China's First Nationwide Case of Illegal WeChat Data Harvesting via "Clean Fan" Software

In September of the previous year, the Nantong Public Security Bureau in Tongzhou District cracked the country's first nationwide case of illegally obtaining WeChat user information through a "clean fan" software, resulting in the arrest of eight suspects and a collective sentencing on March 3.

The defendants, including Zhang and seven others, were convicted of crimes related to illegal acquisition of computer information system data and illegal control of computer information systems.

Many WeChat users employ "clean fan" services to remove unwanted contacts, but some later discover strangers joining groups via QR codes they shared or being added to advertising groups. In June 2020, the Nantong cyber‑security team identified serious security risks in these "clean fan" applications.

The software operates by controlling a WeChat account through a cluster control system, automatically sending messages to all friends and groups, then identifying and deleting "zombie" contacts. After gaining control of the accounts, the suspects extracted group QR codes, stored them as images on a server, and sold them to fraud and gambling rings.

On July 3, 2020, a special task force comprising cyber‑security, legal, and local police units was formed. The investigation revealed that since February 2020, numerous regions experienced strangers scanning QR codes to join groups for gambling, marketing, and fraud, with over 1,500 related cases across more than 20 provinces. Tencent cooperated with authorities, and the task force identified a software named "WeiQing" as a major suspect.

The gang promoted a product called "Rapid Clean Fan" as an officially certified tool that could scan and clean contacts within a minute. In reality, the software allowed attackers to log into victims' WeChat accounts, obtain full permissions, and harvest personal data.

Although the suspects used unregistered identities, investigators traced them through a decommissioned server, uncovering real identities such as Liu and He. On July 22, 2020, coordinated raids in Guangdong, Hubei, and other provinces led to the capture of all five remaining suspects.

The gang's division of labor was clear: Zhang, Liu, and He handled system development and maintenance; Li managed QR‑code sales; Tan drove traffic to WeChat public accounts. They rented servers, built their own system, and used it to mass‑collect group QR codes, automatically follow, read, and like content.

In just three months, the group illegally harvested over 20 million WeChat group QR codes, selling them to fraud and gambling groups in Fujian and elsewhere, and also provided services for mass‑following public accounts and inflating read and like counts, earning more than 2 million yuan.

The operation was highly professional, platform‑based, and concealed, forming a complete black‑gray industry chain from illegal data collection to downstream advertising, marketing, and other cybercrimes. This unprecedented case provided valuable experience for law‑enforcement, with cooperation from Tencent and the Nanjing Forest Police Academy leading to its successful resolution.

Reminder: Using such "clean fan" tools effectively hands over full control of your account to malicious actors. Users are advised to avoid unofficial plugins or software that violate official agreements to mitigate security risks. Cybersecurity is for the people, and it relies on the people.