凤凰科技 2026-04-06

Creepy on closer inspection: 'Longxia' was PUA'd by hackers into an insider, exposing users' IP addresses

What happened

It has been reported that social-engineering attackers used "PUA" techniques to turn an employee at Longxia (龙虾) into an unwitting insider, gaining access to internal systems and exposing users' real IP addresses. The initial report by ifeng describes the breach as less a traditional exploit and more a human-targeting operation: manipulators reportedly cultivated trust and coaxed credentials or privileged actions out of a staff member, then used those credentials to query logs or an internal API.

The technical outcome is straightforward and worrying. IP addresses tied to user accounts — data that many decentralized or privacy-focused apps treat as sensitive — were reportedly leaked or made accessible to the attackers. That can enable deanonymization, location inference and follow-on attacks such as targeted phishing or law-enforcement requests in jurisdictions where IP data is actionable.

Why it matters

Why should Western readers care? Because the incident exposes a universal weakness: human trust is often the easiest path to break systems. For users of Chinese apps and services, the stakes are higher given the geopolitical backdrop. Chinese platforms operate under a different regulatory and surveillance environment than many Western services, and amid rising global scrutiny of data flows and sanctions, leaked metadata can be weaponized in unexpected ways.

Longxia's case also highlights wider tensions in China's tech ecosystem — the promise of decentralized identity and privacy can be undone by centralized operational controls and weak insider protections. It has been reported that the platform is taking remedial steps, but the event underlines the need for stronger operational security, staff training against social engineering, and clearer regulatory expectations about breach disclosure and user notification. Who protects users when the weakest link is human? The answer will shape trust in China's next wave of social and Web3 services.
