Hacker claims to have stolen data on 1 billion Chinese citizens

China police


Image: Xiangkun ZHU/BleepingComputer


An anonymous threat actor is selling several databases they claim to contain more than 22 terabytes of stolen information on roughly 1 billion Chinese citizens for 10 bitcoins (approximately $195,000).


The announcement was posted on a hacker forum by someone using the handle 'ChinaDan,' saying that the information was leaked from the Shanghai National Police (SHGA) database.


Based on the information they shared regarding the allegedly stolen data, the databases contain Chinese national residents' names, addresses, national ID numbers, contact info numbers, and several billion criminal records.


ChinaDan also shared a sample with 750,000 records containing delivery info, ID information, and police call records. These records would allow interested buyers to verify that the data for sale is not fake.


"In 2022, the Shanghai National Police (SHGA) database was leaked. This database contains many TB of data and information on Billions of Chinese citizens," the threat actor said in his post last week.


"Databases contain information on 1 Billion Chinese national residents and several billion case records, including: Name, Address, Birthplace, National ID Number, Mobile number, All Crime / Case details."


The threat actor confirmed the data was exfiltrated from a local private cloud provided by Aliyun (Alibaba Cloud), part of the Chinese police network (aka public security network).



ChinaDan BreachForums postImage: BleepingComputer

​On Sunday, Binance CEO Zhao Changpeng confirmed that his company's threat intelligence experts spotted ChinaDan's claims and said that the leak was likely due to an ElasticSearch database that a Chinese government agency accidentally exposed online.


"Our threat intelligence detected 1 billion resident records for sell in the dark web, including name, address, national id, mobile, police and medical records from one asian country. Likely due to a bug in an Elastic Search deployment by a gov agency," Zhao said.


"This has impact on hacker detection/prevention measures, mobile numbers used for account takeovers, etc."


Zhao later added that "apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials."


If ChinaDan's claims are proven to be accurate, this would be the most significant data breach ever impacting China and one of the largest in history.