The Honkers Legacy: How China's Patriotic Hackers Forged a Cyber Espionage Empire
In 2005, Tan Dailin was a 20-year-old computer science student at Sichuan University when his blog posts about hacking Japanese targets caught the eye of China's People's Liberation Army (PLA). Recruited after winning a military hacking contest, Tan—later known by handles like Wicked Rose—founded the NCPH group and orchestrated unprecedented attacks against U.S. entities using custom zero-day exploits. His journey from patriotic hacktivist to a U.S.-indicted operative epitomizes a broader, systemic shift: China's co-opting of the 'Honkers' hacker community into its state espionage machine.
The Birth of Cyber Patriots
The Honkers movement ignited in the mid-1990s as China connected to the internet, with university students flocking to bulletin boards like Xfocus and China Eagle Union. Initially driven by curiosity and camaraderie, these groups adopted ethical codes forbidding attacks on Chinese infrastructure. But geopolitical flashpoints—such as Indonesia's 1998 violence against ethnic Chinese—transformed them into digital vigilantes. They launched coordinated denial-of-service attacks and website defacements against perceived adversaries, including Taiwan and Japan, under banners like "Green Army" and "Honker Union of China."
"This wasn't just hacker culture aligning with national interests," says Eugenio Benincasa, a researcher at ETH Zürich. "It built personal networks that still define China's APT groups today."
Patriotic fervor unified the Honkers, with pledges vowing to "put the interests of the Chinese nation above everything else." Yet by 2001, after a U.S.-China aerial collision sparked retaliatory hacking, Beijing grew wary of uncontrolled cyber vigilantism. State media condemned the attacks as "web terrorism," prompting a fracture. While some Honkers joined firms like Alibaba or founded cybersecurity startups (e.g., NSFocus), others—like Tan—were recruited by state intelligence.
State Co-Option and Toolbuilding
Around 2003, the PLA and Ministry of State Security (MSS) began systematically absorbing top Honkers talent. Tan's NCPH group, paid $250 monthly by the state, developed GinWui—one of China's first homegrown remote-access trojans. This set a pattern: Honkers created foundational hacking tools later weaponized by state groups. Key innovations include:
- Glacier (1999): A remote-access trojan by Green Army's Huang Xin.
- X-Scan (2000): A network vulnerability scanner still used today.
- HTRAN (2003): A traffic-obfuscation tool deployed in state ops.
- PlugX (2008): A backdoor attributed to Tan and Zhou Jibing, now used by over 10 Chinese APTs.
Recruitment intensified after China's 2009 Criminal Law Amendment VII criminalized unauthorized hacking, driving Honkers into state service or shell companies. Tan allegedly cut a deal with the MSS after a prison sentence, later founding Anvisoft as a front. Similarly, former Green Army members launched firms like i-Soon and Integrity Tech—both implicated in MSS operations and sanctioned by the U.S.
The Modern APT Playbook
Honkers alumni now dominate China's cyber-espionage landscape. Zhou Jibing evolved PlugX into ShadowPad, a modular backdoor leveraged by APT 41 in attacks on healthcare and telecom sectors. In 2020, the U.S. indicted Tan and APT 41 members for breaching over 100 targets. Recent leaks from i-Soon exposed contracts for hacking Asian governments and dissidents, leading to March 2024 indictments against its employees.
Adam Kozy, a former FBI analyst tracking Chinese threats, notes a critical distinction from Western models: "China compels collaboration through whole-of-society pressure. These hackers were told, 'You’re serving the nation'—and many got rich doing it." Unlike U.S. hacker-to-government pipelines, China's approach blends patriotism with coercion, turning grassroots innovation into state power.
The Honkers' legacy is a double-edged sword: They birthed China's cybersecurity industry while enabling its most aggressive espionage. As zero-days like those behind the Anthem Insurance breach trace back to their tools, the world faces a sobering truth. Beijing's cyber dominance was built not just by spies, but by idealists who traded keyboards for a place in the machine.
Source: Wired