A Glimpse Of The Life Of Chinese Hackers: Heroes And Thieves In The Digital World

摘要: If we were to say the earliest hacker culture was all about the exploration spirit, then in today’s world the hacker culture is indeed declining. The truth is, more hackers are pursuing fame and profit through hacking.

(Chinese Version)

My personal favorite crime solving show Person of Interest ended in this summer and it has got a 9.6 on Douban, a mainstream movie rating site in China.

The main lead Finch in the show is a hacker. The day after 911 he wrote and sold a program named the machine, which can monitor human behavioral pattern and predict terrorist attack, to the U.S. government.

Finch is a behind-the-scene billionaire and a genius with a knack for hacking. His college buddy Ingram has always been his public image as a successful CEO. One day, Ingram found that the machine can not only predict terrorist attack, but also common crime. Everyday, the machine will give our figures and numbers that showcase crimes might take place, which, however, the government neglects since the government focuses more on preventing terrorist attacks from happening.

The government’s inability to prevent and stop these crimes eventually got many people killed, and this fact haunts Ingram. Crimes happen everyday and the machine continues to make predictions on them. Ingram thought about telling public the truth, but Finch thought the other way around and also neglected it, until Ingram was murdered and Finch himself was badly injured and lost control over one of his legs. After that, Finch decided to take the responsibility and do something about it. He teamed up with the depressed former CIA agent Reese to solve crimes predicted by the machine.

Of course, this show is not some kind of simple crime solving series. Dark forces eventually surfaced and they learned the government had built another evil program called Maria. Finch and Reese then started to protect the machine, who also protects them as well.

Hacker stories like that are exciting, right?

But in the real world, that’s not the story at all.

Earlier in May, hundreds of cyber security startups and individuals gathered on a hacker conference with a sole goal, that is get orders or cooperation opportunities from Internet companies like BAT, 360 and JD.com etc.

These people call themselves the white hats. A little known fact to many is that most of these white-hat hackers are not some kind of hacking geniuses. “Some publishers have approached me. They want to launch a book about Chinese hackers with the main storyline based on me,” Huang Shi said, a technical secondary school graduate that studied computer in school

“There is a clear line between white hats and black hats,” Huang Shi explained. Hackers are not all cyber criminals. Traditionally, law-abiding and ethical hackers are called the white hats, patriotic hackers are called the red hats and hackers that violate the law and engage in unethical activities are called the black hats (crackers). Huang Shi hasn't done anything illegal in his career, but he doesn't have first-class skills either. He hasn't done anything big in his hacking life.

During his early years as a hacker, Huang Shi liked to surf hacker forums. Offline security conferences started to emerge in recent years and Huang Shi would pretty much participate every time. Eventually, he became part of the community.

“The hacker culture is dead,” Alibaba’s security director Chen Shuhua stated, showing his dissatisfaction with the so called hacker culture today. “If we were to say the earliest hacker culture was all about the exploration spirit, then in today’s world the hacker culture is indeed declining. The truth is, more hackers are pursuing fame and profit through hacking.”

E-commerce, Internet finance, cloud computing, capital, and information have never been so connected by Internet technologies before, which gives hackers the chance of gaining profits, changing their survival environment.


Heroes return

If you hop on the bus to the Menlo Park, you would see the road sign No.1 Hacker Way, which is where Facebook’s headquarter is.

“When the word hacker was initially used, it contained a good connotation, which sort of means hero.”

In 1961, MIT got its hands on the very first PDP-1 computer. The TMRC (Tech Model Railroad Club) considered it as the most fashionable tech toy at that time while the most talented people called themselves hackers.

In their view point, to be a true hacker, one has to come up with high-level innovation, unique style and excellent techniques. Subsequently, these hackers became core members of the MIT AI Lab. The author of Hackers Steven Levy even calls them the heroes of the computer revolution.

As computers become more common in everyday life, computer viruses also come along. Under these circumstances, hackers are gradually connected with computer crimes. To clear hackers’ name, traditional hackers expressed that only those with high skills and ethics are qualified as hackers while those infiltrate systems without permission illegally are called crackers.

“We have clear rules for recruiting. People who have been a cracker before will never meet our requirement no matter how good of a hacker they are,” Deng Xin, director of Tencent Guanjia said. It’s very hard for crackers to change their path since they can make mad money very easily.

Tencent’s Guanjia, led by Deng Xin, and Keen Lab, led by Chen Liang, won four championships and USD 200 thousand on the Pwn2Own2016.

Pwn is a slang term for hackers, which means compromising device or systems. Pwn2Own is regarded as the World Cup in the hacker world. This year, participating teams were supposed to hack the latest version of Microsoft Edge, Safari, Chrome, and Adobe Flash. Each team has 15 minutes and 3 chances of trial run.

The loophole finding programs were programmed before the competition. However, every time companies would patch their products thoroughly one or two weeks before the competition and eliminated all the vulnerabilities they found recently. If it happened that the loopholes the teams found were then fixed, the teams’ previous efforts would be in vain.

Unfortunately, this scenario happened to Chen Liang’s team as Apple fixed two loopholes of Safari before the competition. To find new breakthroughs, Chen Liang and his team would have to re-check every material and all the information they had prepared before. One teammate even took his bed to the office and spent days and nights working. Their efforts paid off on the third day as they found that calculation error would occur in Apple’s video rendering program when two jags overlap. At that moment, Chen Liang hit the table nonstop out of excitement.

But still, codes needed to be re-written and the fact that it involved video rendering made everything more complicated. Chen Liang was still writing codes on the flight to Vancouver where the completion was held.

Their main rival is the 18-year-old genius Lokihardt from South Korea who compromised IE, Chrome and Safari on the Pwn2Own2015. In recent three years, Lokihardt won every hacker competition in the world.

“However, this time, we have luck on our side,” Chen Liang said. When everybody though Lokihardt was about to succeed, the Windows system suddenly warned that the operation is at risk. The system that Lokihardt tried to compromise in the competition was installed offline and therefore the hacking process included an extra step, that is attack user ID verification, which he didn’t discover since the system he practiced with was installed online.

Competitions are only a small part of Deng Xin and Chen Liang’ work. Most of the time they look for loopholes in systems and report them to developers. Every month they will find ten or twenty loopholes.

In April for instance, Tencent Guanjia, where Deng Xin is at, alerted Adobe Flash about 14 loopholes. “The loophole we found in the competition is very dangerous. If cracker found it, they could have control over your computer if you open the PDF he sent you,” Deng Xin said.

Loophole hunter

“Some people might think being a hacker is a very interesting experience, but that’s not the story at all,” Chen Liang stressed. “To be a hacker, one has to be really patient. Like Wu Shi in our team. He has had only a few business trips in over ten years and seldom goes overseas for traveling. Coding has become his life.”

Wu Shi is a forerunner in the Chinese hacker community. So far he has discovered and reported around 200 security flaws to IE, Safari and Chrome etc.

In 2007, when Wang Qi was in charge of the establishment of MSRC (Microsoft Security Response Center) in China, the headquarter in the U.S. called him up and asked him to look for a person for the fact that the HQ in the U.S. found that a guy named Wu Shi had reported a lot of security flaws in Windows.

But when Wang Qi finally found Wu Shi, he was shocked by Wu Shi’s difficult life. At that time, cyber security experts had a salary of three or four thousand on average. In fact, for a very long time the salary of cyber security experts had been lower than the average of the IT industry.

After graduating from Fudan University with a degree in Mathematics, Wu Shi spent his spare time looking for security flaws in computer systems. In August 2007, he received an email from security platform ZDI from security service provider HP which asked him for detail on a loophole in Microsoft’s system. After Wu Shi replied the email, ZDI again emailed him and told Wu Shi that he could sell vulnerabilities he found to ZDI. At the end of that year, ZDI gave out a reward of 20 thousand dollars to Wu Shi, a platinum reward.

ZDI would pay two or three thousand dollars for every report on vulnerabilities. However, if the platform ran out of fund it would stop purchasing Wu Shi’s reports. On average, Wu Shi sold around ten loopholes to ZDI every year.

Wu Shi would send the loopholes that were not able to sell out to the developers. At first, Google offered hackers a reward of 500 dollars for every report on vulnerabilities, but the company raised the amount to 3000 so as to encourage people to bypass security companies and give the reports directly to them. Apple originally offered no reward at all, but later set the amount at around three thousand as well.

In Wu Shi’s opinion, selling loopholes to the system’s developer is more legitimate than to security companies. However, Chinese companies are not so active in fixing loopholes like foreign companies do.

Subsequently, Wang Qi came up with the idea of establishing an independent security team in China and contacted Wu Shi for that. Wu Shi wasn't interested since people around him were either living a hard life or working in the black industry. “We don’t see the cake right now, but it doesn't change the fact that you have got the skills. We can build our own career first and make some money. At least we don’t have to enter the black industry,” Wang Qi persuaded him. The famous Kenn Team was then founded.

Three years after the establishment, Kenn Team wasn’t doing bad in the market. Every year they would sell loopholes to security platforms or developers and earn an annual income around ten million RMB, which was like 10% of how much black industry workers earned.

Things started to changed in June 2010 when 15 out of the 64 new patches Apple pushed to iPhone users were discovered by Wu Shi. In contrast to that, Apple’s staff only found six vulnerabilities. Forbes then called Wu Shi the loophole hunter for that. This successful battle gained Kenn Team the fame and made them enter the public arena. Tencent then subsequently invested in the team.

The salary surged

In 2010, when Qihu 360, Tencent and Alibaba started to compete for cyber security experts, the salary of these experts was only the average in the IT industry.

The turning point was the Snowden incident, which raised an unprecedented awareness about cyber security. In February 2014, the Central Department of Cyber Security and informatization was established. In the very same year, the TK Hierarch, Yu Yang, the Tombkeeper, left NSFOCUS for Tencent, earning over ten million per year, which marked an essential turning point for the Chinese hacker world.

In September 18th 2001, Nimda was discovered. Yu Yang then set up a honey trap on his computer and caught Nimda the day of the breakout. Yu Yang was the first technician that came out with a report that analyzed Nimda from different angles. After that, Yu Yang began to study security risks in software, hardware and wireless.

In early 2015, Wu Shi’s team officially joined Tencent and founded the Kenn Lab that focuses on the research of cloud computing and mobile client security. The lab is comprised of many core members from the Keen Team.

“The salary suddenly surged,” Qihu 360’s security director Zheng Wenbin said. In late 2006, Zheng Wenbin was invited to Beijing when he was only 19 years old. At that time the cyber security market was still in the early phase.

When you first see Zheng Wenbin, you would probably have the impression that he’s an artist. It’s hard to imagine that a fat guy with slightly curly hair and in T-shirt, shorts and wearing black framed glasses and slippers is one of the most famous cyber security engineers in China. In hackers’ world, he has a well-known code name: MJ0011. The 360Vulcan Team he leads has compromised IE and Chrome for two consecutive years on Pwn2Own.

“Security engineers, the firewall, call us whatever you want. What really matters to us is the work we do,” Zheng Wenbin said. It takes Zheng Wenbin over half an hour to commute from his place to the office. Every morning he arrives at the office at 10 and not knowing when he can get off in the evening. At the office, his work is counterattack viruses, Trojans and loopholes.

The core team is divided into several small teams. Some are in charge of the development of security products, some analyze and deal with the viruses and Trojans, while some patch complex loopholes. Zheng Wenbin is the leader the gives direction.

In 2015, when the 360Vulcan Team won the championship on Pwn2Own, the company required Zheng Wenbin to contribute the computer he used in the competition to be exhibited in the honor hall of the company.

Zheng Wenbin discussed with the team seriously about it, but no one really said anything. “They are all introverts. They like to play in low-key,” Zheng explained, saying that every time he tried to organize a KTV party or an event nobody really showed the intention to join.

There is a hacker bar run by WooYun just near 360. At the door hangs a sign that reads HACKERS INSIDE, BE CAREFUL. However, Zheng Wenbin has only been to that bar once and only because WooYun invited him.

“I am already the most extroverted person here,” Zheng said. Even so, many colleagues still got to know them more or less. Co-workers from other department would ask them: “Heard that you make millions every year and own lots of stocks. Is it true?”

There are many other people like Zheng Wenbin in 360. Besides providing core technologies for the security product department, they focus more on pure research, and most research results are hard to be commercialized.

“That’s why only giant companies have the ability to keep their own hackers. It’s actually getting more expensive than ever,” Zheng stated. Starting from 2014, the average salary of security flaw experts has soared to millions, while some might even earn over ten million RMB.

Red and black

The company had a big fight with hackers (intruders) as the intruders kept on sending messages to overwhelm the system, in an attempt to steal user information. The fight lasted for a week and the company ultimately won. However, Li Xiao is not willing to reveal much details about the incident.

“Telling the public that you have a really good defense system actually makes you a target,” Li Miao explained, who works in an Internet finance company. It’s apparent that there are always some hackers trying to steal user information from companies.

“Stories like this are too many,” Du Dongliang, vice president of AISEC said. Give him a random phone number and Du Dongliang can track down the deposit information that's linked to this number from the five major banks. AISEC is a security collaborator of some Chinese institutes whose actions are supervised and regulated by the authority.

“Crackers are like robbers and some are like thieves. The thieves might steal your money. The robbers will just beat you up for no reason,” Du said. On December 5th 2013, People's Bank of China issued the Notice On Preventing Bitcoin Risks that states the bank doesn't support bitcoins, and cyber attacks from overseas came subsequently. As the official collaborator, AISEC fought with the intruders for a really long time.

Behind the intruders stands a complete dark industrial chain, which many people call the black industry.

The security department Chen Shuhua is in is called the S.H.I.E.L.D of Alibaba. Despite the fancy nickname, the security department is the most low-key and mysterious department in Alibaba. “Everyday we deal with the black industry," Chen Shuhua said. They not only need to fix loopholes, but also stop order faking. Chen Shuhua is the founder of Alibaba’s JAQ and Money Shield, as well as one of the most experienced mobile security experts in China. Before he joined Alibaba in 2014 Chen was in Tencent responsible for the cyber security work.

Today every Internet project involves lots of capital and information. “Any loophole you find can bring more values than we expected,” Chen Shuhua said. Statistics show that the number of vulnerabilities on IOS jumped by 128% in 2015 when compared with 2014. Android system is more troubled as 97% of the apps on the app market contain loopholes. On average, every app has around 87 loopholes, many of which are highly risky ones.

Chen Shuhua has been in the mobile Internet industry for a long time. He found a few years ago that it’s not common for phones to get infected with viruses. But as the Internet industry further develops as a whole, nowadays the situation is that 18% of smart phones have been infected, 95% of which got the viruses from fake popular apps.

According to statistics, there are currently over 400,000 people working for the black industry and 1.6 million people are doing Internet fraud. The “scale” of this black industry is quite large, over 110 billion RMB.

In early 2015, Tencent made a full investigative research on the Internet black industry and released the Annual Report On The Internet Black Industry that confirms there’s a mature and professional black industrial chain in the mobile payment area.

Most of these black industry workers are unemployed individuals based in second and third-tier cities and the average age is 15 to 25 years old. According to statistics from Tencent mobile Security Lab, in the first half of 2015 29,762 more viruses appeared in the mobile platform with 11.455 million users infected. In the peak month June 68,000 users got infected every day.

The development of the black industry also brings difficulties to companies’ recruiting process.

“My team is openly recruiting talents from society. But it's really hard for us to find suitable ones,” Zheng said. In reality, many hackers are attracted to the black industry. The ones that are left are hackers that value ethics. For that, Wu Shi and Zheng Wenbin are willing to appear on hacker competitions and even give public speeches so as to encourage the young generation to choose the right path.

Kevin David Mitnick is an American computer security consultant, author and hacker, best known for his high-profile 1995 arrest and later five years in prison for various computer and communications-related crimes. He was the first hacker that was wanted by the FBI. At the age of 15 he broke into the North American Air Defense Command System and flipped through all the documents America had on the nuclear warheads owned by the Soviet Union and its allies. In 2002 after his release, Mitnick published his bestseller The Art of Deception and became one of the most popular computer security experts in the world.

“My cracker past was a mistake. If I could go back in time I would not do what I had done,” Mitnick said.

Qihu 360’s main security director Zheng Wenbin has a big codename in the hacker world: MJ0011.

Gray hats’ embarrassment

Not everyone will end up in big companies. The lone wolves sometimes will face embarrassing situations.

Recently on a security conference, a father with stacks of files in his arms broke into the venue, hoping that somebody could help his son Yuan Wei.

On December 3rd 2015, Yuan Wei attacked the SQL network vulnerabilities on jiayuan.com and posted the vulnerabilities on jiayuan.com’s collaborator WooYun. On December 4th, WooYun notified jiayuan.com about the vulnerabilities. Then here comes the twist of the story. Jiayuan.com then reported to the police and claimed Yuan Wei stole 900 effective data from them. The story ended with the arrest of Yuan Wei.

The truth is, there are many cases like what has happened to Yuan Wei.

In late 2011, a massive user information theft broke out in the Chinese Internet world. At that time, many users’ information on Tianya, CSDN, Duowan, and Zhenai were leaked. The industry calls it the Pants Gate. Even JD.com could dodge the bullet.

In April 2011, Jia Wei was shopping on JD under the ID MyHeartFlies and he bumped into JD’s “backdoor” (technical vulnerability) that led to all of the information such as personal information and password of JD’s users. He immediately reported it to JD and a technical personnel Fishball contacted him for the security loophole and stated that JD would fix it immediately.

However, after 8 months of observation, Jia Wei found that the security vulnerability hadn't been improve at its core. He then posted about it on WooYun’s platform. JD later confirmed the fact that there’s a loophole and recognized it officially. However, JD’s technicians were unable to locate the vulnerability.

For that Jia Wei told JD that if the company could hire him as a senior technical consultant and pay him 2.4 million RMB, he would fix the vulnerability for JD. In the end, JD reported to the police for being blackmailed and cyber intrusion and got Jia Wei arrested on December 30th 2011. Jia Wei then was detained for over a month until he was bailed.

“It's like there’s an open backdoor behind my house and somebody gets in and snoops on my stuff in my house without my permission. It’s reasonable for JD to get upset,” Sun Yi who works in a smart phone company as a coordinator that communicates with hackers said.

Althoug Sun Yi saw Yuan Wei’s father on the conference, he’s not sympathetic with what had happened to Yuan Wei. “WooYun is only a platform. You post something on it and if something goes wrong, WooYun would not offer help,” he explained.

Every month Sun Yi would receive tens of security vulnerabilities reports. “We would give out some supportive rewards to those hackers who found them. We will give them qualifications etc. and would even help them get a international vulnerability serial number. These are the things could be very useful when looking for a job,” he said. However, there’s no cash reward.

“We encourage white hats to build a safer ecosystem together and give out both supportive and material rewards to those who found security vulnerabilities,” Alibaba’s security director Chen Shuhua said.

After the Jia Wei incident, JD has also become conscious about cyber security and set up the security response center. Manager of JD’s information security department Li Xueqin said: “As a emergency response center, we have a common goal that’s shared by Tencent’s TSRC, Baidu’s BSRC, and JD’s JSRC, that is patch all the loopholes that might bring damage.”

However, unlike foreign companies, Chinese companies fail to offer competitive rewards. According to JD’s statistics, submitting any report on JD’s security vulnerability can earn a 1000 RMB JD shopping card as a reward. Before June 18th, JD launched a double credit activity: White hats that could find highly-risky loopholes could receive a reward up to 12,000 RMB.

Top Ten Chinese Hackers

NO. 10 IcedEmotion

Organization: EvilOctal Security Team

IcedEmotion is the webmaster of the famous EvilOctal Security Team and an emerging leader in the Chinese hacker community. EvilOctal Security Team might sound like a bit evil but the group is actually a white-hat organization.

No.9 King Xer

Organization: China Cyber Security Force, Thunder Anti Computer Virus Group

Webmaster of China Cyber Security Force and Thunder Anti Computer Virus Group. King Xer is a representative figure of the young generation of hackers. King Xer has written many technical papers such as New Solutions To Compromising Firewalls and Thunder Teach You To Fight Viruses etc. King Xer also develops many hacker tools such as WINDOWS 2000 security filtering system.

No.8 Ice Leaves

Organization: The Lanker Union of China

The president of The Lanker Union of China, the top manager in the Chinese hacker world.

No.7 Lone Swordsman

Organization: Hack Base

Webmaster of China swordsman Union, a legend in the new generation of Chinese hackers.

No.6 Hierarch

Organization: Ads League

Webmaster of the top hacker tutorial site, a leading figure in the Chinese hacker world. Hierarch has developed many all-time favorite tools that hackers like. He has a huge influence over the future of the Chinese hacker community.

No.5 Chen Sanshao

Organization: CnHack

The most powerful Webmaster in terms of techniques of a hacker tutorial site, and a forerunner in the hacker world. Chen Sanshao partnered with a talented hacker and changed the boring outlook of hacker tutorials, making his site a must-go destination for hackers.

No.4 China Eagle

Organization: China Eagle Union

China Eagle is the webmaster of the biggest hacker group in China and a leader in the Chinese hacker community. China Eagle was once with Internet Security Base and later founded CEU. He witnessed the profound changes in the Chinese hacker world and based China Eagle Union upon his understanding of hacker culture.

No.3 coolfire

Organization: Eagle Studio

Famous hacker from Taiwan and a forerunner in the Chinese hacker world. As a forerunner, coolfire has written many technical papers that guided the developmental direction of many Chinese hackers. As a Taiwan-based hacker, he has always backed the cross-strait unity between the mainland and Taiwan. His contribution to the hacker community is indispensable.

No.2 Lion

Organization: H.U.C

The founder of the largest hacker group in China, a leading figure. As the leader of the allegedly top 5 hacker group in the world and top one in China, Lion was also a battle commander who had led 80,000 red hats for several times to mount overseas attacks, which earned a name for the H.U.C. Chinese red hats have become the symbol of anti-foreign-attack campaigns although Lion has retired and the organization is dismissed.

NO.1 goodwell

Organization: Internet Security Base

As the founder of the oldest hacker group in China, goodwell has led Internet Security Base for years and gained the recognition from many industries. He and his organization opened the era of Chinese hackers. He himself is admired by the Chinese hacker community for that even though goodwell is not active anymore and Internet Security Base has also been dismissed.


(Like our Facebook page and follow us now on Twitter @tmtpostenglish, Medium @TMTpost and on Instagram @tmtpost_english.)

[The article is published and edited with authorization from the author @JUDY BUSINESS AND LIFE, please note source and hyperlink when reproduce.]

Translated by Garrett Lee (Senior Translator at PAGE TO PAGE), working for TMTpost.




Our official account in English/English Version of TMTpost.com


Oh! no