Show Notes

Cold Open

 

A quick note before we get started. This is part two of a four-part series, which charts how China built one of the world’s most advanced cyberwarfare programs. You don’t necessarily have to listen to these episodes in order, but you’ll get more out of it if you do. And now…on with the show. 

 

The following presentation is not suitable for young children. Listener discretion is advised.

 

Tan Dailin was riding his bike back to his dorm room when he noticed a crowd of people outside an electronics store. He pulled over, curious.

 

The crowd was watching a wall of televisions, which were all tuned to a state news program.

 

Today, Japanese Prime Minister Junichiro Koizumi pledged to make yet another visit to Tokyo’s Yasukuni shrine later this fall, the anchor said. This so-called memorial commemorates Japan’s war dead, including 14 war criminals who committed unspeakable atrocities against our comrades in Nanking during the Second World War.

 

The news cut to photos of Japanese soldiers standing next to piles of bodies of Dailin’s fellow Chinese. Then it cut back to Koizumi laying a wreath on the shrine.

 

It was a slap in the face. Dailin was furious. And he was going to do something about it.

 

Dailin pumped the pedals and sped through the streets of Chengdu. He began planning his attack. Surely the Yasukuni shrine had a website. He could hit it with a DDoS attack. Or deface it with the Chinese flag. Maybe add a patriotic slogan, too.

 

Dailin arrived at his dorm, locked up his bike at the bike rack, and walked into the lobby. There, he saw two uniformed military officers.

 

Mr. Dailin? Can you come with us please?

 

Dailin was confused. What the hell did the military want with him? But he knew he couldn’t refuse the request.

 

He tried not to panic. The officers escorted him to a car that was waiting outside. The three men got in the back seat, and the driver pulled the car into traffic.

 

Twenty minutes later, the car arrived at a military facility. The sign outside read “1st Technical Reconnaissance Bureau.” What the hell was going on?

 

The officer brought Dailin inside to an office, where a colonel was waiting. The colonel motioned for him to take a seat.

 

You’re quite the hacker! You know that crime carries the death penalty, yes?

 

Dailin’s heart nearly stopped. I only hacked enemies of the state! I’m a patriot!

 

The colonel smiled.

 

You’re not in trouble.

 

So…why am I here?

 

We’re putting together a little competition next month.

 

But I’m no soldier.

 

Not yet. But we’d like you to participate, along with your friends. There’s a big cash prize.

 

Dailin knew he didn’t have a choice here, either.

  

A month later, Dailin and his hacker friends found themselves inside a cavernous room at the Reconnaissance Bureau. It was filled with rows and rows of computers—some with red stickers, some with blue. Most were occupied by soldiers in uniform, but there were a handful of civilians like Dailin.

 

Dailin and his hacker friends took their seats at a bank of computers with red stickers. Next to them was another hacking team, all soldiers in uniform.

 

You guys from around here? Dailin asked. But the soldiers just smirked and said nothing.

 

Soon, the colonel walked up to a podium and addressed the group.

 

Welcome. This is a Network Attack and Defense Competition.

 

He pointed to a bank of nearby servers.

 

For the purposes of this exercise, these servers are controlled by the Taiwanese government. Those of you on the red team are tasked with hacking into it. Those of you on the blue team are tasked with defending it. Good luck.

 

With that, the competition began. Dailin and his team began typing furiously at their keyboards. They barely had time to think.

 

Their enemies, the blue team, were good. Dailin was no slouch—one of the best hackers at Sichuan University, in fact. But Team Blue’s members were professionals who’d spent years in intensive training.

 

The day went on like that—Dailin and his buddies cracking their way into the servers, then getting kicked out, then doing it all over again.

 

After eight exhausting hours, Dailin and his friends watched the colonel walk up to the podium.  

 

The winner is…the Network Crack Program Hacker Group and Tan Dailin!

 

They let out a surprised cheer.

 

Dailin knew this was just the beginning of a new journey in his life—a journey that would see him become one of the most wanted hackers in the world.

 

On this episode: diplomatic incidents, patriotic hackers, the Chinese military, industrial espionage, online heists, and the civilian side of China’s hacking program. 

 

I’m Keith Korneluk and you’re listening to Modem Mischief.

 

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of Wicked Rose and part two of our series on Chinese hacking.

 

Act One


Lieutenant? Two F-8s inbound.

 

In April 2001, US Navy Lieutenant Shane Osborne was behind the controls of his EP-3 spy plane, which had been intercepting signals intelligence from Hong Kong.

 

Copy. We’re just about done with the outbound leg. Let’s just turn her around and head back to Okinawa.


Osborne put the plane on autopilot. Then, two Chinese fighter jets appeared on the radar. They were quickly gaining on the EP-3 from the rear. At 100 ft away, the jets maintained speed.

 

But then, one of the F-8s gunned its engine and accelerated right at the EP-3’s tail.

 

SFX: jet acceleration

 

It pulled to a stop just ten feet away, close enough for the crew to see the pilot. He saluted. They recognized him, though they didn’t know his name. He’d pulled stunts like this before. 

 

The pilot eased the throttle and dropped back to join his wingmate.

 

SFX: jet deceleration

 

But a few moments later, the F-8 gunned its engines again. 


SFX: jet acceleration


This time, the pilot pulled up alongside the EP-3. The space between the wings was just five feet, narrow enough to jump across.

  

Shit! He almost hit us!

 

Osborne saw the Chinese fighter pilot mouth something to them but couldn’t make it out. Then the F-8 decelerated back to its trailing distance.

 

SFX: jet deceleration

 

Maintain course. He’s probably going to try it again.

 

SFX: jet acceleration

 

SFX: warning siren 


SFX: plane collision

 

The F-8 smashed into the EP-3’s propeller. The jet was instantly sheared in half. The pilot didn’t have time to react. Osborne watched it plummet into the sea below. He felt sick to his stomach, but there was no time to think about that now.

 

Wind rushed through the cabin. The instruments were out.  The plane was losing altitude.

 

PREPARE TO BAIL!

 

Osborne yanked back the controls. The rest of the crew of 24 began lining up, ready to jump into the sea. None expected to survive.  

 

Finally, at just 7,000 ft., Osborne stabilized the plane.

 

Back to your positions. Status report!

 

We’re down two propellers and an engine. 

 

Osborne went over his options. Too far to make it back to Okinawa. Vietnam was 180 miles away, but they’d have to limp along at low altitude the whole way. He thought about ditching over the ocean, but that was suicide. The plane was overladen with fuel, and he had no flaps to slow it down.

 

The closest landing spot was Lingshui Air Base on Hainan Island. Chinese territory. 

 

He reached for the radio.

 

Lingshui? We’re in bad shape. Request permission to land.

 

After a long pause, there was finally a response.

 

Granted.

 

Osborne addressed the crew.

 

OK people. I need you to get rid of anything on this plane that we don’t want falling into Chinese hands.

 

The crew jumped into action. One opened the emergency hatch and began tossing documents into the sea. Another picked up an axe and began smashing everything in sight—computers, briefcases, cryptography keying materials. It was the best they could do.

 

The “Hainan Island” incident started the first of many hacker wars between China and its enemies. The pilot of the F-8 fighter jet that collided with the EP-3, Wang Wei, died in the crash. Both countries blamed each other. China detained the American crew while its investigators combed through the wreckage of the plane.

 

In response, outraged American patriotic hackers defaced over 65 Chinese websites.


But China had its own patriotic hackers, thousands of young men raised on state propaganda, with access to computers and the skills to circumvent the country’s censorship tools. The Chinese government turned a blind eye to these hackers so long as their hacks coincided with China’s foreign policy goals. Mostly. 

 

In response to the American cyberattacks, China’s patriotic hackers conducted an all-out “Hack the USA Week” in May 2001, during which they assaulted more than 1,000 US government websites, including the White House, the US Air Force and the Department of Energy. They would use DDoS attacks, or they would replace a website’s front page with the Chinese flag. Or, they might upload a tribute to Wang Wei. Or, they might put up a slogan like, “Down with American Imperialism.”


Over the next few years, more hacker wars would follow: patriotic Chinese hackers would volunteer their time to attack targets in Indonesia, in Taiwan, and in Japan.

 

Tan Dailin was one of them.


Most of Tan Dailin’s biographical information comes from his personal blog—that’s right, like many hackers we’ve covered, Dailin kept a public record of his hacks, as well as his life. 

 

He was born in 1984, probably in Sichuan province. He grew up poor. His parents couldn’t afford a computer. Even so, he was fascinated with coding and programming. He borrowed instruction manuals from the school library, and he wrote out his code with pencil and paper. He didn’t actually get to use computers until college.

 

At just 16 he began attending universities around Sichuan province. He thought of them as “third-rate.” He had no interest in academics, just computer programming. But soon, he discovered that these “third-rate universities” were also home to a large and thriving patriotic hacking scene.

 

During Dailin’s undergrad years, he quickly distinguished himself in programming competitions. Soon, he was invited to join a crew of patriotic hackers, called “the Evil Octal Security Team.”

 

Dailin began using a hacker alias, Wicked Rose. It also can be translated as “Withered Rose.”

 

Little is known about the Evil Octal Security Team’s early activities. They likely participated in the US-China hacker war in 2001, and probably in some later ones. They also claimed that Evil Octal hacked “40%” of other Chinese patriotic hacking groups, a claim that seems farfetched.

 

While these biographical details are still uncertain, they do point to a recurring theme in Tan Dailin’s life: conflicting motivations.

 

On the one hand, he was a patriot who volunteered his computing skills to defend his country’s honor. On the other, he was still a hacker. And like hackers everywhere, he wanted to prove himself to his peers.

 

One way he did that was by using his coding expertise. Dailin was friends with another student named Zhou Jibing, a coding expert. Together, they developed a specialized hacking tool.

 

Hidden inside a harmless-seeming Word document was malicious code, a rootkit, which would give them backdoor access into whichever computer opened that document. All Dailin needed to do was email their target an infected document and entice them into opening it. They called their rootkit GinWui.

 

In 2005, Dailin enrolled in graduate school at the Sichuan University of Science and Technology, where he lived in a dorm with several other grad students, all computer programmers and part-time hackers.

 

They called themselves the Network Crack Program Hacking Group—yeah, it’s a mouthful for me too.

 

Apart from Tan Dailin, a.k.a. Wicked Rose, the members’ real names have never been known. They went by aliases like “KuNgBim,” “Charles,” and “Rodag.”

 

In the summer of 2005, Tan Dailin’s activities got the attention of the People’s Liberation Army. As we covered in part one, this was just six years after the publication of Unrestricted Warfare, which encouraged the military to use all kinds of hackers for its own ends—military, patriotic, and even criminal.

 

The Chinese military “invited” Tan Dailin and the NCPH to participate in a Network Attack and Defense Competition, which they won. Then, they competed in a regional competition, which they also won. After that, the Chinese military put Dailin and his pals through an intensive 30-day hacking training course, where they practiced hacking techniques and sparred with Chinese military hackers for 16 hours a day. By the end, they were fully-fledged hackers ready to work for the government.

 

Their next step was to start a company, which they called CNASM. Officially, it was a software company that provided hacking tools for the Chinese military—and Dailin and his friend Zhou Jibing did do that. They developed a variation of their GinWui rootkit tool called PlugX. It would later be used by dozens of hacking groups affiliated with the Chinese military. 

 

But unofficially, CNASM was a front company that contracted with the Chinese government. 

 

For Dailin, contract hacking on behalf of the Chinese government was quite different than his patriotic hacking. No more website defacements or DDoS attacks. Now, they’d be penetrating computer systems and stealing documents. 

 

Overall, Dailin and his pals were making a few hundred dollars a month—in China, a full-time salary. In the spring of 2006, Dailin dropped out of Sichuan University to pursue government hacking full-time.

 

In May 2006, the NCPH had its first target: a “large entity within the Department of Defense,” most likely the Pentagon.

 

Dailin and his team found Pentagon employees’ email addresses by Googling them. Next, Dailin and his team sent emails with Microsoft Word attachments, all with the same innocuous title: “Planning document 5-16-2006.doc.” In reality, these fake planning documents were laced with PlugX.

 

A handful of unwitting Pentagon employees opened the document, and that was all Dailin needed to steal thousands of American government documents.

 

After their first wave of attacks was successful, the Chinese army tripled Dailin’s funding. Dailin developed even more attack vectors into Microsoft Office, 35 in all. Then they developed Microsoft Excel and PowerPoint exploits, too.

 

But while some DoD employees were duped, others didn’t fall for it. Almost immediately, the US government began an investigation into these mysterious emails.

 

One day in late fall 2007, an email arrived in Dailin’s inbox.

 

Mr. Dailin, my name is Simon Elegant. I’m a correspondent for Time Magazine and I’d like to interview you about your hacking.

 

Dailin’s blood froze. Who the hell was this journalist, and how had he found him?

 

He considered ignoring the email, but that was too risky. He had to find out what this journalist knew.

 

So, weeks later, Dailin and seven members of the Network Crack Program Hacker Group were sitting around a table in the back of a Chengdu hot pot restaurant, next to a middle-aged British journalist with thinning hair and glasses.

 

Nice to finally meet you…er, shall I call you Mr. Dailin, or do you prefer Wicked Rose? 


Dailin grimaced. Wicked Rose is fine. 

 

What shall I call the rest of you?

 

His friends agreed to use codenames only. They went around the table and introduced themselves:

 

Blacksmith

Firestarter

Fisherman

Floorsweeper

Chef

Plumber

and Pharmacist.

 

Elegant looked amused.

 

Why don’t you start with a rundown of your hacking activities?


Dailin told Elegant about the formation of the NCPH, how they’d hacked 40% of other Chinese patriotic hacking groups, how their hacking tools were top sellers.

 

Ah, so you’re paid to do this. Do your clients include the Chinese military?

 

Dailin swallowed.

 

We don’t disclose our clients.

 

The report also covered a series of hacks against the Department of Defense. Do you know anything about them?

 

Whoa, hang on, Floorsweeper interrupted. We read about arrested terrorists, about Guantánamo. Who gets away with messing with the U.S. government?

 

Wicked Rose, are you aware that the US government has identified you as one of those responsible for these hacks?

 

Elegant slid a folder across the table. Inside was a report from a cybersecurity company called iDefense. In it, Dailin saw his hacker alias Wicked Rose, and even their pictures!

 

Dailin gasped.  

 

The pictures were screenshots, all taken from the blog. That fucking blog. A rookie mistake, one he vowed never to make again.

 

Is…the FBI going to send special agents to arrest me?

 

Elegant smiled. Relax, you’re outside their jurisdiction.

 

But Dailin couldn’t relax. He’d been identified. He knew the Network Crack Program Hacking Group was finished.  

 

In the days after their meeting with Elegant, Tan Dailin and his friends scrubbed every trace of themselves from the Internet—the blogs, the NCPH website, and the website for their software company, CNASM.  

 

They weren’t finished hacking—far from it. But now they’d have to figure out their next move.

 

And soon, Dailin would cross a line that would find him in deep trouble. 

 

Act Two

 


About two years later, the now 25-year-old Tan Dailin was sitting in his cramped Chengdu apartment.

 

Since the Network Crack Program Hacking Group dissolved, things…hadn’t gone well. While he and his pals still made some income by selling their hacking tools, the contracts with the Chinese military dried up. The military didn’t look favorably on hackers who were publicly identified in American magazines. 

 

So, without government work, Dailin was forced to get his hands dirty.

 

He’d spent months hacking a network of servers to get them under his control. Today, he used them to launch a Distributed Denial of Service attack against the website for HackerXFiles, a popular Chinese hacking magazine. Dailin launched a tsunami of meaningless data at the site, effectively shutting it down.

 

Next, he wrote an email to the editor-in-chief.

 

I’m the one who’s pwning your site. If you want me to take my foot off your throat, pay me 13,000 yuan.

 

He hit send, but he didn’t feel satisfied. Shaking down other hackers was a far cry from being a valued hacker contracting with the military.

 

Suddenly, there was a knock at his door. Strange, he wasn’t expecting visitors.

 

He opened the door to find two police officers.

 

Mr. Dailin? You need to come with us.

 

Shit. Not again.

 

The cops cuffed him and took him downstairs to a squad car. As they drove through the city, Dailin thought about how much trouble he might be in.

 

At the station, he was brought to an interrogation room and made to wait for what felt like hours. Finally, two detectives entered and took their seats.

 

Mr. Dailin, are you familiar with Hackbase or 3800hk? Or the magazine HackerXFiles?

 

Nope, he lied.

 

Two are hacker forums, and the third is a popular hacking magazine. And we’ve received multiple complaints that you’ve extorted them.


Why do you care what happens to a hacking forum or a hacking magazine?


All forms of hacking are illegal, Mr. Dailin.

 

Look, I used to work for the army. I’m sure if you get in touch with them, they’d vouch for me.

 

That won’t be necessary. Someone’s here to see you.

 

With that, the door opened. A middle-aged man in a suit entered and sat down. His expression gave away nothing.

 

Mr. Dailin, I’m with the Ministry of State Security. There are two ways this can go. Either you spend the next seven and a half years behind bars…or, you can cooperate with us.


Just like that, he was back in the game.

 

China’s Ministry of State Security is essentially the country’s top domestic spy agency and secret police. In terms of running hacking programs, it was the People’s Liberation Army’s top rival within the Chinese government. 


The army might have cast Dailin out, but the MSS was happy to scoop him up. The MSS knew all about his blackmail, yes, but also his work with the army. Creating and selling hacking tools, hacking the Pentagon, and stealing intellectual property.  

 

The MSS could use that.

 

By 2009 and 2010, China was several years into its ongoing cyberwar against the West. While earlier campaigns had focused on stealing American and European military secrets, these days the program was targeting most sectors of the economy—technology, healthcare, travel, automotive, energy, telecommunications, media, and even video games.

 

For Dailin, it was a second chance at lucrative government contracts. He wasn’t going to pass it up.

  

Like before, he didn’t go to work directly with the MSS. He got a job at a company called Yanlong Tech, where a few of his old hacker friends were already employed. The company was founded in 2007 and claimed to be a video game developer and publisher located in Shanghai. 

 

In reality, Yanlong Tech was a front for cybercrime—specifically, hacking online video games. It wasn’t even located in Shanghai. That was another smokescreen. Its real offices were in Chengdu.

 

Dailin only spent one year at Yanlong Tech, but it was a pivotal year in his life. Before, Dailin had been a patriotic hacker, a government spy, and a blackmailer. Now, he was evolving into something else entirely: a cybercriminal.

 

Dailin left Yanlong Tech and started his own company, Anvisoft. It claimed to be an antivirus company, but just like Yanlong Tech and CNASM before it, this was a front for cyberespionage—and now, cybercrime.

 

Dailin worked the standard “996” lifestyle: working from 9am to 9pm, six days a week. It was common for those in China’s tech sector, as well as for Chinese hackers. During work hours, he did contract hacking for the Chinese government.

 

In 2013, they began taking on government-sponsored hacking projects. Part of China’s 12th Five Year Plan, which was enacted in 2011, was to develop high-end technologies—or in reality, to steal them from companies that had already developed them. 

 

They targeted companies that made computer components like motherboards, processors, and server solutions, as well as components used for machine learning. They hacked companies that made autonomous vehicles, and companies that provided cloud computing services.

 

But in his off hours, Dailin and his coworkers would commit cybercrimes. Like they had at Yanlong Tech, they often targeted video game companies. Once again, Dailin was following conflicting motivations, which changed depending on the time of day.

  

Typically, they would use a Trojan horse to get into a game company, then target its production servers. There, they could steal the game’s source code, then analyze it to discover security flaws.

 

Often, their goal was nothing more than manipulating in-game currency. Lots of online video games have currencies that players can either earn by playing or purchase through the online store—these unlock upgrades, better powers, alternate outfits, and all kinds of other things.

 

Since these in-game currencies cost real-world money, that made them valuable. All a hacker had to do was hack the in-game currency and deposit an unlimited amount of it into their account. They could then turn around and sell that currency to other gamers for easy profit. They could often clear hundreds of thousands of dollars at a time.

 

Dailin and his crew didn’t sell the currency themselves. Too risky. Instead, they sold the stolen video game currency to third parties in places like Malaysia, who would then sell it on the black market.

 

One of their first targets was mgame, a South Korean video game publisher behind titles like the MMORPG “Knight Online,” or “Online Bomberman.” In their first year, Dailin and his team would hack into 35 different video game companies—or, at least, we think he did. It’s impossible to prove that Dailin was actually behind the keyboard for any of these attacks.

 

In 2015, one year after founding Anvisoft, Tan Dailin founded yet another tech company called Chengdu 404. It claimed to be a white-hat network security company that served the public and military sectors. In reality, it was another front for their hacking.

 

Dailin put a computer programmer named Qian Chuan in charge. Like Dailin, Chuan was a graduate of Sichuan University. Was he one of Dailin’s roommates from the Network Crack Program Hacking Group days? Possible, but never proven.

 

The cybersecurity community was well aware of these attacks. It hadn’t forgotten about Wicked Rose and the Network Crack Program Hacking Group’s attacks in 2006 and 2007. The community knew that Wicked Rose/Tan Dailin was likely still active, and it tried to follow him across cyberspace. 

 

But Dailin made that difficult. He’d learned from his mistakes. He no longer kept a blog of his hacking activities, and he covered his online tracks.

 

All the cybersecurity community knew was that a new group of Chinese hackers was breaking into video game and tech companies—and given their level of sophistication, it was likely state-sponsored. Many cybersecurity companies opened investigations into them. As usual, each company gave the group its own name. 

 

Kaspersky Labs called it “Winnti.” Microsoft called it “Barium.” CrowdStrike called it “Wicked Panda.” FireEye gave it two names: Advanced Persistent Threat Group 41, and “Double Dragon,” thanks to the seemingly dual motivations of the group: espionage and crime.

 

From 2015 to 2019, the cybersecurity community watched as APT 41/Double Dragon continued its reign of terror against video game companies and tech companies, and more. 

 

In one case, they hacked into an American retail company that was negotiating a partnership with a Chinese company—most likely, that company hired the hackers to dig up intel on their potential American partner.

 

The group dabbled in ransomware, too—essentially, infecting a computer with malware that encrypts the files on its hard drive, then demanding a ransom to unlock them. One of Double Dragon’s ransomware targets was a nonprofit group that aimed to alleviate global poverty.

 

Occasionally, Double Dragon even participated in real-life espionage operations, likely for the Ministry of State Security. When a group of Chinese diplomats was scheduled to visit a hotel, the hackers broke into the hotel’s reservation system weeks in advance to keep tabs on the guest list.

 

Then, there were the pro-democracy activists in Hong Kong.

 

In China, Hong Kong is an anomaly. A former British colony, it was handed over to the Chinese in 1997, under several conditions. Hong Kong would preserve its capitalist economy. It would continue to be a democracy. It would observe the rule of law, freedom of speech, and the right to protest. 


All of this was guaranteed until 2047. Naturally, this created tension between Hong Kong and the Chinese Communist Party.

 

In August 2014, Hong Kong’s National People's Congress passed a law that gave Beijing the final say on who could be Hong Kong’s top elected official. This was met with widespread outrage.

 

On September 26, 2014, at about 10:30 p.m., one of the student protesters, Nathan Law, was addressing a crowd of about 100 of his fellow protesters, along with his fellow organizers, Joshua Wong and Alex Chow.

 

Congress’s decision is a disgrace! And now, the government has blockaded Civic Square! That is a public meeting place. I say we march over there right now and occupy it!

 

The group cheered. Nathan hadn’t planned any of this. They certainly didn’t have a permit for a public protest. But it just came out of his mouth. There was no going back now.

 

They marched through the streets of Hong Kong, inviting others to join them. White-collar workers, blue-collar workers, and other activists followed the crowd.

 

They arrived at Civic Square, where police had erected barricades around the space.

 

Scale the fences! Nathan shouted. The protesters climbed over the barricades and took seats on the raised circular platform in the center of the plaza.

 

Nathan was elated. It was working! The government would have to take notice of them now.

 

But then, he noticed several protesters coming towards him, taking handcuffs out of their pockets. Undercover cops!

 

It was too crowded to run away. The cops soon caught up to him. They dragged him away, along with Joshua and Alex, and slammed them against the wall.

 

More cops descended on the scene and pepper sprayed the crowd.

 

Disperse! Disperse!

 

The protests continued for another few months, and came to be known as the Umbrella Movement. The three ringleaders were put on trial in 2017. All three were sentenced to several months in prison. Anyone who participated in the protests was also barred from holding public office for the next five years.

 

And throughout it all, Double Dragon was monitoring the whole thing. During the trial, the hackers successfully spear-phished their way into the accounts of several Umbrella Movement members. They used these to anticipate when the Umbrella Movement would stage its protests—and stop them before they could get started.

 

From 2012 to 2019, Tan Dailin and his colleagues achieved success after success. But the American government was watching, and now it was willing to act.


Act Three

 

Boss? There’s a problem.

 

Come in and close the door.

 

32-year-old Ling Yang Ching did as he was told. Then, he took a seat, opened his laptop, and showed it to his boss—46-year-old Wong Ong Hua.

 

The Malaysian businessman didn’t like what he saw. He was the CEO of SEA Gamer Mall. It’s an e-business that provides all kinds of digital services for popular video games like PUBG and World of Warcraft—these services include everything from selling playing time on the games’ servers, to selling gift cards that can be used to purchase in-game items and currency, to selling CD keys, music, special avatars, and more. It also traded in in-game currency.

 

But Ling wasn’t looking at SEA Gamer’s main site. He was looking at a secondary site that Wong had built for a special purpose. A site known only to them.

 

Ling had come to Wong a few months earlier in confidence. A mysterious supplier could provide him with stolen video game currency. Ling could sell it on the black market at a huge discount. He just couldn’t use SEA Gamer Mall’s main site. He needed Wong to build one.

 

All Wong knew was that the supplier was some kind of hacker. Wong never questioned where this stolen video game currency came from. He’d known not to—Ling had sworn him to secrecy, and promised him a healthy cut of the earnings. That was fine with Wong.

 

But right now, things weren’t fine. On the laptop, Ling was displaying the account where they kept the cryptocurrency the hacker paid them. And right now, it was empty.

 

Ling swore. Have we been hacked? Those bastards wouldn’t hack us, would they?

 

You would know better than I would!

 

We have to stay calm. We’ll get to the bottom of this.

 

Before they could think of what to do next, there was a knock at the door. Ling got up and opened it. Standing there was the company’s top lawyer, as well as a group of plainclothes police officers. The lawyer looked nervous.

 

Sir, these gentlemen and ladies are from the Bukit Aman.

 

The Bukit Aman is Malaysia’s federal police. And now, Ling and Wong knew why their account had suddenly been emptied.

 

The head of the Criminal Investigation Department, Huzir Mohamed, stepped forward.

 

Would you come with us to the station please?

 

The rest of the employees watched in shock as the police led their CEO and their chief product officer out of the building.

 

At the station, Ling and Wong were brought to separate interrogation rooms. Huzir Mohamed took a seat across from Wong, the younger product officer.

 

Let’s talk about your side business selling virtual coins on the black market.

 

Look, I was ordered to do it, OK? My boss said I could lose my job.

 

That’s no excuse. We know you’ve defrauded dozens of companies.

 

But none of them were in Malaysia!

 

That’s the thing. We’re not the ones charging you. America is. The Ministry of Home Affairs has already agreed to cooperate. You’re going to be extradited to face trial in America.

 

Mohamed slid a piece of paper across the table, outlining the extradition agreement.

 

Yang’s knew legal ordeal was just beginning.

 

But let’s back up a bit and track how we got here.

The cybersecurity community had been monitoring the group known as APT 41, or Winnti, or Barium, or Wicked Panda, since at least 2012. Various cybersecurity companies, like Kaspersky Lab, CrowdStrike, and Microsoft’s Threat Intelligence Center, had published reports detailing this group’s hacks.

But FireEye’s 2019 report was by far the most comprehensive, and the Trump Administration was all too eager to use its information.

The US government has worked closely with cybersecurity companies for years, often relying on their research as the starting point for its criminal investigations. George W. Bush’s and Barack Obama’s Justice Departments had both shown a willingness to prosecute Chinese hackers and spies, but the Trump Administration took things up to another level.

By 2019, Donald Trump had spent years characterizing China as not just America’s enemy, but a threat to freedom and democracy everywhere. Trump even picked a trade war with the country early in his presidency. Prosecuting hackers was just another way to punish China.

The US had wanted to prosecute this group for years. And when a tip arrived from an ally, it gave the US the evidence it needed to begin a criminal prosecution.

Taiwan’s Investigation Bureau received a complaint that three Taiwanese companies had been hacked by Chinese hackers. Taiwanese law enforcement analyzed the malware the hackers were using and determined it was likely APT 41.

The Taiwanese knew the Americans were keen on punishing Chinese hackers these days. So, they tracked the hacks and discovered that the hackers used American servers as go-betweens to conduct their criminal activities. This gave America jurisdiction over the case. Taiwan, always happy to earn favor from the US, passed along the tip.

The American justice system launched a subsequent investigation. It was coordinated by the U.S. Attorney’s Office for the District of Columbia, the National Security Division of the Department of Justice, and the FBI’s Washington Field Office, with assistance from the FBI’s Cyber Division.

Investigators combed through the tangled mess of proxy servers and go-betweens the Chinese hackers used to cover their tracks until they landed on Chengdu 404, the white-hat network security company that served the public security and military sectors—and the front company for much of APT 41’s activities.

Soon, they were able to identify five of its members: Tan Dailin; his possible former associate from the Network Crack Program Hacking Team, Qian Chuan; and three others: Zhang Haoran, Jiang Lizhi, and Fu Qiang.

They also identified Ling Yang Ching and Wong Ong Hua, the SEA Gamer Mall CEO and product manager from Malaysia who were selling the stolen video game currency.

It’s not clear how exactly the FBI identified them—but given how the cybersecurity community had been able to connect Tan Dailin and others to their various front companies throughout the 2010s, it probably wasn’t too hard.

The question was, what to do about them? It was all but impossible that they would actually be able to arrest Tan Dailin or any of his associates. The Chinese government would never hand them over. The next best thing to do was name and shame them by issuing criminal charges.

In August 2019, the Justice Department handed down its first indictments: Zhang Haoran and Tan Dailin were charged with 25 counts of conspiracy, wire fraud, aggravated identity theft, money laundering, and violations of the Computer Fraud and Abuse Act.

The following year it charged Jiang Lizhi, Qian Chuan, and Fu Qiang with nine counts of racketeering conspiracy, conspiracy to violate the CFAA, substantive violations of the CFAA, access device fraud, identity theft, aggravated identity theft, and money laundering. That month, it also issued a third indictment against Ling Yang Ching and Wong Ong Hua.

Altogether, these indictments identified over 100 victims of APT 41/Double Dragon.

Besides the United States, Double Dragon’s hackers compromised targets in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore, South Korea, Taiwan, Thailand, and Vietnam.

While putting together their case, the FBI worked closely with multiple Internet service providers and telecommunications companies to shut down the hackers’ channels. It also worked with Microsoft to close some of the zero-day exploits the hackers used in their malware.

For the DoJ, it was a banner day, exposing the hackers’ crimes to the world. But of all those indictments, the only people actually arrested were Ling Yang Ching and Wong Ong Hua.

The five Chinese hackers named in the indictments remained out of reach, and it was likely to stay that way. In fact, the indictment itself noted that the DoJ had intercepted communications between the hackers. In one exchange, a hacker bragged about their close relationship with the Ministry of State Security.

I’ve been working with them for years, he said. I’m basically untouchable.

Act Four

In June 2020, Tan Dailin walked into his home office. He still wasn’t used to working from home, but the global COVID-19 pandemic made that a necessity.

He sat at his computer and booted up. He started his day by scanning the news—both Chinese and American. Soon, something caught his eye.

It was an article about the United States’ plan to issue unemployment benefits for those who lost their jobs due to the COVID shutdowns.

Dailin sensed an opportunity. He emailed the link to his team, along with a note.

Let’s look into this.

Or, maybe Tan Dailin did none of that. Like we said earlier, ever since he stopped writing his blog in 2007, it’s difficult to pin specific crimes on him.

What we do know is that after the American indictments, the group known as APT 41, of which Tan Dailin is allegedly a key member, continued its activities.

Beginning in early 2019, around the time the first indictments were issued, APT 41 began yet another extensive intellectual property theft campaign—something it hadn’t done since 2015.

This time, they targeted over 30 multinational companies within the manufacturing, energy, and pharmaceutical sectors. Altogether, they stole hundreds of gigabytes of intellectual property. These included everything from diagrams of fighter jets, helicopters, and missiles, to formulas for drugs to treat diabetes, obesity, and depression.

The cybersecurity firm Cybereason first discovered these attacks in April 2021. A group of representatives from a software company were in the office to pitch a new product Cybereason could use in its arsenal.

But during their pitch, the representative’s computer detected an intrusion attempt.

Cybereason launched an investigation, which it called Operation CuckooBees. Two years later, it finally named APT 41, aka Double Dragon, as the culprit.

Then there was the theft of those COVID benefits. Beginning in mid-2020, members of APT 41 broke into the systems of more than a dozen states and made off with over $20 million in COVID relief. In December 2022, the Secret Service announced the theft, but admitted that it had only recovered half the money. It also admitted that it didn’t know if the hack was ordered by the Chinese government, or if the hackers were acting on their own initiative.

Once again, we’re left with many unknowns. This is typical of a hacker story like Tan Dailin’s, and Tan Dailin’s story is a typical one for a Chinese hacker.

Like many first-generation Chinese hackers, Dailin grew up loving computers as much as he loved his country. But soon, he learned that hacking itself could be extremely lucrative. For the rest of his hacking career, Dailin followed these twin impulses—hacking for country, and hacking for profit.

Thousands of Chinese civilian hackers have a similar story. And as long as they’re hacking for the Chinese government, the Chinese government looks the other way on their criminal activities.

Above all, the story of Tan Dailin illustrates just how difficult it can be to successfully prosecute Chinese hackers—difficult, but not impossible, as we’ll see in our next episode.

I’m Keith Korneluk and you’re listening to Modem Mischief.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners, and the best way to support the show is to share it. Another way to support us is on Patreon or as a paid subscription on Apple Podcasts. For as little as $5 a month you’ll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka Withering Sausage. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!

Sources

Cyber Mercenaries: The State, Hackers, and Power, by Tim Maurer

Freedom: How We Lose It and How We Fight Back, by Nathan Law and Evan Fowler, 2021

“‘Burn After Reading,’ Snowden Documents Reveal Scope of Secrets Exposed to China in 2001 Spy Plane Incident,” The Intercept, 2017

The Dark Visitor: Inside the World of Chinese Hackers, by Scott J. Henderson, 2007

“Hey Koreans, Check This Out,” Wired, 2007

Adam Kozy, testimony before the U.S.-China Economic and Security Review Commission hearing on “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States,” February 2022

Hackers That Shook the World

“Spies By Day, Thieves By Night—China’s Hackers Using Espionage Tools For Personal Gain: Report,” Forbes, 2019

“China’s Electronic Long-Range Reconnaissance,” Military Review, January-February 2008

Enter the Cyber Dragon: Understanding Chinese Intelligence Agencies’ Cyber Capabilities

“Enemies at the Firewall,” Time, 2007

“Who are all these hacker groups?” InfoWorld, 2011

“Malaysian digital game firm’s top execs facing extradition after US accuses them of cyber crimes,” The Straits Times, 2020

“Suspected Chinese hackers return with unusual attacks on domestic gambling companies,” CyberScoop, 2021

“Hackers linked to Chinese government stole millions in Covid benefits, Secret Service says,” NBC News, 2022

“Chinese Spies Hacked a Livestock App to Breach US State Networks,” Wired, 2022

“APT41, A Dual Espionage and Cyber Crime Operation,” Mandiant report, 2022

“China Attacks Meeting Held to Debunk Nanjing Massacre,” The Washington Post, 2000

“China’s Cyber Warfare Capabilities,” Security Challenges, 2011

“Infamous Hacker Heading Chinese Antivirus Firm?” Krebs on Security, 2012

“Chinese and Malaysian hackers charged by US over attacks,” BBC News, 2020

Alan Paller of the SANS Institute, testimony before the U.S. Senate Committee on Homeland Security and Governmental Affairs

“Gaming Company Certificates Stolen and Used to Attack Activists, Others,” Wired, 2013

“A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree,” Wired, 2019

“Joshua Wong and two other Umbrella Movement leaders jailed in Hong Kong,” CNN, 2017

“Illinois businesses targeted by Chinese ‘crypto-jacking’ effort,” ABC7 Chicago, 2020

“FBI agent thanks Taiwan for help in indicting Chinese hackers,” ABC Mundial, 2020