-
A dark web user named “SHGA” claims to sell 1.2 billion records from the Shanghai National Police Database.
-
Experts suspect the data may come from a massive 2022 leak rather than a fresh breach.
-
No independent verification exists, and researchers urge caution about the seller’s claims.
A threat actor who goes by “SHGA” says they have over a billion Chinese citizen records. The data allegedly comes from the Shanghai National Police Database.
They posted the listing on a dark web forum this month. The dataset reportedly includes full names and Chinese Resident Identity Card numbers. It comes in Excel, CSV, and JSON formats. A compressed archive holds everything in about 10.9 GB.
SHGA directs buyers to a Telegram contact. They also promote a channel called EliteLeadHub. That channel sells business and consumer database leads. So far, no researcher has proven the data is real.
And no evidence currently shows that the alleged data is complete or freshly stolen. Also, no Chinese authority has publicly acknowledged any breach connected to the listing.
Claim Revives Memories of Old Shanghai Police Leak
This new claim sounds very similar to an older one. In 2022, a threat actor named “ChinaDan” offered a huge dataset. They also said it came from the Shanghai National Police Database and that it contains personal information of almost one billion Chinese citizens.
The size? 23 terabytes database holding people’s names, addresses, phone numbers, ID numbers, as well as police records. And it was being offered for 10 Bitcoin. Security researchers looked at samples. Many records appeared authentic, making the leak one of the biggest cybersecurity incidents that year.
The new listing shares key details with the old case. Both mention the Shanghai police database. And both involve massive amounts of citizen information. Both focus heavily on identity data. These overlaps make experts wonder if SHGA is just repackaging old material.
Old Data or a New Breach?
Cyber crooks often retain stolen data and keep reselling it for years. A breach from five years ago can surface again. The size difference here raises questions; the leak from 2022 was 23 terabytes, whereas the new listing claims only 10.9 GB compressed.
That gap suggests a few things. SHGA may be selling just a subset of the original records. The data might have been cleaned up to remove extras. Or it might just be a sample they’re using to attract buyers. Either that, or the seller’s claims are a bluff or exaggerated, which is very common in dark web marketplaces. Sellers compete for attention and trust.
Without independent access to the files, no one knows for sure. The true origin remains a mystery for now.
Why Chinese ID Numbers Matter So Much
The listing specifically mentions Resident Identity Card numbers. These 18-digit numbers are critical in China. They include a person’s birth date and registration place. Citizens use them everywhere.
People need the ID number to access government programs. They use it to open bank accounts. They need it to register phone numbers. Employers ask for it to verify workers. Travel tickets require it. Many routine transactions depend on this number.
If a database bearing the real names and ID numbers gets exposed, criminals could use it to do horrible things, such as fraud, targeted phishing, social engineering attacks, etc.
Criminals could steal someone else’s identity. Criminals could perpetrate different types of fraud. Having such personal information circulating somewhere in the dark web carries very serious security risks.
The same concerns apply to unverified claims of French healthcare data leaks, where sensitive medical information could be weaponized by cybercriminals.
Questions About Data Size
According to the actor, they hold 1.2 million records in total. That’s horrific when we compare the population of China which is approximately 1 billion.
But lots of databases have duplicated records forming part of their data, and some of the records may be historical in nature. More than one record can refer to the same person. Therefore, not all of the records are for unique individuals.
The total number of records has not been verified by any public source. The claims of the seller are still under evaluation.
No technical analysis of the documents corroborates that the records came from a police database. But the mere thought that a dataset supposedly with direct ties to the Shanghai Police system is out there is a cause for concern.