How a Baidu Engineer Bypassed Audits to Fraudulently Approve 735 Sites and Steal 3.7 M Yuan
A 1992‑born Baidu developer abused his system privileges, wrote scripts and used curl commands to illegally approve hundreds of media sites—including gambling portals—through the company's ad‑network audit, resulting in a loss of 3.74 million yuan and a one‑year‑nine‑month prison sentence.
In 2015, Chen Mourui (born 1992) joined Baidu Era Network Technology (Beijing) Ltd. as a software developer in the Union team of the Display Advertising Platform, responsible for developing and maintaining Baidu Union’s traffic‑side systems.
Unauthorized “Audit” Business
In August 2017, a man named Liu approached Chen via WeChat, offering a side business: quickly passing website audits for Baidu Union’s advertising eligibility. Chen, enticed by a 300 CNY fee per site, agreed to review 30 sites for a total of 9,000 CNY.
Exploitation Method
Although Chen had no official audit authority, he used his workstation to send curl requests to an internal API that marked sites as approved. He later wrote a script that accepted website usernames and passwords, batch‑submitted them through the same API, and repeatedly invoked the endpoint to mark hundreds of sites as audit‑passed.
From September 2017 to March 2018, Chen altered the audit status of over 735 media sites, including many containing gambling or lottery content, and collected 235,900 CNY in illicit earnings.
Impact
The fraudulent approvals allowed these sites to display Baidu ads, siphoning an estimated 3.745 million CNY in revenue that should have gone to Baidu. The breach also exposed weaknesses in Baidu’s two‑stage audit process, which normally involves automated policy filtering followed by manual review.
Detection and Investigation
In February 2018, Baidu’s risk‑control platform flagged inconsistencies: sites appeared as “approved” in the UNION system but not in the risk‑control system. Internal investigation identified Chen’s unauthorized use of the media‑audit interface, confirming the large‑scale manipulation.
On March 13, Baidu hired a third‑party security firm (Beijing ShenZhou Green Alliance) to analyze the compromised servers. The firm concluded that the attacker, using the username “chenborui,” leveraged the servers as a jump‑box to batch‑approve media domains.
Legal Outcome
The Haidian District People’s Court ruled that Chen’s actions constituted “damage to computer information systems,” sentencing him to one year and nine months in prison. The court noted his self‑surrender, restitution of illegal gains, and compensation for IT service costs, resulting in a reduced sentence.
Key Takeaways
Insider threats can bypass multi‑layered audit mechanisms when privileged access is misused.
Automated audit APIs must enforce strict authentication and logging.
Regular cross‑system consistency checks can reveal unauthorized state changes.
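The detection described above (approvals present in the UNION system but absent from the risk‑control system) and the last two takeaways can be expressed as a small reconciliation job. The following is an added example written for this summary, not Baidu's code; the system names, roles, site identifiers and audit‑log events are all constructed, and the thresholds are illustrative assumptions. It reports three things a defender would want from such a job: sites approved in only one system, approval calls made by accounts without an audit role, and accounts that issue approvals in rapid bursts.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample state (not from the case). A legitimately approved site
# should appear in BOTH systems; a mismatch is the signal the article describes.
UNION_APPROVED = {"site-001", "site-002", "site-003", "site-004", "site-005"}
RISK_CONTROL_APPROVED = {"site-001", "site-002"}

# Assumption: only accounts holding this role may call the approval endpoint.
AUTHORIZED_ROLES = {"auditor"}


@dataclass(frozen=True)
class ApprovalEvent:
    """One call to the approval endpoint, as an audit log should record it."""
    site_id: str
    actor: str        # account that made the call
    role: str         # role the identity system recorded for that account
    ts: datetime      # time of the call


# Constructed audit log: two normal approvals, then a burst from a non-auditor.
AUDIT_LOG = [
    ApprovalEvent("site-001", "auditor01", "auditor", datetime(2018, 2, 1, 9, 0, 0)),
    ApprovalEvent("site-002", "auditor01", "auditor", datetime(2018, 2, 1, 9, 5, 0)),
    ApprovalEvent("site-003", "dev42", "developer", datetime(2018, 2, 1, 23, 1, 0)),
    ApprovalEvent("site-004", "dev42", "developer", datetime(2018, 2, 1, 23, 1, 0)),
    ApprovalEvent("site-005", "dev42", "developer", datetime(2018, 2, 1, 23, 2, 0)),
]


def unreconciled_sites(union_ok, risk_ok):
    """Sites marked approved in the ad-network system with no matching
    risk-control record. Sorted so the output is stable for reporting."""
    return sorted(union_ok - risk_ok)


def unauthorized_approvals(events, allowed_roles=AUTHORIZED_ROLES):
    """Approval calls whose actor did not hold an audit role at call time."""
    return [e for e in events if e.role not in allowed_roles]


def approver_bursts(events, window_seconds=60, threshold=3):
    """Actors who issued at least `threshold` approvals within any span of
    `window_seconds`. Returns {actor: max approvals seen in one window}."""
    by_actor = {}
    for e in events:
        by_actor.setdefault(e.actor, []).append(e.ts)

    flagged = {}
    for actor, stamps in by_actor.items():
        stamps.sort()
        best = start = 0
        # Sliding window over the sorted timestamps of this actor.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[actor] = best
    return flagged


def run_checks(union_ok=UNION_APPROVED, risk_ok=RISK_CONTROL_APPROVED, events=AUDIT_LOG):
    """Run all three checks and return the findings as one dict."""
    return {
        "unreconciled": unreconciled_sites(union_ok, risk_ok),
        "unauthorized_actors": sorted({e.actor for e in unauthorized_approvals(events)}),
        "bursts": approver_bursts(events),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The reconciliation check is the one that does not depend on the attacker's account being logged correctly: even if the endpoint accepted the call, the second system never saw it, so the set difference surfaces the tampered sites regardless of who made the call. The role check and the burst check only work if the approval endpoint authenticates the caller and writes an audit record per call, which is the point of the second takeaway.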
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.