July 27, 2022by Naomi Yusupov

Out of breach: Shanghai police breach leads to increased Chinese underground activity

On June 30, on a popular underground forum, an actor uploaded a massive amount of data reportedly exfiltrated from the Shanghai National Police (SHGA). This included names, addresses, birthplaces, national IDs, phone numbers, and criminal records of 1 billion Chinese citizens—over 70% of China’s total population. The data, 23 TB in total, was advertised for sale for ten bitcoin ($200,000), and anyone could receive a free sample of 750,000 entries.

Cybersixgill research has picked up on two interesting trends in the weeks following this data breach:

There has been a significant increase in the quantity of Chinese-language activity on this predominantly English-speaking forum.

Subsequently there has been a notable rise in data leaks of Chinese entities shared on the forum.

Increased Chinese activity

Shortly after the Shanghai police breach was shared, some threat actors complained about a massive uptick in Chinese users active on the forum due to the data leak.

The new Chinese members seem to be interested in a wide variety of what the forum offers, including data leaks, streaming accounts, adult content, hacking courses, and cracking tools.

Watch: How threat intelligence from the dark web can increase your ROI

However, the overflow of new Chinese users had made some veteran forum actors concerned that their Chinese counterparts would overwhelm the forum. Some even suggested banning the Chinese threat actors for “disturb[ing] the original order.”

This tense situation compelled the forum administrator to address the leak in an English and Chinese message called “a letter to our Chinese users.” In the post, the administrator explained that the Shanghai police breach was no longer being sold and that the communication in the forum was to be in English only.

In the administrator’s own words, the Shanghai breach attracted a new Chinese following to the forum. Simply put, good content brought new readers. Within the Chinese internet, the Shanghai police breach also had a fair amount of attention. Since it was published, the post has been widely discussed on China’s Weibo and WeChat social media platforms over the weekend, with many users worried it could be real. The hashtag “Shanghai data leak” was blocked on Weibo by Sunday afternoon (3/7), but there are still a few discussions on Chinese social media about this incident.

As of the time of publication, the Chinese government has not publicly commented on the matter. However, the forum became inaccessible from within China, which indicates that the government is aware of the breach and considers it to be severe.

However, the Chinese authorities took actionable decisions in China to investigate the matter. Chinese authorities reportedly summoned Alibaba’s Executives to investigate this historic data theft, as Alibaba’s cloud platform allegedly hosted Shanghai’s police database and used outdated systems, making it easier for the hackers to access the data. Researchers said a dashboard for managing the database had been left open on the public internet without a password for more than a year.

Increased Chinese Data Leaks

In the weeks following the Shanghai police breach, Cybersixgill observed a sudden spike in data leaks of Chinese entities shared on this underground forum. From March through June, there were an average of 14 monthly leaks from Chinese entities. However, in the first 15 days of July, there were 25 leaks, setting a pace for 52, far exceeding the pre-breach average.

This anomaly may be related to the Shanghai breach in three ways:

First, the massive size of the breach and the high asking price for the data may have indicated that Chinese databases are highly valued, so other actors jumped on the bandwagon and shared data, hoping to gain both a reputation boost and money.

Read: Analyzing the Russian and Chinese cybercriminal communities

Second, the newly registered Chinese members may have thought this forum to be a new venue on which to share their domestic database leaks. Some evidence points to this: For example, in the post below, a Chinese threat actor, who registered to the forum in July 2022, shares a leaked police database from 2016 as a “meeting gift.”

Finally, we must consider that it is likely the Shanghai Police breach led to additional breaches. That is, personal and sensitive data contained within the free sample of 750,000 entries could have been keys to hacking and social engineering attacks to extract information from additional databases.


The data compromised in the massive breach of the Shanghai National Police exposed the personal information of one billion Chinese citizens. This major breaching event led to subsequent breaches of other Chinese entities, either directly, by providing the data needed to access more data, or indirectly, by encouraging copycats.

Read: How attackers gain access to your SMS

Either way, now that the data is out, it can be used in cyberattacks, social engineering campaigns, and other malicious activities. We anticipate that we will be seeing the reverberations of this breach on the underground for quite some time.

Moreover, this breach attracted increased Chinese participation in an English-speaking forum, as the Chinese and English underground are generally separate communities. It is worth following up on this incident, to gauge if it leads to increased communication and collaboration between these two groups.

Learn More

You may also like

February 09, 2023

The night the lights went out at the Super Bowl: A decade later

Read more

July 13, 2022

Dox of US Supreme Court Justices

Read more
Cybersixgill & ThreatQuotient logo lockup

June 20, 2024

A Conversation with Haig Colter, Director of Alliances at ThreatQuotient

Read more