The man who may be one of China’s top hackers likes grain alcohol and Heineken

We may earn a commission from links on this page.

It turns out Chinese military hackers are way sneakier than anyone had realized. This is evident in a new report (registration required) by a security company called CrowdStrike. Throughout the last seven years, the People’s Liberation Army hackers have baited their targets—including foreign companies and governments involved in the space and satellite industry—with email attachments advertising French yoga retreats, project manager job openings and industry conferences.

While all that is alarming, it’s not exactly surprising. The details of the report that are perhaps more intriguing emerge in the rare glimpse of the day-to-day life of one of its alleged top hackers—from what he did on his birthday to what he likes to get drunk on.

Clearly, it’s not a life of James-Bond-like glamour. The star of the report is ”cpyy,” a hacker that CrowdStrike concludes was employed by the PLA whose real name is probably Chen Ping.

(How did CrowdStrike determine this? The report says researchers first traced the domain names associated with the malware to several of cpyy’s email addresses. They then found that’s domain name lists one “Chen Ping” as the registrant, and then found still more domains registered to a Chen Ping being used to control malware. These domains were also registered to the physical address of the Shanghai headquarters of Unit 61486, a hacking division. CrowdStrike found blog and photo sites registered to the name Chen Ping with identical birthdate and occupational info; some featured the same photographs. However, CrowdStrike can’t be certain Chen Ping is the real name of these website owners, nor that the owner is a PLA hacker. Quartz has sent requests for comment to email accounts mentioned in the report, but neither Chen nor cpyy could be reached.)

So who is Chen Ping?

A Shanghai resident who just celebrated his 35th birthday and listed the military as his profession, Chen clearly spends a lot of time online; the researchers found two blogs, a now-defunct Picasa site, and a large body of commentary on the bulletin boards of a car forum. Here he is (photos included in the CrowdStrike report are no longer available online):

hacking china crowdstrike
A portrait of the man believed to be cpyy, found on a Picasa site from 2005.
Image: CrowdStrike

He also included images that appear to be shots of his dorm room:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image from cpyy’s Picasa folder labeled “dorm.”
Image: CrowdStrike

The report focuses on the hats in the background, which appear to be Type 07 PLA Army officer hats. But equally eye-catching are the open Heineken can and 12 bottles of a Chinese rice wine (a.k.a. baijiu) called Erguotou.

Shaken not stirred it ain’t. The Chinese equivalent of Everclear, Erguotou is not only cheap—it costs about 8 yuan ($1.28) for one of those bottles—but it’s more than 60% alcohol. Erguotou may or may not be involved in what Chen tagged as his 2002 birthday:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
Cpyy’s 23rd birthday.
Image: CrowdStrike

Based on his Picasa photos, CrowdStrike concludes that Chen may have gotten his start in the PLA pretty young. Here’s a photo from his blog that was tagged “high school,” which seems to involve more rigor than the usual mandatory ROTC-style military trainings:

china hacking cyber attack dorm room crowdstrike baijiu, erguotou
An image labelled “high school.”
Image: CrowdStrike

A previous profile of an ex-PLA hacker made the lifestyle seems pretty dreary—which Chen Ping’s pics seem to confirm. But that’s evidently not hurting recruitment much.

Just few weeks ago, the US government indicted five PLA members, charging them with hacking US companies and stealing trade secrets. Those guys worked for Unit 61398, whereas CrowdStrike’s report focuses on the work of a totally different unit, Unit 61486. Though they sometimes shared computing resources and communicated with each other, these are just two of the more than 10 elite PLA hacking units (paywall) with distinct missions.