Chinese threat actor activity is usually viewed in the West through the lens of state-sponsored APT groups. But the truth is the country also has a growing cybercrime economy. However, new laws and regulations are making life tougher for Chinese cyber-criminals.
Tougher but not impossible.
In fact, the Chinese government’s obsession with data collection and analytics is proving to be a fertile source of opportunity for both homegrown and foreign criminals. Chinese fraudsters are finding increasingly novel ways to weaponize compromised personally identifiable information (PII).
The Party Cracks Down
The Chinese Communist Party (CCP) has taken several significant steps to crack down on cybercrime and enforce citizens’ rights over their PII. The Personal Information Protection Law (PIPL) is its attempt at GDPR-like legislation designed to force companies to improve baseline data security. It follows the Data Security Law (DSL), which aims to set a framework for companies to classify data based on its economic value and relevance to China’s national security. These laws have already been enforced with rigor. For example, ride-hailing giant Didi was fined $1.2bn for its data collection policies and alleged poor security practices.
The state has been busy in other areas, with a new law on telecoms and online fraud placing a heavy burden on telcos and banks to crack down on such crimes. A mooted money laundering regulation is also in the works, although it was recently postponed due to “technical reasons.”
Cybercrime Finds a Way
However, there are still ample opportunities to steal large volumes of personal information – because the state increasingly demands that it be stored for advanced big data analytics to police and manage the populace. Chinese state requirements for the mass collection and storage of COVID tracking data have only increased the desire and opportunity for threat actors to go after it.
Thus, in August 2022, it was revealed that 48.5 million users of Shanghai health code app Suishenma had their PII compromised. A month earlier, a different threat actor posted a 23TB trove of stolen data on local citizens apparently taken from the Shanghai National Police.
In these two examples, breached data was sold on foreign cybercrime marketplaces. However, despite recent crackdowns, China still has a significant number of homegrown sites. Although some have gone offline this year – including Loulan City Market, Tea Horse Road Market, Ali Marketplace and Dark Web Exchange – others, like Tengu Market and Chang’An Sleepless Night, have emerged to take their place. Even those sites that have gone offline still have popular Telegram channels associated with them that continue to draw thousands of subscribers.
Weaponizing and Monetizing Stolen Data
In the face of a hostile government, Chinese fraudsters have also doubled down on new ways to maximize their earnings from stolen data. One multibillion-dollar criminal lending scheme linked to 89 deaths was tied back to PII stolen from individuals with credit issues, which was subsequently sold to underground loan sharks.
In another noteworthy campaign, Chinese scammers used PII to target nationals living abroad – calculating that their net worth may be higher than the national average. In these scam calls, the fraudster impersonated a Chinese government official and accused the victim of having committed crimes that would require jail terms back home. They persuaded the individual to pay up to avoid such a fate – playing on genuine fears that many Chinese have of being repatriated by the state for financial crimes.
In one case, a Hong Kong university professor was conned out of HK$4m ($500,000) after a scammer convinced him he was under investigation for flouting COVID-19 quarantine rules and being involved in a money laundering case. He was required to share his bank account details as part of the ‘investigation.’ Meanwhile, in Singapore, 476 scams involving the impersonation of Chinese officials were reported between January and August 2022, with losses topping S$57m (US$42m). It’s yet more evidence that cybercrime will always find a way – and that new legislation and industry regulation alone won’t be enough to stop the rot.