jun 29, 2018

The truth about the Chinese Dark web is a series uncovering the findings we have made in the course of monitoring Chinese dark activity. There are lots of preconceptions surrounding Chinese threat actors, often involving industrial espionage, cyber-warfare and the so-called cyber dragon. However, we have built up a slightly different picture.

In our previous posts we have been talking about the Chinese dark activity that takes place in clear view on the visible web, in particular on the American codesharing site Github. Today we are delving into the more classic setting of Chinese cybercrime, the dark net, which remains as relevant as ever. 

If there’s one thing this blog series has taught us, it’s that you need to think further afield than the Dark net when it comes to monitoring Chinese dark activity. However, that doesn’t mean you can forget about it entirely. Although many Chinese threat actors are choosing to “hide in the crowd” of the Clear web, there are many who are just as readily looking towards the shadows of anonymity provided by the Dark net in order to carry out criminal activity undetected.

Dark forums trading illicit goods 

While conducting our research on the Dark net, we found several forums which, although not numerous in quantity, comprised large communities. These forums boasted an average of 50,000 users, individually ranging from 1,000 users right up to 450,000 users. Each group contained messages numbering anywhere between 6,000 and 28,000. While many were trading the usual goods expected on the Dark net - hitman services, organ sales and pedopornographic content - others also offered items such as fake money, fake identification, and stolen credit card details. 


Patriotic hackers 

In Mandarin, when it comes to hackers there is a distinction between a classic hacker “heike” (literally black visitor) and a patriotic hacker “hongke” (literally red visitor). While the former are guided by standard hacker motivations, the latter are guided by a more geopolitical impulse. We discovered a group of hackers who appeared to be part of the “hongke” camp, claiming to have hacked the Vietnam Airlines’ flight database in August 2016, as a reaction to the South China Sea incidents. 


Another group makes reference in its own name to a third type of hacker, “lanke” (literally blue visitor), which implies connections to the Chinese army. Although their website gives the impression of having ceased operations in 2011, their active domain name and MX server would suggest otherwise. When we cross-checked this organization against our own records, we extracted an SQL file called “蓝客” (literally “lanke”) found on Pastebin, which revealed a leak of more than 30,000 Chinese credentials, downloadable on the Baidu cloud platform Xiaobaipan.

Why does it matter? 

We have shown in our previous posts that we need to understand dark activity as operating beyond the traditional scope of the Dark net. However, our research on the Chinese web has also unearthed several examples of criminal activity taking place within a traditional Dark net setting. This activity clearly poses a risk to the information security of brands, often through stolen credentials being traded online. Although we advocate a diversified approach in mitigating dark threats, it is clear that the Dark net is ignored at a company’s own peril, no less so when it comes to Chinese dark activity.

We hope you enjoyed our series on “The truth about the Chinese dark web”. Don’t forget to check out the other posts which have already been published in the series.

The truth about the Chinese Dark web: hiding in the crowd on the Clear web

The truth about the Chinese Dark web: dark activity on Github