Growing Awareness of the Darknet in China following Huge Domestic Database Breaches

In recent weeks, we have identified a growing awareness, on Chinese security blogs and in mainstream media, of the existence of the Darknet and of the activities of Chinese users on its platforms. The focus is mostly on the sale of leaked data, mainly of Chinese citizens. One of these leaks pertained to the Huazhu hotel group and was one of two major data breaches that occurred simultaneously in China, raising awareness of this issue. The second breach was the database of SF Express, a delivery service company based in Shenzhen, Guangdong Province. The whole database, containing 300 million pieces of personal data, such as full names, addresses and telephone numbers, was offered for 2 BTC (~ US$ 4,000), while a test sample of 100,000 lines was priced at 0.01 BTC (~ US$ 40).

A Chinese Darknet forum user offers the SF Express database for sale

These two incidents received much attention in official Chinese media, as well as on web security blogs, and the coverage has sparked unprecedented discussion of the Darknet and its perils in general. For example, the web security blog Security Geek dedicated its quarterly report, published in late October, to the Darknet, offering various measures of protection.

Activity on a prominent Chinese Darknet forum that we monitor, which functions as an online black market, has indeed intensified in recent months, facilitating the sale of personal data in a designated section dedicated to “leaks and databases.” All types of personal information from breached, leaked or stolen databases from different sectors can be found in that section, including, but not limited to, banking (accounts and loans), education (student lists at schools and universities, including parents’ lists), health (personal data of patients and doctors), government (personal information of officials) and property-related data (houses and vehicles).

“Big customers” of the four largest Chinese banks, containing 212,000 lines of data

Personal data of government officials

The fact that the overwhelming majority of these databases contain domestic data, namely personal information of citizens of the People’s Republic of China, and that only a fraction contain personal data of non-Chinese nationals, could explain the wide attention the subject is currently receiving in China. Judging from previous government reactions to online trends, and based on the growth in public attention to the topic and in criminal activity on the forums, the authorities are more than likely to take measures and halt activities on these forums.

Furthermore, chatter about the Darknet outside of the Darknet itself, whether in mainstream media, on social networks, on clear web forums or in designated QQ or Telegram groups, is also on the rise. The term 暗网 (a shortened form of the term “Darknet”) has also become an idiomatic word in modern Chinese, used more and more by people not directly involved in Chinese Darknet forums.

The increase in both media and public attention to the Darknet is a relatively new phenomenon in China. State control over the Internet there is probably the strictest in the world, which results in relative inaccessibility of non-Chinese networks in general and of the Tor network in particular. This in turn results in a noticeably small amount of Chinese-language activity on the Darknet, especially considering the huge size of China’s Internet market and the position of Chinese as one of the most commonly used languages on the Internet.

Furthermore, many users who write in Chinese on Darknet platforms and/or are active on Chinese-language Darknet platforms are not citizens of the People’s Republic of China. They are members of other Chinese communities around the world (Hong Kong, Taiwan and more), which makes the current change even more striking.


Author: Verint Cyber Threat Intelligence Research Team

Verint’s Cyber Threat Intelligence (CTI) research team (formerly SenseCy) is comprised of handpicked expert analysts, many of whom are ex-military intelligence, with years of experience in cyber threat intelligence and analysis. Our research team monitors, analyzes and validates threat actors’ malicious activities on platforms such as social networks, mobile applications, Deep Web sites, Dark Web marketplaces, hacker forums, IRC channels, global CVEs and external threat intelligence generated by leading security providers. The research team regularly produces threat alerts and intelligence reports based on region, industry and organization-specific threats, including in-depth analysis, actionable recommendations, IoCs and more, to proactively identify and mitigate threats before they materialize, to enhance resilience and prevent future attacks.