Tianfu Cup Hacking Contest Revival Under Secrecy
China’s Tianfu Cup Hacking Contest Returns with Increased Secrecy and Government Oversight
After a two-year hiatus, the Tianfu Cup hacking contest has resumed in 2026, but with a significant shift towards increased secrecy and government control. The competition, which was launched as an alternative to the Zero Day Initiative’s Pwn2Own, has been taken over by China’s Ministry of Public Security (MPS).
According to threat intelligence firm Natto Thoughts, the MPS announced the Tianfu Cup on January 16, and the competition’s official website was subsequently made inaccessible to visitors outside of China. Natto Thoughts managed to obtain the list of targets before the site was taken down, which included a range of devices and software, such as smartphones, operating systems, browsers, cloud and virtualization products, and cybersecurity solutions.
Targets and Rules
The targets included the iPhone 17, Xiaomi 14 Ultra, Honor Magic 7 Pro, and Samsung Galaxy S24 Ultra, among others. Hackers were challenged to demonstrate exploits against these devices, with the goal of achieving remote code execution, sandbox escape, kernel privilege escalation, and local kernel privilege escalation.
The competition also included an AI category, with targets such as Hugging Face, Ollama, and OpenLLM, and a new track focused on reproducing exploits for known vulnerabilities. However, the rules and targets have undergone significant changes this year, according to an industry insider.
Concerns and Implications
The total prize pool for the competition has been significantly reduced to CN¥ 1 million (approximately $140,000), compared to the $1.9 million awarded in 2021. The exploits demonstrated at the competition will likely be retained by the Chinese government, which has implemented regulations requiring citizens to report zero-day vulnerabilities to the government and not disclose them to any third party outside the country.
The Tianfu Cup has been criticized in the past for its lack of transparency and its potential to aid Chinese state-sponsored hacking operations. The competition’s shift towards increased secrecy and government control has only heightened these concerns, and the implications for global cybersecurity remain to be seen.
About Author
English