US-China Joint Hammer! HoYoverse Catches Another 'Leaker': 'Nike Girl' Arrested — What Legal Consequences?
Using the HoYoverse v. Nike Girl case as an example, this article analyzes the criminal risks of game leaking in China and seven strict causes of action in US civil litigation, revealing cross-border rights enforcement strategies.
In recent years, the leaking of unpublished game content during development (commonly known as “insider leaks”) has been a persistent headache for major game companies, especially anime-style game developers.
Whether it disrupts a marketing campaign costing tens of millions or damages the player community ecosystem, the implicit and explicit losses caused by leaks are immeasurable.
Previously, companies typically responded with cease-and-desist letters or civil lawsuits. However, in the past year or two, cases involving criminal prosecution have been on the rise.
And recently, HoYoverse demonstrated a textbook “cross-border dual-track” rights enforcement action to the entire industry.
On February 27, Shanghai police announced the solving of the first criminal case of “illegal spoilers” in the gaming field, arresting three suspects. The mastermind was Zhou, a PhD student in mathematics (rumored) studying in the US, who built the leak website “Yuhuai Cup” under the online alias HomDGCat (Chinese nickname “Nike Girl”).
On the other side of the Pacific, HoYoverse’s overseas entity Cognosphere filed a federal civil lawsuit against Zhou on February 5, seeking astronomical damages.
As a Honkai: Star Rail player, I’m ashamed to admit (actually not) that I previously used Zhou’s “Yuhuai Cup” website to check what character materials would be needed for the next version, so I could farm them in advance during the dead period (now that the game has in-game previews, this is no longer necessary).
Today, let’s take a hardcore look at what legal consequences this post-00s genius academic faces and what “combo” HoYoverse’s legal team has executed.
*This article represents only the author’s personal views and does not constitute legal advice or a legal opinion.
I. Where Is the Technical and Legal Boundary of “Datamining”?
The police bulletin mentioned a core technical method: “using technical means to crack the game test installation package.”
In the gaming community, this is commonly called “datamining.”
I previously discussed this topic in detail in the article “[Game Law Knowledge: Is Using Asset Studio for Datamining Legal?]”
Many players have serious misconceptions about the legal boundaries of datamining, thinking: “The tool is open source, and I downloaded the package myself — what’s wrong with taking a look inside?”
Those who think they “know the law” might even say, “Doesn’t the Copyright Law say ‘personal study is exempt’?”
Article 24: In the following circumstances, a work may be used without permission from, or payment of remuneration to, the copyright owner, provided that the name or title of the author and the title of the work are indicated, and that the use does not affect the normal use of the work or unreasonably prejudice the legitimate rights and interests of the copyright owner:
(1) For personal study, research, or appreciation, using another person’s published work;
Article 50: Technical measures may be circumvented in the following circumstances, provided that the technologies, devices, or components for circumventing technical measures are not provided to others, and that other rights legally enjoyed by the right holder are not infringed:
(5) Conducting encryption research or computer software reverse engineering research.
The key here lies in the “object” and “purpose.”
Permissible: Published Content + Good Faith Use
If a player uses tools like Asset Studio to datamine an already officially released game client, for the purpose of studying how major studios do 3D model wireframing, or creating non-commercial fan MMDs on their own computer (of course, major studios like HoYoverse now directly release models for free use), this typically falls into the gray “fair use” zone, and company legal departments generally do not pursue it.
Not Permissible: Unpublished Content + Malicious Use
But this time, Zhou’s “purpose” was not pure.
First, they did not datamine a publicly released client, but rather obtained unpublished encrypted test builds through various means.
Furthermore, they turned the datamined [unpublished] core trade secrets (new characters, new scenes, skill multipliers, and even story text, new Abyss bosses, etc.) into videos and databases, publicly releasing them to attract nearly 100,000 subscribers, earning platform revenue shares and user tips.
Moreover, after multiple communications from HoYoverse, they [refused to comply].
That only left the “iron fist” as the answer.
II. First, Domestically — Why Face Criminal Compulsory Measures?
In practice, many people involved in IP infringement have a naively mistaken belief:
“At worst, the platform will send a warning letter, and I’ll just take down the video — problem solved, right?”
Well, not necessarily.
The Shanghai police’s operation provided a concrete example, thoroughly shattering this illusion.
This is the first criminal case in Shanghai targeting “illegal spoiler” conduct in the gaming field, and it certainly won’t be the last.
Why Was an Arrest Made?
Because unpublished information during game development is not only a work protected by copyright law — it is also a trade secret protected by anti-unfair competition law.
In April 2025, the Supreme People’s Court and the Supreme People’s Procuratorate jointly issued the “Interpretation on Several Issues Concerning the Application of Law in Criminal Cases of Intellectual Property Infringement” (which I wrote about earlier). This judicial interpretation provided clear legal guidance for the criminal prosecution of “illegal spoilers” in the gaming field.
Article 13: For acts of infringing copyright or rights related to copyright under Article 217 of the Criminal Law, if the illegal income is RMB 30,000 or more, it shall be deemed as “relatively large illegal income” under Article 217; any of the following circumstances shall be deemed as “other serious circumstances” under Article 217:
(4) Communicating to the public via information networks another person’s works, audio and video recordings, or performances, totaling 500 or more items (copies), or with downloads reaching 10,000 or more times, or with clicks reaching 100,000 or more times, or communicating in a membership-based manner with registered members reaching 1,000 or more;
In addition, Zhou’s actions not only profited themselves but also caused substantial harm to HoYoverse.
Premature release of unfinished data not only severely disrupted the established commercial marketing rhythm, but also likely triggered unnecessary disputes in the player community, damaging the game ecosystem.
When infringement causes significant economic loss to the rights holder and the amount of illegal business operations (such as traffic monetization, tips) meets the filing threshold, it triggers Article 217 (copyright infringement) or Article 219 (trade secret infringement) of the Criminal Law.
What Sentence?
Let’s go directly to the statutes:
Article 217: For profit, committing any of the following acts of copyright infringement, if the amount of illegal gains is relatively large or there are other serious circumstances, the offender shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and/or fined; if the amount of illegal gains is huge or there are other especially serious circumstances, the offender shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years, and fined:
(1) Reproducing and distributing written works, music, film, television, video works, computer software, and other works without permission of the copyright owner;
Article 219: Engaging in any of the following acts of infringing trade secrets, if causing significant loss to the trade secret rights holder, the offender shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and/or fined; if causing especially serious consequences, the offender shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years, and fined:
(1) Acquiring trade secrets from the rights holder by theft, inducement, coercion, or other improper means;
(2) Disclosing, using, or allowing others to use trade secrets acquired by the means mentioned above;
(3) Disclosing, using, or allowing others to use trade secrets in one’s possession in violation of an agreement or the rights holder’s requirements for keeping trade secrets confidential.
The actual profit determination is not yet visible, but generally speaking, based on publicly available information, a sentence of up to three years — or even one year suspended — seems appropriate.
Note the above reference to “disclosing, using, or allowing others to use trade secrets in one’s possession in violation of an agreement or the rights holder’s requirements for keeping trade secrets confidential.” In other words, leaking test server information also carries criminal liability risk.
III. Now, in the US — How Did HoYoverse Sue Them?
In addition to criminal measures in China, HoYoverse also filed a civil lawsuit against them in the United States.
I obtained and reviewed the full text of HoYoverse’s complaint filed in the United States District Court for the Northern District of Georgia.
This complaint is well worth studying.
(Follow me, type “Nike Girl” in the chat to get the full English complaint PDF.)
In this 45-page document, HoYoverse did not simply assert copyright infringement, but instead deployed an extremely tight “seven-count” combination punch:
1. Trade Secret Misappropriation (Count I & II)
First, they invoked the federal Defend Trade Secrets Act (DTSA) and the Georgia Trade Secrets Act (GTSA).
Unpublished game versions cannot simply be protected as “works.” Counts I and II directly characterize them as high-value “trade secrets.”
To satisfy the legal requirement for “confidentiality measures” for trade secrets, HoYoverse detailed in the complaint the security measures they implemented: strict NDAs signed with testers, physical isolation of development areas, IT system password protection and permission segmentation, etc.
Having established the trade secret nature, and since Zhou’s conduct was deemed “intentionally and maliciously,” this directly entitled HoYoverse to claim exemplary/punitive damages.
2. Claiming Statutory Maximum Damages (Count III)
Zhou, without authorization, directly copied and published in-game character artwork, models, and text dialogue on Telegram channels and the HomDGCat website, infringing reproduction and distribution rights.
Instead of getting bogged down in hard-to-calculate “actual damages,” HoYoverse went straight for the jugular by invoking the US Copyright Act (17 U.S.C. §§ 106 & 501) and reserving the right to elect statutory damages. For willful infringement, the maximum statutory damages under US copyright law are up to $150,000 per work.
3. DMCA Anti-Circumvention Violation (Count IV)
Many “tech enthusiasts” think that simply extracting data without monetizing it means they haven’t broken the law. But the DMCA provides that if you crack a company’s encryption technology, the “circumvention act” itself is illegal.
The complaint points out that the test build was encrypted, and Zhou’s data extraction constituted “circumvention of technological protection measures.”
Under US law, each act of circumvention may entitle the plaintiff to up to $2,500 in statutory damages.
Given the tens of thousands of data entries on the website, the theoretical claim for this count alone is astronomical.
4. TOS (Terms of Service) as a Safety Net (Count V)
The vast majority of “insiders” are also game players themselves, and Zhou was no exception.
Paragraphs 26-29 of the complaint state that Zhou owned a HoYoverse account and necessarily clicked to agree to the Terms of Service (TOS) upon registration.
And HoYoverse’s TOS clearly states: “Prohibited from extracting source code or cracking encrypted materials” and “Prohibited from using for commercial purposes.”
A well-written TOS is not just a disclaimer — when it comes to enforcement, it becomes a sharp weapon.
(But honestly, how many people actually read those lengthy Terms of Service?)
5. Tortious Interference with Contract (Count VI)
Many leakers like to argue:
“The test build was sent to me by someone else — I’m just republishing it. The ones who breached their contract are the testers.”
Of course, those testers certainly breached their contracts.
But under common law, if you know someone has a confidentiality obligation and you induce them to breach it, you have committed a tort.
Paragraph 35 of the complaint directly attaches irrefutable evidence: a message Zhou posted on Telegram on April 19, 2024, actively soliciting test server players to provide the test build, promising “I won’t know your identity, and I won’t leak the download link you give me to anyone.”
This directly strips away Zhou’s disguise as a “simple information sharer” (eliminating any claim of “good faith”), characterizing him as the mastermind who actively built and organized a leak network while inducing players to breach their contracts.
This also makes it easier for the court to issue a severe punitive judgment.
6. Seeking Legal Fees and Litigation Costs (Count VII)
Paragraph 46 of the complaint reveals a key detail that corroborates information from HoYoverse’s legal team video.
HoYoverse sent him a cease-and-desist (C&D) letter on December 24, 2025, but Zhou’s reply was extremely defiant, explicitly refusing to stop illegal datamining and soliciting of test builds.
As we all know, legal fees in US intellectual property litigation are astronomical.
HoYoverse used this to demonstrate that the defendant exhibited “malicious, stubbornly litigious” behavior, causing unnecessary trouble for the plaintiff, and therefore requested the court to order the defendant to bear all of HoYoverse’s legal fees and litigation costs.
This “combo” — covering trade secrets, copyright, technological circumvention, all the way to TOS and inducement to breach contract — essentially shut down every possible defense in civil litigation.
IV. Even Worse: Zhou Can’t Return to the US to Defend
Now Zhou faces an extremely thorny procedural dilemma.
HoYoverse’s civil lawsuit against him in the Northern District of Georgia has been filed.
However, the defendant Zhou is currently in China and has been subjected to criminal compulsory measures by Shanghai police.
This means Zhou is objectively unable to travel to the US to defend himself, and he may not even be able to timely retain US counsel to file an answer.
Under US civil procedure rules, if a defendant fails to respond or appear within the statutory period, the plaintiff may apply to the court for a default judgment.
Under default judgment procedure, the judge typically directly adopts the factual allegations and claims made in the plaintiff’s complaint.
In other words, a judgment covering infringement damages, DMCA maximum statutory damages, punitive damages, and hefty legal fees — potentially reaching millions or even tens of millions of dollars — is likely to be fully approved by the court.
Even if Zhou’s domestic criminal case is eventually resolved, once this US court judgment becomes final, all of his assets within US jurisdiction become subject to enforcement at any time.
With this massive debt from malicious IP infringement on his record, this “academic prodigy” (rumored to have attended a gifted youth program, currently a PhD student at Georgia Tech) has had his future overseas academic career and professional path essentially permanently blocked.
(Of course, being recruited by the company would be a different story.)
V. Final Thoughts
From the rejected cease-and-desist letter, to the seven-count federal civil complaint in the US, to coordinating with Chinese police for criminal prosecution — HoYoverse has demonstrated to the entire industry its determination and capability to combat the underground leak industry.
Faced with increasingly rampant black-market activities, beyond traditional civil litigation and cease-and-desist letters, more companies may attempt to actively coordinate with public security authorities, guided by the new judicial interpretation, to legitimately use criminal means to protect their rights.
This case also provides a textbook-level “battle guide” for law-abiding game companies. To wield legal weapons effectively, the underlying compliance foundation must be solid. Review and refine your Terms of Service (TOS) and Non-Disclosure Agreements (NDAs), clearly prohibiting datamining and circumvention of technological protection measures in writing. Technologically, strengthen the encryption and traceability mechanisms for test builds.
Only by first building your own “moat” can you deliver such a flawless cross-border combination punch in the face of infringement.
For the general player base and tech-savvy creators, this is a vivid and sobering legal lesson.
Internet technology — especially the rapid advancement of AI — gives more people the ability to explore the underlying code. But that is absolutely not a license to steal others’ trade secrets and profit from them.
Don’t cross the legal red line for the sake of chasing that meager “scoop traffic” and tips.
Also, be wary of those so-called “leak masters” who promise you “absolute safety and never reveal your identity” — they are just using ordinary test players as “cannon fodder” to obtain free resources.
Once a major company’s legal team coordinates with law enforcement to trace back to the source, even they won’t be able to protect their own secrets, let alone the tester who provided the build.
Protecting unpublished trade secrets means protecting the lifeline of game companies — and it also means protecting the foundation of an industry capable of consistently producing high-quality content.
