Fallout from massive Shanghai Police data breach reverberates on dark web

A surge in Chinese activity on a popular data breach site followed the June 30 post offering information on 1 billion residents of China.
A Chinese paramilitary policeman gestures on the promenade of the Bund along the Huangpu River in Shanghai on April 16, 2021. (Photo by HECTOR RETAMAL/AFP via Getty Images)

The availability of supposedly hacked Chinese data on the dark web appears to have surged in recent weeks on the heels of the massive Shanghai National Police breach, which was one of the largest ever recorded.

There were an average of 14 monthly leaks from Chinese entities posted to BreachForums between March and June, according to Naomi Yusupov, a Chinese intelligence analyst at threat intelligence firm Cybersixgill. But in the first 15 days of July, the total jumped to 25, setting a pace for more than 50, Yusupov reported in findings published Thursday.

The surge in activity is just one piece of the fallout after a BreachForums user named ChinaDan posted on June 30 what they said was nearly 23 terabytes of data gathered by the Shanghai National Police. The database contained information on roughly 1 billion residents of China, and “several billion case records,” the original post said, and was for sale for 10 bitcoin (roughly $200,000).

The surge in Chinese data posted to the forum came alongside “a significant increase in the quantity of Chinese-language activity on the predominantly English-speaking forum,” Yusupov reported. Other users on the site complained to the forum’s administrators, and the administrators took action.


“Hello, dear Chinese users, welcome to our forum,” a site administrator said in a message posted July 8. The Shanghai database was no longer being sold, the message said, and “posts related to this topic have been deleted.” The Chinese users were welcome to stay, but they were asked not to post Chinese characters, and to use translation software to talk to others.

Message posted July 8, 2022 (Cybersixgill)

Yusupov concluded that the massive breach may have encouraged others with Chinese data to bring it to the forum to sell. One user, who joined after the June 30 post of the Shanghai police data, shared a leaked “police database from 2016 as a meeting gift,” and promised additional data in the coming days.

ChinaDan offered a sample of 750,000 users as part of the June 30 post, which itself “could have been keys to hacking and social engineering attacks to extract information from additional databases,” Yusupov concluded. “We anticipate that we will be seeing the reverberations of this breach on the underground for quite some time.”

Yusupov added that the increased Chinese activity on the forum was “notable, as the Chinese and English underground are generally separate communities. It is worth following up on this incident to [gauge] if it leads to increased communication and collaboration between these two groups.”

Latest Podcasts