Deciphering the Chinese Underground Economy

This blog post by Taylor Roberts, former research fellow at the Global Cyber Security Capacity Centre, was first published on the website of the China Policy Institute in July 2016.

The US Department of Justice indicts five members of the alleged People’s Liberation Army (PLA) Unit 61398 advanced persistent threat unit. Operation Aurora ties Chinese hackers to a series of attacks on American companies that impacted Google’s decision to withdraw from China. Last year, one of the largest data breaches on record occurred within the US Office of Personnel Management, a breach that was attributed to… the list goes on. These are the types of headlines that often dominate the cybercrime spotlight. And the Chinese response has been, until recently, relatively scripted: There is never sufficient proof that China committed these attacks, and, in fact, it is a major victim of cybercrime.

While I will not attempt to address the technical and political complexities of cyber-attack attribution, it is certainly worth digging into the second claim, that the Chinese people are subjected to malicious online criminal activity. What drives cybercriminal activity in China? What sorts of markets are set up to drive Chinese cybercrime? What elements of cybercrime are unique to the Chinese context? And finally, what is the damage done to the Chinese economy through such behaviour? It is these questions I will directly address in this post. I will be pulling some of the information in this post from a chapter I co-authored entitled “Investigating the Chinese Online Underground Economy” in the book China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain. And while the stats and figures raised here will be a little out of date, the fundamental aspects of this market remain the same.

What drives cybercriminal activity in China?

Profit. A simple answer to a complex problem, I acknowledge, but one that is vital to understanding criminal behaviour. From what we observed from trawling Baidu Post Bar and Tencent QQ chat groups, most of these criminals have day jobs, resorting to cybercrime as a means of making an extra buck. Now you might think that engaging in criminal activity as a pastime is not necessarily a prudent thing to do. However, the alluring combination of misaligned incentive structures between defenders and the defended, asymmetries in effort favouring the attacker, and inadequate legislation and law enforcement all provide ample motivation for even your run-of-the-mill script kiddie to take part in the online underground economy without much fear of repercussions.

You don’t even need to know how to access the “dark net” in order to get the tools necessary to engage in cybercrime. Open forums, like the Baidu Post Bar mentioned earlier, enable pretty much anyone to gain access to the market, provided they have a rudimentary understanding of the value chains and jargon used in such fora. The cost of unsophisticated attack tools and techniques starts as low as 100 RMB ($15 USD), meaning it is relatively cheap to take part in the market. And finally, given there are nearly 700 million Internet users in China, the attack landscape is massive.

What kind of value chains comprise the Chinese cybercrime market?

So what are the value chains that facilitate cybercriminal activity? According to our research, there are four value chains through which most of the online criminal activity is conducted. These are as follows:

Real asset theft: stealing money from bank accounts or credit cards.
Network virtual assets theft: stealing virtual currency or equipment from online gaming accounts and selling them for real money.
Internet resources and services abuse: taking advantage of hacked resources, such as compromised hosts, hacked servers and infected smartphones, with the intention of abusing these resources for profit.
“Blackhat” techniques, tools, and training: malicious hackers selling Trojan horses and attack tools to provide technical support for cybercriminals, as well as training services to “newbies”.

These value chains all contain unique roles and responsibilities, from the technologically sophisticated actors within the “blackhat” community, to actors who buy the materials in order to orchestrate an attack, money-launderers who transfer the money, and individuals who will either physically or virtually commit the act. Crimes include, but are not limited to: fraud, investment manipulation, counterfeiting, and physical and virtual theft. These value chains are also related to one another, with one “blackhat” potentially providing training and tools to actors in other chains, or actors stealing virtual gaming assets and entering the real assets value chain by selling these coins for cash.

Which elements of cybercrime are unique to the Chinese context?

While the above value chains are not necessarily distinct to China, the network virtual assets theft chain is one that is much more prolific in China than in other countries. This is primarily due to the sheer scale of the industry, with an estimated value of 140.70 billion yuan (US$21.71 billion). Chinese gamers, in order to acquire virtual currency, equipment, or membership, must either pay real cash or otherwise invest considerable time to acquire these assets. In this way, virtual assets have a real-world value. Thus, criminals have access to a very lucrative source of financial gain by stealing account and password information from gaming accounts and either manipulating the account or stealing assets from it.

In addition to this particular chain, the jargon used in China is distinctive to the country. For example, stolen information containing bank card details is often referred to as 轨道料 (track material), and criminals who launder the money are called 洗料人 (material washing man). Knowledge of such unique jargon allows criminals both to evade detection by law enforcement and to verify whether someone seeking certain services truly “belongs to the community”.

What is the damage done to the Chinese economy through such behaviour?

Through a review of existing literature and an exhaustive process of data collection and extrapolation, we found the estimated damage to the Chinese economy in 2012 to be around 852 million USD. According to trends observed in market activity, the scale of the underground economy is only set to rise, as more participants are entering the market than leaving it. Combatting cybercrime is a huge problem for domestic law enforcement in China. As Xingan Li points out, there are still several issues with Chinese cybercrime-related legislation, such as legal overlap, gaps in legislation, the narrow scope of criminalisation and legal constituents, and lagging penalties.

Not all is doom and gloom, however. There are several positive signs that China is stepping up its game in combatting cybercrime. For instance, the Chinese government claimed that it arrested a handful of hackers related to the OPM hack in the US, and the FBI seems to be increasingly encouraged by Chinese efforts to cooperate in combatting cybercrime. So as hacking allegations continue, it is important to remember that no country is immune from cybercrime. Enhancing global capacity to combat these threats is vital to providing a safe and secure Internet, as the attempt to fight cybercrime with a solely domestic focus or with scattered international cooperation, which excludes parts of the world, will never be fully effective.

This article gives the views of the author, and does not represent the position of the Cybersecurity Capacity Portal, the Global Cyber Security Capacity Centre nor of the University of Oxford.