{ "id": "b54783c3-f10e-4425-845c-b5d024833cbd", "created_at": "2026-04-06T00:18:16.921745Z", "updated_at": "2026-04-10T03:25:23.406092Z", "deleted_at": null, "sha1_hash": "727c9ec550d43f327b9103edb63b1101c2f3720d", "title": "Trouble in Paradise", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3521675, "plain_text": "Trouble in Paradise\r\nBy intrusiontruth\r\nPublished: 2023-05-15 · Archived: 2026-04-02 12:19:53 UTC\r\nOur last article left you on a cliff edge. What did we find on the dark web which proved so illuminating? \r\nWell, it would seem things at Wuhan Xiaoruizhi are not all well.\r\nIn a post which was later redacted and then disappeared with the downfall of breachforums, we found a post from\r\nsomeone who claimed to be a representative of a disaffected hacker selling the identities of 100 of their colleagues\r\nfrom an ‘elite hacking team’ in Wuhan.\r\nhttps://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise\r\nPage 1 of 6\n\nThe poster goes on to claim that Wuhan Xiaoruizhi was a cover company for MSS hacking activity in Wuhan. The\r\ncompany had a few teams working for the MSS, but in 2020, teams started working under new companies.  \r\nhttps://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise\r\nPage 2 of 6\n\nThese are some astonishing claims, but at team Intrusion Truth we are nothing if not diligent and wanted to get to\r\nthe bottom of this ourselves. Could we also link Wuhan Xiaoruizhi to the MSS? Could we link it to an APT? \r\nOne thing was for sure, Wuhan Xiaoruizhi deserved more of our attention. We searched far and wide for months to\r\ngather more information on who works or has worked there. Inspired by our success with Xiong Wang’s insurance\r\nrecord, we decided to widen the net. After months of effort, we found the gem we had been waiting for: the social\r\ninsurance records for Wuhan Xiaoruizhi. \r\nTo spare the reader endless documents we have collated as many of the names we can find who have worked at\r\nWuhan Xiaoruizhi as we can: \r\nChinese Pinyin\r\n曹锦芳 Cao Jinfang\r\n常振 Chang Zhen\r\n程鼎 Cheng Ding\r\n程锋 Cheng Feng \r\n顾成武 Gu Chengwu\r\n侯强 Hou Qiang\r\n胡嘉祥 Hu Jiaxiang\r\n黄增辉 Huang Zenghui\r\n黄震 Huang Zhen\r\n黄振 Huang Zhen\r\n李海青 Li Haiqing\r\n李家诚 Li Jiacheng\r\n李圣胜 Li Shengsheng\r\n李义龙 Li Yilong\r\n廖绪良 LiaoXuliang\r\n刘晨成 Liu Chencheng\r\n刘宏伟 Liu Hongwei\r\n马欢 Ma Huan\r\n唐星昭 Tang Xingzhao\r\nhttps://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise\r\nPage 3 of 6\n\n涂梦 Tu Meng\r\n万光灿 Wan Guangcan\r\n王意军 Wang Yijun\r\n魏耀斌 Wei Yaobin\r\n熊旺 Xiong Wang\r\n鄢文龙 Yan Wenlong\r\n杨鑫 Yang Xin\r\n苑红曦 Yuan Hongxi\r\n张超锋 Zhang Chaofeng\r\n张立业 Zhang Liye\r\n赵光宗 Zhao Guangzong\r\n周鑫 Zhou Xin\r\n左鹤群 Zuo Hequn \r\nAnd here are some examples of the documents which form the basis of this list: \r\nCheng Ding insurance record\r\nhttps://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise\r\nPage 4 of 6\n\nZhao Guangzong insurance record\r\nZhang Chaofeng insurance record\r\nXiong Wang insurance record \r\nYou might recognize some of the names on the larger list: 黄振 AKA Huang Zhen, 黄震 AKA Huang Zhen, and\r\n李义龙 Li Yilong were also satisfied customers from Kerui Cracking Academy from Article 2. Don’t you just love\r\nhttps://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise\r\nPage 5 of 6\n\nit when things come full circle? Could it be that the ‘undisclosed private company working supporting the\r\ngovernment’ Li Yilong claimed to work at is none other than Wuhan Xiaoruizhi itself? Could Kerui be a pipeline\r\ninto Xiaoruizhi? \r\nBeyond getting reacquainted with our old friends above, this list of employees provided a number of interesting\r\nleads. But one of the names cracked our case wide open. Meet Cheng Feng. \r\nDiscover more from Intrusion Truth\r\nSubscribe to get the latest posts sent to your email.\r\nPost navigation\r\nSource: https://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise\r\nhttps://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise" ], "report_names": [ "trouble-in-paradise" ], "threat_actors": [ { "id": "a3687241-9876-477b-aa13-a7c368ffda58", "created_at": "2022-10-25T16:07:24.496902Z", "updated_at": "2026-04-10T02:00:05.010744Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "ETDA:Hacking Team", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62", "created_at": "2023-01-06T13:46:39.018236Z", "updated_at": "2026-04-10T02:00:03.183123Z", "deleted_at": null, "main_name": "Hacking Team", "aliases": [], "source_name": "MISPGALAXY:Hacking Team", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434696, "ts_updated_at": 1775791523, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/727c9ec550d43f327b9103edb63b1101c2f3720d.pdf", "text": "https://archive.orkl.eu/727c9ec550d43f327b9103edb63b1101c2f3720d.txt", "img": "https://archive.orkl.eu/727c9ec550d43f327b9103edb63b1101c2f3720d.jpg" } }