China's clampdown on Tor pushes its hackers into foreign backyards

Comparing Middle Kingdom's hacker forums to Russia's? Apples and pears


Underground hacker forums in China and Russia are as different as each country's regular shopping bazaars, according to research from Recorded Future.

Both Russian and Chinese forums host a wide variety of international content. Russian forums rarely if ever feature data dumps from Russian firms. By contrast, data dumps and malware sourced from Chinese firms are usually only found on Chinese forums.

Chinese speakers are internationalists that are often active on Chinese, English and Russian forums. Perhaps unsurprisingly, because of the difficulties in learning the Chinese language, few if any native Russian or English speakers use Chinese forums.

Access to hacker forums within China is getting steadily more difficult because of sustained efforts to restrict Tor and VPN services. This is pushing Chinese hackers towards foreign forums, Recorded Future said. The result of this migration is that data and malware once unique to Chinese forums is more easily available internationally.

Recorded Future's research is based on a comparative analysis of underground markets and forums tailored to Russian and Chinese audiences over the past year. The researchers uncovered differences in the content hosted, as well as forum organisation and conduct.

Russian hacker forums tend to be more geared towards sales of illicit goods whereas their Chinese counterparts place more of an emphasis on building a community. By contrast there's little room for socialising on Russian-language forums.

Hacker bazaars in both China and Russia sell goods and services for regional users, although this is far more prevalent on Chinese forums.

Hacktivism began in China following politically sensitive international events and this kind of activity has continued even after the collapse of the original patriotic hacking groups. ®

Similar topics

Broader topics

Narrower topics


Other stories you might like

  • Interpol anti-fraud operation busts call centers behind business email scams
    1,770 premises raided, 2,000 arrested, $50m seized

    Law enforcement agencies around the world have arrested about 2,000 people and seized $50 million in a sweeping operation crackdown of social engineering and other scam operations around the globe.

    In the latest action in the ongoing "First Light", an operation Interpol has coordinated annually since 2014, law enforcement officials from 76 countries raided 1,770 call centers suspected of running fraudulent operations such as telephone and romance scams, email deception scams, and financial crimes.

    Among the 2,000 people arrested in Operation First Light 2022 were call center operators and fraudsters, and money launderers. Interpol stated that the operation also saw 4,000 bank accounts frozen and 3,000 suspects identified.

    Continue reading
  • Cloud services proving handy for cybercriminals, SANS Institute warns
    Flying horses, gonna pwn me away...

    RSA Conference Living off the land is so 2021. These days, cybercriminals are living off the cloud, according to Katie Nickels, director of intelligence for Red Canary and a SANS Certified Instructor.

    "It's not enough to pay attention to the operating systems, the endpoints, said Nickels, speaking on a SANS Institute panel about the most dangerous new attack techniques at RSA Conference. "Adversaries, a lot of their intrusions, are using cloud services of different types."  

    And yes, living off the land (or the cloud), in which intruders use legitimate software and cloud services to deploy malware or spy on corporations and other nefarious activities, isn't a new type of attack, Nickels admitted. "But what's new here is the levels to which using cloud services [for cyberattacks] has risen." 

    Continue reading
  • Microsoft seizes 41 domains tied to 'Iranian phishing ring'
    Windows giant gets court order to take over dot-coms and more

    Microsoft has obtained a court order to seize 41 domains used by what the Windows giant said was an Iranian cybercrime group that ran a spear-phishing operation targeting organizations in the US, Middle East, and India. 

    The Microsoft Digital Crimes Unit said the gang, dubbed Bohrium, took a particular interest in those working in technology, transportation, government, and education sectors: its members would pretend to be job recruiters to lure marks into running malware on their PCs.

    "Bohrium actors create fake social media profiles, often posing as recruiters," said Amy Hogan-Burney, GM of Microsoft's Digital Crimes Unit. "Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware."

    Continue reading

Biting the hand that feeds IT © 1998–2022