Hooked! #5: From patriotic hackers to ‘red expert’ militias

Photo: Engin Akyurt / Unsplash

Welcome to the fifth edition of Hooked!, Binding Hook’s monthly current events newsletter. In Hooked!, we draw on our latest publications and growing archive of expert research, analysis, and commentary to reflect on a recent security and technology event.

I’m back in the Netherlands after a few months in the Caucasus and Central Asia, fascinating places where you can actually see the Chinese competition for influence with Russia, Europe, and the United States play out as you drive across them. 

Waiting for me on my return was an engrossing set of recent, in-depth reports on non- and semi-governmental cyber actors in China, from hackers and leakers to vulnerability vendors and corporate militias. 

Virtual Routes fellow Eugenio Benincasa published ‘Before Vegas: The “Red Hackers” Who Shaped China’s Cyber Ecosystem’, a detailed anthropological look at the development of China’s hacker community in the early 1990s and their paths from curious, technically minded individuals to cyber professionals. (There’s a nice summary in Wired, with some added details.)

A report on ‘Mobilizing Cyber Power: The Growing Role of Cyber Militias in China’s Network Warfare Force Structure’ from Margin Research’s Kieran Green continues the story. Green examines how the Chinese military transformed its cyber militia system, composed of civilian volunteers under military and local government leadership, from a patchwork of loosely organised groups into a strategically significant force more tightly integrated into professional military operations. As a non-specialist, I particularly appreciated Green’s detailed notes on the translations and nuances of Chinese government terminology. 

Together, these reports chart the dramatic rise of the companies and individuals who have shaped China’s digital defences. For example, Benincasa traces the trajectory of one man, Yuan Renguang, from early involvement in the patriotic hacker group ‘Green Army’ in the 1990s to a Ministry of Public Security cyber defence team for the 2008 Olympics in Beijing, Green-Army-founded cybersecurity company NSFOCUS in the early 2000s, top antivirus firm Qihoo 360, and beyond.

Green picks up the thread, delving into the development of corporate cyber militias, including the process of building one at Qihoo 360 beginning in 2020, with photographs and details about composition, ideology, and activities. He highlights the centrality of public-private partnerships (with Chinese characteristics) in cyber militias, arguing that ‘the Party-state explicitly encourages provincial governments and military organs to support the formation of cyber militia units within large-scale cybersecurity and internet firms. These cybersecurity and internet companies, in turn, are expected to contribute personnel, training facilities, and threat intelligence capacity in exchange for political favor or access to government contracts’.

Winnona DeSombre Bernsen’s Atlantic Council report ‘Crash (exploit) and burn: Securing the offensive cyber supply chain to counter China in cyberspace’ then places the development of the Chinese hacking industry in a helpful comparative context with the US. For DeSombre Bernsen, the US market is centred on large defence contractors, underpinned by risk-averse policy and extensive regulation, and must battle countervailing incentives for better cyber defence.

In contrast, as Benincasa and Green demonstrate, China has decentralised procurement and use of offensive cyber capabilities, relying on a vast domestic talent pool and using regulation to ensure a constant supply of high-value vulnerabilities. DeSombre Bernsen’s analysis, focusing specifically on the acquisition of ‘zero-day’ vulnerabilities, nonetheless intersects extensively with the other reports, including discussions of NSFOCUS and Qihoo 360.

Bringing the narrative right up to date, Binding Hook has just published some timely research from Wiz’s Ben Read on how China has been using attribution of cyber operations to pressure Taiwan, with crucial support from the private sector. Read’s piece shows how smaller law enforcement divisions can partner with more technically advanced private sector actors to increase the number of attributions – including a recent May 2025 attribution from a local police department, in partnership with none other than Qihoo 360.

A few other recent events have shed even more light on the business of Chinese offensive cyber – and its counterparts elsewhere. Data leaks analysed by SpyCloud Labs from two hack-for-hire companies provided details on Chinese government customers and their intended victims. QiAnXin, one of the military-connected Chinese cybersecurity companies discussed by Read, took the stage at a Malaysian cybersecurity conference to reveal yet another attribution – this time a cyber-espionage campaign conducted by an unnamed ‘North American’ group operating on Pacific time zones.

Meanwhile, in Italy, one alleged hacker may have reached the end of his China cyber story: Xu Zewei landed in Milan expecting to enjoy a holiday with his wife, but was arrested on suspicion of involvement in the 2020 Silk Typhoon cyberattacks. He now awaits possible extradition to the US, which accuses him of being part of ‘an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government’s involvement’ and has charged him with offenses ranging from wire fraud to identity theft, with a combined potential sentence of perhaps 80 years in prison. 

But for now, the Italian courts are likely to keep Xu in Milan – it’s summer break. 

Until next month,

Katharine Khamhaengwong

Binding Hook Editor


For more Binding Hook on China:

  • Joseph Christian Agbagala looks into the ways ‘smart cities’ and regional actors contribute to both cybersecurity and cyberattacks.
  • Daniel Moore revisits the arguments of his book ‘Offensive Cyber Operations: Understanding Intangible Warfare’, and finds that China has built a cyber force to be reckoned with, but one that is as yet largely untested.
  • Rogier Creemers examines how Chinese censorship and regulation are handling the challenges of AI.
  • This excerpt from a Virtual Routes report explores how states, including China, are using ransomware for their own ends.