
From Self-taught Patriots to Total Weaponry: The Chinese Method for Global Cybernetic Domination


The new report "BEFORE VEGAS" by Eugenio Benincasa (CSS, ETH Zürich) traces China's rapid rise to global cyber power, built on an aggressive cyber espionage campaign run through intelligence agencies and private contractors. From the roots of the Honkers, the self-taught patriotic hackers of the 1990s, Beijing has forged a doctrine of "Liminal Warfare" that integrates political espionage, sabotage of critical infrastructure and systematic theft of intellectual property on a planetary scale. This program, catalyzed by Snowden's revelations and the rise of Xi Jinping, absorbs elite cyber talent trained in an increasingly sophisticated and militarized ecosystem, revealing both the ubiquity of the threat and China's determination to redefine the global balance through cyber dominance.


A silent but relentless cyber assault is redefining global power dynamics, with China at the center of a digital strategy that Christopher Wray, then director of the FBI, called in 2023 "bigger than that of every other major nation combined." This is not a conventional war, but a "Liminal War"—an incremental and pervasive conflict, where every sector, from politics to economics, from critical infrastructure to intellectual property theft, becomes a global battlefield. At the heart of this ambitious vision is the evolution of China's "red hackers," known as Honkers (红客, Hong Ke), whose origins, transformations, and current integration with the state apparatus have been meticulously revealed in the report "The “Red Hackers” Who Shaped China’s Cyber Ecosystem" by Eugenio Benincasa, Senior Researcher at the Center for Security Studies (CSS) at ETH Zurich.


Extrema Ratio

The Chinese government actively coordinates cyber espionage operations through its intelligence agencies, mainly the Ministry of State Security (MSS) and the People's Liberation Army (PLA), and increasingly relies on private contractors. These attacks target critical infrastructure, intellectual property, and sensitive communications, posing a growing and multifaceted threat to international security. A further worrying development, highlighted by Google Threat Intelligence Group, is that China is expanding its espionage operations by combining the deployment of ransomware with intelligence gathering. This deliberate "mixing" supports the Chinese government's public efforts to confuse attribution by masking cyber espionage activity behind ransomware operations.

China's concerns about domestic national security, particularly in the technology sector, were significantly accelerated by Edward Snowden's revelations in 2013. This turning point coincided with Xi Jinping's rise to power and triggered a series of unprecedented political and institutional changes. Beijing profoundly reformed its cyber governance, creating new entities such as the Leading Small Group on Network Security and Informatization, chaired by Xi himself, and the Cybersecurity Administration of China (CAC). Key laws such as the National Security Law (2015) and the Cybersecurity Law (2016) were adopted, and critical overseas supply chains were identified and protected. Snowden's revelations confirmed China's fears that American intelligence agencies operated in a "God Mode" with nearly unlimited access to global communications.

This article will show how China has evolved from a community of self-taught tech enthusiasts, driven by fervent patriotism in the early days of the Internet, to a cyber powerhouse employing "trans-military" and "non-military" strategies to weaken states and foster a new world order. It will explore the roots of this phenomenon, the ingenious "on-the-job" learning methodology that shaped generations of cyber fighters, their gradual professionalization, and their disturbing integration with China's intelligence services and armed forces. It will highlight the main areas of attack: political espionage conducted by the Ministry of State Security (MSS), as in the case of Salt Typhoon, comparable to Snowden's revelations in its audacity; sabotage of critical infrastructure by the PLA (People's Liberation Army), exemplified by Volt Typhoon; and the massive, global theft of intellectual property that has cost the U.S. economy hundreds of billions of dollars. The Honkers' journey, culminating in the "Red 40," an elite group of cyber talents integrated into key state and corporate roles, reveals not only Beijing's impressive ability to cultivate and exploit its digital human resources, but also the ubiquitous and increasingly sophisticated nature of the Chinese cyber threat we face today.


Origins: The Birth and Consolidation of Chinese Hacker Culture (Mid-1990s - Early 2000s)

According to Benincasa, the dawn of Chinese hacker culture coincides with China's official connection to the Internet on April 20, 1994, via a dedicated data transmission line through the U.S. telecommunications company Sprint. A few months later, China Telecom launched ChinaNet, ushering in public Internet services across the country. But it was universities in particular that played a pioneering role. The creation, also in 1994, of networks such as the China Education and Research Network (CERNET) and the Chinese Academy of Sciences' CSTNET connected academic institutions and promoted knowledge sharing among students and researchers, years before Internet access became commonplace for the general public. These university environments were real "incubators" for hackers, encouraging technical experimentation and the emergence of a native hacker culture.

Early Chinese hackers were largely self-taught technology enthusiasts who gathered on bulletin boards (BBSs) and early websites to exchange tips on programming, network security, and hacking techniques. Initially, efforts were individual and lacked a formal group structure. They relied heavily on ready-made malware, such as the infamous "Back Orifice" Trojan released at DEFCON in 1998, to send spam and perform Distributed Denial-of-Service (DDoS) attacks.

The real turning point, as documented in "A Top-Secret Analysis of China's Hacker X-Files", occurred between 1998 and 2001, a period defined by a series of "patriotic cyber wars" that solidified the collective identity of Chinese hackers. Incidents such as the violent riots against ethnic Chinese communities in Indonesia in 1998 and the bombing of the Chinese Embassy in Belgrade by the United States in 1999 sparked waves of nationalism and anger. In response, Chinese hackers organized themselves, creating the "Chinese Hacker Emergency Conference Center" (中国黑客紧急会议中心) and launching coordinated operations, including website defacements and DoS attacks against Indonesian government targets. The Belgrade event, in particular, led to the rapid formation of the "Red Hacker Alliance" (RHA), a broad coalition of groups including the Honker Union of China (HUC) and the Green Army. According to the report, the term "Honker" (红客) became a common reference for patriotic hackers, a label still in use today to describe the act of patriotic hacking. These Honkers are best categorized as "hacktivists," individuals who use digital tools to promote political or social causes. Their activities were largely aligned with Beijing's geopolitical interests, targeting entities in the United States, Taiwan, and Japan.

While membership figures in the tens of thousands are often cited, such as the alleged 80,000 of the Honker Union or the 3,000 of the Green Army, Benincasa's report makes clear that these figures masked a crucial distinction between a small "core" of active members and a much larger base of registered users on the forums. Gong Wei (Goodwell), founder of the Green Army, cited only 40 core members, while some sources suggested that the core of the Honker Union consisted of only eight. These core members were responsible for technical operations and strategic decisions, and possessed significantly higher levels of technical skill than the larger registered user base, who primarily engaged in forum discussions.


Learning by Doing: The Birth and Development of Live-Fire Skills (Early 2000s - Early 2010s)

For Chinese hackers in the early 2000s, the lack of formal educational pathways for developing technical skills was a significant obstacle. Chinese universities offered very few dedicated cybersecurity programs, and the infrastructure for practical training, such as Capture the Flag (CTF) competitions or bug bounty programs, was scarce or absent.

According to Benincasa, in this institutional vacuum, hacker groups became de facto training academies. Collectives such as the EvilOctal Security Team, the Green Army, and the China Eagle Union established structured, self-managed communities focused on collaboration, knowledge sharing, and skills development. For many, hacking real targets was the primary means of gaining practical experience.

A key influence on this first generation was Taiwanese hacker Lin Zhenglong (林正龙), known online as "coolfire". His "Hacker Entry-Level Tutorial Series" (黑客入门教程系列), published in 1995 and consisting of eight articles, became the first structured hacker training resource available in Chinese. Benincasa's report highlights that key figures such as Wang Yingjian (Casper) of Xfocus and Gong Wei (Goodwell) of Green Army credited Lin's writings with a decisive role in their education and way of thinking. Coolfire's philosophy was based on "defense through offense": the idea that mastering offensive techniques was crucial to understanding and improving one's defensive capabilities. This often involved practice on real systems, as noted by Wang Junqing (la0wang), founder of 0x557, who described how the environment of the late 1990s and early 2000s offered ample room to hone offensive capabilities on "real targets." Coolfire also established an informal code of ethics, his "13 Rules" (Appendix A), which emphasized minimizing damage, avoiding government systems, and restoring affected machines, treating hacking as a means of learning rather than destruction.

Between 1997 and 2002, the Chinese hacker community began developing its own offensive tools. Initially dependent on foreign malware such as the infamous "Back Orifice" Trojan released at DEFCON in 1998, Chinese hackers created "Glacier" (the first domestic remote access Trojan (RAT), developed by Huang Xin (glacier) in 1999) and "X-Scan" (a network vulnerability scanner developed in 2000 by Huang Xin and Yang Yong (coolc) that is still widely used today and praised as "the brainchild of many hackers in China"). These tools lowered the barrier to entry for aspiring hackers and marked a turning point, leading to the creation of a distinctive domestic ecosystem and a break from Western hacker culture. Around the mid-2000s, there was a further shift towards the exploitation of zero-day vulnerabilities, signaling the emergence of a distinctly Chinese approach to developing offensive cyber capabilities.

Talent identification was often informal and driven by personal networks. One example cited is that of Yang Jilong (watercloud) of Xfocus, who was recruited through a CTF-like challenge in 1999. Conferences like XCon, founded in 2002 by Wang Yingjian (casper) of Xfocus and modeled after international events like DEFCON, became crucial platforms for skills demonstration and informal recruitment. Even state agencies, such as the PLA, began using hacking competitions to evaluate and recruit qualified individuals, as in the case of Tan Dailin (wicked rose) in 2005, who was recruited by the Sichuan Military Command through an attack-defense competition.

Benincasa's report introduces the concept of the "Red 40," a group of 40 influential individuals chosen from the approximately 200 core members of the most important hacker groups. These individuals have played significant roles in the evolution of China's cyber landscape over the past two to three decades, founding groups, launching patriotic campaigns, and developing key tools, before assuming senior positions in government and industry.


From outside to inside: professionalization and state integration (2000-2010)

The end of the Honker groups era was gradual, influenced by a combination of factors: the decline of large-scale politically motivated attacks, the dissolution or transformation of many groups, the launch of the first commercial initiatives, and a tightening of the Chinese regulatory framework.

The Chinese government, which had initially tolerated the Honkers' activities because they promoted national unity without directly involving the state in international conflicts, began to show discomfort with the lack of oversight and the potential unpredictability of these actions. As early as May 1, 2001, following the China-US "Cyber War" (triggered by the collision between a US reconnaissance aircraft and a Chinese jet near the island of Hainan), the People's Daily (人民日报), the official organ of the Chinese Communist Party, condemned the young hackers' campaigns as "unforgivable" and akin to "web terrorism." In 2002, on the first anniversary of the China-US Cyber War, the head of the Internet Society of China issued a statement via Xinhua News Agency formally opposing cyber operations launched by any organization or individual "for any reason and in any form."

Faced with these pressures, many groups began to fragment or reinvent themselves. The Green Army was the first major Chinese group to disband, following an internal dispute in 2000. The Honker Union briefly dissolved in 2004 due to declining enthusiasm among senior members, general disillusionment with China's cybersecurity environment, and a shortage of technically qualified members. Other groups, such as the Ph4nt0m Group, posted their last update on Blogger in 2008, citing censorship (the Great Firewall of China blocking Blogger) and "adult responsibilities" as reasons for disbanding, with members complaining that work left them no time to update technical materials. Financial pressures also prompted some groups, such as EvilOctal, to reorganize to generate profit through the sale of books and training materials, or even media deals.

The decline of hacker activism coincided with the rise of China's cybercrime industry, which expanded rapidly in the mid- to late 2000s. In the absence of a mature cybersecurity industry, some former patriotic hackers turned to illicit activities, including the sale of malware, banking fraud and online gambling scams. This period marked a transitional phase between the decline of grassroots hacker activism and the emergence of a more organized cybersecurity industry, which only began to accelerate in the early 2010s.

A legal turning point came with the adoption in 2009 by the Standing Committee of the National People's Congress (NPCSC) of Criminal Law Amendment VII, which expanded the penalties for unauthorized intrusions into computer systems, including provisions targeting those who provided tools that facilitated such intrusions. This led to the shutdown of platforms like Black Hawk Security Network and the arrest of key figures like Tan Dailin (wicked rose), founder of NCPH. In response, in 2011, prominent Honkers, including Gong Wei (goodwell) and Wan Tao (eagle), promoted the "China Hacker Self-Discipline Convention" (中国黑客自律公约) to define community standards and deter cybercrime. In 2012, the Chinese monthly magazine Hacker X-Files ceased operations, symbolizing the end of an era for the Chinese hacker community.

In this changing context, the members of the Red 40 turned to the business world, seizing opportunities in a Chinese cybersecurity sector then perceived as "weak" and "deteriorating." Many took on key roles at established cybersecurity firms like Venustech and Topsec, or at tech giants like Baidu, Alibaba, Tencent, and Huawei. Some founded their own cybersecurity startups, such as NSFOCUS (founded in 2000 by Shen Jiye (沈继业), a former member of the Green Army) and Knownsec (founded in 2007 by Zhao Wei (icbm), Yang Jilong (watercloud), and Fang Xing (flashsky), former members of 0x557 and Xfocus).

At the same time, collaboration with government agencies intensified. In 2009, U.S. diplomats raised concerns that the PRC was "harvesting its private sector talent to strengthen its offensive and defensive network operations capabilities." Topsec and Venustech, among the few mature cybersecurity firms at the time, had close ties to the PLA and the Ministry of State Security (MSS). In 2006, the Network Crack Program Hacker (NCPH) group, led by Tan Dailin (wicked rose), conducted a series of successful cyber espionage campaigns, probably on behalf of the PLA. These "hackers-for-hire" were often paid to complete intrusions.


Where Are They Now? The Rise of Red 40 and Their Enduring Legacy (2010–Present)

The 2010s and early 2020s saw an explosion of exposures of China-linked threat groups, shedding further light on the evolution of China's offensive cyber ecosystem. While early operations were often attributed to PLA units, subsequent disclosures increasingly pointed to the activities of the MSS, which relied more and more on intermediaries in the private sector. This approach was strengthened by the rapid expansion of the Chinese cybersecurity industry, which fueled the growth of a mature hack-for-hire market.

The trajectories of the Red 40 members illustrate this shift. According to Benincasa, their contributions range from direct roles as front-line operators within "front companies" to managing espionage-oriented companies linked to APT groups, to maintaining and adapting legacy tools from the 2000s that remain active in China's cyber arsenal. Notable examples include Tan Dailin (wicked rose), linked to APT41; Zeng Xiaoyong (envymask), a central figure in APT17 (an MSS-related group); and Zhou Shuai (coldface), a Green Army veteran linked to APT27. The 2024 U.S. sanctions revealed that Chinese state-sponsored operations increasingly rely on legitimate, for-profit businesses, such as i-SOON and Integrity Tech, where former Honkers hold executive positions. Wu Haibo (shutdown), former member of Green Army and 0x557, founded i-SOON in 2010. Cai Jingjing (cbird), a Green Army and 0x557 veteran, founded Integrity Tech in 2010.


The "New School" and the Evolution of Talent (2010 - Present)

According to the Benincasa report, the "New School" emerged amid a proliferation of hacking contests, bug bounty platforms and cyber ranges, which redefined the scope and quality of cybersecurity training in China. These developments, formalized in the Ministry of Education's "4+3" model in 2022 (which covers combat effectiveness assessment, software vulnerability discovery, live attack-defense capabilities, and engineering development capabilities, cultivated through hacking competitions, attack-defense exercises, and crowd testing), marked a turning point in the country's cybersecurity talent pipeline. Unlike "old school" hackers who learned on the job through real-world intrusions, this new cohort is trained in simulated and structured environments that replicate operational conditions, minimizing legal and strategic risks. Benincasa's report highlights how Wang Junqing (la0wang), founder of 0x557, observed the shift from honing "offensive cyber skills on real-world targets" to today's CTFs and security competitions.

Red 40 members have played crucial roles as mentors and judges, bridging the gap between emerging talent at the New School and the needs of Chinese industry. Examples include Operation Myth, an experimental cybersecurity training program launched in 2015 by Wang Yingjian (casper) of Xfocus and supported by Qihoo 360. Many Red 40-affiliated companies, such as Chengdu Neusoft Institute in collaboration with i-SOON, have institutionalized talent development through public-private partnerships. The preference for practical skills over academic prestige is evident, as demonstrated by i-SOON's recruitment strategy, which favors students with "live attack-defense" skills over graduates of elite universities.

China's attack-defense ecosystem is booming, with numerous startups offering penetration testing, red teaming and threat intelligence services. This development reflects a broader industrial shift, in which skills honed in competitive hacking environments are increasingly repurposed to build commercial security services. This ecosystem, in turn, is poised to become an increasingly important enabler for Chinese APT actors, as its hack-for-hire market grows alongside a new generation of talent entering an increasingly offense-focused cybersecurity industry. The evolution of the New School's attack-defense ecosystem, including its implications for state-sponsored operations, is explored in greater detail in the CSS Cyberdefense 2024 report "From Vegas to Chengdu."


China's Cyberpower and the "Liminal War"

As noted above, over the last decade China's hacking program has grown rapidly, so much so that in 2023 Christopher Wray, then Director of the FBI, noted that it was larger than that of every other major nation combined. China's growing power and sophistication has produced successes in three main areas: politics, sabotage of critical facilities, and theft of intellectual property on a global scale. China employs integrated operations that combine computer network, electronic warfare, economic, diplomatic, legal, military, intelligence, psychological, military deception, and security tactics to weaken states, make them economically dependent on Beijing, and render them more receptive to a new authoritarian world order with distinctive Chinese characteristics. This is consistent with the so-called "Liminal Warfare," an incremental war in which the spectrum of competition and confrontation with the West is so broad that the battlefield is everywhere and the war is total, as described in the 1999 book Unrestricted Warfare by two PLA colonels.

Informal networks, often rooted in the origins of the Chinese hacker scene, continue to facilitate the sharing of talent, tools and operational capabilities among APT actors.

A 2025 Natto Thoughts analysis of i-SOON's leaked chat logs revealed a long-standing relationship between Han Zhengguang (TB), leader of the Pangu Team, and Wu Haibo (shutdown), CEO of i-SOON, both former core members of 0x557. Widely shared tools such as PlugX, developed in 2008 by Zhou Jibing (whg) and Tan Dailin, have been used by more than ten Chinese APT groups. Reconnaissance tools such as X-Scan (developed by Huang Xin (glacier) in 2000) and ZoomEye (developed by Knownsec), initially designed for security testing, have also been reused for offensive operations.


Political cyber espionage and surveillance operations

Currently, Chinese political cyber espionage and surveillance operations are attributed mainly to the Ministry of State Security (MSS), China's foreign intelligence service. Last year it emerged that a Chinese hacker group, nicknamed Salt Typhoon, had hacked at least nine American telephone companies, giving it access to the calls and messages of top officials. Ciaran Martin, who headed the British cyber defense agency from 2016 to 2020, compared this operation to the 2013 revelations by Edward Snowden, a government contractor, calling it "a strategic espionage operation of breathtaking audacity," as highlighted in his recent analysis titled "Typhoons in Cyberspace." According to Google Threat Intelligence Group, China is increasing its espionage operations by using advanced persistent threat groups like APT41 to combine the distribution of ransomware with the gathering of information: "Deliberately mixing the activities of ransomware with espionage intrusions supports the Chinese government's public efforts to confuse attribution by confusing the activities of cyber espionage with the operations of ransomware." APT41 is said to operate from China and is "most likely a contractor of the Ministry of State Security." In addition to state-sponsored espionage campaigns against a wide range of sectors, APT41 is said to have a long history of financially motivated operations. The group's cybercriminal activity has focused primarily on the video game industry, including the distribution of ransomware.


The use of cyber espionage for electronic warfare

In electronic warfare, hacking is used for sabotage in times of crisis or war. These efforts are led by the People's Liberation Army (PLA), the armed wing of the Chinese Communist Party. In 2023, it was discovered that a China-linked hacker group known as Volt Typhoon had penetrated an extraordinary array of American critical infrastructure over several years, from ports to factories to water treatment plants, across the continental United States and in strategic American territories such as Guam. "Volt Typhoon is a military operation for strategic political and potentially military purposes," says Ciaran Martin. Run by the People's Liberation Army's cyber unit, it involves the insertion of preparatory implants ("digital traps," as some have called them) into all manner of American critical infrastructure. In addition to targeting a US electric utility in Massachusetts in 2023 in a sustained attack aimed at exfiltrating sensitive data relating to its operational technology (OT) infrastructure, Volt Typhoon gained notoriety last year for a series of attacks on U.S. telecommunications, as well as other critical infrastructure globally. The actions of the Volt Typhoon subgroup Voltzite against the Littleton Electric Light and Water Departments (LELWD) prompted the FBI and the security firm Dragos to act jointly, disclosing details of the attack and its mitigation in a case study published in March 2025.


Intellectual property theft through cyber espionage

The most damaging channel for intellectual property theft is cyber espionage. Cyber intrusions allow Chinese companies, in some cases acting under the direction of the CCP or with the assistance of the government (so-called state cyber espionage), to access information on foreign companies' proprietary operations and project financing, as well as to steal IP and technology. China uses government-coordinated and supported cyber espionage campaigns to steal information from a variety of foreign commercial companies, including those in the oil and energy, steel, and aviation industries. Cyber espionage is both a means of stealing science and technology from foreign states and a method of gathering information for potential attacks against the military, government, and commercial technical systems of target countries.

Mandiant Threat Intelligence, one of the world's leading cybersecurity intelligence firms, states that since Xi Jinping's 2016 military and intelligence overhaul, the tradecraft used by China-affiliated cyber espionage groups has steadily evolved, becoming stealthier and more agile. According to Mandiant, Beijing's cyber espionage operations are carried out by both the Ministry of State Security (MSS) and the PLA, but differ in geographic scope, operational alignment, and victimization. While threat groups affiliated with the PLA's Theater Commands, such as Tonto Team, TEMP, and Overboard, focus their operations within their respective Commands' areas of responsibility, MSS-affiliated threat groups, such as APT41, APT5, and APT10, operate across a much broader geographic scope, including the United States, Europe, Latin America, the Caribbean, and North America. Essentially, the MSS conducts domestic counterintelligence and non-military foreign intelligence operations, and supports aspects of political security. Mandiant Threat Intelligence argues that Chinese groups, in an effort to blend in with other threat activity, are increasingly using publicly available malware.

What distinguishes China's cyber espionage activity from that of other states is the national interest pursued and the scope of its operations. Beijing has unique intelligence-gathering requirements, for example regarding Hong Kong, Tibet, and the Uyghur community, and in terms of scale, China's activity is greater. Essentially, Mandiant believes that state-linked Chinese groups conducting compromises exploit more zero-days and are numerically larger than those of other states. Chinese actors use a variety of "initial access vectors" such as phishing via email and social engineering, strategic web compromise and SQL injection. They also exploited zero-day vulnerabilities in 2020/2021 more effectively than any other state. In early 2020, Mandiant observed that one of the most prolific Chinese cyber espionage groups, APT41, had conducted a large-scale campaign exploiting vulnerabilities in corporate networking and endpoint management devices from Citrix, Cisco, and Zoho, successfully targeting more than 75 companies in over 20 countries with operations ranging from aerospace and defense to pharmaceuticals, energy, and utilities. From January to March 2021, at least five Chinese groups exploited the Microsoft Exchange "ProxyLogon" vulnerabilities to gain access to targeted networks. Mandiant also attributed several intrusions conducted between August 2020 and March 2021 in the defense, government, high-tech, transportation, and financial sectors in the United States and Europe to two Chinese clusters, one of which is suspected of having ties to the group known as APT5. The Chinese group dubbed APT10 also reportedly conducted third-party compromise activity through MSPs in North America and Europe. During an investigation into 2019 incidents involving a telecommunications network provider, Mandiant attributed the malware called MESSAGETAP to the APT41 group. Supply chain compromise incidents conducted by Chinese actors from 2013 to 2020 are nearly double those of Russia and North Korea combined. APT41 is also known for large-scale compromises of the gaming and enterprise software supply chain, such as the 2018 campaign targeting ASUS' update utility, dubbed "Operation ShadowHammer" by Kaspersky, which affected more than 50,000 systems.

In the United States, the investigative record on Chinese economic espionage is striking: in 2014, five PLA hackers were indicted for economic espionage. In November 2017, three Chinese hackers who had worked at the cybersecurity firm Boyusec were indicted for stealing confidential business information. In December 2018, two Chinese citizens were indicted for intellectual property theft. In May 2019, there was an investigation into the hacking of Anthem. In February 2020, four military hackers were indicted for targeting Equifax. In July 2020, two hackers associated with China's Ministry of State Security (MSS) were indicted for hacking intellectual property, including COVID-19 research. In September 2020, members of a Chinese hacking group known as APT 41 were indicted. In July 2021, additional hackers were linked to the MSS. The December 2018 indictment was part of a U.S.-led effort to raise global awareness of Chinese cyber espionage. In that case, the campaign, known as Cloud Hopper, consisted of a supply chain attack involving managed service providers such as Hewlett Packard and IBM. The Department of Justice indicted two Chinese nationals who, according to the indictment, were members of a known hacker group operating in China, allegedly worked for the Huaying Haitai Science and Technology Development Company, and acted in conjunction with the Tianjin State Security Bureau of the Ministry of State Security. "The PRC has perpetrated the largest illegitimate transfer of wealth in human history by stealing technological innovation and trade secrets from U.S. and other national corporations, universities, and defense sectors," a White House panel concluded in 2020. In 2017, the Commission on the Theft of American Intellectual Property estimated that intellectual property theft costs the U.S. economy up to $600 billion annually, significantly impacting jobs and innovation. This figure approaches the Pentagon's annual national defense budget and exceeds the total profits of the top 50 Fortune 500 companies.


The Role of Universities in Chinese Cyber-Espionage

Chinese universities also collaborate with the PLA and the MSS to carry out state-sponsored cyber espionage. Shanghai Jiao Tong University helps conduct operations for the Chinese military. Zhejiang University and the Harbin Institute of Technology are recruiting grounds for Chinese hackers. Xidian University provides its students with hands-on experience at a provincial MSS bureau and also had a relationship with the Third Department of the PLA General Staff before it was reorganized into the Department of Network Systems in 2015; its graduate program is jointly administered with the Guangdong Bureau of the China Information Technology Security and Evaluation Center (or Guangdong ITSEC), an MSS bureau that operates a prolific contract hacking team.

Southeast University has a long-standing relationship with the security services and jointly operates the Purple Mountain Lab with the PLA Strategic Support Force, where researchers work together on "important strategic requirements," computer operating systems, and interdisciplinary cybersecurity research. The university also receives funding from the PLA and MSS to support the development of China's cyber capabilities. Shanghai Jiaotong University's (SJTU) cybersecurity degree program is taught at a PLA information engineering base; its Cyberspace Security Science and Technology Research Institute, home to the Network Confrontation and Information System Security Testing program, conducts research that enables cyber operations. Under this program, SJTU says it works on "testing and evaluation of networks and information systems, security testing for smart connected networks, APT attack and defense testing, and key cybersecurity technologies."

MSS partner universities for talent recruitment include the China University of Science and Technology, Shanghai Jiao Tong University, Xi'an Jiaotong University, Beijing Institute of Technology, Nanjing University and Harbin Institute of Technology. Some Chinese cybersecurity companies, such as Beijing TopSec, cooperate with the PLA on intelligence, hacking campaigns, operator training and the education of future hackers.


The global impact of Chinese cyber espionage

Such cyber intrusions therefore pose a fundamental threat to the economic competitiveness and national security of the affected states. In June 2024, the Dutch Military Intelligence and Security Service (MIVD) stated that Chinese cyber espionage is more extensive than initially thought and is targeting Western governments and defense companies. MIVD specifically stated that a Chinese state-backed hacker group responsible for a cyberattack on the Dutch Ministry of Defense in 2023 had caused at least 20,000 victims worldwide in just a few months, and possibly many more. In 2018, the Czech National Cyber and Information Security Agency (NUKIB) issued a public warning about cybersecurity risks related to China. Since then, the country has developed one of the most stringent FDI screening mechanisms and significant cybersecurity capabilities against Beijing. It is also working on responses to foreign information manipulation and interference.

According to U.S. prosecutors, dozens of European parliamentarians have been targeted by Chinese cyberattacks in recent years. In March 2024, the U.S. Department of Justice issued an indictment alleging that Chinese hackers with ties to China's spy agency, the Ministry of State Security (MSS), targeted "every European Union member" of the Inter-Parliamentary Alliance on China (IPAC), a coalition of lawmakers critical of Beijing. According to the indictment, in 2021 the hackers sent "more than 1,000 emails to more than 400 unique accounts of individuals associated with IPAC" in an attempt to collect data on the members' internet activity and digital devices.


Conclusion

In conclusion, China's experience offers valuable insights into how decentralized cyber collectives can evolve into institutionalized resources and how governments can recognize, engage, and integrate informal talent into national cyber strategies. The Red 40 didn't just staff China's cybersecurity ecosystem; they shaped it from the ground up, demonstrating that what begins in anonymous forums can end up in boardrooms and digital battlefields.

