Chinese Hackers' Evolution from Vandals to Strategists

Research Links Chinese Cyber Operations to 1990s Hacking Collective

A new study from ETH Zurich researcher Eugenio Benincasa traces recurring patterns in Chinese state-linked cyber operations to a network of 40 hackers who emerged from grassroots “patriotic hacking” groups in the late 1990s and early 2000s. The “Red 40,” as Benincasa terms them, originated primarily from three groups—Green Army, Xfocus, and 0x557—that conducted website defacements and denial-of-service attacks against Western targets during that period. Many members have since transitioned into leadership roles at major Chinese technology firms and cybersecurity startups, whilst maintaining interconnected professional relationships that facilitate tool and capability sharing across different operations. The research suggests these informal networks, combined with potential government coordination mechanisms, help explain the technical overlaps observed in Chinese cyber campaigns, including shared malware like PlugX and recurring infrastructure patterns. Several Red 40 alumni, including those involved in firms like iSoon, have faced U.S. indictments for alleged state-sponsored hacking activities, highlighting the evolution from early hacktivist movements to contemporary cyber espionage operations.​​​​​​​​​​​​​​​​