{"id":98437,"date":"2020-02-10T21:01:33","date_gmt":"2020-02-11T05:01:33","guid":{"rendered":"\/blogs\/?p=98437"},"modified":"2025-06-02T01:00:09","modified_gmt":"2025-06-02T08:00:09","slug":"how-chinese-cybercriminals-use-business-playbook-to-revamp-underground","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/","title":{"rendered":"How Chinese Cybercriminals Use Business Playbook to Revamp Underground"},"content":{"rendered":"<h2><strong>Preface<\/strong><\/h2>\n<p>Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers focused on studying cybercrime tactics and techniques; there is a plethora of publications dedicated to analyzing its economy and hacking forums. However, only a handful of studies have centered on the emerging threats and trends from other, less prominent, cybercriminal undergrounds.<\/p>\n<p>Recent data shows that the Chinese cybercriminal underground\u2019s profits exceeded US$15.1 billion in 2017, while causing more than $13.3 billion worth of damage relating to data loss, identity theft and fraud. 
Over the years, the McAfee Advanced Programs Group (APG) has observed Chinese non-state threat actor groups gradually transform from small local networks targeting mostly Chinese businesses and citizens to large, well-organized criminal groups capable of hacking international organizations.<\/p>\n<p>The development of commercial-scale exploit toolkits and criminal networks that focus on monetization of malware have amplified the growing risks of cybercrime in the Asia Pacific region to include a <a href=\"https:\/\/thediplomat.com\/2013\/12\/bitcoin-hackers-reportedly-target-peoples-bank-of-china\/\" target=\"_blank\" rel=\"noopener noreferrer\">DDoS attack against the People\u2019s Bank of China in December 2013<\/a>, a <a href=\"https:\/\/www.nytimes.com\/interactive\/2018\/05\/03\/magazine\/money-issue-bangladesh-billion-dollar-bank-heist.html\" target=\"_blank\" rel=\"noopener noreferrer\">$1 billion SWIFT hack against Bangladesh Bank<\/a> in February 2016 and <a href=\"https:\/\/www.reuters.com\/article\/us-far-eastern-fine\/taiwans-far-eastern-international-fined-t8-million-over-swift-hacking-incident-idUSKBN1E60Y3\" target=\"_blank\" rel=\"noopener noreferrer\">a $60 million theft from Far Eastern International Bank in Taiwan<\/a> in October 2017, to name just a few.<\/p>\n<p>This blog provides a rare glimpse inside the Chinese cybercriminal underground. 
Analyzing its current business models and techniques has yielded insights into the drastic changes in its operations, including the tactics and strategies it is borrowing from Russian cybercriminals.<\/p>\n<h2><strong>Timeline: The Rise of the Chinese Cybercriminal Underground <\/strong><\/h2>\n<p><a href=\"https:\/\/www.cnn.com\/2014\/04\/23\/world\/asia\/china-internet-20th-anniversary\/index.html\" target=\"_blank\" rel=\"noopener noreferrer\">China established its first cable connection to the world wide web<\/a> in 1994, around the same time as cybercrime syndicates from Russia and other emerging cybercriminal undergrounds were executing their <a href=\"https:\/\/www.nytimes.com\/1995\/08\/19\/business\/citibank-fraud-case-raises-computer-security-questions.html\" target=\"_blank\" rel=\"noopener noreferrer\">first major cybercrimes<\/a>. Chinese leaders have since prioritized the development and acceleration of Internet technologies and, today, the size of China\u2019s Internet use is massive and unparalleled at <a href=\"https:\/\/www.forbes.com\/sites\/niallmccarthy\/2018\/08\/23\/china-now-boasts-more-than-800-million-internet-users-and-98-of-them-are-mobile-infographic\/#47719dd7092b\" target=\"_blank\" rel=\"noopener noreferrer\">800 million users<\/a>.<\/p>\n<p>However, this growth in Internet usage is not without irony as it has been accompanied by a significant increase in cybercriminal activity. Despite the Chinese government placing high importance on running one of the world\u2019s most sophisticated Internet censorship systems, local cybercriminals are finding workarounds that contribute to <a href=\"https:\/\/ivezic.com\/cyber-kinetic-security\/cybercrime-in-china\/\" target=\"_blank\" rel=\"noopener noreferrer\">China having one of the fastest growing cybercriminal underground economies.<\/a><\/p>\n<p>China\u2019s cybercrime enterprise is large, lucrative and expanding quickly. 
According to 2018 Internet Development Statistics, China\u2019s cybercriminal underground was worth more than US $15 billion, nearly twice the size of its information security industry. The same Chinese-language source also shows that China\u2019s cybercrime is growing at a rate of more than <a href=\"https:\/\/www.sec-un.org\/\u7f51\u7edc\u72af\u7f6a\u8c03\u67e5\u4e0e\u7535\u5b50\u6570\u636e\u53d6\u8bc1\/\" target=\"_blank\" rel=\"noopener noreferrer\">30 percent<\/a> a year. An estimated <a href=\"https:\/\/www.sec-un.org\/\u7f51\u7edc\u72af\u7f6a\u8c03\u67e5\u4e0e\u7535\u5b50\u6570\u636e\u53d6\u8bc1\/\" target=\"_blank\" rel=\"noopener noreferrer\">400,000 people<\/a> work in underground cybercriminal networks.<\/p>\n<h2><strong>Changes in Tactics, Techniques and Procedures<\/strong><\/h2>\n<p>In order to quickly scale up their businesses and maximize return on investment (ROI), Chinese cybercriminals have continuously adapted their tactics, techniques and procedures (TTPs). One significant change is that Chinese cybercriminals are slowly moving away from a high degree of one-to-one engagement through China\u2019s popular QQ instant messaging platform and are now establishing more formal cybercriminal networks. These networks use centralized advertising and standard service processes similar to Russian and other more sophisticated cybercriminal underground forums. Cybercriminals can access these centralized networks hosted on the deep web to post their products and services. A large amount of stolen data is available via automated services, where carders can order the credit and debit card information they want without having to interact with another user. With regard to hacking services, Chinese cybercriminals also offer modules for prospective clients to fill out their service requests, including types of attacks, target IP addresses, desirable malware or exploit toolkits and online payment processing. 
By establishing a standardized model of sale, Chinese cybercriminals can expand their activity quickly without incurring additional overhead costs.<\/p>\n<h2><strong>Attacks-as-a-service<\/strong><\/h2>\n<p>Similar to other prominent cybercrime underworlds, Chinese cybercriminal underground markets are focused on providing excellent customer service. Many of the hackers expand their working hours to include weekends and even provide 24\/7 technical support for customers who do not have a technical background. Distributed Denial of Service (DDoS) botnets, traffic sales, source code writing services, email\/SMS spam and flooding services are available on the Chinese black markets.<\/p>\n<p>Despite government censorship, a small number of Chinese cybercriminals still use dark web marketplaces to offer their services and products. Those marketplaces are typically specialized in the commercialization of stolen personally identifiable information (PII), bank accounts with high balances, hacking services, and malware customization. However, these darknet markets or hacking forums are not easily accessible because the Chinese government blocks the Tor anonymity network. A large number of Chinese cybercriminals continue to use exclusive and opaque QQ groups, Weibo fora and Baidu Tieba for advertising and communication. Chinese cybercriminals are also active on the clearnet. To avoid government censors and crackdowns, Chinese cybercriminals extensively use slang or other linguistic tactics for communication and advertising, which can be difficult for outsiders to comprehend. 
For instance, Chinese cybercriminals call a compromised computer or server \u201cchicken meat.\u201d Stolen bank accounts, credit card passwords, or other hijacked accounts are referred to as either \u201cletters\u201d or \u201cenvelopes.\u201d Malicious websites and email accounts used for credential phishing attacks or spamming are referred to as \u201cboxes.\u201d Stolen information or details stored in the back of the magnetic stripe of a bank card are referred to as &#8220;data&#8221;, &#8220;track material&#8221; or simply &#8220;material.&#8221;<\/p>\n<h2><strong>Moving Operational Base Abroad<\/strong><\/h2>\n<p>Another noticeable trend is that an increasing number of Chinese cybercriminal gangs are moving their operational base abroad, using cryptocurrencies to launder money. They appear to prefer countries and jurisdictions with weak cybercrime legislation or weak enforcement, such as Malaysia, Indonesia, Cambodia and the Philippines. Since 2017, China\u2019s Ministry of Public Security has uncovered over 5,000 cases of cross-border telecommunication fraud involving more than US $150 million. Some of the cybercriminal groups are highly structured and work as traditional mafia-like groups that engage delinquent IT professionals; some Chinese cybercrime gangs are well-structured with clear divisions of labor and multiple supply chains. Members are typically located in close geographic proximity, even when the attacks are transnational.<\/p>\n<h2><strong>Unique Culture and Practices<\/strong><\/h2>\n<p>Chinese hackers employ different payment methods, recruiting strategies, and operating structures from other cybercriminal undergrounds. AliPay and bank transfers are the generally accepted payment methods advertised by Chinese-language hacking forums; many other forums typically prefer Monero and Bitcoin.<\/p>\n<p>The \u201cMaster-Apprentice Mechanism,\u201d which is a form of mentorship, plays a significant role in the Chinese hacking communities. 
Many Chinese hacker groups utilize the strategy to recruit new members or make profits. As shown in the following graph, QQ hacking group masters, usually masterminds of an organized crime group or an administrator of a hacking community, collect training fees from the members they recruit. These members, known as \u201capprentices\u201d or \u201chackers-in-training\u201d are required to participate in multiple criminal \u201cmissions\u201d before they complete the training programs. Once training is complete, they are eligible to upgrade to full-time hackers working for their masters and responsible for downstream operations, such as targeted attacks, website hacking and database exfiltration.<\/p>\n<h2><strong>Growth of Chinese Cybercrime<\/strong><\/h2>\n<p>The Chinese cybercriminal underground has gone through drastic changes over the years. It gradually transformed from small local networks, targeting mostly Chinese businesses or citizens, to larger and well-organized criminal groups capable of hacking international organizations. My research indicates that there has been growing threat activity targeting individuals and organizations in South Korea, Taiwan, Singapore, Germany, Canada and the United States. Chinese cybercriminals offer a wide variety of goods and services, ranging from physical counterfeits of US and Canadian driver\u2019s licenses, scans of counterfeit US and Canadian driver\u2019s licenses, US cell phone numbers, credit cards and identification cards to stolen social media and email accounts.<\/p>\n<p>As shown in the following screenshots, 1 million stolen US email accounts with encrypted passwords are selling for US $117; 1.9 million stolen German email accounts with clear text passwords are available on the Chinese black market for US $400. 
Counterfeits or scans of US or Canadian passports or driver\u2019s licenses are also for sale for as little as US $13.<\/p>\n<p>As shown in the following screenshot, Chinese hackers are also selling stolen personal data, including identification cards and passports from Taiwanese and South Korean citizens.<\/p>\n<p>Login credentials for banks around the world are available on the Chinese cybercriminal underground market, and the higher the available balance of an account, the higher its selling price. Packages of hacked accounts from major US social media companies and networking platforms, gaming service providers, as well as media service providers are sold for as little as US $29 in the underground cybercrime market. These social media accounts are sometimes hacked with the intention of using them as a way to generate fake accounts to ensnare even more web users. A large number of email accounts from Taiwanese (i.e., @yahoo.com.tw) and South Korean email service providers (i.e., @nate.com, @yahoo.com.kr) are being sold on the Chinese black market.<\/p>\n<h2><strong>Increasingly Difficult to Separate Cybercrime From Cyberespionage Activity<\/strong><\/h2>\n<p>As the Chinese cybercriminal underground quickly expands its scope and sophistication, it is increasingly difficult to separate cybercrime from cyber espionage activity. This is especially true as I observe that Chinese cybercriminals offer services to spy on businesses and sell commodities that can be used to target businesses or government officials for economic and political espionage purposes. One of the most interesting items I found for sale in the Chinese cybercriminal underground is a full business dossier on Chinese companies and government agencies. Some Chinese hackers sell internal employee directories from high-profile technology companies. 
Chinese cybercriminals appear to work with malicious insiders or hire hackers to work as undercover agents inside of telecommunications service providers, financial services and technology companies to steal company secrets or other proprietary information. Documents include detailed contact information of CEOs and senior management from China\u2019s top 50 companies. Other business proprietary information, such as credentials associated with a company\u2019s various bank accounts, funding history, marketing strategies, and Tax Identification Number (TIN), is also available for sale on the black market. Malicious actors can use the above-mentioned information to launch targeted attacks against a business or leverage third-party vulnerabilities, such as trusted financial services, staffing firms and IT service providers to infiltrate a target system.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>China\u2019s cybercrime networks are rapidly growing in scope and sophistication. Compared to my earlier research paper on China\u2019s cybercriminal underground from three years ago, Chinese cybercriminals have begun to embrace a sophisticated business-model approach and develop complex hierarchies, partnerships and collaboration with cybercriminal groups at home and internationally. These globally operating and organized cybercrime networks are basing themselves in countries with weak legal systems and law enforcement, while taking full advantage of global Internet connectivity to attack targets worldwide. A growing number of Chinese cybercriminals from these networks leverage the deep web to host their infrastructure and sell illegal goods and services, instead of relying on traditional peer-to-peer engagement through the QQ platform. To accelerate profitability, the Chinese hacking community has adopted tactics and techniques similar to Russian and other prominent cybercriminal underground markets to become more structured and service-oriented. 
In contrast, the Russian cybercriminal networks have been known for their multi-faceted criminal organizational structure specialized in monetizing PII theft and financial fraud. China\u2019s cybercriminal underground, on the other hand, has placed greater emphasis on community and discipleship in achieving financial gains. Many of China\u2019s cybercriminal networks incorporate this discipleship, also known as the \u201cmaster-apprentice mechanism\u201d, into a recruiting strategy that is largely different from their Russian counterparts. As China\u2019s cybercrime continues to evolve and advance, international organizations operating in the Asia Pacific region are facing an expanding threat landscape from cybercriminal activity targeting high-value business assets. Intellectual property and identity theft can also cause substantial economic consequences.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Preface Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers&#8230;<\/p>\n","protected":false},"author":961,"featured_media":96368,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[5330],"class_list":["post-98437","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How Chinese Cybercriminals Use Business Playbook to Revamp Underground | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Preface Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, 
max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How Chinese Cybercriminals Use Business Playbook to Revamp Underground | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Preface Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-02-11T05:01:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-02T08:00:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/labs-thumbnail-3.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1152\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Anne An\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AnneAnPrincess\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Anne An\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/\"},\"author\":{\"name\":\"Anne An\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/1ae37647e7acd78783243e0f0402b861\"},\"headline\":\"How Chinese Cybercriminals Use Business Playbook to Revamp Underground\",\"datePublished\":\"2020-02-11T05:01:33+00:00\",\"dateModified\":\"2025-06-02T08:00:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/\"},\"wordCount\":1945,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/labs-thumbnail-3.jpeg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/\",\"name\":\"How Chinese Cybercriminals Use Business Playbook to Revamp Underground | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/labs-thumbnail-3.jpeg\",\"datePublished\":\"2020-02-11T05:01:33+00:00\",\"dateModified\":\"2025-06-02T08:00:09+00:00\",\"description\":\"Preface Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/labs-thumbnail-3.jpeg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/08\/labs-thumbnail-3.jpeg\",\"width\":2048,\"height\":1152},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/how-chinese-cybercriminals-use-business-playbook-to-revamp-underground\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":
\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"How Chinese Cybercriminals Use Business Playbook to Revamp Underground\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/1ae37647e7acd78783243e0f0402b861\",\"name\":\"Anne 
An\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/b1b866cc5ce4b6bd60e90dfc6fc4ac0b\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/Anne-An-IMG_1591-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/12\/Anne-An-IMG_1591-96x96.jpg\",\"caption\":\"Anne An\"},\"description\":\"Anne An is a senior security researcher for Advanced Programs Group (APG), where she leads threat analysis projects, performs qualitative research on advanced attacks, cybercriminal threats, geopolitical intelligence, risk analysis, as well as cyber campaigns and threat groups in the Asia-Pacific region. Prior to joining the team, An held a variety of research positions in advanced threat research and strategic threat intelligence, and delivered regular briefings to senior executives in the cybersecurity field.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/anne-an-itil-gsec-gced-4218565\",\"https:\/\/x.com\/AnneAnPrincess\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/anne-an\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/98437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/961"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=98437"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/98437\/revisions"}],"predecessor-version":[{"id":214801,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/98437\/revisions\/214801"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/96368"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/b
logs\/wp-json\/wp\/v2\/media?parent=98437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=98437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=98437"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=98437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}