Connect with us

Hi, what are you looking for?



$2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest 

The Chinese hacking contest Matrix Cup is offering big rewards for exploits targeting OSs, smartphones, enterprise software, browsers, and security products.

Matrix Cup Chinese hacking contest

A prize pool of $2.5 million is being offered at an upcoming Chinese hacking contest for exploits targeting a wide range of technology products, particularly ones made in the West. 

The competition, named Matrix Cup, is being described as “the Eastern hemisphere’s top cybersecurity competition”. Set to take place on June 26-28, Matrix Cup is sponsored by Chinese cybersecurity firm Qihoo 360 and Beijing Huayun’an Information Technology.  

Organizers are offering a total of 20 million yuan ($2.75 million) to participants, including 18 million yuan ($2.5 million) for zero-day exploits. 

The list of targets includes the Windows, Linux and macOS operating systems; Samsung Galaxy, Google Pixel, iPhone and several China-made smartphone brands; enterprise products from Microsoft, Zimbra, F5 and Citrix; networking devices from Cisco, Juniper Networks, Sonicwall and Linksys; NAS devices from WD, Synology and QNAP; and cybersecurity products from Fortinet, Checkpoint, Cisco, Ivanti (Pulse Secure), and Kaspersky.

Targets also include databases such as MariaDB, SQL Server, MySQL, and Oracle Database; enterprise tools such as Adobe Reader, Microsoft Teams, Zoom and Microsoft Office; the Chrome, Firefox, Edge and Safari web browsers; VMware, QEMU, Docker, Microsoft and Oracle virtualization technologies; an HP multi-functional printer; and the Hadoop data storage and processing framework.

Organizers say the goal is to address the cybersecurity challenges posed by new technologies, lower the level of risk, and improve the security of products. No information appears to be provided on the Chinese-language website set up for Matrix Cup on whether the demonstrated vulnerabilities will be reported to the affected vendors. 

Chinese hacking competitions often compare themselves to the North America-based Pwn2Own, which every year pays out significant amounts of money for software, IoT, ICS and automotive exploits. At the latest Pwn2Own, participants earned a total of $1.1 million for their work.

One of the most well known Chinese hacking contests is the Tianfu Cup. At the 2021 event, participants earned a total of $1.9 million for iOS, Chrome, Windows, VMware and other types of exploits. Tianfu Cup took a break in 2022, and the 2023 event shifted focus to domestic products from companies such as Huawei, Xiaomi, Tencent and Qihoo 360. Little information is available on the results of the 2023 event.

Advertisement. Scroll to continue reading.

Unlike in the case of Pwn2Own, which clearly states that findings are immediately reported to impacted vendors, details are murky regarding the disclosure of Tianfu Cup exploits to vendors. Several vulnerabilities presented at Tianfu Cup are known to have been patched by vendors, albeit months after their discovery in some cases. 

Chinese law dictates that zero-day vulnerabilities found by citizens must be promptly disclosed to the government. The details of a security hole cannot be sold or provided to any third-party, apart from the product’s manufacturer. The cybersecurity industry has raised concerns that the law will help the Chinese government stockpile zero-days. 

Indeed, one year after the law came into effect, Microsoft said it had contributed to a zero-day exploit surge. Threat actors believed to be sponsored by the Chinese government regularly leverage zero-day vulnerabilities in their attacks, including against the US government and affiliated entities. 

Related: US-China Competition to Field Military Drone Swarms Could Fuel Global Arms Race

Related: ArcaneDoor Espionage Campaign Targeting Cisco Firewalls Linked to China

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

OT zero trust access and control company Dispel has appointed Dean Macris as its CISO.

Cloud identity and security solutions firm Saviynt has hired former Gartner Analyst Henrique Teixeira as Senior Vice President of Strategy.

PR and marketing firm FleishmanHillard named Scott Radcliffe as the agency's global director of cybersecurity.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.