The truth about the Chinese Dark web: hiding in the crowd on the Clear web

Jun 21, 2018

The Information Security community is coming to realise that classic external malevolence is only part of the overall risk picture, which also includes the negligence of internal actors and third parties. This does not mean that external threat actors can be disregarded - cyber crime is as much of a threat to businesses as ever - it means that they have to be addressed as one component of a broader cybersecurity strategy.

Nowhere is the persistence of malevolent activity more evident than in the workings of Chinese dark actors, whom we have been following for some time in the course of monitoring the Dark web for our clients. There are many preconceptions about Chinese threat actors, usually involving industrial espionage, cyber-warfare and the so-called cyber-dragon. The picture we have built up is somewhat different.

This series of blog posts will explore the Chinese Dark web: the settings in which Chinese dark activity takes place, the kinds of actors lurking there, and the deeds they undertake. This first post focuses on Chinese dark actors on the Clear web.

We have already mentioned that there are a lot of illusions surrounding Chinese dark activity, and one of them is the assumption that most of it takes place on the Dark net. China is a huge country: 1.4 billion inhabitants, of whom some 750 million use the internet. You might expect its share of Dark net traffic to be similarly large. Yet according to the per-country user statistics published by the Tor Project, Tor usage originating from China is sparse compared with that of the US or Russia. Bear in mind that Tor is blocked by the Great Firewall, so Chinese users have to reach it through bridges or VPNs, and some of them will be counted under other countries; even allowing for that, the numbers are low.

And it is not for lack of hackers, because China has more than its fair share of those. Nor are these hackers only spying on American industrial or military activity: they are also trading data, conducting illegal transactions, consuming pornography and attempting to break into systems.

China's activity on the Dark net is proportionately low because much of the country's dark activity takes place on the Clear web instead.

Chinese threat actors on the Clear web 

In the course of monitoring Chinese dark activity, we have come across numerous Chinese threat actors operating on the Clear web. Many of the sites they run closely resemble Dark net sites, the difference being that they are reachable with a standard browser and no Tor client. Most of the sites highlighted here can even be found through Baidu, the Chinese equivalent of Google. Others can be found via Freebuff, which the author likens to the Chinese version of the article-sharing site Reddit.

Over half of the sites we investigated existed to share information useful for planning attacks - intelligence that is equally valuable to those whose job it is to defend company networks.

We found websites distributing tools for dumping credentials from Linux systems, and the same sites serve as a ready marketplace for selling the credentials stolen with them.

We also found a forum with more than 250,000 members offering hacking tips, notably for mobile devices. Another source taught users how to break into QQ Mail accounts, QQ Mail being the Chinese counterpart of Gmail.

Finally, we found a site on which users publish various forms of illegal content, including footage lifted from cameras belonging to young girls.

Dark activity on the Clear web: a contradiction in terms?

At first sight, dark activity on the Clear web looks like a contradiction in terms. Why would anyone carry out dark activity without the anonymity the Dark net affords?

Part of the answer is that the Chinese internet remains hard to police despite the Great Firewall, simply because of the volume of traffic it carries. Chinese threat actors appear to reckon that a crowd offers as much cover as an anonymity network does. The other part is reach: the Clear web is far more heavily frequented, which means a larger audience of buyers, customers and recruits. The Clear web is therefore an efficient and advantageous setting for these actors, at the cost of leaving their sites indexable by anyone, defenders included.

Why does it matter? 

Our definition of a data leak is not limited to information exposed through malevolence. We are equally interested in leaks caused by negligence, which in our experience account for the majority of highly critical leaks. Nevertheless, as long as dark activity remains a source of leaks - and it most certainly does - malevolence deserves a place in every company's digital risk strategy.

Our findings on Chinese dark activity show that it is becoming more complex, in this instance to the point of bleeding into the Clear web. Companies cannot afford to ignore the workings of malevolent threat actors, and monitoring that stops at Tor hidden services will miss a large part of what is going on; monitoring strategies have to adapt as the threat landscape shifts.

What other surprises have we found in the Chinese dark scene? We will continue the series, The truth about the Chinese Dark web, over the next few weeks. Follow the rest of the series to find out more.