# Twitter Thread — Cybersecurity Law as Censorship Weapon

---

## Thread 1/15 (Hook)

On World Consumer Rights Day (March 15), ALL FOUR of my security research articles were forcibly deleted from WeChat.

Reason: "Violation of China's Cybersecurity Law."

The irony? The SAME complaint was rejected by WeChat 4 days earlier.

What changed? The legal grounds. Not the facts. 🧵

---

## Thread 2/15 (Context)

I'm a CISSP-certified security researcher. I found 17 vulnerabilities (CVSS 7.4-9.3) in a payment app used by 1 BILLION+ people.

The core: a whitelist bypass (CVSS 9.3) enabling silent GPS theft (8.81m accuracy), payment hijacking, and worm-like propagation.

308 server logs. 42 screenshots. 3 devices. 3 countries.

---

## Thread 3/15 (Disclosure Timeline)

Timeline:
- Feb 25-Mar 7: 4 rounds of private reports
- Mar 7: Vendor's security lead verbally acknowledged severity (23-min recorded call)
- Mar 10: Vendor's final answer: "Normal functionality"
- Mar 11: Public disclosure after exhausting private channels

---

## Thread 4/15 (First Censorship Attempt)

4 hours 29 minutes after publication: Beijing Geyun Law Firm (representing Ant Group) filed a "reputation infringement" complaint with WeChat.

WeChat's verdict: "Unable to verify infringement. Complaint NOT supported."

Complaint #428526665 — REJECTED.

---

## Thread 5/15 (Second Attempt)

March 15: Same complainant, different weapon.

This time: "Violation of Cybersecurity Law."

Result: ALL 4 articles deleted. No specific article cited. No appeal process. No identification of violating content.

First attempt: "reputation" → FAILED
Second attempt: "Cybersecurity Law" → SUCCEEDED

This is legal forum shopping.

---

## Thread 6/15 (International Validation)

Meanwhile, the international community validated the research:
- Packet Storm Security: Advisory #217089 (sandbox-verified)
- MITRE: 6 CVEs accepted (Ticket #2005801)
- Apple: Investigation Case OE01052449093014
- Google Play: Policy violation review #9-7515000040640
- CSSF Luxembourg: Whistleblowing case CSSFWB-2026-080

---

## Thread 7/15 (Global Response)

189 emails → 22 countries → 38+ responses:
- HKMA Hong Kong: Formal complaint filed
- PDPC Singapore: Privacy investigation #00629724
- FCA UK: Whistleblowing confirmed
- CSSF Luxembourg: Linked to €214K AML fine (2025)
- OAIC Australia: Intake confirmed
- EDPB EU: Cross-border complaint confirmed

---

## Thread 8/15 (The Contrast)

Same facts, opposite treatment:

🌍 International: CVSS 9.3 + CVE pending + Packet Storm archived
🇨🇳 China: "Normal functionality" + articles deleted

🌍 International: ISO 29147 compliant + EU whistleblower protection
🇨🇳 China: "Violating Cybersecurity Law"

🌍 International: 16 regulators investigating
🇨🇳 China: Content censored

---

## Thread 9/15 (EU Whistleblower)

EU Whistleblower Directive 2019/1937:
- Art.19: PROHIBITS retaliation against reporters
- Art.21: Retaliation = "any action causing unjustified detriment"
- Art.22-23: Compensation + dissuasive penalties

Alipay (Europe) Ltd S.A. holds an EMI license from CSSF Luxembourg.

Cross-border content deletion = potential EU retaliation?

---

## Thread 10/15 (Pattern)

This isn't isolated. @disaborar's Research Threats Database documents 80+ cases:
- Columbus, Ohio vs researcher (2024)
- NEWAG vs Dragon Sector in Poland (2023)
- Modern Solution criminal prosecution in Germany (2024)
- FreeHour: 4 CS students arrested in Malta (2023)

But THIS case may be the first where a vendor switched legal grounds after rejection.

---

## Thread 11/15 (Real Threat)

Deleting articles doesn't delete vulnerabilities.

The attack chain is still archived on:
1. Packet Storm #217089
2. GitHub: sgInnora/alipay-deeplink-research
3. innora.ai/zfb/

The ONLY effect: 1 billion Chinese users can't learn about risks in their daily payment app.

THAT is the real cybersecurity threat.

---

## Thread 12/15 (Escalation Pattern)

The suppression pattern:
1. Verbal denial ("normal functionality")
2. Lawyer letter ("reputation infringement") → REJECTED
3. Legal upgrade ("Cybersecurity Law") → DELETED
4. Server-side PoC interception

Each failure escalates to a more unassailable legal weapon.

---

## Thread 13/15 (The Fear Test)

Imagine: you find a critical vulnerability. You report it privately. The vendor says "normal functionality." You publish.

A lawyer files a complaint. The platform rejects it. You think you're safe.

4 days later, same lawyer, same complaint, different law cited. All your articles vanish. No appeal.

Would YOU still dare to do security research?

---

## Thread 13.5/15 (Call to Action)

To the global security research community:

When "Cybersecurity Law" deletes security research instead of protecting cybersecurity, the law itself has become an unpatched zero-day.

We need:
- Global Safe Harbor for researchers
- Platform moderation independence
- Cross-border retaliation accountability

---

## Thread 14/15 (Evidence)

All evidence is public:
📄 Full report: innora.ai/zfb/
💻 GitHub: github.com/sgInnora/alipay-deeplink-research
🔒 Packet Storm: #217089
📋 MITRE: Ticket #2005801
🏛️ CSSF: CSSFWB-2026-080
🇭🇰 HKMA: CE20260313175412

Truth doesn't need a takedown notice.

---

## Thread 15/15 (License)

This article is CC BY 4.0. Freely republish, translate, cite.

The 4 deleted WeChat articles are preserved at innora.ai/zfb/ and will be updated with this analysis.

#SecurityResearch #VulnerabilityDisclosure #Censorship #CybersecurityLaw #WhistleblowerProtection #AntGroup #PacketStorm #CVE #InfoSec

Contact: feng@innora.ai