How a Baidu Engineer Exploited the Ad‑Review System to Steal Millions
A 1992‑born Baidu programmer abused his development privileges to script unauthorized website approvals, bypassing two layers of review, fraudulently earning over 235,000 RMB and causing a loss of 3.7 million RMB in ad revenue before being caught and sentenced.
Background
Chen Borui, born in 1992, joined Baidu Era Network Technology (Beijing) in 2015 as a developer in the Union team of the display advertising platform, responsible for system development and maintenance of the Baidu Union traffic side.
Unauthorized Activity
In August 2017, Chen was approached by a man named Liu on WeChat, who offered a side‑business: fast‑track website approvals for Baidu Union advertising. Liu paid Chen 300 RMB per site, and Chen agreed to audit 30 sites for 9,000 RMB.
Although Chen had no official audit authority, he used his workstation to send curl requests to an internal API that automatically approved sites. He later wrote a script that accepted site usernames and passwords, batch‑submitted them via the same API, and repeatedly invoked the endpoint to mark hundreds of sites as approved.
Scale and Impact
From September 2017 to March 2018, Chen altered the audit status of more than 735 media sites, including many with gambling or lottery content that would normally be rejected. These illicit approvals generated approximately 2.35 million RMB in personal earnings and caused Baidu to lose about 3.74 million RMB in ad‑revenue sharing.
Detection and Investigation
In February 2018, Baidu’s risk‑control platform flagged inconsistencies: some media appeared approved in the UNION system but not in the risk‑control system. Internal audits revealed that Chen had performed out‑of‑scope operations, using his access to bypass the two‑step review process (machine filter followed by manual review).
On March 2, 2018, Baidu’s ethics committee reported the anomaly, and a third‑party firm (Beijing Shenzhou Green Alliance) confirmed that the user “chenborui” had used the server as a jump‑box to batch‑approve media domains.
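The inconsistency that exposed the activity (sites approved in the UNION system with no matching risk‑control result) is something a scheduled reconciliation job can look for. The sketch below is an added example, not code from Baidu or from the original article; the record layouts, field names, account names and sample rows are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data; every field name and value here is hypothetical.
UNION_SITES = [
    {"site_id": 101, "domain": "news.example", "status": "approved", "changed_by": "reviewer_a"},
    {"site_id": 102, "domain": "lotto.example", "status": "approved", "changed_by": "dev_x"},
    {"site_id": 103, "domain": "bets.example", "status": "approved", "changed_by": "dev_x"},
    {"site_id": 104, "domain": "blog.example", "status": "pending", "changed_by": None},
    {"site_id": 105, "domain": "shop.example", "status": "approved", "changed_by": "dev_x"},
]
RISK_RECORDS = {  # keyed by site_id; one entry per site the review pipeline has seen
    101: {"machine_filter": "pass", "manual_review": "pass"},
    103: {"machine_filter": "reject", "manual_review": None},
    105: {"machine_filter": "pass", "manual_review": None},
}
AUTHORIZED_REVIEWERS = {"reviewer_a", "reviewer_b"}


def reconcile(union_sites, risk_records, authorized):
    """Return one finding per approved site that the review pipeline does not back."""
    findings = []
    for site in union_sites:
        if site["status"] != "approved":
            continue
        reasons = []
        record = risk_records.get(site["site_id"])
        if record is None:
            reasons.append("no risk-control record")
        else:
            if record["machine_filter"] != "pass":
                reasons.append("machine filter did not pass")
            if record["manual_review"] != "pass":
                reasons.append("manual review did not pass")
        if site["changed_by"] not in authorized:
            reasons.append("status changed by non-reviewer")
        if reasons:
            findings.append({"site_id": site["site_id"], "domain": site["domain"],
                             "actor": site["changed_by"], "reasons": reasons})
    return findings


def actors_by_volume(findings):
    """Rank accounts by number of unbacked approvals, to surface batch activity."""
    return Counter(f["actor"] for f in findings).most_common()


if __name__ == "__main__":
    found = reconcile(UNION_SITES, RISK_RECORDS, AUTHORIZED_REVIEWERS)
    print(*found, actors_by_volume(found), sep="\n")
```

Grouping the findings by account is what turns isolated mismatches into a lead: a single non-reviewer account behind many unbacked approvals is the pattern the article describes.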
Legal Outcome
Police were notified on March 11, 2018, and Chen was summoned on April 20, 2018. The Haidian District People’s Court convicted him of “destroying computer information systems,” sentencing him to one year and nine months in prison, with a reduced penalty due to his voluntary surrender, restitution of illicit gains, and compensation to the employer.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.
