Sophidea, or the Chinese-Cheyenne Express

Why did the Chinese internet burst out of Cheyenne, Wyoming in 2014? What is Sophidea? How are they related to the Open Technology Fund? Why are the Chinese camping out in our supercomputer facilities? What's with that? Should they be paying rent?


Sophidea is really the US-sponsored tech firm “Ultrasurf”.

Ultrasurf in turn is sponsored by the Open Technology Fund (OTF). OTF in turn reports to an agency that has used various names at various times but is today the US Agency for Global Media.


Ultrasurf is part of a long list of OTF sham software projects that mostly did very little, or sometimes appear to have purposely exposed user data to the Chinese government.

Such accusations probably seem very big, but I think that is only because this topic is little talked about. Regardless, nearly everyone should be able to agree that penetrating, subverting, and spying on OTF would theoretically be straightforward and not that difficult for Beijing. The CIA and FBI have to deal constantly with such activity from China, so what makes OTF special?

Other such projects include Tor, perhaps the biggest joke ever played on users seeking better cybersecurity in the history of computing. Besides trying to pawn off a laughably simple program as a “breakthrough” (Tor just forwards your data to two other nodes and then to the desired site; this is nothing novel), it has been plagued by aggressive sexual misconduct.


In 2014 an unusual incident happened regarding the Chinese internet, the unblocking of many typically censored sites, and the state of Wyoming.

The incident itself is not what it seems at first. First, how the story appeared is enormously unusual. There are almost no reports from blogs or tweets about crashes and massive outages that day. The story simply “appears” in the newspapers of record in the United States. All we can be certain of is that this wasn’t an organic event just dutifully reported on by the media.

Second, the connection between Sophidea and Ultrasurf was never reported on and never made clear. That would have immediately implicated the Open Technology Fund.

Third, the hosting provider of Sophidea is Hurricane Electric. We will come back to this later.

Fourth and finally, while Sophidea has a business address, it does not have servers there. Those servers are located in the NCAR Super Computing Facility down the road on the western edge of the city of Cheyenne. We were able to deduce this from historical passive DNS, reverse resource records, and ASN ownership titles. This will be expanded on


This immediately raises red flags. NCAR has been under off-and-on investigation for espionage and sedition since 1970. That year, Robert White was appointed director of the facility. A very odd man, he sought to merge anarchy, critical theory, extreme bolshevism, and the darker bits of communist theory into a management style that haunts NOAA to this day.

The historical records of communism have never been easy to investigate. From the mysterious 1973 fire at the National Personnel Records Center to the 2007 arrest of Sandy Berger for stuffing 50 pages of National Archives documents down his pants, records that discuss in depth US government personnel controversies and their loyalty to the United States just seem to “disappear”.

1973 National Personnel Records Center fire in St. Louis

Most people also don’t realize, and would find very strange, that members of NOAA consider themselves military officers with equivalent rank. According to United States law, they are technically correct, as they are a “uniformed service”.


The Chinese internet is almost entirely IPv6 based. Though first described in a 1995 RFC, IPv6 is terribly complicated compared to IPv4, typically not worth the hassle to implement, and is a privacy disaster.

Roughly speaking, the reason it would be a privacy disaster is that IPv6 has so many unique IP addresses to assign (it goes into the quadrillions) that every device on Earth would have a trackable unique fingerprint that would make it possible to constantly identify a user and make evasion next to impossible. For this reason Huawei has tried to rebrand IPv6 with the term New IP, but it is just IPv6 redux.

Because the American internet is still mostly on IPv4, despite enormous pushes from lobbyists, Huawei, and others, it is not straightforward for traffic to move between the two countries. Hurricane Electric solves this problem, though, by making available, mostly for free, brokers and tunnels that help bridge the connection between IPv6 networks and IPv4 networks.


This post is meant to be a resource for other researchers as well as to kick off what will be a series of writings that investigate Chinese cyber activity in the American West.

If we take everything talked about above, some of which will be fleshed out in more detail in later posts, then a rough summary can be arrived at as to what was going on back in late 2014. First, malicious traffic and ad fraud bots that help generate tens of billions of dollars flow out of China. They then flow through Taiwan via the Data Business Communication Group (also known as HiNet) and Japan via the Sakura ISP. The reason for this stopover is the lack of a direct underwater fiber line between the US and the PRC. From those two countries the traffic moves across the “IPv6 bridge” Hurricane Electric provides out of its HQ in Fremont, CA, and then finally to Sophidea/NCAR in Wyoming.

From there, as best we are able to tell, the supercomputer “Cheyenne” at NCAR, which as of last month is the 60th fastest computer in the world, fans the traffic across the United States for various uses by Chinese intelligence.

The following diagram may be of some assistance: