03. Pandora's Box
privacy online (or the lack thereof), social engineering database, love in times of an earthquake
Hi there. Welcome to Active Faults.
Every 15th of March China becomes the most democratic version of itself, phantasmagorically, like Cinderella at the ball in her crystal slippers. On this Consumer Rights Day (消费者权益日), critical, effective journalism springs into existence and exposes businesses of their malpractices. Every restaurant chain and milk tea store across the country waits on bated breath like it’s Judgement Day. CCTV hosts a literal ball for it, the 315 Gala, and the country watches it religiously in the same way that we watch Chinese football, which is with full preparedness of rage and disappointment. Afterwards, a list of brands would trend on Weibo from which we should divest.
This year’s headliner is the menstrual pad, diaper and disposable underwear industry. Big, big names like PurCotton, Sofy, and Babycare have employee “moles” who are reselling defective products to illicit factories, who then sell them to unknowing customers for profit. Other whistles blown include toxic frozen prawns and a handymen hailing platform that overcharges the homeowners.
At the very end of the list, something else was tacked on almost like an inconsequential sidenote. It’s as if they must include this for integrity purposes, but are trying to let it slip through unnoticed. I noticed. It’s Big Data Customer Procurement software (大数据获客软件), and the data pool behind it is also the reason why celebrities as well as their fans can never have any privacy online, ever again.
Today, let’s talk data security, fraud and criminality in fanquan.
If you search Customer Procurement (获客) on Xiaohongshu, hundreds of advertisements would pop up that promise quick and easy capture of your demographic. What this means is that businesses can name a target customer group, and the procurement company will use their crawler software to illegally obtain those people’s contact information for the business to directly promote to (meaning harass).
Different procurement companies specialise in different kinds of data capture. Companies like 云企智能 scan the comments sections of short-video platforms. Businesses can supply a series of keywords that profile their target customers, like “female”, “single” and “university students”, and the software scours people’s comments for anything that typifies that group. If it’s a match, the software will continue to crawl and find those commenters’ contact information, stored across the web, for the business to call or text. Another company, 企腾网络, brags of owning over 2 billion “precise individual profiles” (精准人物画像) through their application “火眼云”, which traces whoever follows a business’ official WeChat account and captures their contact information. Anyone who has ever clicked on, reposted or liked the business’ post is available to the business to stalk, at a ridiculously low cost, along the lines of 6 RMB per person. That’s less than a dollar.
More powerful companies built software that can give you everyone’s contact information within any desired radius in a city. Draw a random circle on the map and 1.3 million people’s phone numbers are at your fingertips. They can even capture data on the three major mobile networks, and provide businesses with details as fine-grained as “anyone who has called a certain landline or visited a certain website” in the past how ever many days. Allegedly, they process over 10 billion lines of statistics every day and have coverage over 20 million websites. They’ve categorised users into 9 groups using over 3,800 keyword labels. Their systems are probably on par with the ones used by the police, and probably with a better UI. 1
This is only the B2B side of things. This is dental clinics looking to sell to those with teeth problems, or plastic surgeons looking for anyone in need of a nose job, and contracting another business for it. If this isn’t frightening enough, the databases formed by procurement software can be further mined and exploited by a larger industry. They can feed into what’s known as “社工库”.
Short for “社会工程学数据库”, “Social Engineering Database”, it is a place where you can, simply, find out everything about everyone. It is a mega information hub built upon years of leaked confidential facts and figures, not maintained by any particular entity, but used by various crime rings for scams, extortions and more. It’s the closest thing to what I’d imagine God would have on a funky-shaped handheld device, a complete census of the populace.
SED sounds too powerful for the average human to access, but it is actually so simple a tech-savvy child could do it. It’s on fucking Telegram. You get into the right kind of group chats by the right kind of search words, and you send someone something you already know about the person. A fragment of their lives like their name, phone number, QQ number or email address. You will get everything else in return, including but not limited to their residential address, Weibo account, alma mater, student ID number, marriage status, car model, license plate and insurance policy number. And it’s free. 2
Every group chat member has one free search a day when they log in. If you want an unlimited number of searches, you can pay for it with crypto (70 USDT, which is about 500 RMB). If you invite new members into the chat, you can get more free searches, like in a pyramid scheme. Group admins would constantly try to entice insider staff to become their “moles”, and this is their call for expression of interest:
Looking for people working in law enforcement, bank, delivery or [mobile network] customer centres to collaborate with. If you’re authorised to do national searches, and want to earn money with your power, please get in contact! [...] You will be able to earn 5 digits a day with the most lucrative projects like bank statements generation, hotel confirmations checks etc. We can teach you how to avoid the risks of getting caught at work and having your authorised access revoked. Salaries are paid with crypto and hence completely off the grid.
It is through 社工库 that the 13-year-old daughter of Baidu’s VP stalked and attacked a rival in a fan war. 3 When I said a child could do it, I meant it quite literally. News came out late last month that the young girl, while defending her idol Jang Wonyoung, had “开盒” another woman on Weibo. The term translates to “box-opening”, which is the hostile disclosure of another person’s private information on the internet. Referencing Pandora’s Box to describe how this disclosure is evil and irreversible, “开盒” is one level up from “人肉” (human-meating), which is what internet stalking-and-disclosing used to be called.
In this case, the daughter found the rival’s national ID number and the fact that she was pregnant to terrorise her in the altercation. In an official statement released by Baidu, the VP Xie Guangjun claimed that this is not indicative of a data leak from the search engine’s end. She did not use her nepo baby privileges, but instead obtained the information via those aforementioned organised crime groups on Telegram who are tapped into the SED. The market price for the information package she likely bought is somewhere around 80 RMB. That’s like, two strawberries from Erewhon. What I want to emphasise here is not just how “hysterical” a fangirl could be, but how this is such a readily available option.
Experts have confessed that “开盒” as a crime is incredibly difficult to prosecute and the industry revolving around the SED is impossible to eradicate. “开盒” involves multiple guilty parties at different stages, which requires collaborative sentencing from the criminal as well as civil courts, and also administrative authorities. As with SED, it is a transnational platform with overseas servers that is too complicated to map out. A lot of data would be supplied by “moles” working in anything from real estate agencies to airlines, and then passed around thousands of times. Chinese reportage encourages tough regulations nonetheless, but the takeaways of some articles are humorously missing the plot, summarising that Telegram is poisonous, or the SED is a “foreign” (境外) thing. I’ll let you read the subtext here. Most of them refrained from mentioning that AI is helping businesses mass-harass people off of illegally procured phone numbers.
I wonder if this market on the dark web has been around forever, and I had been too ignorant. But fanquan’s entanglement with this industry is most definitely new, and the booming demand for illegally obtained personal information within fan spaces gives me the chills. Fan wars never used to be this intense and so enabled by co-opted technology that thrives on our heightened digital presences. Fan wars never used to be this hungry about data, and this obsessed with possessing information that’s supposedly off-limits. It’s because Fandom is in a data craze as a whole. Human victims are the collateral damage. 4
You can buy information to attack and threaten other fans, but a celebrity’s life also becomes within reach. You can know where they live, where their parents work, what their friends eat, or who their secret lover is. This is how saesangs can buy the neighbouring seat on the same plane, hide in the stairwells of their apartment buildings, and dig through the trash of their hotel rooms. Flight booking confirmations of idols can be bought, and their upcoming schedules can be predicted, down to the day and the hour. I learnt about SEVENTEEN Jeonghan’s possible enlistment date months before the official announcement, because the group has booked their flights for their upcoming overseas tour, and there was no ticket for him. This information showed up unsolicited on my Xiaohongshu homepage. The algorithm made me complicit.
This is why I think sometimes celebrities need to use their privileges. They should use the VIP entrances at airports, ride in fancy cars with blackout curtains, live in secluded neighbourhoods and have 24/7 security. Their paranoia is justified. And hence as much as fanquan hates “208”, they are but the Frankenstein that itself created. The most extreme of us drove them out of touch with the commoners.
On the 28th of March, the catastrophic earthquake in Myanmar affected millions. Shocks and panic were felt in Bangkok, where many Chinese fans of the K-Pop group BOYNEXTDOOR were travelling to for their concert, scheduled for the 29th.
1 hour after the earthquake, at 3:29 PM, the local organiser posted a notice of show cancellation, but it was immediately deleted. No statements were made by the artists and the company, so confused, terrified and mentally torn fans were pushed into gritting their teeth and sticking to their original travel plans. Flight confirmations got leaked at 5:15 PM: BOYNEXTDOOR were flying back to Seoul that day. 5:45, the show was officially cancelled. By 9:58 PM, the group was boarding their flight home, completely silent and unresponsive to the fans, while thousands of other girls (a lot of them underage) were still stranded in Bangkok, experiencing aftershocks without accommodation that lasted into the week or possible means of exit. Rumours spread that the statement was deliberately delayed to stall the fans, allowing the company to snatch up onward tickets before the fans beat them to it. Apparently, they were also snatching the shuttle carts at the airport that were pre-booked by fans. You can imagine feelings of abandonment, the disappointment and the anger. They were left behind, outsmarted and ignored. Videos surfaced of fans almost crying and asking BND at the gate “What should we do then?” (우리 어떻게?)
By the time the members rushed to do some damage control by posting consolatory messages on Weverse, it was already too late. “Unfan” was trending on Weibo and tirades of their callousness were ubiquitous. Fans of any kind from any community could empathise with that feeling of helplessness and frustration.
I was on the eighth floor of the hotel when the earthquake happened. I ran down the fire escape, and a white girl joined me on the way. She was so scared. We were both running and crying, and I held out my hand for her to hold, and we comforted each other, saying “we’ll be okay” over and over again. It’s an animal instinct to weep for someone else’s pain as if it’s ours, even when they’re strangers. But these are people who love you enough to have travelled thousands of miles to see you. How could you ignore us? This hotel is next to the stadium, and everywhere around the block there are fans with their photocards and plushies, standing in the sun and taking shelter. How could you not think of this?
Some tried to defend BND and insist that the company is to blame for their poor management, not the idols themselves, who are puppets being told to shut up and be stern. But fans who followed the group onto their plane reported that the guys seemed perfectly content on the ride and unaffected by the chaos. They napped, and watched some TV, and one member, Taesan, wolfed down the free Häagen-Dazs ice cream at meal time. More fuel to the fire.
Meanwhile, fans rallied together for mutual aid. The Lead Fans’ Weibo accounts became an information hub, compiling all the latest updates from local news as well as places where you could find free sandwiches or other essential supplies. 站姐 were buying meals and leaving them around the area for others to pick up. Many of these leading figures in the community offered to cover rebooking costs for (younger) fans who can’t afford them. It is not uncommon for girls to hide their overseas concert trips entirely from their unsupportive family, and so many would lie. They were completely isolated, in all senses of the word, with only their fellow fans to rely on. I’ve seen it firsthand how easy unconditional kindness can flow in moments like these, and how simple it is to trust someone with your whole being, for no other reason than that they love like me. We love the same people with the same fierceness, and therefore we love each other. That’s a connection so weighty and inscrutable it transcends our subjectivities. It’s loving a sunflower, for we both need the sun to live.
Perhaps people wouldn’t have been this distressed had the earthquake happened at a different time. This is a crisis that succeeded the abduction of the actor Wang Xingxing earlier in the year, where he was taken by a Thai crime group and trafficked to the Myanmar borders, which garnered massive public attention.
Since then, political relations have been fraught, and rumours have gone around that anti-China sentiments are high in Southeast Asia. As Bangkok’s public transport system collapsed and solo-travelling female fans were forced to drag their luggage around in the pouring rain after dark, their fear led to more outrage. It didn’t help that a 16-year-old fan reportedly went missing.
By now, you should see how this incident proves that you can’t draw neat conclusions like “data leaks are bad” and “fans are crazy”. Yes, BND shouldn’t be expected to show (perform) concerns and sympathies, especially in a flight cabin when they’re off duty. Their privacy was disgustingly violated. It shouldn’t have been made known to the fans how they feel and react in private. But fans wouldn’t be so desperate to see a reaction if they had said more and done more. Yes, their flight information shouldn’t have been leaked at 5:15 PM. But that might have gotten some fans out of the country before they got held back.
Should BND and co. have taken measures to care for the fans? Also a resounding yes. A prompt cancellation, proper apologies and explanations, reimbursement of financial losses or evacuation measures. Fans weren’t asking them to heroically stay behind, but they didn’t even refund the tickets. It’s outrageous. It reads to me that while “prioritising the safety of the artists”, the company has completely disregarded the fans who are human beings and not data points. The more obsessed we are with streams and sales and “traffic”, the more we resemble data ourselves.
You might want to scold the fans for their stubbornness or naivety, their inability to anticipate the disruptions and their unwise choice to travel despite them. That they had it coming for themselves. But you also need to know that concerts these days feature a string of unrecoupable costs. Flights, accommodations, transits, insurances, physical strain, emotional labour of planning, and not to mention the tickets bought off of scalpers for twice the face value. A lot of fans go into debt and take out loans. Every tiny strand of investment winds into a tightrope that fans would cling to until the very last second. It is a privilege to make this kind of commitment, but that’s not why we should dismiss their sufferings or refuse to look at who propelled them. This makes them vulnerable, and it’s humiliating to feel like you’re at the mercy of someone else.
This video on Bilibili gave me such a wake-up call that I saved it for future rewatch. The title is called “our natural trust in fellow fans could destroy us beyond repair”. It imagines a possible scam where a coach could pull up to the exit of a concert stadium, claiming that it’s a free fan shuttle to Haidilao (it’s a neiyu tradition to go for post-show hotpot). The coach could be decorated with concert posters, signages that say it’s sponsored by a major fan site, or even promising freebies. They could hire young girls to sit on the coach with the right kind of lightsticks to lure you in. You’d think you’re smarter than that to fall for it, but you are going to be too exhausted and too hyped to judge well. There could be no taxis or buses, or subways around, and you are desperate.
Desperation always gets preyed on. It’s how fake autographs, photocards, and concert tickets get sold. It’s why celebrities never stop creating their own clothing brands or restaurants that are subpar at best and health-endangering at worst. Just a few days ago, Huang Zitao announced that he’s founded a new menstrual pad business that will be the “best in the field”. He sold all 100K of the samples in his live stream to his fans. Remember what I wrote in the beginning of the piece that menstrual pad factories could be really, really vile?
Perhaps fans are always going to be vulnerable, because love makes us vulnerable. There is always going to be a need for information. To know more and feel good, whether that’s winning an argument or being taken care of, even if we were to be dehumanised into data. It’s hard to feel good these days. Perhaps that’s why we are going to concerts. Grounded in the here and the now, exchanging friendship bracelets with strangers you might never meet again, being kind and smiley and feeling alive. Complete anonymity and hence safety, and absolute connection with the people on the stage. That’s why the fans were in Bangkok in the first place. We are always going to go to concerts.
BND tried to appease Chinese fans by singing some Chinese songs in their next show. A classic move. 5
https://m.thepaper.cn/newsDetail_forward_30406448
https://m.mp.oeeee.com/a/BAAFRD0000202503211061784.html
https://www.secrss.com/articles/76794
One more article used in this segment: https://news.cctv.com/2025/03/26/ARTIFIB8Z2MkgY6arGy2gbnA250326.shtml
Cover photo: BND’s official Chinese fan club buying groceries for fans.
This is some serious Cyberpunk, like pure uncut '90s stuff. Except you don't have to break into a secure facility and hack a dedicated terminal to use it, you can just text someone. Bloody hell.