Fellows Feature: How Hacktivists in China Are Using Data Leaks for Dissent
A look at the grassroots, up
Welcome to our OCPL Fellows Feature series, brought to you by our current cohort of talented researchers. These pieces explore key challenges at the intersection of U.S.-China and global emerging technology competition.
BLUF:
Massive leaks of information stored in government-owned databases have become increasingly common in China throughout the 2020s.
Chinese hacktivists likely executed some of these leaks to call attention to the scope and pervasiveness of state surveillance.
Hackers in China have previously been prevented from organizing into groups and from carrying out both nationalist and apolitical hacking. It is plausible that such hackers would have little to lose by pivoting to hacking as a form of dissent.
Introduction
What comes to mind when you think about data protection? Perhaps the right to privacy or cybersecurity, but almost certainly not “streaking.” However, Chinese netizens commonly use this term (裸奔, luǒbēn) to describe the sense of embarrassment an individual feels when their personal data has been unintentionally exposed. The use (and censorship) of this phrase has only increased as large-scale data leaks have risen dramatically in China throughout the 2020s.
When these data leaks occur, commentary is quickly taken down to prevent Chinese internet users from uncovering the scope of state surveillance practices. That’s partly because retrospective analysis of these incidents often reveals that they resulted directly from Chinese government bodies’ lax data management practices. These incidents have proved shameful for party leaders; while not directly acknowledging these leaks, high-ranking officials like the late Li Keqiang call for heightened “information security” standards in their aftermath.
What’s causing such a dramatic increase in these mass data leaks? Rather than directly petition the state or another authority to seek redress, a growing number of Chinese netizens are turning to hacktivism as an accessible channel for political expression. Hacking – and exposing these databases and their contents – serves as a way for Chinese citizens to share their frustrations with the party-state and reclaim some degree of political independence.
Patriotic Hacktivists / The “Honkers”
To understand the dissident hacktivists of the 2020s, we must first contextualize their emergence within the history of hacking in China. Hacktivism in China began in 1997, only three years after the country gained permanent, stable Internet access. The first generation of hacktivists organized themselves into large collectives headed by high-profile leaders – among them Lin “Lion” Yong, Gong “Goodwell” Yu, and Wan “Eagle” Tao. Rather than critique the state, many of these hacktivist groups were formed with the explicit goal of shielding China from cyberattacks or retaliating against actions perceived as damaging China’s reputation.
Patriotic hacktivists thrived from the late 1990s through the early 2010s. They were commonly referred to as “honkers” (红客, hóngkè), a play on the Chinese translation of “hacker.” The first character – “hong” – means red, representing the nationalist motivations of these hackers.
Early “honkers” thus focused their efforts on bolstering China’s reputation in the wake of tense international incidents. Hacktivists took action to protest anti-Chinese riots in Indonesia; statements from Taiwanese president Lee Teng-hui calling for the island nation to be treated as a country; the US-led NATO bombing of the Chinese embassy in Belgrade; the collision of an American reconnaissance plane with a Chinese fighter jet; and Japan’s efforts to assert control over disputed islands. While these hacktivist groups successfully recruited tens of thousands of participants to take part in their campaigns, the hacks they carried out were not particularly technically complex. They defaced websites or temporarily pulled them offline through distributed denial-of-service (DDoS) attacks. DDoS attacks occur when hackers attempt to take down or seriously weaken a website’s performance by overwhelming it with traffic from multiple sources.
Hacking was one of the few forms of uncensored political expression available to Chinese netizens in the late 1990s and early 2000s. Wan Tao, one of the most prominent hackers of this generation, explicitly stated in interviews that patriotic hacking against other nations “was the only acceptable way to be angry in China.” However, the party-state could not tolerate allowing large groups of Chinese citizens to organize for collective action. Over the following decade, nationalist hacktivist groups were gradually disbanded. Many of these hackers came to work for information technology firms that maintained close ties to the People’s Liberation Army, the Ministry of State Security, and the Ministry of Public Security.
As former hacktivists became embedded in China’s state security apparatus, China’s leadership likely thought that it had successfully defused the destabilizing threat posed by independent, autonomously organized hackers. However, they failed to understand or address the underlying function of hacktivism to its participants. As alternative channels for free expression were foreclosed, activist hacking offered – and continues to provide – China’s technologically skilled citizens with a rare, safe channel for expressing anger, frustration, and a desire for political change.
Narrowing Opportunities for Self-Expression / The “White Hats”
After suppressing the former hacktivist groups, China’s government continued throughout the 2010s to restrict the remaining hackers’ participation in online forums and international competitions. These spaces once served as apolitical hubs where “white hat” hackers could congregate, build community, and refine their craft. Rather than use hardware or software vulnerabilities for personal gain or criminal activity, white hat hackers often develop exploits with the intent of strengthening a product or service’s overall security. Over time, it appears that China’s government also came to see these independent hackers as a threat to state security.
China’s premier white hat hacking website, Wuyun (乌云), was active between 2010 and 2016. Wuyun connected white hat hackers in China with businesses so that they could directly report the weaknesses they uncovered. The site suddenly became inaccessible in the early morning of July 20, 2016, with a single message promising that the service would soon return; Wuyun has never been reactivated. Subsequent media reports offered competing theories for the platform’s sudden closure, alleging that it had been closed either in the wake of a prominent case in which a white hat hacker who used Wuyun was arrested, or in retaliation for other hackers reporting vulnerabilities affecting the United Front Work Department.
Chinese white hat hackers were also carefully kept from developing ties with overseas hackers or businesses. Chinese hackers used to be a dominant force in international white hat hacking competitions, earning hundreds of thousands of dollars per year in prize money. But in 2017, a top executive at prominent cybersecurity firm Qihoo 360 unexpectedly accused participants in these competitions of jeopardizing China’s national security by sharing exploits they discovered with other countries. Within a year the Chinese government no longer allowed its nationals to take part in international hacking tournaments. Instead, Chinese hackers were encouraged to participate in a new competition, the Tianfu Cup, sponsored by cybersecurity firms with close ties to the state. Prize-winning iPhone exploits developed in the inaugural Tianfu Cup were almost immediately deployed to surveil Uyghurs, prompting a response directly from Apple.
As both nationalist and apolitical hacking groups were subject to crackdowns, hackers likely realized that they could not attempt to formally, autonomously organize through online or in-person communities regardless of their goals. Given that the crackdown on independent hackers continued regardless of ideological leanings, some Chinese hackers likely felt they had nothing to lose by using their hacking skills as an act of protest.
State-Critical Hacking
Chinese hacktivists have adopted innovative strategies to make their voices heard. They rely on carrying out carefully timed data leaks to call domestic and international attention to discrete, specific issues without attribution. Given China’s lack of data leak reporting obligations, it is impossible to know how many of these incidents occur per year. But it seems likely that some of the most high-profile leaks – like the June 2022 Shanghai police database leak, the August 2022 Shanghai health code leak, an alleged August 2023 leak of Ministry of State Security data, and the February 2024 i-Soon leak – were all carried out by hacktivists within China seeking to call attention to issues they believed merited widespread public awareness. It’s worth examining each in turn.
July 2022 - Shanghai Police Database
The Shanghai police database leak was the first large-scale data leak not explicitly attributed to a whistleblower, like the earlier Zhenhua incident and previous disclosures about the detention of Uyghurs in Xinjiang. A hacker who gained access to the database claimed it contained personal information on one billion Chinese citizens and offered to sell it on online hacking forums for 10 Bitcoin (around $200,000 at the time).
While noting that the leak was an invasive breach of personal privacy for the hundreds of millions of Chinese people who had been confronted with the sheer amount of information collected about them by their government’s mass surveillance apparatus, news reports acknowledged that the leak’s “political harm would probably outweigh” its other consequences.
Analysts further noted that the technical skill required to access the information disclosed in this leak was relatively low. As the database required no authentication to access, any Internet user who knew its IP address could view all information contained within it.
While the database was eventually placed for sale on a hacking forum, the individual who first accessed it did not immediately try to sell the data overseas. They instead offered to sell it back to Shanghai’s police department for a ransom. The initial hacker who gained access to the database may have done this in an attempt to quietly express opposition to state surveillance practices, showing that an ordinary citizen could easily access data held by local government bodies.
August 2022 - Suishenma
One month after the Shanghai police database leak, an app operated by Shanghai’s municipal government, Suishenma (随申码), was also hacked. A hacker offered to sell the information held by the city government on some 48.5 million residents for only $4,000. Suishenma had originally been developed during the COVID-19 pandemic to assist with contact tracing efforts and prevent the disease’s spread; afterwards, it had become a touchpoint for accessing city services and was necessary for using public transit. The hacker went by the name “XJP,” a nod to Xi Jinping. The public disclosure of the leak led to criticism of Shanghai’s government for not encrypting the data it collected.
August 2023 - Alleged Ministry of State Security leak
The next leak is very poorly documented; it is recorded in a document maintained by the Center for Strategic and International Studies. The hacker alleged that they had stolen a database from the Ministry of State Security containing personal information about half a billion Chinese citizens and offered to sell it for $235,000. This leak was especially notable because of the hacker’s attempt to emphasize the rarity and importance of the data they had collected. They appeared to be courting foreign intelligence agencies, assuring them of the value they would obtain from the information contained in this leak. Despite this framing, industry reports indicate that the information revealed was non-confidential – listing people’s names, dates of birth, addresses, and contact information.
This leak almost certainly originated from a hacker within China, as hackers working on behalf of a foreign state would have no reason to attempt to peddle non-confidential information they accessed to other countries’ intelligence agencies.
February 2024 - i-Soon / Anxun
To date, the most high-profile leak has been the February 2024 leak of internal communications from Chinese cybersecurity firm Anxun (安洵), also known as i-Soon in English. Roughly “190 megabytes of data” were released, implicating the company in surveillance operations targeting the United Kingdom, Taiwan, India, and Indonesia. The released documents not only described the precise “methods used by Chinese authorities to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media,” but also contained extensive documentation of poor working conditions and complaints from employees about i-Soon’s business practices.
While the leak ended up being a pivotal piece of evidence that was later used to pursue criminal investigations in the United States, its provenance remained unclear. Reporters covering the leak noted that it could have been carried out by many different actors with varied motivations, including the United States and its allies, rival cybersecurity companies, or a disgruntled employee.
Reflection
Although most of these incidents were highly embarrassing to the party-state and appear to have emerged from hacktivists within China, it is not possible to entirely rule out other actors’ involvement in these mass data leaks. It is plausible that the United States and its allies were involved in at least some of the hacks and subsequent data leaks that have occurred. It is also reasonable to suggest that unscrupulous cybercriminals based in China could consider occasionally hacking government databases and ransoming their compatriots’ sensitive personal information as simply another way to make a profit.
Future research could productively build on this initial sketch of hacktivism in China by parsing how frequently cybercriminals and foreign states appear to be involved with large-scale data breaches. It could also probe the motivations expressed by hackers when they publish data leaks online.
However, the actors responsible for the leaks discussed above all maintain a continued focus on exposing poor data handling practices in China. When not censored, their actions have subsequently catalyzed public discussion about data privacy and calls for local government bodies to encrypt Chinese citizens’ sensitive personal information.
In contrast, other hacking groups that have claimed to carry out attacks against China’s government operate with a much different modus operandi from that of the likely hacktivists based in China. For example, a group named “AgainstTheWest” pivoted from hacking Chinese companies to targeting firms in other countries, including Russia and Iran. They expressed outright contempt for Chinese nationals rather than recognizing that those nationals are the people most vulnerable to the Chinese government’s systems of mass surveillance.
Conclusion
The increase in state-critical hacktivism demonstrates that a new generation has returned to hacking to freely share sentiments that would otherwise be unacceptable. Through carefully coordinated leaks, these hacktivists can draw international attention to the scale of China’s surveillance apparatus.
This is particularly important because the amount of personal data the Chinese government stores about its citizens will only grow. China is rapidly adopting devices connected to the Internet of Things (IoT). The IoT refers to the incorporation of sensors, cameras, and software into the tools we interact with daily – from the home to the workplace. China has simultaneously moved to implement smart city initiatives that justify increased urban surveillance with a promise to efficiently govern and administer public services.
As Chinese news outlets boast about their country having “more IoT connections than its total population,” they fail to acknowledge that using these technologies will produce massive amounts of information tracking Chinese nationals’ health, movement, biometric data, and social relationships. The lack of security-by-design principles built into IoT-connected devices and smart cities means that sensitive personal data about Chinese citizens will be ever more vulnerable to both capture by the party-state and non-state cyber-attacks.
As alternative channels for free expression narrow, and an increasing amount of personal information about Chinese citizens is caught in a surveillance dragnet, mass data leaks will only become more common and damaging.