How China’s Patriotic ‘Honkers’ Became the Nation’s Elite Cyber Spies

In the early 2000s, a group of young hackers in China, known as the Honkers, gained notoriety for their patriotic cyberattacks against Western targets. The Honkers were self-taught tech enthusiasts who formed groups and shared programming and computer hacking tips on electronic bulletin boards (dial-up forums). They soon became known as Red Hackers or Honkers, a name derived from the Mandarin word “hong,” for red, and “heike,” for dark visitor—the Chinese term for hacker.

The Honker community largely began when China joined the internet in 1994, and a network connecting universities and research centers across the country for knowledge-sharing put Chinese students online before the rest of the country. Like US hackers, the Honkers were self-taught tech enthusiasts who flocked to electronic bulletin boards (dial-up forums) to share programming and computer hacking tips.

The groups were self-governing with loosely formed hierarchies and even had codes of ethics shaped by influential members like Taiwanese hacker Lin Zhenglong (known by his handle “coolfire”). Lin believed hacking skills should be cultivated only to strengthen cyberdefenses—to learn the ways of hackers in order to thwart them—and wrote an influential hacking manual “to raise awareness about the importance of computer security, not to teach people how to crack passwords.”

There were no simulated environments for hackers to build their skills at the time, so Honkers often resorted to hacking real networks. Lin didn’t oppose this—hacking wasn’t illegal in China except against government, defense, or scientific research networks—but he published a set of ethical guidelines advising hackers to stay away from government systems, to avoid causing permanent damage, and to restore systems to their original condition once they had finished hacking them.

But these guidelines soon fell away, following a series of incidents involving foreign affronts to China. In 1998, a wave of violence in Indonesia broke out against ethnic Chinese there, and outraged Honker groups responded with coordinated website defacements and denial-of-service attacks against Indonesian government targets.

The next year, after Taiwanese president Lee Teng-hui announced his Two-States Theory challenging the Communist Party’s One China doctrine, the Honkers defaced Taiwanese government sites with patriotic messages asserting the existence of a unified China. In 2000, after participants at a conference in Japan denied facts around the Nanjing Massacre, in which an estimated 300,000 Chinese were killed during Japan’s 1930s occupation of the city, Honkers circulated a list of more than 300 Japanese government and corporate sites, along with email addresses of Japanese officials, and prompted members to target them.

The so-called patriotic cyberwars gave the Honkers a common cause that forged an identity distinct from the Western hacking groups the Honkers had emulated until then. Where Western hackers were primarily motivated by curiosity, intellectual challenge, and bragging rights, the Honkers bonded over their shared cause of helping China “rise up.”

In 2005, Tan Dailin was a 20-year-old grad student at Sichuan University of Science and Engineering when he came to the attention of the People’s Liberation Army of China. Tan was part of this growing hacker community known as the Honkers—teens and twentysomethings in late-’90s and early-’00s China who formed groups like the Green Army and Evil Octal and launched patriotic cyberattacks against Western targets they deemed disrespectful to China.

The attacks were low-sophistication—mostly website defacements and denial-of-service operations targeting entities in the US, Taiwan, and Japan—but the Honkers advanced their skills over time, and Tan documented his escapades in blog posts. After he published about hacking targets in Japan, the PLA came calling. Tan and his university friends were encouraged to participate in a PLA-affiliated hacking contest and won first place.

The PLA invited them to an intense, monthlong hacker training camp, and within weeks Tan and his friends were building hacking tools, studying network infiltration techniques, and conducting simulated attacks. The subsequent timeline of events is unclear, but Tan, who went by the hacker handles Wicked Rose and Withered Rose, then launched his own hacking group—the Network Crack Program Hacker (NCPH).

The group quickly gained notoriety for winning hacking contests and developing hacking tools. They created the GinWui rootkit, one of China’s first homegrown remote-access backdoors and then, experts believe, used it and dozens of zero-day exploits they wrote in a series of “unprecedented” hacks against US companies and government entities over the spring and summer of 2006.

They did this on behalf of the PLA, according to Adam Kozy, a former FBI analyst who tracked Tan and other Chinese hackers for years and now heads the SinaCyber consulting firm, which focuses on China. Tan revealed online at the time that he and his team were being paid about $250 a month for their hacking, though he didn’t say who paid or what they hacked.

The pay increased to $1,000 a month after their summer hacking spree, according to a 2007 report by former threat intelligence firm VeriSign iDefense. At some point, Tan switched teams and began contracting for the Ministry of State Security (MSS), China’s civilian intelligence agency, as part of its notorious hacking group known as APT 41.

And in 2020, when Tan was 36, the US Justice Department announced indictments against former Honkers Zeng Xiaoyong (envymask) and Zhou Shuai (coldface) for conducting state hacking operations and sanctioned Zhou over links to APT 27. In addition to engaging in state-sponsored hacking, Zhou allegedly also ran a data-leak service that sold some of the stolen data to customers, including intelligence agencies.

This isn’t unlike early-generation US hackers, who also went on to found cybersecurity companies, were recruited by the National Security Agency and Central Intelligence Agency, or were hired by contractors to perform hacking operations for the US. But unlike the US, China’s whole-of-society intelligence authorities have compelled some Chinese citizens and companies to collaborate with the state in conducting espionage, Kozy notes.

“I think that China from the beginning just thought, ‘We can co-opt [the Honkers] for state interests,’” Kozy says. “And … because a lot of these young guys had patriotic leanings to begin with, they were kind of pressed into service by saying, ‘Hey you’re going to be doing a lot of really good things for the country.’ Also, many of them started to realize they could get rich doing it.”

Many tools used by Chinese APT groups were built by Honkers, and the PLA and MSS mined them for vulnerability research and exploit development. Among the firms launched by former Honkers are i-Soon and Integrity Tech. Wu Haibo (shutdown), formerly of Green Army and 0x557, launched i-Soon in 2010.

In March this year, eight i-Soon employees and two MPS officers were indicted by the US for hacking operations that targeted US government agencies, Asian foreign ministries, dissidents, and media outlets. Integrity Tech, founded in 2010 by former Green Army member Cai Jingjing (cbird), was sanctioned by the US this year over ties to global infrastructure hacks.