From the World of “Hacker X Files” to the Whitewashed Business Sphere
Jiang Jintao’s journey from hacker to infosec entrepreneur illustrates the blend of ambition, skill, and changes in China's cybersecurity industry
Previously, the Natto Team briefly explored the history of renowned Chinese hacker Zhou Shuai, who has been sanctioned and indicted by the US government for alleged APT27-linked malicious cyber activity since 2011. We find that stories of Chinese hackers are often fascinating, as they not only help us to understand the motivations and intents of those behind the keyboard but also reveal how China’s information security industry has evolved and how this evolution connects with Chinese cyber operations. Recently, the Natto Team came across a Chinese hacker story published in 2016 by PingWest, a Chinese media and marketing company founded in Silicon Valley in 2012 and headquartered in Beijing, which claims to “connect resources between China and the Silicon Valley.” Although this article is nine years old – and we know the technology world in China changes constantly – the Natto Team believes it remains relevant for understanding the connections between the world of Chinese hackers, the information security industry, and China's hacking operations. We also discovered that the article's descriptions of the Chinese hacker scene from 2004 to 2016 and the development of China's information security industry during that period align with our own observations. Therefore, we would like to share what we have learned from the article and our insights into the hackers and the company discussed in the article.
The center point of PingWest’s article, “Becoming a Chinese Hacker: Now I Want to Be a Good Guy” (中国黑客养成记: 现在我想做一个好人), is about self-proclaimed hacker Jiang JinTao (江金涛), also known as Jing Calm, and his company SOBUG, which offers “a security testing platform that provides vulnerability detection and security protection solutions.”
When Jiang JinTao was Known as Cold Flame
Jiang Jintao considered himself and others who entered the hacker world around 2005 as second-generation Chinese hackers. Jiang Jintao was known by his online persona: LengYan (冷焰), which means “cold flame.” In those early years, many young individuals like him, who were purely driven by interest, learned hacking skills from hacker forums, “underground magazines” (publications without official permits), and their “qian bei” (前辈) – their predecessors, the first generation patriotic hackers.
Several highly regarded magazines adored by hackers included Hacker X Files (黑客X档案), Hacker Manual (黑客手册), and Hacker Defense (黑客防线). In addition to studying these magazines, hackers often hung out and communicated in niche hacker forums. They practiced their skills by stealing online game account information and cracking websites. Many hackers came to know each other through several large-scale patriotic hacking activities. For example, Chinese patriotic hackers routinely attacked the homepage of the Yasukuni Shrine from 2001 to at least 2008, a period during which the Chinese government repeatedly protested visits to that shrine by former Japanese Prime Minister Junichiro Koizumi.
Living in the Moment: Hackers and the Underground Cybercrime Industry
Some hackers realized that their skills could also bring them extra cash in the growing Chinese underground cybercrime industry during the mid-2000s to early 2010s.
In the summer of 2008, when Jiang Jintao was still in his freshman year of college, he undertook a project in Inner Mongolia with Gong Wei, (online name Goodwill or Goodwell), a veteran hacker and one of the founders of the earliest hacker group, the Green Army, founded in 1997. Jiang admitted that during this time, many hackers like him were involved in “hei chan” (黑产, literal translation “black industry”), referring to the Chinese underground cybercrime industry. Many hackers at that time believed that as long as they had technical skills, they could always make money from the black industry, so they enjoyed a “living in the moment” lifestyle – drink now to get drunk now ( 今朝有酒今朝醉).
However, Jiang and several of Jiang’s hacker friends run into trouble with their local public security bureaus due to their alleged cybercrime activities. In 2007, the local police visited Jiang unexpectedly, suspecting him of involvement with the infamous computer virus “Panda Burning Incense” (熊猫烧香), which attacked the Windows operating system. Jiang had received a copy of the virus code from its developer Li Jun (李俊), whom he met in a QQ chat group, a popular instant messaging and social networking platform. Fortunately, Jiang did not spread the virus further and avoided arrest, whereas Li Jun was arrested and sentenced to jail in September 2007. Li Jun’s Panda Burning Incense virus case was the first case in China that was related to developing and disseminating a computer virus.
Besides Li Jun, at least three other hacker friends of Jiang were arrested around 2012 to 2013, including Wicked Rose, real name Tan Dailin, a well-known Chinese hacker who is allegedly associated with APT41 and a member of Network Crack Program Hacker (NCPH) hacking group.
2013: From Underground Cybercrime Gigs to Entrepreneurship
The 2009 7th amendment of the Criminal Law of China with cybercrime related provisions, the crackdown on cybercrime from 2012 to 2013, and the real examples of hackers being jailed, along with booming technology development in China, have made many smart hackers rethink their paths. Looking back now, China’s cybersecurity industry leaders, including those first- and second-generation Chinese black hat hackers who became white hat entrepreneurs, portray 2013 as a turning point for the industry.
In March 2013, China established the National Security Commission (国家安全委员会) (hxxp://english.scio.gov.cn/chinafacts/2017-04/12/content_40604590[.]htm) and then in June 2013, the leaks of classified US documents by former National Security Agency contractor Edward Snowden (a.k.a the Snowden incident) shocked the world. Some Chinese industry insiders believe these events accelerated the process for the Chinese government to seriously consider software localization (i.e. reliance on Chinese-made software) and the importance of cybersecurity, as the Natto Team has noted previously.
Chen Yusen (陈宇森), a member of the well-known Blue Lotus hacking team and the founder of Chinese information security company Beijing Chaitin Technology (acquired by Alibaba Group in 2019), commented that “the Edward Snowden incident has brought the equivalent of perestroika – opening and reforms for the entire (network and information security) industry.” As a result, venture capital funds and Internet giants have coveted the industry with investment in new companies.
Like many other first and second generation patriotic hackers, Jiang Jintao took the opportunity and established his company Shenzhen Baimi Information Security Technology company (深圳百密信安科技有限公司) (Baimi Infosec) in May 2014 after working as a network security engineer at Tencent, one of the top Chinese technology companies, for two years. Since then, he was no longer “Cold Flame” or “冷焰(leng yan), hiding behind his online persona, but became Jiang Jintao, his real identify. The core product of Baimi Infosec is SOBUG, a crowdsourced vulnerability penetration testing platform.
Jiang’s Core Business SOBUG: Wannabe of China’s HackerOne
Jiang’s SOBUG platform and bug bounty program received significant media attention in 2016 after the company completed its Series A and B financing, according to the Natto Team’s research. During a product launch event, Jiang asserted that SOBUG aimed to be “China’s version of HackerOne,” a US-based company that pioneered the use of crowdsourced researchers and bug bounty programs to coordinate vulnerability disclosure. SOBUG claimed to have over 10,000 security experts dedicated to helping businesses identify vulnerabilities, with a tagline that emphasized “security testing driven by hackers.” However, as of mid-May 2025, the SOBUG website is no longer accessible. The most recent archived page of its website dates back to February 2023 (see below screenshot).
The most recent media report about Jiang Jintao that the Natto Team has seen was a recap of Jiang’s presentation with members of TGO (Top Geek’s Organization), a technologists’ club organized by online tech training company Geekbang Technology (极客邦科技), in January 2021. Jiang discussed threat intelligence and enterprise security from a hacker’s perspective and referred to himself as a “hacker pragmatist” (黑客实用主义者), a term that describes hackers who prioritize practical solutions and effectiveness over strict adherence to principles or standards. Jiang highlighted that, in his view, the weakest link in any company's security is always its employees. For him, hacking means to conduct “targeted attacks” rather than an opportunistic “spray and pray” approach. It is clear that Jiang’s hacker mentality remains unchanged.
Despite the SOBUG website being inaccessible, the Natto Team confirms that Baimi Infosec is still in operation according to several Chinese business information platforms. However, one of these platforms noted that the business address of Baimi Infosec is unreachable and its actual paid-in capital is less than half a million RMB (around US$65,000), which is less than one-third of the claimed registered capital. It appears that SOBUG is far from becoming a company akin to HackerOne. As for Jiang Jintao, we wondered if his hacker spirit remains undiminished.