Natto Thoughts: Roots & Early Days

No Ranges, No Bounties, No Contests: Forging Offensive Capabilities in China’s 2000s Hacker Scene

Eugenio Benincasa — Wed, 27 Aug 2025 16:03:08 GMT

This post is adapted from the Cyberdefense Report "Before Vegas: The ‘Red Hackers’ Who Shaped China’s Cyber Ecosystem," published in July 2025 by the Center for Security Studies (CSS) at ETH Zurich, Switzerland.

In our last piece, we showed how truly elite offensive cyber talent has always been scarce, even within China’s massive hacker communities of the 2000s. But how did this small circle of talent actually develop offensive capabilities? In China, these fall under the broader category of “live-fire” capabilities (实战能力),1 i.e. the ability to apply tools and techniques such as penetration testing, security operations, and incident response. As we discussed here, here, and here, hacking contests, bug bounty platforms, and cyber ranges have become core pillars of China’s modern live-fire talent pipeline. Today, these mechanisms are deeply institutionalized across universities, companies, and state-backed initiatives, serving as the backbone for identifying and training skilled operators.

Few and Far Between: During China’s Red Hacker Era, Patriotic Hacktivism Was Widespread—Talent Was Not

Eugenio Benincasa — Wed, 13 Aug 2025 16:02:26 GMT

This post is excerpted from the Cyberdefense Report "Before Vegas: The ‘Red Hackers’ Who Shaped China’s Cyber Ecosystem," published in July 2025 by the Center for Security Studies (CSS) at ETH Zurich, Switzerland.

Truly elite offensive cyber talent has always been rare. Despite the growth of cybersecurity communities worldwide, and the emergence of extensive and structured talent pipelines in countries like China – examined in Natto pieces 1, 2 and 3 – which have made high-quality talent more widely available, truly exceptional individuals remain scarce and highly sought after.

As early as 2013, the Science of Military Strategy—a foundational text published by the PLA Academy of Military Science—noted that while cyber warfare benefits from a “broad mass base,” the traditional Chinese military ideal of “all people are soldiers” does not translate to cyberspace. Instead, it emphasized that only an “extremely lean” cohort possessed the capabilities required for high-level cyber operations.1

…

Defense-Through-Offense Mindset: From a Taiwanese Hacker to the Engine of China’s Cybersecurity Industry

Eugenio Benincasa — Wed, 11 Jun 2025 16:03:00 GMT

Across the globe, a core tenet is gradually gaining traction in the cyber domain: passive defense alone is not enough. A limited but growing number of states have embraced some form of active defense—the idea that effective cybersecurity requires not just detection and response, but also preemptive action to disrupt adversaries.1

In the United States, this principle is formally codified in the 2018 Department of Defense Cyber Strategy under the doctrine of “Defend Forward,” authorizing U.S. Cyber Command and the NSA to proactively disrupt threats within adversaries’ own networks. Variations of this approach have since been adopted by other governments. In China, the concept of active defense is grounded in longstanding military strategy. Although this principle extends to cyberspace - as outlined in China’s 2015 military strategy - China has not yet articulated a dedicated active cyber defense doctrine comparable to that of the United States.

Yet in practice, China’s cyber ecosystem refl…

From the World of “Hacker X Files” to the Whitewashed Business Sphere

Natto Team — Wed, 14 May 2025 16:02:56 GMT

Previously, the Natto Team briefly explored the history of renowned Chinese hacker Zhou Shuai, who has been sanctioned and indicted by the US government for alleged APT27-linked malicious cyber activity since 2011. We find that stories of Chinese hackers are often fascinating, as they not only help us to understand the motivations and intents of those behind the keyboard but also reveal how China’s information security industry has evolved and how this evolution connects with Chinese cyber operations. Recently, the Natto Team came across a Chinese hacker story published in 2016 by PingWest, a Chinese media and marketing company founded in Silicon Valley in 2012 and headquartered in Beijing, which claims to “connect resources between China and the Silicon Valley.” Although this article is nine years old – and we know the technology world in China changes constantly – the Natto Team believes it remains relevant for understanding the connections between the world of Chinese hackers, the …

Chengdu: Teahouses, Hotpots, Universities and … Hackers

Natto Team — Wed, 08 Jan 2025 17:02:31 GMT

In the past 20 years, a variety of cyber threat intelligence (CTI) analyses have pointed out that Sichuan Province is a “known hot spot for hacking” and that Chengdu, the capital of Sichuan Province, has “become a hub for Chinese advanced persistent threat (APT) activity.” From late 2023 to 2024, “Chengdu” has appeared in research and analysis reports from Natto Thoughts close to 200 times. The Natto Team’s “obsession” with Chengdu has led us, among the first, to identify publicly that Chinese information security company i-SOON was linked with China-based threat group APT41 and likely worked for the state as a hacker-for-hire. Other than i-SOON, the Natto Team also discussed some Chengdu-based companies, such as Chengdu 404, the company behind APT41, the US Department of Treasury sanctioned

Sichuan Silence Information Technology company, and the rising Chengdu tech-star company NoSugar Tech. Lastly, we gave a full review of the Chengdu-based hacking competition Tianfu Cup 2023. Our …