The Chinese Underground, Part 2: The Four Value Chains

This is part of a series of blog posts discussing the Chinese underground; the introductory post can be found here.

Broadly speaking, the Chinese underground operates with four distinct but inter-related value chains. These are:

Real money theft
Virtual assets theft
Internet resources and services abuse
Blackhat techniques, tools, and training

We’ll discuss each chain in its own separate blog post. For know, we will concentrate on the first: real money theft.

More and more users in China are participating in online commerce. 37.8% of Chinese Internet users, or 194 million users, have engaged in online shopping by late 2011. 167 million and 166 million users took part in online payment and online banking systems. This large volume of users engaging in commerce online, using real money and real goods, has attracted large numbers of cybercriminals.

Broadly speaking, the chain for real money theft in China is not too different from those elsewhere, as seen in the chart below:

There are many similarities between real money theft elsewhere and in China. Phishing, info-stealing malware, identity theft, and information theft are all part and parcel of information theft syndicates elsewhere. Similarly, the profit methods are not particularly different: money transfers and fake credit cards are to be found in prominence as well.

Terminology

What particularly distinguishes the Chinese underground from other countries is its use of its own unique terminology. Stolen credentials are referred to as “materials” (liao, 料). “Materials” that contain encrypted banking information is referred to as “track material” (gui dao liao, 轨道料) or “track” (gui dao, 轨道). By direct analogy, persons involved in buying and selling these “materials” are known as “material masters” (liaozhu, 料主).

The “material” theme continues to the money laundering phase, which is known as “material washing” (xi liao, 洗料). A money launderer is known as a “material washing man” (xi liao ren, 洗料人). The process of manufacturing and using fraudulent cards using ATM machines or POS terminals is known as “cargo unpacking” (shua huo, 刷货). The persons who actually withdraw money from ATMs are known as “car drivers” (che shou, 车手); they act under the control of a “car master” (che zhu, 车主).

A good example of this particular value chain can be found in the TopFox case, which was exposed in 2008-2009. The principal suspect of the case was a malware author nicknamed TopFox, who also acted as this scheme’s “material master”. Thee different “material washers” were involved in monetizing the stolen “materials”: one participated in credit card fraud, a second “washer” paid a blackhat hacker to remove transfer limits from accounts and promptly transferred funds from the stolen accounts. The third “washer” was in contact with a “car master” and his associated “drivers” The full relationship of these different operators can be seen in the following graphic:

None of the criminals knew each other personally; they only met online and only saw each other in person after their arrests by Chinese law enforcement. The Internet allowed these criminals for a loosely organized cybercrime gang to organize, communicate, and coordinate their activities. It is estimated that they made more than 1.4 milllion renminbi in illegal profits (more than 220,000 US dollars at current exchange rates.)