# Grey Hat Intelligence - Source Excerpt 02 - China
## Summary
This source excerpt begins near China and preserves the surrounding evidence from 2IA.org/agent-file-handoff/Archive/2026-05-16-home-psychological-warfare-improvement/Improvement/Grey-hat intelligence.md.
**Source path:** 2IA.org/agent-file-handoff/Archive/2026-05-16-home-psychological-warfare-improvement/Improvement/Grey-hat intelligence.md
### China
China’s **Criminal Law** and **Cybersecurity Law** strictly forbid unauthorized intrusion. Notably, Article 285 of the Criminal Law prohibits illegal access and control of “computer information systems.” For example, illegally controlling ≥20 systems (or causing certain losses) under Art. 285(2) can yield up to 7 years’ imprisonment【64†L112-L120】. Article 285(3) criminalizes providing tools for hacking, also punishable by up to 7 years【64†L138-L141】. Other provisions punish data theft, sabotage, and interference. Chinese law thus gives broad powers to criminalize grey-hat acts (though enforcement in practice may target perceived malicious actors).
### Other / International (“Unspecified”)
The **Budapest Convention** (Council of Europe, 2001) has been ratified by many countries (US, EU member states, India, etc.). It urges signatories to criminalize hacking, data theft, and related acts. Many national laws are modeled on this. In summary, virtually all jurisdictions penalize unauthorized access regardless of intent.
**Table 2** (below) compares key laws by jurisdiction:
| **Jurisdiction** | **Key Law(s)** | **Offense (unauthorized access)** | **Penalties** |
|------------------|------------------------------------------|---------------------------------------------------------|-----------------------------------------------|
| **US** | 18 U.S.C. § 1030 (CFAA) | Unauthorized access to "protected" computers【60†L104-L113】 | Fines + prison (up to 10+ yrs if damage/extortion)【60†L104-L113】 |
| **EU** | Directive 2013/40/EU; Cybercrime Conventions【49†L100-L108】 | Illegal access to info systems, interference【49†L100-L108】 | Varies by state; typically years in prison (min. 2–3 yrs) |
| **UK** | Computer Misuse Act 1990 (Sections 1–3)【56†L463-L470】 | “Unauthorised access to computer material”【56†L463-L470】 | Up to 2 yrs (Section 1); up to 10 yrs (Section 3A: intent to commit further offense) |
| **India** | Information Technology Act 2000 (Sec. 66) | Dishonest unauthorized access to computer systems | Up to 3 yrs imprisonment or fine (repeat/fraud up to 7 yrs) |
| **China** | Criminal Law Art. 285, 286 (Cybersecurity Law) | Unauthorized intrusion or control of computer systems【64†L112-L120】 | Up to 7 yrs (Art. 285); more for damage/extortion |
| **Unspecified** | Budapest Conv. on Cybercrime (2001)【49†L100-L108】 | — | — (framework for above laws) |
**Table 2.** Legal status of grey-hat activities by jurisdiction. All broadly prohibit “unauthorized access,” though definitions and penalties vary【60†L104-L113】【49†L100-L108】.
## Recent Case Studies and News (2018–2026)
In the past five years, several high-profile incidents illustrate grey-hat behavior and its fallout:
- **“Alexey” patches 100,000 MikroTik routers (2018).** A “mysterious grey-hat” nicknamed Alexey secretly logged into unpatched MikroTik routers and applied fixes to block malware【13†L180-L188】【20†L4669-L4677】. He told a Russian blog he had patched ~100,000 routers vulnerable to cryptocurrency miners. Reactions were mixed: some praised the altruism, others condemned the illegal intrusion. Security analysts noted that even though MikroTik had issued patches, many users had failed to apply them【13†L180-L188】【20†L4669-L4677】. Legally, the act was unauthorized hacking, albeit benevolent.
- **Project 529 “extortion” (2023).** Coalition (cyber insurer) described an incident where a group initially contacted a bicycle-safety firm (Project 529) with bug reports, then escalated to extortion【43†L205-L214】. After being paid a small bounty, the hackers later demanded six-figure sums per vulnerability (and became threatening)【43†L205-L214】. Coalition advised cutting off contact and investigating. In that case no real breaches were found; the hackers used AI-generated personas to feign legitimacy【43†L225-L234】. This shows how “altruistic” vulnerability reporting can morph into a scam.
- **Facebook breach by Khalil Shreateh (2013) – noted for context.** Although older than 5 years, the well-known case of Khalil Shreateh is instructive: after Facebook ignored his responsibly reported flaw (which allowed posting to any user’s timeline), he demonstrated it by posting on Mark Zuckerberg’s page. Facebook patched the bug but refused a bounty, deeming his act a policy violation【70†L323-L330】【73†L462-L470】. Shreateh’s case highlights the risk of public disclosure without permission: even well-intentioned actions can be punished.
- **Marcus Hutchins (“MalwareTech”) – dual intentions.** Cyber-researcher Marcus Hutchins stopped the WannaCry ransomware in 2017, earning hero status. Yet he had secretly co-authored the Kronos banking trojan (also without permission). He later pled guilty (2019) to Kronos-related charges【70†L333-L338】. Hutchins illustrates how a highly skilled individual straddled white/grey/black hats: altruistic defense vs. past illegal malware work【70†L333-L338】.
- **Windows 0-day exploit dumped on GitHub (Apr 2026).** *Cybernews* reported that an anonymous researcher (calling himself “deadeclipse666”) publicly published an unpatched Windows privilege-escalation exploit on GitHub【31†L128-L136】. The hacker said he was angry at Microsoft (claiming to have been “stabbed in the back”) and warned that no explanations of the exploit’s mechanics would be given【31†L128-L136】【31†L199-L202】. This is a stark example of grey-hat anger leading to full public disclosure. It exposed Windows users before a fix existed, leaving systems vulnerable.
- **Other examples (non-exhaustive):** Various “grey hat” scanning campaigns have surfaced. For example, in 2017 a prankster “StackOverflowin” made ~160,000 networked printers erupt in ASCII art, scanning open print ports via Shodan【28†L133-L142】. (This predates the five-year window but illustrates the methods.) “Grey hat” hacktivists have also attacked perceived wrongdoers (e.g. regional hacktivists defacing sites of criminals or terrorists), though such acts usually violate laws. As seen, grey hats range from vigilantes to scammers.
## Technical Methods and Tools
Grey-hat operations use many of the same tools as ethical pentesters and black hats, but typically target publicly exposed systems. Common methods include:
- **Network Scanning:** Automated scanning of IP ranges or Shodan search for devices with open ports/services (e.g. port 9100 for printers, 445 for SMB)【28†L133-L142】【70†L317-L324】. For instance, a grey-hat script scanning printers found ~143,000 open devices on port 9100【28†L133-L142】. Tools: Nmap, ZMap, Shodan scripts.
- **Vulnerability Exploits:** Using known exploits (Metasploit, custom scripts) to test for unpatched bugs. Grey hats may write or share exploit code; e.g. the 2026 Windows exploit was publicly posted rather than privately used【31†L128-L136】.
- **Web Testing:** Proxy tools (Burp, OWASP ZAP) to find web-app vulnerabilities (SQLi, XSS, auth flaws). Grey hats often probe publicly accessible websites and APIs.
- **OSINT Gathering:** Collecting information from public sources (DNS, Pastebin, social media) to find misconfigured targets.
- **Social Engineering:** Though more typical of black hats, some grey hats may run phishing tests against organizations (without explicit permission, which is still illegal).
- **IoT/Embedded:** Many grey hats focus on common IoT targets (routers, cameras, printers) which often have default creds and exposed interfaces. As seen, the MikroTik story involved adding firewall rules to protect the device【13†L180-L188】.
These methods can be automated or manual. Grey hats may leave benign “calling cards” (e.g. ASCII art, or notes telling owners to patch) to signal their presence. Importantly, **they rely on lack of authorization**: even port-scanning can be considered illegal “probing” under some laws.
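From the defender's side, the scanning pattern described above (one source touching many hosts on a service port such as 9100 or 445 in a short burst) is visible in ordinary firewall logs. The following is an added example, not code from the original report or from any of the actors it describes: it parses constructed netfilter-style log lines, counts the distinct destination hosts each source contacts per watched port inside a sliding time window, and flags a horizontal sweep when that count crosses a threshold. The log format, the addresses (RFC 5737 test ranges), the 60-second window and the five-host threshold are all assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports named in the text above; the labels are ours, the thresholds are assumptions.
WATCHED_PORTS = {9100: "raw printing (JetDirect)", 445: "SMB"}
MIN_DISTINCT_TARGETS = 5          # distinct destination hosts needed to call it a sweep
WINDOW = timedelta(seconds=60)    # time span within which those hosts must be hit

# Assumed netfilter-style line: ISO timestamp, then SRC=/DST=/PROTO=/DPT= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)

# Constructed sample lines (not real traffic). 203.0.113.7 sweeps five hosts on 9100
# within four seconds; 192.0.2.25 is a print server hitting one host repeatedly;
# 203.0.113.9 touches five SMB hosts but spread over twelve minutes.
SAMPLE_LOG = """\
2026-05-16T10:00:01Z fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=51234 DPT=9100 SYN
2026-05-16T10:00:02Z fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=51235 DPT=9100 SYN
2026-05-16T10:00:02Z fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=51236 DPT=9100 SYN
2026-05-16T10:00:03Z fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP SPT=51237 DPT=9100 SYN
2026-05-16T10:00:04Z fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP SPT=51238 DPT=9100 SYN
2026-05-16T10:00:05Z fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51239 DPT=445 SYN
2026-05-16T10:00:06Z fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.21 PROTO=TCP SPT=51240 DPT=445 SYN
2026-05-16T10:00:07Z fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.15 PROTO=TCP SPT=51241 DPT=80 SYN
2026-05-16T10:00:08Z fw sshd[1]: Accepted publickey for ops from 192.0.2.40
2026-05-16T10:01:00Z fw kernel: IN=eth0 OUT= SRC=192.0.2.25 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=9100 SYN
2026-05-16T10:01:05Z fw kernel: IN=eth0 OUT= SRC=192.0.2.25 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=9100 SYN
2026-05-16T10:01:10Z fw kernel: IN=eth0 OUT= SRC=192.0.2.25 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=9100 SYN
2026-05-16T10:01:15Z fw kernel: IN=eth0 OUT= SRC=192.0.2.25 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=9100 SYN
2026-05-16T10:01:20Z fw kernel: IN=eth0 OUT= SRC=192.0.2.25 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=9100 SYN
2026-05-16T10:00:00Z fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.30 PROTO=TCP SPT=60001 DPT=445 SYN
2026-05-16T10:03:00Z fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.31 PROTO=TCP SPT=60002 DPT=445 SYN
2026-05-16T10:06:00Z fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.32 PROTO=TCP SPT=60003 DPT=445 SYN
2026-05-16T10:09:00Z fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.33 PROTO=TCP SPT=60004 DPT=445 SYN
2026-05-16T10:12:00Z fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.34 PROTO=TCP SPT=60005 DPT=445 SYN
"""


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a matching log line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_sweeps(lines, min_targets=MIN_DISTINCT_TARGETS, window=WINDOW):
    """Flag (source, port) pairs that reach >= min_targets distinct hosts within `window`."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport in WATCHED_PORTS:
            events[(src, dport)].append((ts, dst))

    findings = []
    for (src, dport), hits in events.items():
        hits.sort()                 # chronological order, so the window can slide
        in_window = Counter()       # dst -> hits currently inside the window
        left, best, best_span = 0, 0, None
        for right, (ts, dst) in enumerate(hits):
            in_window[dst] += 1
            # Advance the left edge until every hit in [left, right] fits the window.
            while ts - hits[left][0] > window:
                old_dst = hits[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) > best:
                best, best_span = len(in_window), (hits[left][0], ts)
        if best >= min_targets:
            findings.append({
                "src": src, "port": dport, "service": WATCHED_PORTS[dport],
                "distinct_targets": best,
                "first_seen": best_span[0].isoformat(),
                "last_seen": best_span[1].isoformat(),
            })
    findings.sort(key=lambda f: (f["src"], f["port"]))
    return findings


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect_sweeps(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f['src']} swept {f['distinct_targets']} hosts on {f['port']} "
              f"({f['service']}) between {f['first_seen']} and {f['last_seen']}")
```

Counting distinct destinations rather than raw connection attempts is what separates the sweep from the print server that legitimately hammers a single host, and the time window keeps a slow, spread-out series of contacts below the threshold unless the analyst deliberately widens it.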
## Actor Motivations and Profiles
Grey-hat actors are diverse. Studies and reports outline various motives:
- **Security/Altruistic Motivation:** Many grey hats claim to “improve cybersecurity” by finding flaws before criminals do【43†L186-L193】【70†L303-L310】. For example, the MikroTik patcher “Alexey” said he “took pity” on vulnerable routers【13†L180-L188】. Such actors often say they want to help, not harm.
- **Intellectual Challenge / Ego:** Some hackers simply want the thrill or reputation. As one analyst notes, grey hats may want to “show off their skills, gain publicity, or earn appreciation”【73†L451-L459】. Demonstrating an ability to hack even big targets (like Shreateh on Zuckerberg’s page) can boost one’s hacker cred.