alipay-deeplink-research/twitter_thread.md
feng cae3c54867 feat: global navigation bar + verification badge across all 9 pages
- Unified nav bar with links to all research articles
- Verification badge: Docker 37/37, Zenodo DOI, IACR 2026/526, Packet Storm
- Mobile responsive hamburger menu
- PoC payloads and evidence screenshots added
- Draft articles and planning files included

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-25 05:31:19 +08:00

# Twitter Thread — Cybersecurity Law as Censorship Weapon
# Twitter Thread — When the Cybersecurity Law Becomes a Censorship Weapon
---
## Thread 1/15 (Hook)
On World Consumer Rights Day (March 15), ALL FOUR of my security research articles were forcibly deleted from WeChat.
Reason: "Violation of China's Cybersecurity Law."
The irony? The SAME complaint was rejected by WeChat 4 days earlier.
What changed? The legal grounds. Not the facts. 🧵
---
## Thread 2/15 (Context)
I'm a CISSP-certified security researcher. I found 17 vulnerabilities (CVSS 7.4-9.3) in a payment app used by 1 BILLION+ people.
The core: a whitelist bypass (CVSS 9.3) enabling silent GPS theft (8.81m accuracy), payment hijacking, and worm-like propagation.
308 server logs. 42 screenshots. 3 devices. 3 countries.
---
## Thread 3/15 (Disclosure Timeline)
Timeline:
- Feb 25-Mar 7: 4 rounds of private reports
- Mar 7: Vendor's security lead verbally acknowledged severity (23-min recorded call)
- Mar 10: Vendor's final answer: "Normal functionality"
- Mar 11: Public disclosure after exhausting private channels
---
## Thread 4/15 (First Censorship Attempt)
4 hours 29 minutes after publication:
Beijing Geyun Law Firm (representing Ant Group) filed a "reputation infringement" complaint to WeChat.
WeChat's verdict: "Unable to verify infringement. Complaint NOT supported."
Complaint #428526665 — REJECTED.
---
## Thread 5/15 (Second Attempt)
March 15: Same complainant, different weapon.
This time: "Violation of Cybersecurity Law."
Result: ALL 4 articles deleted.
No specific article cited. No appeal process. No identification of violating content.
First attempt: "reputation" → FAILED
Second attempt: "Cybersecurity Law" → SUCCEEDED
This is legal forum shopping.
---
## Thread 6/15 (International Validation)
Meanwhile, the international community validated the research:
- Packet Storm Security: Advisory #217089 (sandbox-verified)
- MITRE: 6 CVEs accepted (Ticket #2005801)
- Apple: Investigation Case OE01052449093014
- Google Play: Policy violation review #9-7515000040640
- CSSF Luxembourg: Whistleblowing case CSSFWB-2026-080
---
## Thread 7/15 (Global Response)
189 emails → 22 countries → 38+ responses:
- HKMA Hong Kong: Formal complaint filed
- PDPC Singapore: Privacy investigation #00629724
- FCA UK: Whistleblowing confirmed
- CSSF Luxembourg: Linked to €214K AML fine (2025)
- OAIC Australia: Intake confirmed
- EDPB EU: Cross-border complaint confirmed
---
## Thread 8/15 (The Contrast)
Same facts, opposite treatment:
🌍 International: CVSS 9.3 + CVE pending + Packet Storm archived
🇨🇳 China: "Normal functionality" + articles deleted
🌍 International: ISO 29147 compliant + EU whistleblower protection
🇨🇳 China: "Violating Cybersecurity Law"
🌍 International: 16 regulators investigating
🇨🇳 China: Content censored
---
## Thread 9/15 (EU Whistleblower)
EU Whistleblower Directive 2019/1937:
- Art.19: PROHIBITS retaliation against reporters
- Art.21: Retaliation = "any action causing unjustified detriment"
- Art.22-23: Compensation + dissuasive penalties
Alipay (Europe) Ltd S.A. holds an EMI license from CSSF Luxembourg.
Cross-border content deletion = potential EU retaliation?
---
## Thread 10/15 (Pattern)
This isn't isolated. @disaborar's Research Threats Database documents 80+ cases:
- Columbus, Ohio vs researcher (2024)
- NEWAG vs Dragon Sector in Poland (2023)
- Modern Solution criminal prosecution in Germany (2024)
- FreeHour: 4 CS students arrested in Malta (2023)
But THIS case may be the first where a vendor switched legal grounds after rejection.
---
## Thread 11/15 (Real Threat)
Deleting articles doesn't delete vulnerabilities.
The attack chain is still archived on:
1. Packet Storm #217089
2. GitHub: sgInnora/alipay-deeplink-research
3. innora.ai/zfb/
The ONLY effect: 1 billion Chinese users can't learn about risks in their daily payment app.
THAT is the real cybersecurity threat.
---
## Thread 12/15 (Escalation Pattern)
The suppression pattern:
1. Verbal denial ("normal functionality")
2. Lawyer letter ("reputation infringement") → REJECTED
3. Legal upgrade ("Cybersecurity Law") → DELETED
4. Server-side PoC interception
Each failure escalates to a more unassailable legal weapon.
---
## Thread 13/15 (The Fear Test)
Imagine: you find a critical vulnerability. You report it privately. The vendor says "normal functionality." You publish. A lawyer files a complaint. The platform rejects it.
You think you're safe.
4 days later, same lawyer, same complaint, different law cited. All your articles vanish. No appeal.
Would YOU still dare to do security research?
---
## Thread 13.5/15 (Call to Action)
To the global security research community:
When "Cybersecurity Law" deletes security research instead of protecting cybersecurity, the law itself has become an unpatched zero-day.
We need:
- Global Safe Harbor for researchers
- Platform moderation independence
- Cross-border retaliation accountability
---
## Thread 14/15 (Evidence)
All evidence is public:
📄 Full report: innora.ai/zfb/
💻 GitHub: github.com/sgInnora/alipay-deeplink-research
🔒 Packet Storm: #217089
📋 MITRE: Ticket #2005801
🏛️ CSSF: CSSFWB-2026-080
🇭🇰 HKMA: CE20260313175412
Truth doesn't need a takedown notice.
---
## Thread 15/15 (License)
This article is CC BY 4.0. Freely republish, translate, cite.
The 4 deleted WeChat articles are preserved at innora.ai/zfb/ and will be updated with this analysis.
#SecurityResearch #VulnerabilityDisclosure #Censorship #CybersecurityLaw #WhistleblowerProtection #AntGroup #PacketStorm #CVE #InfoSec
Contact: feng@innora.ai