Our last article left you on a cliff edge. What did we find on the dark web which proved so illuminating? 

Well, it would seem things at Wuhan Xiaoruizhi are not all well.

In a post which was later redacted and then disappeared with the downfall of breachforums, we found a post from someone who claimed to be a representative of a disaffected hacker selling the identities of 100 of their colleagues from an ‘elite hacking team’ in Wuhan.

The poster goes on to claim that Wuhan Xiaoruizhi was a cover company for MSS hacking activity in Wuhan. The company had a few teams working for the MSS, but in 2020, teams started working under new companies.  

These are some astonishing claims, but at team Intrusion Truth we are nothing if not diligent and wanted to get to the bottom of this ourselves. Could we also link Wuhan Xiaoruizhi to the MSS? Could we link it to an APT? 

One thing was for sure, Wuhan Xiaoruizhi deserved more of our attention. We searched far and wide for months to gather more information on who works or has worked there. Inspired by our success with Xiong Wang’s insurance record, we decided to widen the net. After months of effort, we found the gem we had been waiting for: the social insurance records for Wuhan Xiaoruizhi. 

To spare the reader endless documents we have collated as many of the names we can find who have worked at Wuhan Xiaoruizhi as we can: 

曹锦芳Cao Jinfang
常振Chang Zhen
程鼎Cheng Ding
程锋Cheng Feng 
顾成武Gu Chengwu
侯强Hou Qiang
胡嘉祥Hu Jiaxiang
黄增辉Huang Zenghui
黄震Huang Zhen
黄振Huang Zhen
李海青Li Haiqing
李家诚Li Jiacheng
李圣胜Li Shengsheng
李义龙Li Yilong
刘晨成Liu Chencheng
刘宏伟Liu Hongwei
马欢Ma Huan
唐星昭Tang Xingzhao
涂梦Tu Meng
万光灿Wan Guangcan
王意军Wang Yijun
魏耀斌Wei Yaobin
熊旺Xiong Wang
鄢文龙Yan Wenlong
杨鑫Yang Xin
苑红曦Yuan Hongxi
张超锋Zhang Chaofeng
张立业Zhang Liye
赵光宗Zhao Guangzong
周鑫Zhou Xin
左鹤群Zuo Hequn 

And here are some examples of the documents which form the basis of this list: 

Cheng Ding insurance record

Zhao Guangzong insurance record

Zhang Chaofeng insurance record

Xiong Wang insurance record 

You might recognize some of the names on the larger list: 黄振 AKA Huang Zhen, 黄震 AKA Huang Zhen, and 李义龙 Li Yilong were also satisfied customers from Kerui Cracking Academy from Article 2. Don’t you just love it when things come full circle? Could it be that the ‘undisclosed private company working supporting the government’ Li Yilong claimed to work at is none other than Wuhan Xiaoruizhi itself? Could Kerui be a pipeline into Xiaoruizhi? 

Beyond getting reacquainted with our old friends above, this list of employees provided a number of interesting leads. But one of the names cracked our case wide open. Meet Cheng Feng.