How Illegal Web Crawlers Stole Over 1 Billion Chinese Users’ Data and Got Sent to Prison
A recent Chinese court case reveals that a university graduate used a custom web‑crawler to harvest more than 1.18 billion Taobao user records, which were then sold to a partner who ran fraudulent WeChat groups, leading to both perpetrators’ conviction for violating personal information protection laws.
Case Overview
In November 2019 a university graduate (referred to as 逯某) developed a custom web‑crawler named 淘评评 to scrape data from Taobao’s public interfaces. Over an eight‑month period the crawler harvested more than 1.180 billion records, including digital IDs, nicknames and phone numbers.
The harvested phone numbers were transferred to a middle‑school graduate (黎某), who imported them into a self‑built 微信加人 tool. This tool added the numbers as WeChat contacts, organized them into 1,100 groups (90‑200 members each), and used bots to push Taobao coupons, generating over 340,000 CNY in profit.
Technical Methodology
Crawler Implementation
Software name: 淘评评
Targeted Taobao APIs: product‑detail API and share API, which expose customer digital IDs, nicknames and, via the share API, phone numbers.
Operation period: November 2019 – July 2020.
Data volume: approximately 50 million records scraped directly by 逯某; additional 11 billion records downloaded from other sources.
Peak extraction rate (July 6‑13 2020): ~5 million records per day, covering buyer nicknames, review content and other sensitive fields.
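From the platform's side, the pattern described above shows up as one client requesting many distinct customer IDs from the ID-exposing endpoints in a short time. The following detection sketch is an added example, not code from the original article or from Taobao; the log layout, endpoint paths, client names, window and threshold are all assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed endpoint paths standing in for the ID-exposing detail and share APIs.
SENSITIVE = {"/detail", "/share"}

def parse(line):
    # Assumed log layout: "<ISO timestamp> <client> <endpoint> <customer id>"
    ts, client, endpoint, subject = line.split()
    return datetime.fromisoformat(ts), client, endpoint, subject

def find_enumerators(lines, window=timedelta(minutes=1), max_distinct=5):
    """Map each client exceeding max_distinct customer IDs per window to its peak."""
    recent = defaultdict(deque)    # client -> (ts, id) pairs still inside the window
    counts = defaultdict(Counter)  # client -> id -> hits inside the window
    peaks = {}
    for ts, client, endpoint, subject in sorted(map(parse, lines)):
        if endpoint not in SENSITIVE:
            continue
        q, c = recent[client], counts[client]
        q.append((ts, subject))
        c[subject] += 1
        # Expire requests that fell out of the sliding window.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        # Repeat views of one ID do not count; only the spread of IDs does.
        if len(c) > max_distinct:
            peaks[client] = max(peaks.get(client, 0), len(c))
    return peaks

def build_sample():
    """Constructed log lines: one bulk enumerator, one slow client, one repeat viewer."""
    base = datetime(2020, 7, 6, 10, 0, 0)
    lines = []
    for i in range(8):
        fast = (base + timedelta(seconds=5 * i)).isoformat()
        slow = (base + timedelta(seconds=30 * i)).isoformat()
        view = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{fast} app-17 /share uid{i}")
        lines.append(f"{slow} slow-9 /share uid{i}")
        lines.append(f"{view} shopper-3 /detail uid42")
    return lines

if __name__ == "__main__":
    print(find_enumerators(build_sample()))
```

Counting distinct IDs rather than raw requests keeps a customer who reloads one page from being flagged, while a client spreading requests thinly over time only surfaces once the threshold is lowered or the window widened.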
Data Transfer and Exploitation
Phone numbers were exported from the crawler’s output and sent to 黎某 via WeChat file transfer.
黎某’s 微信加人 tool automated adding these numbers as WeChat friends, grouping them, and broadcasting promotional messages.
Revenue was split between the two participants.
Legal Findings
The Suiyang District People’s Court convicted both defendants of illegal acquisition of personal information under China’s Cybersecurity Law (§41). Sentences:
逯某: 3 years 3 months imprisonment, 100,000 RMB fine.
黎某: 3 years 6 months imprisonment, 350,000 RMB fine.
Regulatory Context
Chinese law requires explicit consent from data subjects before personal information can be collected. Violations can lead to charges of illegal acquisition of personal information, illegal intrusion into computer systems, and related offenses.
Related Incidents
Alibaba’s Taobao Alliance identified 43 unauthorized apps that scraped shopping‑cart and favorites data.
Similar large‑scale data leaks have occurred at JD.com (2013) and Facebook (2022), involving hundreds of millions of records.
Third‑party data firms such as 魔蝎科技 were prosecuted for embedding front‑end plugins in loan‑app platforms, collecting users’ telecom, social security and e‑commerce credentials, storing them in plaintext, and selling the data for 0.1‑0.3 CNY per record. The company was fined 30 million RMB and its executives received three‑year suspended sentences.
Key Takeaway
While web‑crawling itself is a legitimate technique, collecting personal data without consent violates Chinese cybersecurity regulations and carries severe criminal penalties.
ITPUB
