From Vegas to Chengdu: Hacking Contests, Bug Bounties, and China’s Offensive Cyber Ecosystem
A new Cyberdefense Report is available
Reports and information disclosures by threat intelligence providers, government agencies, think tanks, and online hacktivists have exposed China’s elaborate, multifaceted “hack-for-hire” ecosystem that is unlike anything we have ever seen before. The system grants Chinese security agencies exclusive access to zero-day vulnerabilities identified by China’s top civilian hackers, and allows Beijing to subsequently outsource its espionage and offensive cyber operations to private contractors. This CSS cyber defense report will look at how the Chinese cyber offensive ecosystem thrives through varying degrees of state involvement with civilian hackers by examining their participation in prominent hacking competitions and bug bounty programs.
China’s civilian hacking teams have largely remained unexplored. Presently, there is a lack of comprehensive understanding about (1) their research focus, i.e., which ones concentrate specifically on Western products, as well as their systems makeup and organizational structure; and (2) the functioning and relationships of China’s broader cyber offensive ecosystem within which these entities thrive – which includes China’s elite technical universities and hacking teams.
This report identifies China's primary civilian hacking teams and their research focuses on Western products and systems by examining their participation in prominent hacking competitions and bug bounty programs. More broadly, it explores how these initiatives perpetuate a cycle of talent development and innovation, enabling individual hackers to refine their skills, establish new companies specializing in both offensive and defensive cyber capabilities, and create new China-based hacking contests. This process sustains China’s offensive cyber ecosystem in the long run.
The author:
Eugenio Benincasa is a Senior Researcher in the Cyberdefense Project with the Risk and Resilience Team at the Center for Security Studies (CSS) at ETH Zurich.