Ginlix AI

Analysis of Large-Scale Black and Gray Industry Attacks on Kuaishou Live Streaming Platform and Research on Governance Improvements

January 1, 2026

Based on the searched information, I will conduct an in-depth analysis of this incident and discuss the improvement directions for platform governance.

I. Panoramic Review of the Incident

Around 22:00 on December 22, 2025, the Kuaishou live streaming platform was hit by an organized and premeditated large-scale black and gray industry attack. Attackers exploited underlying vulnerabilities in the streaming interface to bypass the real-name authentication and content moderation steps in a short time, instantly flooding the platform with a large number of non-compliant live rooms that spread obscene, pornographic, and bloody violent content [1][2].

From the timeline:

  • 22:00
    - Incident broke out; large-scale non-compliant content appeared in the recommendation feed, and the number of viewers in some live rooms soared to 50,000-100,000+ [3]
  • 23:30
    - Attack scale reached its peak; moderation mechanism was suspected to have failed, and non-compliant content spread for more than 1 hour [3]
  • 23:23:00
    - Kuaishou was forced to implement the “indiscriminate shutdown” circuit breaker measure and fully close the live streaming channel [1][4]
  • 01:00
    - Official response was released, acknowledging the black and gray industry attack and reporting to the police simultaneously [3]

This incident was designated as a P0-level top security incident by the industry, which is an extremely rare case of platform governance failure in the history of mobile Internet development [5].

II. In-Depth Analysis of Vulnerability Causes
1. Technical Defects

Security Red Line of Streaming Interface Breached: Attackers successfully exploited underlying vulnerabilities in the live streaming interface, which means the traditional boundary-based static defense thinking has completely failed [1]. The fact that black industry gangs could register accounts in batches and bypass real-name authentication indicates that Kuaishou’s risk control system has serious blind spots.

AI Moderation Suffered “Dimensionality Reduction Attack”: 360 Digital Security Analysis pointed out that this attack marks the entry of the black and gray industry into the industrialization stage. Attackers used adversarial perturbation technology to add noise that is difficult for human eyes to recognize to video frames, causing serious misjudgments by the AI moderation model [6]. At the same time, they determined the response threshold of Kuaishou’s real-time moderation model through continuous “feeding” tests and designed a strategy to maximize content dissemination accordingly.

Automated Attack Capability Upgraded: A large number of newly registered accounts started broadcasting collectively at the same time, playing pre-made illegal videos. The platform fell into the dilemma where “the blocking speed cannot keep up with the speed of non-compliant content generation” [6]. According to Akamai’s report, since 2025, attack traffic related to AI crawlers and AI-generated content has surged by 300% [5].

2. Organizational and Management Concerns

At the time of the incident, Kuaishou was undergoing drastic executive changes. In September 2025, Yu Haibo, the company’s senior vice president, stopped serving as the head of the security and compliance line and moved to the role of honorary advisor [7]. Changes in the core technical team are often accompanied by risks such as gaps in technical documentation, lax maintenance of underlying systems, and less frequent security drills.

In addition, in 2025, Kuaishou fully invested in the research and development and commercialization of large models (such as Keling AI), which may have dispersed the operation and maintenance resources for underlying security infrastructure to a certain extent [1].

3. Governance and Compliance Gap

Kuaishou claimed in its ESG report to adopt a “combination of machine moderation and manual moderation” model and promote the iterative upgrade of the malicious information database [4]. However, judging from the incident, there are obvious “gaps” in the platform’s governance side. Lang Hua, a partner of SynTao Consulting, pointed out that to judge whether a company’s disclosure is truly “useful and verifiable”, it is necessary to see whether there are large differences and anomalies in relevant issues and data disclosure [4].

III. Improvement Directions for Platform Governance
1. Technical Architecture Upgrade

Build a “Continuous Verification” Defense System: Abandon the static defense thinking of “one-time verification, permanent trust” and establish a dynamic defense architecture centered on continuous verification [1].

Multimodal Real-Time Recognition Capability: Use multimodal large models to conduct in-depth semantic understanding of live content, and identify hidden non-compliant content that evades traditional CNN recognition through slicing, inversion, local mosaic, and other methods [1].

Dynamic Streaming Authentication: No longer rely solely on static tokens, but conduct continuous evaluation by combining device fingerprints, geographic locations, biometric information, network link quality, and real-time behavior patterns [1].

Micro-Isolation Architecture: Divide the live streaming business into multiple tiny areas. Even if attackers obtain permissions for a certain number segment or interface, they cannot move laterally to attack other core modules [1].

2. Mechanism and Process Optimization

Establish Cross-Departmental Emergency Team: Clarify the automatic circuit breaker process after the violation threshold is triggered to achieve “second-level response and minute-level disposal”. For example, suspend the broadcasting of high-risk account segments and restrict abnormal streaming behaviors [2].

Strengthen Traffic Anomaly Detection: When a large number of newly registered accounts across the platform initiate high-concurrency streaming simultaneously, the system should automatically trigger the “extreme security mode” and raise the priority of manual intervention to the highest [1].

Context-Aware Access Strategy: Dynamically adjust authorization according to the sensitivity of content. When the number of viewers in a live room surges, automatically increase the moderation frequency and modal dimensions [1].
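
The burst detection and targeted circuit breaker described under “Establish Cross-Departmental Emergency Team” and “Strengthen Traffic Anomaly Detection”, as an added example that is not from the article or from Kuaishou. The thresholds, event fields, sample events and action names are assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass

# Assumed values (not from the article); tune against the platform's own baseline.
NEW_ACCOUNT_AGE_S = 24 * 3600  # younger accounts count as "newly registered"
WINDOW_S = 60                  # sliding window length in seconds
BURST_THRESHOLD = 5            # distinct new accounts going live per window

@dataclass
class StreamStart:
    ts: int             # event time, epoch seconds (events arrive in time order)
    account_id: str
    account_age_s: int  # seconds since registration

class BurstDetector:
    def __init__(self):
        self.recent = deque()      # (ts, account_id) for new-account stream starts
        self.extreme_mode = False  # latched until an operator calls clear()

    def clear(self):
        """Manual reset after human review of the incident."""
        self.extreme_mode = False
        self.recent.clear()

    def observe(self, ev: StreamStart) -> str:
        """Return 'allow' or 'hold_for_review' for one stream-start event."""
        # Drop events that have left the sliding window.
        while self.recent and self.recent[0][0] <= ev.ts - WINDOW_S:
            self.recent.popleft()
        is_new = ev.account_age_s < NEW_ACCOUNT_AGE_S
        if is_new:
            self.recent.append((ev.ts, ev.account_id))
        # Count distinct accounts so one account restarting cannot trip the breaker.
        if len({acct for _, acct in self.recent}) >= BURST_THRESHOLD:
            self.extreme_mode = True
        # Targeted breaker: only the high-risk segment is held, not every streamer.
        return "hold_for_review" if self.extreme_mode and is_new else "allow"

def demo():
    """Constructed sample: one established account, a burst of six new ones, another established one."""
    det = BurstDetector()
    events = [StreamStart(0, "veteran-1", 90 * 86400)]
    events += [StreamStart(10 + i, f"new-{i}", 600) for i in range(6)]
    events.append(StreamStart(20, "veteran-2", 400 * 86400))
    return [det.observe(e) for e in events]
```

Because the mode is latched, streams from new accounts stay held until `clear()` is called, which is where the manual-intervention step fits.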

3. Ecological Collaborative Governance

Jointly Build a Black and Gray Industry Database with the Industry Chain: Share characteristic information such as non-compliant accounts and device fingerprints to promote cross-platform joint prevention and control [2].

Strengthen Governance of Code Receiving Platforms: Collaborate with telecom operators and security institutions to establish a global database of illegal virtual number segments, and implement “moderation before broadcasting” restrictions on registrations using high-risk number segments [1].

Public Participation Incentive Mechanism: Set up high bonuses to encourage users to report black industry clues and transform the vast number of users into the platform’s “distributed security sentinels” [1].

4. Compliance and Responsibility Implementation

Strictly Implement Regulatory Requirements: According to Articles 6, 8, and 21 of the “Regulations on the Governance of the Online Information Content Ecosystem”, earnestly fulfill the main responsibility for information content management [2].

Establish Second-Level Response Mechanism: According to Articles 11 and 20 of the “Regulations on the Management of Internet Live Streaming Services”, establish a second-level offline, automatic blocking, and function circuit breaker mechanism for pornographic and violent content [2].

Strengthen Minor Protection: Combine Articles 74 and 80 of the “Minor Protection Law” to strengthen special prevention and control measures for pornographic content [2].

Regular Offensive and Defensive Drills: Simulate new attack scenarios to optimize defense strategies and eliminate the efficiency bottleneck of over-reliance on manual review [2].

IV. Industry Insights and Outlook

The Kuaishou incident is not an isolated case but an extreme manifestation of common problems faced by the live streaming industry. In 2025, live streaming and social platforms worldwide are facing challenges of AI-driven content attacks [1].

From the perspective of industry comparison, domestic platforms perform well in “emphasizing response and shutdown”, but there is still much room for improvement in “precision defense” and “predictive defense” based on multimodal large models [1].

Future Trend Outlook:

  1. Continuous Reduction of Attack Costs: The development of AI technology has greatly reduced attack costs, and more black and gray industries will target Internet platforms [5].
  2. Increased Industry Threshold: Platforms will have to invest more resources in security protection, which may change the competitive landscape [5].
  3. Deepened Government-Enterprise Collaboration: Cross-border law enforcement and intelligence sharing mechanisms will be further improved to promote source governance [1].
  4. From “Governance Technology” to “Technology Governance”: Platforms will actively explore embedding governance into technology to achieve a paradigm shift [7].

Facing an increasingly complex cybersecurity environment, platforms can rebuild trust in the confrontation between technology and rules only by reshaping their security concept, from “post-incident patching” to “predictive defense”, isolating risks through effective security architecture, and building a trust loop between users, regulators, and enterprises [1].


References

[1] FreeBuf Cybersecurity Industry Portal - In-Depth Analysis Report on Kuaishou’s Large-Scale Content Security Incident (https://www.freebuf.com/articles/463370.html)
[2] Sohu - Tens of Thousands of Live Rooms Broadcasting Pornographic Content? Lawyer Interprets Kuaishou’s “Cybersecurity Gate” (https://m.sohu.com/a/968591953_120491808)
[3] Securities Times - Kuaishou Attacked by “Pornography”, Live Streaming Function Collapsed Temporarily (https://www.stcn.com/article/detail/3555005.html)
[4] Huxiu - Kuaishou is Not Just a “Victim”, Kuaishou Has Not Apologized (https://www.huxiu.com/article/4820192.html)
[5] Sina Finance - Kuaishou Suffers Rare Large-Scale Cyber Attack: How Fragile Are Live Streaming Platforms’ Security Defenses? (https://finance.sina.com.cn/roll/2025-12-29/doc-inhemfqt8246886.shtml)
[6] EET-China - Market Value Evaporated by Ten Billion: Who is Responsible for Kuaishou’s “Dual Moderation Failure”? (https://www.eet-china.com/mp/a462408.html)
[7] The Paper - A Terrifying Night in Kuaishou Live Rooms (https://m.thepaper.cn/newsDetail_forward_32235114)
