In China, cybercrime is growing, as is the size of the groups committing those crimes. But some of China's social attitudes have led to relatively short prison sentences for those convicted, and those sentences are getting shorter.
These trends and others have been revealed in a new analysis by Dr Tianji Cai from the Department of Sociology at the University of Macau.
"China has been infamous for politically-motivated intelligence gathering, espionage," Cai told the 5th International Conference on Cybercrime and Computer Forensics on Australia's Gold Coast last month. "But it also shows that China's citizens also are victims of the cybercrimes, for example fraud, intellectual property, stolen identities."
But China's efforts to crack down on cybercrime have been hampered by the view, held by many Chinese, that the internet is a lawless place.
"There is some kind of misunderstanding, especially for the common citizens. Cybercrime is not considered a crime," Cai said.
"I take your identities, for example your social media accounts. That's not considered a crime. That's kind of fun. Also, well, if I can steal your money from your online account such and such, that's considered pretty smart."
Cai is neither a sociologist nor a criminologist, but calls himself "a social scientist using quantitative methods". His research is based on a quantitative analysis of the judgement and sentencing documents from the Chinese criminal justice system, which started to become available online in 2013.
Every one of these documents is being released, except when the case involves state secrets, or has privacy-related or similar restrictions. So far the system has seen 35 billion downloads.
Cai focused on the cases that represented cybercrime, which in practice meant crimes defined in articles 285 through 287 of the Chinese criminal law, excluding those convictions related to copyright violation.
The crimes included those defined in the original 1997 version of the laws, which focused on intrusions into computer systems, particularly those connected with state affairs or the construction of defence facilities, as well as in relation to serious crime, including financial fraud.
Subsequent updates to the law have gradually extended the list of crimes. More specific crimes have been added, such as setting up a website or mailing list to conduct fraud, publishing illegal or criminal information, or selling drugs, guns, or other restricted items, including hacking services. Knowingly providing services to anyone conducting these illegal activities is also a crime.
In all, Cai analysed 458 cases leading to criminal convictions.
"Chinese cybercrime is highly correlated to the underground market ... basically financially motivated. So they want money," Cai said.
He has identified four value chains, although there's some overlap between them:
- Theft of real assets, for example, hacking into a bank account or stock market account and transferring the funds elsewhere.
- Theft of virtual assets, such as the devices and experience points in online games.
- Theft of internet resources, such a stealing the details of phone or internet accounts and selling them online, or using those stolen credentials to contact the victim's relatives or friends to commit further fraud. There have also been "many cases" where the stolen accounts have been held to ransom, returned to the victims only if they pay a fee, Cai said.
- The misuse of government systems.
Around 20 percent of cases analysed involved the theft of real money, with another 15 percent involving virtual assets.
Virtual assets are valuable because players "spend tons of money and time in it", Cai said.
"The virtual coins or the money can be sold on the market. People want it. [Or] for example, you're a low level kind of player, and you want to be a higher level, you hire somebody to do the work for you," he said.
"Theft of virtual assets is declining because online gaming is declining in popularity ... Phone gaming is more popular. So people don't want it anymore. They want to hack your phone, not your online gaming ID, [while] service and resource abuse is increasing."
That said, online gaming accounts are still the second most popular target for cybercrime, topped only by the targeting of accounts for commercial sites such as Alibaba. In third place comes what Cai called "public systems", such as those used to communicate students' results in the national exam for college entrance.
"One girl attended the college entrance exam, and then got a phone call from somebody else saying, well, you've been admitted, but you have to send us some money to [our] account, for example, as a security deposit. So she did," Cai said.
"The family was poor, and the girl felt so bad, and then committed suicide."
Cai's fourth category is the misuse of government systems. These systems aren't normally a target for hackers, because they know that the authorities would pursue them aggressively. But most of these cases have involved improper access by insiders.
Examples include removing records of traffic offences, removing the names of drug users from the relevant government registers, or creating a new identity so that additional bank accounts can be opened.
"This has become a huge business," Cai said.
The penalties for cybercrime under Chinese law have been relatively lenient, according to Cai: Imprisonment up to three years, extended in 2015 to five years, although longer for more serious crimes. But in reality the sentences never reach that.
The mean prison sentence meted out for cybercrime convictions has dropped from a peak of 45 months in 2012 to 28 months in 2016. The mean value of fines has also dropped, to less than a tenth of what it was in 2012.
"More than half of the offenders receive probation, and some of them [are] using a financial penalty as a substitute for this imprisonment or probation," Cai said.
"I think whilst the common stereotype of the cybercriminals, maybe they're in a wheelchair or something -- that is somehow true in [the] Chinese case ... If you want to receive probation, there are articles you have to cite. We see that many of [the cases that] cite articles, for example, offenders have a physical disability."
Cai's data shows a clear upward trend in the number of cases handled each year, but it also shows a trend towards having more offenders per case.
In 2012, the average number of offenders per case was one, and today it's still less than two. But the maximum number of offenders per case has risen much faster. In 2016, there was even a case with 78 offenders.
"The organisation, or the size of the group, is increasing," Cai said.
"There is a clear division of labour. After you are hacking people's account, then there's somebody needed to take the money from the ATM machine, and then you need to distribute it. The size of the group is actually increasing."