alipay-deeplink-research/twitter_thread.md
feng cae3c54867 feat: global navigation bar + verification badge across all 9 pages
- Unified nav bar with links to all research articles
- Verification badge: Docker 37/37, Zenodo DOI, IACR 2026/526, Packet Storm
- Mobile responsive hamburger menu
- PoC payloads and evidence screenshots added
- Draft articles and planning files included

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-25 05:31:19 +08:00


Twitter Thread — Cybersecurity Law as Censorship Weapon

Twitter Thread — When the Cybersecurity Law Becomes a Censorship Weapon


Thread 1/15 (Hook)

On World Consumer Rights Day (March 15), ALL FOUR of my security research articles were forcibly deleted from WeChat.

Reason: "Violation of China's Cybersecurity Law."

The irony? The SAME complaint was rejected by WeChat 4 days earlier.

What changed? The legal grounds. Not the facts. 🧵


Thread 2/15 (Context)

I'm a CISSP-certified security researcher. I found 17 vulnerabilities (CVSS 7.4-9.3) in a payment app used by 1 BILLION+ people.

The core: a whitelist bypass (CVSS 9.3) enabling silent GPS theft (8.81m accuracy), payment hijacking, and worm-like propagation.

308 server logs. 42 screenshots. 3 devices. 3 countries.


Thread 3/15 (Disclosure Timeline)

Timeline:

  • Feb 25-Mar 7: 4 rounds of private reports
  • Mar 7: Vendor's security lead verbally acknowledged severity (23-min recorded call)
  • Mar 10: Vendor's final answer: "Normal functionality"
  • Mar 11: Public disclosure after exhausting private channels

Thread 4/15 (First Censorship Attempt)

4 hours 29 minutes after publication:

Beijing Geyun Law Firm (representing Ant Group) filed a "reputation infringement" complaint to WeChat.

WeChat's verdict: "Unable to verify infringement. Complaint NOT supported."

Complaint #428526665 — REJECTED.


Thread 5/15 (Second Attempt)

March 15: Same complainant, different weapon.

This time: "Violation of Cybersecurity Law."

Result: ALL 4 articles deleted.

No specific article cited. No appeal process. No identification of violating content.

First attempt: "reputation" → FAILED
Second attempt: "Cybersecurity Law" → SUCCEEDED

This is legal forum shopping.


Thread 6/15 (International Validation)

Meanwhile, the international community validated the research:

  • Packet Storm Security: Advisory #217089 (sandbox-verified)
  • MITRE: 6 CVEs accepted (Ticket #2005801)
  • Apple: Investigation Case OE01052449093014
  • Google Play: Policy violation review #9-7515000040640
  • CSSF Luxembourg: Whistleblowing case CSSFWB-2026-080

Thread 7/15 (Global Response)

189 emails → 22 countries → 38+ responses:

  • HKMA Hong Kong: Formal complaint filed
  • PDPC Singapore: Privacy investigation #00629724
  • FCA UK: Whistleblowing confirmed
  • CSSF Luxembourg: Linked to €214K AML fine (2025)
  • OAIC Australia: Intake confirmed
  • EDPB EU: Cross-border complaint confirmed

Thread 8/15 (The Contrast)

Same facts, opposite treatment:

🌍 International: CVSS 9.3 + CVE pending + Packet Storm archived
🇨🇳 China: "Normal functionality" + articles deleted

🌍 International: ISO 29147 compliant + EU whistleblower protection
🇨🇳 China: "Violating Cybersecurity Law"

🌍 International: 16 regulators investigating
🇨🇳 China: Content censored


Thread 9/15 (EU Whistleblower)

EU Whistleblower Directive 2019/1937:

  • Art.19: PROHIBITS retaliation against reporters
  • Art.21: Retaliation = "any action causing unjustified detriment"
  • Art.22-23: Compensation + dissuasive penalties

Alipay (Europe) Ltd S.A. holds an EMI license from CSSF Luxembourg.

Cross-border content deletion = potential EU retaliation?


Thread 10/15 (Pattern)

This isn't isolated. @disaborar's Research Threats Database documents 80+ cases:

  • Columbus, Ohio vs researcher (2024)
  • NEWAG vs Dragon Sector in Poland (2023)
  • Modern Solution criminal prosecution in Germany (2024)
  • FreeHour: 4 CS students arrested in Malta (2023)

But THIS case may be the first where a vendor switched legal grounds after rejection.


Thread 11/15 (Real Threat)

Deleting articles doesn't delete vulnerabilities.

The attack chain is still archived on:

  1. Packet Storm #217089
  2. GitHub: sgInnora/alipay-deeplink-research
  3. innora.ai/zfb/

The ONLY effect: 1 billion Chinese users can't learn about risks in their daily payment app.

THAT is the real cybersecurity threat.


Thread 12/15 (Escalation Pattern)

The suppression pattern:

  1. Verbal denial ("normal functionality")
  2. Lawyer letter ("reputation infringement") → REJECTED
  3. Legal upgrade ("Cybersecurity Law") → DELETED
  4. Server-side PoC interception

Each failure escalates to a more unassailable legal weapon.


Thread 13/15 (The Fear Test)

Imagine: you find a critical vulnerability. You report it privately. The vendor says "normal functionality." You publish. A lawyer files a complaint. The platform rejects it.

You think you're safe.

4 days later, same lawyer, same complaint, different law cited. All your articles vanish. No appeal.

Would YOU still dare to do security research?

Thread 13.5/15 (Call to Action)

To the global security research community:

When "Cybersecurity Law" deletes security research instead of protecting cybersecurity, the law itself has become an unpatched zero-day.

We need:

  • Global Safe Harbor for researchers
  • Platform moderation independence
  • Cross-border retaliation accountability

Thread 14/15 (Evidence)

All evidence is public:

  📄 Full report: innora.ai/zfb/
  💻 GitHub: github.com/sgInnora/alipay-deeplink-research
  🔒 Packet Storm: #217089
  📋 MITRE: Ticket #2005801
  🏛️ CSSF: CSSFWB-2026-080
  🇭🇰 HKMA: CE20260313175412

Truth doesn't need a takedown notice.


Thread 15/15 (License)

This article is CC BY 4.0. Freely republish, translate, cite.

The 4 deleted WeChat articles are preserved at innora.ai/zfb/ and will be updated with this analysis.

#SecurityResearch #VulnerabilityDisclosure #Censorship #CybersecurityLaw #WhistleblowerProtection #AntGroup #PacketStorm #CVE #InfoSec

Contact: feng@innora.ai