Chinese hacking industry linked to the state through connections, alcohol, and sex, leak reveals

FILE - The interior of the I-Soon office, also known as Anxun in Mandarin, is seen after office hours in Chengdu in southwestern China's Sichuan Province on Feb. 20, 2024. (AP Photo/Dake Kang, File)

BEIJING (AP) — China's hackers-for-hire take government officials out for lavish banquets, binge drinking and late-night karaoke with young women in a bid to win favor and business, as revealed in a highly unusual leak last month of internal documents from a private contractor linked to Chinese police.

China’s hacking industry is vast in size and scope but also suffers from shady business practices, disgruntlement over pay and work quality, and poor security protocols, the documents show.

Private hacking contractors are companies that steal data from other countries to sell to the Chinese authorities. Over the past two decades, Chinese state security’s demand for overseas intelligence has soared, giving rise to a vast network of these private hackers-for-hire companies that have infiltrated hundreds of systems outside China.

Though the existence of these hacking contractors is an open secret in China, little was known about how they operate. But have pulled back the curtain, revealing a seedy, sprawling industry where corners are cut and rules are murky and poorly enforced in the quest to make money.

Leaked chat records show I-Soon executives colluding with competitors to rig bidding for government contracts. They pay thousands of dollars in “introduction fees†to contacts who bring them lucrative projects. I-Soon has not commented on the documents.

Mei Danowski, a cybersecurity analyst who wrote about I-Soon on her blog, , said the documents show that China’s hackers for hire work much like any other industry in China.

“It is profit driven,†Danowski said. “It is subject to China’s business culture — who you know, who you dine and wine with, and who you are friends with.â€

Though I-Soon boasted about its hacking prowess in slick marketing PowerPoint presentations, the real business took place at hotpot parties, late night drinking sessions and poaching wars with competitors, leaked records show. A picture emerges of a company enmeshed in a seedy, sprawling industry that relies heavily on connections to get things done.

I-Soon’s founder and CEO, Wu Haibo, is one of China's so-called “red hackers†— patriots who offer their services to the Chinese Communist Party. With the spread of the internet, China’s hacking-for-hire industry boomed, emphasizing espionage and intellectual property theft.

Today, hackers such as those at I-Soon outnumber FBI cybersecurity staff by “at least 50 to one,†FBI director Christopher Wray said January at a conference in Munich.

China boasts world-class hackers, many employed by the Chinese military and other state institutions. But documents reveal that I-Soon and other hackers-for-hire often engage in sketchy business practices. I-Soon leadership discussed buying gifts and which officials liked red wine. They swapped tips on who was a lightweight, and who could handle their liquor.

I-Soon executives paid “introduction fees†for lucrative projects, chat records show, including tens of thousands of RMB (thousands of dollars) to a man who landed them a 285,000 RMB ($40,000) contract with police in Hebei province. To sweeten the deal, I-Soon’s chief operating officer, Chen Cheng, suggested arranging the man a drinking and karaoke session with women.

“He likes to touch girls,†Chen wrote.

The source of the I-Soon documents is unclear, and executives and Chinese police are investigating. And though Beijing has repeatedly denied involvement in offensive hacking, the leak illustrates I-Soon and other hacking companies’ deep ties with the Chinese state.

For example, chat records show China’s Ministry of Public Security gave companies access to proofs of concept of so-called “zero daysâ€, the industry term for a previously unknown software security hole. Zero days are prized because they can be exploited until detected. I-Soon company executives debated how to obtain them. They are regularly discovered and surface at an annual Chinese state-sponsored hacking competition.

Many of I-Soon’s clients were police in cities across China, a leaked contract list showed. I-Soon scouted for databases they thought would sell well with officers, such as Vietnamese traffic data to the southeast province of Yunnan, or data on exiled Tibetans to the Tibetan regional government. At times, I-Soon hacked on demand.

I-Soon proclaimed their patriotism to win new business. Top executives discussed participating in — one of Chinese leader Xi Jinping’s signature initiatives — to make connections. In interviews with state media, I-Soon's CEO Wu quoted Mencius, a Chinese philosopher, casting himself as a scholar concerned with China’s national interest.

Despite Wu’s professed patriotism, the leaked records depict a competitive man motivated to get rich. “If you don't make money,†he wrote in a private message, “being famous is useless.â€

But I-Soon has been hit by , leading to thin profits, low pay and an exodus of talent, the leaked documents show.

Low salaries and pay disparities caused employees to complain, chat records show. Leaked employee lists show most I-Soon staff held a degree from a vocational training school, not an undergraduate degree, suggesting lower levels of education and training. Sales staff reported that clients were dissatisfied with the quality of I-Soon data, making it difficult to collect payments.

The company’s troubles reflect broader issues in China’s private hacking industry. , and of top hacking talent, four cybersecurity analysts and Chinese industry insiders told The Associated Press.

“China is no longer the country we used to know. A lot of highly skilled people have been leaving,†said one industry insider, declining to be named to speak on a sensitive topic. Under Xi, the person added, the growing role of the state in China’s technology industry has emphasized ideology over competence, impeded pay and made access to officials pivotal.

In recent years, Beijing has heavily promoted China’s tech industry and the use of technology in government, part of a broader strategy to facilitate the country’s rise. But much of China’s data and cybersecurity work has been contracted out to smaller subcontractors with novice programmers, leading to poor digital practices and .

Despite the clandestine nature of I-Soon’s work, the company has surprisingly lax security protocols. I-Soon’s offices in Chengdu, for example, have minimal security and are open to the public. The leaked files show that top I-Soon executives communicated frequently on WeChat, which lacks end-to-end encryption.

Still, Danowski, the cybersecurity analyst, at the end of the day, she added, it may not matter.

“It’s a little sloppy. The tools are not that impressive. But the Ministry of Public Security sees that you get the job done,†she said of I-Soon. “They will hire whoever can get the job done.â€

___

Soo reported from Hong Kong. AP Technology Writer Frank Bajak in Boston contributed to this report.

ºÚÁϳԹÏÍø. All rights reserved.

More Science Stories

Sign Up to Newsletters

Get the latest from ºÚÁϳԹÏÍø News in your inbox. Select the emails you're interested in below.