Illegal Activities Endure on China’s Dark Web Despite Strict Internet Control

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

This report analyzes the structure of internet sources used by Chinese-speaking threat actors to facilitate cybercriminal activities, specifically Chinese-language dark web sources, clearnet hacking forums and blogs, instant messaging platforms, and well-established criminal sources. This report aims to provide a general understanding of the Chinese-speaking cybercriminal landscape and the threat it presents under the context of its distinct cultural, political, and legal characteristics. Findings in this report include results from the Recorded Future Platform® and dark web and open sources.

Executive Summary

Chinese-language dark web sources are predominantly driven by financially motivated cybercriminals operating on marketplaces. Due to the government’s low tolerance of cybercrime and frequent crackdowns, maintaining good operational security and anonymity is essential for these cybercriminals. Although there is a wide variety of offerings in the Chinese-language dark web marketplaces, they are generally dominated by leaked data and virtual goods, which are easy to buy and sell while remaining anonymous. For the same reason, Bitcoin is the dominant currency on these marketplaces, and the marketplaces are generally integrated with messaging platforms, particularly Telegram. Due to constant law enforcement actions, lower-tier marketplaces commonly shut down and reopen; some of the more experienced threat actors are possibly migrating to international, well-established dark web sources to conduct business. The Chinese-speaking cybercriminal underground will almost certainly find ways to survive and thrive despite government crackdowns, however.

Key Judgments

• Due to frequent government crackdowns on cybercrime, offerings on the Chinese-language dark web marketplaces are dictated by the preservation of anonymity. As a result, virtual goods such as compromised data and tutorials are the most popular products as they can be delivered anonymously online. Due to the need for delivery to physical addresses, physical goods such as weapons and drugs, widely offered in other cybercrime ecosystems, are less common in China.
• Unlike Russia and other cybercriminal ecosystems where domestic entities are not targeted, the offerings on the Chinese-language dark web marketplaces are dominated by domestic offerings. Advertised items can range from exfiltrated data from China-based financial conglomerates to gambling and loan applications (apps). This could be due to the large domestic attack surface and the relative ease of access without the need to get around the Great Firewall of China.
• Compared to mature cybercriminal ecosystems such as those in Russia, the Chinese-language underground lacks a hierarchical structure. Highly collaborative and structured ransomware affiliate programs or infostealer malware-as-a-service (MaaS) programs are absent. In addition, the general lack of trust between cybercriminals as well as between cybercriminals and marketplace operators further prohibits such collaboration. For this reason, cybercrime know-how is often monetized and passed along through tutorials instead of personal working partnerships.
• China-based threat actors with foreign language skills, hacking skills, and access to exfiltrated data are migrating toward established international cybercrime forums as well as messaging platforms due to concerns over privacy and fraud on domestic platforms and to gain greater access to the global cybercrime market.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.