Inside Look at a Chinese Operational Relay Network

Presented at DEF CON 33 (2025), Aug. 8, 2025, 11 a.m. (45 minutes).

Operational relay box (ORB) networks are used by hackers to obscure their true origin, effectively turning a network of computers into their own private TOR network. This talk is an inside look at a relay network we believe to be based in the People’s Republic of China based entirely on public data we stumbled upon. It will contain an unprecedented level of detail into the specific tools, networks, and development techniques used to create and operate an ORB network. If you’re a cloud provider trying to stop this type of abuse, a defender trying to understand how to detect when a relay is being used, or a wanna-be attacker, this is the talk for you. We name the cloud providers, data storage systems, software tools, domain names, email addresses, and passwords that they use to create, maintain, and operate their network. References: [link](https://github.com/DockerExploitationFramework/DockerExploitationFramework) [link](https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks) [link](https://www.team-cymru.com/post/an-introduction-to-operational-relay-box-orb-networks-unpatched-forgotten-and-obscured)

Presenters:

• Michael "mtu" Torres
  mtu, otherwise known as Michael Torres, is a security engineer focused on detecting bad things at scale. Michael is also a Staff Sergeant in the United States Marine Corps Reserve, where he has been responsible for planning and conducting both offensive and defensive cyber operations. He likes to learn new stuff, then share it to benefit others, and is an active volunteer for VetSec (veteransec.org), a charity focused on helping military veterans have successful careers in cybersecurity.
• Zane "earl" Hoffman
  Earf, also known as Zane, is a DevOps Engineer that does vulnerability research in his free time. Zane recently left active duty as a U.S. Marine, where he did vulnerability research and tool development full time. He is also a certified airplane seamstress, qualified to operate industrial sewing machines to maintain aircraft equipment. He likes to hike, climb rocks, and tear apart devices with his hot air gun, soldering machine, and funny looking glasses.

Similar Presentations:

• DEF CON 32 (2024) / Measuring the Tor Network
• DEF CON 32 (2024) / Laundering Money
• DEF CON 33 (2025) / Edge of Tomorrow: Foiling Large Supply Chain Attacks By Taking 5k Abandoned S3 Buckets from Malware and Benign Software