45,000 Attacks, 5,300+ Backdoors Tied to China-Linked Cybercrime Operation


HackRead, May 1, 2026


Why It Matters

The scale and automation of this operation demonstrate a business‑like model for cyber‑crime, raising the threat level for financial and emerging‑tech firms and highlighting the need for advanced detection and response capabilities.

Key Takeaways

  • Operation used Paperclip backend and OpenClaw workflow to automate attacks
  • 45,000 attack attempts produced over 5,300 backdoors on nearly 5,400 hosts
  • Fintech, Web3 platforms, and security vendors were primary high‑value targets
  • Custom Python scripts enable parallel exploitation and WAF bypass at scale
  • Stolen Stripe tokens and crypto addresses monetized via blockchain APIs

Pulse Analysis

The emergence of a highly automated, China‑based cyber‑crime infrastructure underscores a shift toward industrial‑scale hacking. By integrating a central command system (Paperclip) with an agent‑oriented workflow (OpenClaw), the group can orchestrate each phase of an intrusion—from reconnaissance to data exfiltration—across thousands of targets simultaneously. This level of coordination mirrors legitimate enterprise operations, allowing rapid scaling without manual intervention and making traditional, signature‑based defenses increasingly ineffective.

Technically, the attackers leverage well‑known remote‑code‑execution flaws such as Log4Shell, React2Shell and newer CVEs, coupling them with bespoke Python scripts that bypass web‑application firewalls and execute commands in parallel. Their file‑less execution chain injects malicious code directly into Node.js memory, evading disk‑based detection. Persistent footholds are maintained via custom backdoors (d2, pl) and Cloudflare tunnels, while automated scripts harvest high‑value credentials—AI API keys, Stripe tokens, and PostgreSQL passwords—enabling swift monetization.

For the broader market, the operation’s focus on fintech, Web3 and security vendors signals a strategic targeting of sectors with lucrative digital assets. By validating stolen Stripe keys and tracking nearly 22,000 cryptocurrency addresses through APIs like OKLink and Tatum, the group turns compromised data into immediate revenue. Organizations in these verticals must adopt threat‑intel‑driven monitoring, enforce strict API key hygiene, and deploy behavior‑based detection to counter such sophisticated, profit‑driven adversaries.
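As an added example that is not from the article or the researchers it cites: a small credential-hygiene check that scans an environment file for the key classes the article names (Stripe tokens, AI API keys, PostgreSQL passwords embedded in connection URLs) and reports redacted findings. The key prefixes are assumptions based on the vendors' published key formats, and the .env content is constructed.

```python
import re
from urllib.parse import urlsplit

# Credential classes named in the article. The prefixes below are assumptions
# taken from the vendors' public key formats, not from the article itself.
PATTERNS = {
    "stripe_secret": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}"),
    "stripe_restricted": re.compile(r"\brk_(?:live|test)_[0-9A-Za-z]{16,}"),
    "ai_api_key": re.compile(r"\bsk-(?:ant-)?[0-9A-Za-z_-]{20,}"),
    "postgres_url": re.compile(r"\bpostgres(?:ql)?://\S+"),
}

# Constructed sample .env; none of these values are real credentials.
SAMPLE_ENV = """\
# constructed sample .env, not real credentials
STRIPE_SECRET_KEY=sk_live_EXAMPLE0000000000000000
OPENAI_API_KEY=sk-EXAMPLE00000000000000000000
DATABASE_URL=postgresql://app:hunter2@db.internal:5432/ledger
SAFE_URL=postgresql://db.internal:5432/ledger
"""


def redact(secret: str) -> str:
    """Keep a short prefix for long keys so a finding can be matched to a key
    without logging it; fully mask short values such as passwords."""
    return secret[:8] + "..." if len(secret) > 12 else "*" * len(secret)


def scan_env(text: str) -> list[dict]:
    """Return one finding per exposed credential: line number, kind, redacted hint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(0)
                if kind == "postgres_url":
                    # A connection URL is only a finding if it embeds a password.
                    parts = urlsplit(value)
                    if not parts.password:
                        continue
                    value = parts.password
                findings.append({"line": lineno, "kind": kind, "hint": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_env(SAMPLE_ENV):
        print(f"line {f['line']}: {f['kind']} ({f['hint']})")
```

Run the same scan over CI artifacts, container images and shell histories, since the article notes these keys were harvested from compromised hosts rather than from repositories alone.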
