{
	"id": "0c499adf-ee8b-49ae-972b-3697cfc20304",
	"created_at": "2026-04-06T00:15:43.216437Z",
	"updated_at": "2026-04-10T03:21:50.926673Z",
	"deleted_at": null,
	"sha1_hash": "b5ec4647de793371361d6489ed2e9ac600e90480",
	"title": "No pandas, just people: The current state of China’s cybercrime underground",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50937,
	"plain_text": "No pandas, just people: The current state of China’s cybercrime\r\nunderground\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 17:49:57 UTC\r\nChina's internet is very different from the rest of the world's. Yet that hasn't stopped its population from engaging in\r\ncybercrime.\r\nDespite the various measures the Chinese government has taken to censor and surveil its residents on the internet,\r\na significant cybercrime underground full of financially motivated actors exists. Efforts like \"The Great Firewall\"\r\nand government crackdowns on cybercrime-related content force actors to put remarkable effort into maneuvering\r\naround those roadblocks in order to access, create or participate in criminal marketplaces that mirror those more\r\ncommonly known to the rest of the world.\r\nData from Intel 471 show that the Chinese cybercrime underground runs on many of the same methods and\r\nplatforms seen elsewhere, but behaves differently, in large part because of the caution actors take with regard to their identity.\r\nWhile the average citizen lives under the government's heavy-handed surveillance of cyberspace,\r\nChinese threat actors take special precautions to protect their forums, TTPs and themselves. This leaves the\r\nChinese cybercrime underground disorderly when compared to others, particularly the Russian-language underground, which tends to be\r\nmuch more organized.\r\nWhere is the Underground?\r\nForums hosted on the Tor network have barriers to entry for most Chinese users, as the government blocks Tor on\r\nthe Chinese internet. For actors operating in mainland China to reach these services, they need a VPN or a\r\nsimilar measure capable of evading government detection. Guides and toolkits that let a user accomplish this\r\ntask are often available on the underground. 
Once actors do break through, or if they operate from other\r\npopular Chinese cybercriminal hubs like Hong Kong, Malaysia, Myanmar, the Philippines and Taiwan, a\r\nhost of forums is available to them.\r\nDeepMix Market\r\nDeepMix Market is one of the best-known Chinese underground marketplaces, even after disappearing for\r\nseveral weeks in 2019 following a sustained DDoS attack. It eventually resurfaced in December 2019 with enhanced\r\nprotections for its users.\r\nThe marketplace's offerings are categorized into several sections, including \"data-information,\" \"service-orders,\"\r\nvirtual resources, physical goods, techniques and tutorials, and carding materials/CVVs, among others. It also uses\r\nheightened measures to ensure anonymity, such as discouraging users from posting contact details, encouraging them to\r\nbuy and sell through the in-forum system, and forcing them to use short numeric handles to identify accounts.\r\nhttps://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/\r\nPage 1 of 4\n\nActors on DeepMix have used the same handles for long periods of time in order to build brand awareness,\r\nreflecting that reputation is still paramount even though identity is a highly sensitive subject.\r\nUnited Chinese Escrow Market\r\nThe United Chinese Escrow Market, or UCEM, was established in June 2018 to sell goods and services like those\r\non DeepMix, but differs in that users can set up their own independent shops instead of relying on one central\r\npurchasing hub. Marketplace postings are listed in U.S. dollars, but bitcoin is the only accepted currency for\r\ntransactions, with an exchange rate determined by a third-party payment service provider. 
The site also has\r\nfunctions similar to other ecommerce sites, including sections where users can discuss their transaction\r\nexperience, an internal mailbox function to communicate with other members, and a bitcoin wallet management\r\nsection.\r\nTea Horse Road\r\nEstablished in June 2019, Tea Horse Road is similar to UCEM and DeepMix in allowing the trading of different\r\ngoods and services, but the site also includes a forum where users discuss or sell data, vulnerabilities and other\r\nvirtual and physical goods. Earlier this year, Intel 471 saw a number of marketplace users spin up Telegram\r\nchannels affiliated with the site, created to provide an extra layer of security when discussing\r\nlistings or other site-related matters. These channels are very active, with users heavily engaged in discussions\r\nwhile being careful not to include information that might reveal their account handles on the actual site.\r\nFree City\r\nFree City is similar to Tea Horse Road, particularly in its use of Telegram channels. The marketplace has seven\r\nsections for users: data and intel, services and order replacement, virtual resources, physical goods, specialized\r\nproducts, CVV and carding, and private escrow transactions. The Telegram channels allow users to discuss what's\r\nfor sale in the forums, while also hosting tutorials and other information related to making purchases.\r\nOpen Web forums\r\nOpen web hacking forums where Chinese cybercriminals congregate do exist, but they often get shut down by the\r\nChinese government. Numerous initiatives launched under Chinese President Xi Jinping have\r\nled to crackdowns on what the government has deemed to be illicit internet content. In April 2020, China's\r\nMinistry of Public Security announced it had imposed public security punishments on 1,522 people and had notified other departments\r\nto impose 433 party and political sanctions for matters related to cybercrime. 
Some of the more popular open web\r\nforums, like HLODAY or HZDG (华中帝国, also known as China Central Empire), have gone down during this\r\ntime.\r\nMore often, skilled Chinese actors make their way to international forums such as Exploit, Hack Forums, Raid\r\nForums and XSS. These actors advertise tools and services like any other member: compromised payment cards,\r\ninformation or data, ransomware, cryptomining malware and more.\r\nMessaging Clients\r\nThe Telegram channels tied to Tor services are indicative of another trend: Chinese actors like to use messaging\r\nclients to converse with each other in the underground. This is partly due to the familiarity of the wider Chinese\r\npopulation with messaging platforms like WeChat and QQ, which are extremely popular among Chinese internet\r\nusers. However, those platforms fall under the same government restrictions as the rest of the country's internet.\r\nTherefore, we have seen Chinese actors move to non-native messaging services like Telegram. Non-native\r\nservices decrease the likelihood of linking online personas to real offline identities and offer encryption that actors\r\nregard as ensuring greater anonymity; note, however, that Telegram's end-to-end encryption covers only its one-to-one\r\nsecret chats, not its groups or channels, which the service can read.\r\nHow are they accessing the underground?\r\nBecause of the anonymity and censorship circumvention needed to develop and sell malware or stolen data,\r\nChinese actors have learned to be extremely adaptable. The Chinese government's efforts to watch its population's\r\ninternet activity mean there is no anonymous access, since an IP address can be tied to an actual person. 
This\r\nresults in the anonymity of a Chinese actor being \"thinner\" than in other areas of the world.\r\nTo evade detection, Chinese actors change IP addresses by joining different Wi-Fi networks or having their\r\nmodems request new Dynamic Host Configuration Protocol (DHCP) leases, use the Tor network,\r\nleverage VPN and proxy services and tools such as ShadowsocksR (SSR, a Shadowsocks fork) and V2Ray to bypass\r\nthe Great Firewall, and use codewords to avoid keyword filters.\r\nAdditionally, the fact that only some actors manage to bypass the censorship measures and reach international sites\r\nand services means that, although the latest tools and techniques exist, not\r\neveryone in the Chinese underground has access to them. This has led to a trend of Chinese actors modifying the source code of freeware and\r\nmalware families to develop their own versions for use, distribution and sale, or using popular platforms such as\r\nGitHub to refine their skills, fine-tune tools or obtain the latest malware.\r\nWhat do they sell on the underground?\r\nBecause getting around the Great Firewall can be so difficult, a lot of the malware being pushed on Chinese\r\ncybercriminal underground forums is built upon existing tools. Intel 471 has observed numerous Remote Access\r\nTrojans (RATs) that are variants of already known malware or pentesting tools, such as:\r\nAnubis\r\nAsyncRAT\r\nCobalt Strike\r\nGh0st\r\nGray Pigeon\r\nGray Wolf\r\nNjRAT\r\nSpynote\r\nWe also observed popular tools such as worms, brute forcers, DDoS tools and post-exploitation tools, as well as\r\nexploits for vulnerabilities in Apache, Oracle and Microsoft Windows server software. 
There was also interest in\r\nsoftware that mines cryptocurrencies while also attempting to steal wallets or credentials used to access online wallets.\r\nAdditionally, both international (GandCrab, WannaCry) and domestic (FilesLocker) ransomware variants were\r\noffered on various forums.\r\nSpecific behavior that stood out on these forums included: hacking of illegal gambling sites, QQ tools, blackhat search\r\nengine optimization services, spamming, scamming, and other actions aimed at ripping off other members of\r\nthe cybercriminal underground.\r\nWhat does the future hold?\r\nAs long as the Chinese government shows the ability and desire to crack down on its population's internet activity,\r\nhighly skilled actors will continue to closely guard their skills and identity in an effort to avoid being caught. Petty\r\ncriminals and script kiddies may thrive, while the proficient will continue to fly under the radar by avoiding public\r\nposts about high-profile breaches, access or custom tools. With the censorship and surveillance practices carried\r\nout by the Chinese government unlikely to stop, the variety of forums, as well as the different TTPs employed by\r\nactors, will likely continue to adapt and evolve in order to make as much money as possible.\r\nThe above information has been pulled from an Intel 471 whitepaper that has further in-depth information on the\r\nChinese cybercrime underground. To inquire about the whitepaper and learn more about how Intel 471 enables proactive\r\nsecurity teams, get in contact with us.\r\nSource: https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/"
	],
	"report_names": [
		"china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall"
	],
	"threat_actors": [],
	"ts_created_at": 1775434543,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5ec4647de793371361d6489ed2e9ac600e90480.pdf",
		"text": "https://archive.orkl.eu/b5ec4647de793371361d6489ed2e9ac600e90480.txt",
		"img": "https://archive.orkl.eu/b5ec4647de793371361d6489ed2e9ac600e90480.jpg"
	}
}