China’s state-backed cyber operations didn’t emerge overnight—they were forged over decades by a generation of hackers who began their careers far outside formal institutions. In his July 2025 report titled Before Vegas, cybersecurity researcher Eugenio Benincasa traces the origins and evolution of China’s cyber power to a group of patriotic hackers from the 1990s and 2000s—known as the “Red Hackers” or “Honkers” (红客).
These early cyber actors, often operating independently but motivated by nationalism and technical curiosity, helped lay the groundwork for what would become one of the world’s most coordinated cyber ecosystems.
“These groups operated largely outside state structures, building custom tools and testing their capabilities on real-world targets,” Benincasa explains. “In doing so, they helped shape a distinctive hacker culture—one that combines technical ingenuity with an often implicit and sometimes explicit alignment to Chinese national security objectives.”
The birth of China’s hacker culture coincided with the country’s early internet expansion in the mid-1990s. Chinese universities played a critical role by providing internet access to students long before it became widely available to the public. These hubs became fertile ground for self-taught hackers.
Following geopolitical flashpoints such as the 1999 U.S. bombing of China’s Belgrade embassy and Taiwan’s independence rhetoric, cyber attacks on American, Taiwanese, and Japanese websites surged. These events crystallized into five “cyber patriotic wars” and inspired the formation of groups like the Honker Union of China, Green Army, and China Eagle Union.
“Within days [of the embassy bombing], Chinese hackers created the website of the ‘Red Hacker Alliance,’ symbolizing the birth of a new collective identity,” the report notes.
These loosely organized communities were driven by nationalistic fervor, status-seeking, and peer recognition. While some forums had tens of thousands of registered users, Benincasa estimates that the core technical operatives numbered only in the hundreds, with groups like the Honker Union likely having no more than 8 central figures.
Initially reliant on foreign malware, red hackers began developing their own offensive tools in the early 2000s. Notable examples include:
- Glacier: China’s first domestic Trojan
- X-Scan: A vulnerability scanner still used today
- HTRAN: A packet redirection tool later co-opted in state-sponsored APT campaigns
“This shift… signaled China’s departure from Western hacker culture and the emergence of a distinctly Chinese approach to developing offensive cyber capabilities,” the report states.
Red hacker forums acted as informal bootcamps, fostering technical skills and experimentation in an era before capture-the-flag (CTF) competitions and formal cybersecurity programs became widespread.
The report spotlights 40 influential figures—collectively dubbed the Red 40—who transitioned from underground hacking circles to leadership roles in China’s cybersecurity sector, tech giants, and even state-linked APT groups.
“Their careers illustrate how grassroots hacking culture was absorbed into formal cybersecurity structures,” writes Benincasa.
Some Red 40 alumni:
- Wu Hanqing (ci) – Helped secure Alibaba Cloud
- Tan Dailin (wicked rose) – Linked to APT41; trained by the PLA
- Founders of Knownsec and NSFOCUS – Built leading Chinese cybersecurity firms
Red 40 veterans also contributed tools like PlugX, ShadowPad, and X-Scan, which became staples in Chinese state-sponsored APT campaigns.
As China moved to formalize its cybersecurity posture, many red hackers were recruited—sometimes coerced—into state-affiliated roles, particularly after Criminal Law Amendment VII (2009) criminalized unsanctioned hacking.
“Recruitment pathways often ran through prominent technical forums… State-linked actors posted job advertisements and engaged with top talents.”
Others voluntarily joined the booming industry, building firms like Anluo Technology, Venustech, and i-SOON, later linked to state operations.
The Snowden leaks in 2013 further catalyzed the integration of cyber capabilities into China’s national strategy, elevating cybersecurity as a matter of state defense and prompting massive investment.
While the early “Old School” hackers were self-taught rebels, today’s cyber warriors are groomed through CTF contests, bug bounty programs, and government-backed university curricula. Yet the foundational belief in “defense through offense”, espoused by Taiwanese hacker Lin Zhenglong (coolfire), endures.
“At the core of Lin’s philosophy was the idea of ‘defense through offense’—the belief that mastering offensive techniques is essential for building strong defenses.”
The Red 40’s legacy persists in today’s APT toolkits, industry frameworks, and elite red-teaming competitions—cementing their place as architects of a cyber empire.
Eugenio Benincasa’s Before Vegas report offers a rare, deeply researched window into the formative years of China’s cyber landscape.