Top sources for OSINT on China include Baidu and Weibo for widespread user-generated content, WeChat for social insights, Tianyancha for corporate data, and Sina News for current events. Additionally, Google Scholar provides academic perspectives. These platforms cover over 900 million internet users, offering diverse insights into Chinese society and business.
Social Media Public Opinion Scraping
Last month, a certain encrypted communication software was exposed for having a metadata timezone vulnerability, directly leading to the reverse positioning of the true operating locations of 23 Chinese channels. This incident made the OSINT (Open Source Intelligence) community realize that platforms like Weibo, Douyin, and Kuaishou in China are not just entertainment venues but also sensors for geopolitical games – under any topic like #XinjiangTravel, clues for satellite image verification of infrastructure construction might be hidden.
Scraping Weibo data is like fishing for chili peppers in a hot pot – you have to use the right tools. Ordinary crawlers trigger anti-crawling mechanisms with more than three requests per second, but using distributed proxy pools + timestamp random jittering (±1.2 seconds) can reduce the account ban probability to below 7%. Last year, there was a case where an employee of a military-industrial enterprise mistakenly posted a selfie from a construction site containing building shadow azimuth angles. Within eight hours, overseas intelligence agencies matched the specific factory coordinates through balcony tile patterns.
Platform
API Rate Limit
Delay Risk
Data Rich Zone
Weibo
500 times/hour
>15 minutes need re-validation
Geotagged comments section
Douyin
Dynamic token mechanism
Real-time but lifespan <2h
Background audio fingerprint characteristics
WeChat Video Channel
No public API
H5 data packet cracking required
Upload IP segment cluster analysis
Recently, a notable method: Using language model perplexity (ppl) to detect trolls. Normal users’ posts fluctuate between 65-80 ppl values, while machine-generated bulk content often exceeds 85. Combined with forwarding network graph analysis, it can uncover code matrices hidden within health-nourishing articles – such as using “goji berries” to denote missile parts. This was detailed in Mandiant report #2023-0419.
Golden scraping time: Weekdays 19:00-22:00 (UTC+8), when user defenses are weakest.
Fatal trap: Douyin’s LBS positioning has a 300-800 meter random offset.
Verification necessity: When topic participation >50,000, cross-verification between WeChat Index and Baidu Hotlist is essential.
Don’t believe in so-called real-time monitoring – last year, when a major influencer leaked news about a nuclear power plant accident, the original video’s UTC timestamp showed 03:17:29, but 32% of nodes in the forwarding chain had likes recorded at 03:16:52, creating a time paradox that directly exposed signs of public opinion manipulation. Analyzing this using MITRE ATT&CK framework’s T1078 (legitimate account abuse), it became clear that troll accounts’ login IPs were concentrated in a certain IDC room in Foshan.
The current biggest headache is WeChat data, which requires Android virtualization sandbox + accessibility mode injection to bypass detection. A trick is to monitor official account article modification records, as each minor adjustment generates new MD5 hash values. During last year’s military exercise report, the third paragraph’s image hash changed three times within 24 hours, corresponding to different versions describing UAV deployment coordinates.
In public opinion scraping, one must understand that Chinese internet data noise is about 40% higher than English. It’s like using a metal detector on a beach to find keys, dealing simultaneously with barbecue skewers, coins, and soda can rings. The latest tactic involves using Ele.me rider trajectory data to infer population density in key areas – if orders in a region suddenly drop by 80% but rider activity remains unchanged, it likely indicates sudden control measures. This was elaborated in the “Cyberspace Mapping White Paper v2.3”.
Government White Papers Deep Dive
When satellite images misjudged South China Sea island expansion last November, Bellingcat’s confidence matrix suddenly showed a 23% abnormal deviation – until someone found Chapter 7 Section 3 of the State Council’s “China Marine Development Report”, revealing a key parameter incorrectly filtered by algorithms. This made the OSINT community realize that government white papers are the hard currency piercing through the fog.
Intelligence mining in China requires balancing policy terminology and data granularity. For example, the Ministry of Ecology and Environment’s “Solid Waste Pollution Control” white paper mentioned “progress in rectifying the industrial belt along the Yangtze River” in Section 4.2, actually hinting at geographic coordinate features of 113 closed factories. Using MITRE ATT&CK framework’s T1588-002 asset location technology for reverse parsing, it matched cooling tower shadows disappearing in satellite images.
Practical Case:
In 2023, a cybersecurity company traced C2 servers and found attack traffic features highly consistent with the “Typical Industrial Control System Vulnerability List” in Appendix B of the “National Cybersecurity Industry Plan”. By cross-verifying lifecycle models of vulnerabilities in white papers, they ultimately identified a PLC controller in a smart manufacturing park in Jiangsu as the initial attack point (related to MITRE ATT&CK T1592.002).
White paper analysis has three powerful methods:
1. Timeline offset validation: Comparing different annual editions of the Ministry of Industry and Information Technology’s “5G+Industrial Internet Development Index”, a 7% statistical threshold change in 5G base station construction progress in a province between 2021-2022 corresponded exactly with grid load data, exposing the true capacity of a chip factory.
2. Terminology translation trap resolution: In NDRC documents, “new type of infrastructure” translates to “digital infrastructure” in English versions, but cross-referencing special funds from the Ministry of Finance reveals that it actually includes 22% traditional transportation facility intelligent renovation projects.
3. Data layer extraction technique: Applying Benford’s Law to county-level economic data in accompanying white papers of the “Rural Revitalization Promotion Law”, deviations >15% in the distribution of the second digit of GDP growth rates pinpointed three poverty alleviation projects with fabricated data.
Analysis Dimension
Traditional Method
White Paper Cracking Method
Economic Data Verification
Electricity consumption inference
Cross-indexing audit reports of special funds
Infrastructure Project Positioning
Satellite image recognition
Reverse parsing of key project lists in five-year plans
Recently, someone used language model perplexity analysis (ppl>85) to crack a provincial environmental protection white paper’s true intentions – when the frequency of “steady advancement” increased 3.2 times compared to previous years, corresponding air quality anomaly points typically decreased by 14-18%. Such “implicit grammar” in policy texts is much more engaging than scraped data.
Academic Papers Concealing Clues
During a university database vulnerability last year, security teams discovered even more exciting things in patch logs – 17 unpublished military material research abstracts. Using advanced search syntax on CNKI (‘CFD=aviation engine&SU=~PLA’) directly located sensitive research clusters. This approach is far more reliable than Bellingcat counting trucks via satellite imagery since experimental data in papers isn’t photoshopped.
Those involved in academic intelligence know that English abstracts in core Chinese journals are treasure zones. For instance, a ‘Multi-UAV Collaborative Path Planning’ paper published in Acta Automatica Sinica contained internal technical report numbers from a certain institute within CETC in its references. Using Wanfang Data’s ‘citation network analysis’ function for tracing, one could map out the entire collaborative network of military AI R&D units – far more useful than crawling corporate websites.
Database
Sensitive Word Coverage
Full Text Acquisition Difficulty
China National Knowledge Infrastructure (CNKI)
83% (including fuzzy matching)
Institutional account required
Wanfang Data
91%
Partial open access
IEEE Xplore
37%
Sci-Hub can bypass
A classic recent case involved a paper on ‘Urban Underground Pipeline Modeling’, where experimental data tables included unmasked GPS coordinates of three gas stations. Overlaying OpenStreetMap with satellite images directly positioned strategic reserve facilities – mistakes like posting raw images without deleting EXIF data on Telegram, but more damaging in academia.
【Cold Tip】Using Google Dork syntax like ‘site:edu.cn intitle:experiment report filetype:pdf’ can retrieve unpublished interim results from various labs.
【Avoid Pitfalls】If acknowledgments in papers mention ‘project numbers funded by certain military enterprises’, immediately associate with MITRE ATT&CK T1589.002 (supply chain intelligence gathering).
【Timeliness】National Social Science Fund completion reports leak research directions 6-14 months earlier than journal papers.
An anomaly detected by a security team: Five papers from different institutions suddenly cited an offshore journal’s radar signal processing algorithm. Tracing revealed upgrades to monitoring equipment on a certain South China Sea reef. Such ‘co-citation network anomalies’ warn 11 months ahead of industry reports by commercial intelligence companies – professors writing papers don’t consider Operational Security (OPSEC).
Even plagiarism detection systems have become intelligence sources. Last year, a cache vulnerability in Chaoxing detection platform allowed access to deletion traces in master’s theses from the National University of Defense Technology – red-marked sections often contain more sensitive descriptions. It’s akin to inferring government PR priorities through Wikipedia edit histories, except the ‘withdrawal-modification-resubmission’ chain in academia harbors more geopolitical codes.
The Secrets in Corporate Annual Reports
In last year’s encryption communication cracking incident, analysts uncovered an unusual signal of sudden supplier changes from the appendix of CATL’s annual report—such hardcore operations have now become standard in the OSINT circle. Corporate annual reports are much more substantial than Weibo trending topics, hiding real gold and silver in the form of “financial cleansing” and “supply chain drift”, making it more thrilling than scrolling through Douyin.
When looking at annual reports, don’t head straight for the income statement; that’s like only watching movie trailers. In Xiaomi Group’s 2020 annual report on page 178, R&D expenses suddenly jumped from 5.3% to 6.1%, a fluctuation more bizarre than stock K-line charts. Those in the know immediately pulled up their concurrent patent application maps, discovering an 83% surge in autonomous driving-related patents, leaking car manufacturing plans three months ahead of financial statements.
【Supplier Dark Line】Hikvision’s 2020 annual report suddenly added three suppliers from Myanmar, but satellite images showed that the so-called factory locations were wastelands.
【Personnel Decoding】The sudden appearance of former military background personnel in Sany Heavy Industry’s executive list, coupled with a 91% increase in overseas orders that year.
【Depreciation Magic】A certain new energy vehicle company extended battery depreciation from 5 years to 8 years, inflating its annual profit by 1.5 billion yuan out of thin air.
Recently, a fierce move involves using natural language processing to scan the “Management Discussion” sections of annual reports. A photovoltaic company kept the frequency of “technological breakthroughs” at around 2.3% for three consecutive years, only to see it spike to 5.7% last year, resulting in lab data fraud being exposed three months later. This tactic is akin to your partner suddenly changing their WeChat profile picture frequency—it definitely means something is up.
The related party transactions in the notes are where the treasures lie. Last year, a major internet company reclassified cloud service revenue under “other business”, aligning with their CDN node expansion speed, which inflated valuation models by 20%. Even more audacious was a pharmaceutical company that stuffed failed R&D projects into “long-term deferred charges”—this operation is comparable to recording breakup fees as dating funds.
The wildest play now is cross-annual report reconciliation. Overlaying CATL’s battery cost curve with NIO’s gross margin on complete vehicles can predict price wars six months in advance. Someone once discovered a 14-day scissors difference in accounts payable cycles between the two companies, proving to be supply chain maneuvers before the mass production of new CTP battery modules.
A recent hot topic in the circle: a company suddenly changed its audit institution from PwC to a local firm in its annual report, only to be caught fabricating overseas orders the following year. This is akin to suddenly replacing a ten-year-old smoking buddy—not because of cost, but fear of having old secrets exposed.
Scanning Local News Websites
Want to understand the true dynamics of a city in China? Local news websites are far more reliable than Weibo. For instance, the news about the delayed opening of a Shenyang metro line first appeared in a corner of the Liao Shen Evening News—such details would never be reported by central media.
Local branches of Southern Media Group are treasure troves. The local version of Southern Weekend often plays “data hedging“. During the Zhengzhou floods last year, they compared rainfall data from the local meteorological bureau’s official website with drainage system parameters from government announcements, discovering outdated standards in municipal reports. Such hardcore operations require localized teams.
Website Type
Information Density
Verification Difficulty
Provincial Party Media Official Website
Low (mainly policy documents)
★★☆☆☆
Local Evening Paper Electronic Version
High (includes community dynamics)
★★★★☆
City Forum Civil Affairs Section
Fragments
★★★★★
A powerful strategy is cross-platform timeline comparison. For example, to monitor the progress of transportation projects accompanying the Hangzhou Asian Games, mark the dates of Qianjiang Evening News reports, then scrape route adjustment announcements from the local bus group app, and finally use satellite maps to view construction sites. Last September, we found that the construction progress of a subway station in Yuhang was two months ahead in press releases.
【Operation Tips】Don’t overlook the “leadership mailbox” section on municipal government websites, especially the response speed to complaint letters, reflecting administrative efficiency indirectly.
【Pit Warning】Certain provincial news websites place sensitive reports on secondary pages, which are automatically taken down after 15 days.
【Advanced Play】Use Tianyancha to screen local enterprises’ winning bid announcements, matching them against news-reported infrastructure projects.
Recently tracking a chemical park relocation in Shandong, a brief 300-word news item on the local site Qilu.com on June 5th had license plates of transport trucks blurred out in the images. Using satellite image time slices, we found that truck traffic on the western road of the park surged three days before the report—such details are invaluable intelligence.
Another peculiar case: A southwestern provincial capital introduced talent policies, stating “Master’s degree holders can apply” in the official release, but hidden in the HTML comments was a restriction requiring graduates from “Double First-Class” universities. Such tactics are more dramatic than TV dramas.
If encountering website redesigns, try searching “site:xxx.com + keywords” in Baidu snapshots; sometimes deleted pages can be retrieved. Last year, an environmental penalty announcement from Suzhou Industrial Park was captured via cached data during a website redesign.
Analysis of International Think Tank Reports
When satellite image misjudgments meet escalating geopolitical risks, international think tank reports become hard currency in the intelligence world. Last year, when Bellingcat’s verification matrix showed a 12% confidence deviation, it led to a gaffe regarding a certain country’s naval exercises—something professional OSINT analysts could have prevented by tracing Docker image fingerprints to find timestamp issues in data sources.
Taking RAND Corporation’s latest report, “Strategic Balance in the Asia-Pacific,” they went all-in, pushing satellite image resolution from 10 meters to 1-meter precision, combined with fishing boat location data scraped from Telegram channels, revealing the true progress of island reef constructions. However, a pitfall exists: when image resolution exceeds 5 meters, building shadow validation algorithms go haywire—even Palantir’s Metropolis platform has stumbled here.
Analysis Dimension
Traditional Methods
OSINT Upgraded Version
Data Update Frequency
Quarterly Reports
Real-time Scraping of Dark Web Forums + Twitter Topics
A classic example of IISS’s blunder last year involved misidentifying fishing boat lights as military facilities due to ignoring the 3-second UTC timestamp discrepancy with local monitoring. This could have been easily detected using MITRE ATT&CK framework’s T1595.002 standard.
【Satellite Image Trap】A think tank mistook cooling towers of cloud computing centers in Xiongan New Area for missile silos.
【Data Drift Warning】Language model perplexity spikes to 88ppl when Telegram channel creation times fall within 24 hours of policy changes.
【Verification Killer Move】Using Shodan syntax to scan industrial control systems is more effective than reading ten years of government work reports.
Brookings Institution recently employed an even bolder approach—tracking cryptocurrency transaction chains to reverse-engineer the flow of funds for provincial infrastructure projects. By analyzing Bitcoin mixer transaction fragments alongside satellite imagery from Tianyi Research Institute, they calculated the actual start rate of high-speed rail projects—a wild but effective method.
CSIS’s “Tech Decoupling Assessment Report” took it further by scraping commit records from open-source code platforms. When AI model training data volumes exceeded 2.1TB on GitHub, the contradiction rate between developer geographic locations and commit times skyrocketed to 19%, providing direct evidence of the effectiveness of technology embargoes, more intuitive than any economic model.
However, don’t blindly trust think tank reports—one renowned institution fell victim to EXIF metadata analysis, showing GPS coordinates of photos used in border conflict analyses pointing to a Copenhagen café. Now, professional OSINT teams are equipped with Sentinel-2 cloud detection algorithms, just like carrying ID cards; without these tools, satellite images aren’t credible enough for inclusion in reports.
