Fangxiao, a Chinese phishing threat actor
02-11, 10:40–11:10 (UTC), Track 1- Dragon Suite

Fake survey sites, dating scams, shell companies, and Chinese threat actors - oh my! A walkthrough of Fangxiao, a phishing threat actor, covering their TTPs, IOCs, and how we attributed their activities.

Have you ever seen a fake survey site spready by WhatsApp? If so, you might have interacted with Fangxiao. Starting from a single phishing website, this talk will cover how we identified tens of thousands of phishing domains and de-anonymised domains behind Cloudflare. Pivoting across sites, we uncover a shady world of lead generation agencies, fake dating sites, and a frankly ridiculous number of domains. We will explain how we identified and tracked the group behind these sites and discuss their operational security failures.

Emily is a CTI analyst at Cyjax and a student. In her spare time she can be found tinkering with all kinds of electronics and 3D printers, or buried in a book. She tweets from @nyxilar.


I'm a security enthusiast with a background in web hacking and VDPs, and an interest in OSINT investigations and threat intelligence. My CV looks like a bad game of scrabble with the amount of letters I've picked up from working with various organisations and completing certs.

I've read thousands of bug reports and write synopses and other security topics in the forms of blogs ( and I write bash one liners and regexes so horrific that HP Lovecraft couldn't dream of on twitter (