This report examines cybercrimes perpetrated by Chinese-speaking threat actors in countries neighboring China over the last year. In particular, it pertains to the theft and sale of personally identifiable information (PII), cross-border gambling and money laundering, e-commerce and online romance scams, and possible advanced persistent threat (APT) actors engaging in cybercrime. This report, which used the Recorded Future® Platform, the dark web, and open sources, will be of interest to researchers of cybercrime and the region’s geopolitics.

Executive Summary

As China continues to tighten its control of the internet and crackdown on cybercrime by using methods such as internet cleanup campaigns, the banning of cross-border gambling, the tightening of anti-money laundering laws, increased pornography censorship, and the banning of cryptocurrency trading, cybercrime has been driven to many of its neighboring countries where such laws and regulations are more limited and there is less government surveillance. Furthermore, economic hardship due to a slowing economy and extremely strict COVID-19 lockdowns have forced more people to engage in scams and cybercrime to pay their bills, including traveling across borders to engage in criminality.

Given the geographical proximity, language and cultural similarities, and lack of laws and regulations, some border regions such as the Wa State of Myanmar have become fertile grounds for Chinese cybercrime. Sophisticated cybercrime syndicates have developed online romance scams through social engineering for the purposes of stealing cryptocurrency and blackmailing victims. In addition, many neighboring countries have long been targets of Chinese APT groups. Armed with technical skills and attack infrastructure, some of these APT actors take up cybercrime to supplement their regular income, and some of the obtained data and access that appear to be APT exploits are advertised on Chinese-language dark web marketplaces.

Key Findings

• Because PII data is easily monetized and can be used as a vector for other forms of cybercrime, some Chinese threat actors continue to collect, harvest, and trade compromised PII data from neighboring countries in East, South, and Southeast Asia.
• Government crackdowns on gambling and money laundering in China have pushed such activities to countries in Southeast Asia, including the Philippines, Cambodia, Vietnam, Malaysia, and Myanmar, due to their lack of related laws and enforcement. Gambling activities in these countries are usually associated with other types of criminality, specifically human trafficking, kidnapping, extortion, forced labor, prostitution, and other crimes. Unsanctioned online gambling websites are also advertised on both social media and dating platforms to lure victims into gambling and then stealing their money.
• Sophisticated cryptocurrency-stealing scams originating in China, which use social engineering tactics to lure victims from dating applications (apps) to fraudulent cryptocurrency trading platforms, are spreading from Asia to the West.
• There is growing evidence that Chinese APT threat actors, such as APT41, are engaging in financially motivated cybercrime such as cryptocurrency theft. Data and access likely obtained by APT exploits have also appeared on Chinese-language dark web marketplaces and are being monetized.

Threat Analysis

This report is based on a year-long investigation — from May 2021 to May 2022 — of a number of Chinese-speaking threat actors offering to sell compromised PII, corporate records, and other stolen items on Chinese-language dark web marketplaces. The results of that investigation, along with analysis of Recorded Future’s data sets and knowledge of crime-related activities being conducted by Chinese-speaking threat actors, revealed the most common types of cybercrime conducted by Chinese-speaking cybercriminals, both on the dark web and publicly accessible sites, specifically in countries neighboring China:

• The theft and sale of PII data, which is frequently sold on Chinese-language dark web marketplaces and can be used as a vector to carry out many other forms of cybercrime
• Illegal gambling: legal gambling that is pushed out to some neighboring countries due to its ban in China, is often tied to money laundering, and can also lead to human trafficking, kidnapping, extortion, forced labor, prostitution, and other crimes
• E-commerce scams originating in China that use a variety of tactics to acquire customer payment data
• Increasingly sophisticated online romance scams affecting victims beyond Asia

The report also presents evidence of connections between Chinese APT and cybercriminal activities in neighboring countries based on both industry reporting and data from the Recorded Future Platform.

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.