| Cybersecurity Risk Management, Strategy, and Governance Disclosure | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Item 16K. Cybersecurity Our management and Board recognize the critical importance that a robust cybersecurity program and processes play in maintaining the integrity of our information technology networks and systems, which we rely upon to securely process, transmit and store electronic information and to communicate among our locations and with our customers and partners. We identify and address information security risks by employing a defense-in-depth methodology that provides multiple, redundant defensive measures in case a security control fails or a vulnerability is exploited. Our policies include procedures for handling urgent problems, accident classification standards, and internal audit standards for information security. We have passed Information Security Management Systems (ISMS) certifications such as ISO27001 and ISO27701, and we follow these and other international standards to assess, identify and manage cybersecurity threats. In addition to our internal resources, we also leverage external resources to mitigate cybersecurity threats to the Company, including partnering with third parties to conduct penetration testing, attack and defense exercises; perform annual audits and certifications of our cybersecurity and information technology processes and performance; and supply us with defensive tools. We have processes in place to oversee and identify risks that may arise from cybersecurity threats associated with our use of third-party service providers, including contract review procedures that apply to third party vendors handling or having access to company information. Our security team conducts additional cybersecurity due diligence on certain vendors involved in customer data sharing. Oversight of cybersecurity risk is integrated into our overall enterprise risk management framework. 
At the management level, our Chief Information Officer (“CIO”) oversees our cybersecurity program and risks, with more than 15 years of experience in the online advertising and fintech industry, including significant engineering experience and responsibility for building trading systems, anti-fraud systems, and risk management systems. Our CIO holds an M.S. degree in Computer Science from the Institute of Software, Chinese Academy of Sciences, and a B.S. degree from Huazhong University of Science and Technology. Our CIO oversees our research and development (“R&D”) department, which is responsible for detecting, identifying, monitoring, and remediating IT and cybersecurity risks. The security team within the R&D department prepares and disseminates to vice presidents, team leaders and licensed entity team leaders a security monthly report regarding our security posture, critical business security metrics, security incidents, security audits, and other security-related matters. At the Board level, cybersecurity risk oversight has been delegated to our Operation Committee, which is a sub-committee of the Board of Directors composed of our non-independent directors. The Operation Committee meets weekly, and our CIO reports to the Operation Committee in the event any significant risks or incidents have been identified. In addition, the Operations Committee has an online working group where the CIO will promptly report any cybersecurity incidents and risks.
On July 10, 2025, we experienced a ransomware attack, resulting in restrictions of access to certain office environment shared folders, and we completed the recovery of all of the affected file data on July 20, 2025. We engaged an independent third-party cybersecurity expert, with support from its managed detection and response provider, to investigate the nature and scope of the incident, assist with containment, and ensure no ongoing unauthorized activity. We also promptly notified the relevant regulatory authorities upon discovery of the incident, and we have not received any notices related to the commencement of any formal disciplinary proceedings with respect to this incident. Recommended and implemented remediation measures have already been adopted, including rebuilding affected devices, credential resets, enhanced monitoring and endpoint protection, phased migration away from the legacy VPN toward a zero-trust access model, and further strengthening of network segregation and ransomware defenses, aiming to prevent a similar incident in the future. To date, we have worked with a data discovery and review team to determine the scope, nature, and extent of information potentially impacted. We have notified business partners and critical vendors about the incident. For the year ended December 31, 2025, we incurred approximately $1.86 million of costs related to remediation, restoration, communications, investigation and analysis, legal services, and other related expenses. We will invest more in the prioritization and upgrade of our systems and network defenses, aiming to prevent a similar incident in the future. No other similar incident occurred during the year ended December 31, 2025.
As of the date of this report, the incident did not materially affect us, our business strategy, results of operation or financial condition. |
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Oversight of cybersecurity risk is integrated into our overall enterprise risk management framework. |
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Our management and Board recognize the critical importance that a robust cybersecurity program and processes play in maintaining the integrity of our information technology networks and systems, which we rely upon to securely process, transmit and store electronic information and to communicate among our locations and with our customers and partners. We identify and address information security risks by employing a defense-in-depth methodology that provides multiple, redundant defensive measures in case a security control fails or a vulnerability is exploited. Our policies include procedures for handling urgent problems, accident classification standards, and internal audit standards for information security. We have passed Information Security Management Systems (ISMS) certifications such as ISO27001 and ISO27701, and we follow these and other international standards to assess, identify and manage cybersecurity threats. In addition to our internal resources, we also leverage external resources to mitigate cybersecurity threats to the Company, including partnering with third parties to conduct penetration testing, attack and defense exercises; perform annual audits and certifications of our cybersecurity and information technology processes and performance; and supply us with defensive tools. We have processes in place to oversee and identify risks that may arise from cybersecurity threats associated with our use of third-party service providers, including contract review procedures that apply to third party vendors handling or having access to company information. Our security team conducts additional cybersecurity due diligence on certain vendors involved in customer data sharing. Oversight of cybersecurity risk is integrated into our overall enterprise risk management framework. |
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | At the Board level, cybersecurity risk oversight has been delegated to our Operation Committee, which is a sub-committee of the Board of Directors composed of our non-independent directors. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | The security team within the R&D department prepares and disseminates to vice presidents, team leaders and licensed entity team leaders a security monthly report regarding our security posture, critical business security metrics, security incidents, security audits, and other security-related matters. |
| Cybersecurity Risk Role of Management [Text Block] | Oversight of cybersecurity risk is integrated into our overall enterprise risk management framework. At the management level, our Chief Information Officer (“CIO”) oversees our cybersecurity program and risks, with more than 15 years of experience in the online advertising and fintech industry, including significant engineering experience and responsibility for building trading systems, anti-fraud systems, and risk management systems. Our CIO holds an M.S. degree in Computer Science from the Institute of Software, Chinese Academy of Sciences, and a B.S. degree from Huazhong University of Science and Technology. Our CIO oversees our research and development (“R&D”) department, which is responsible for detecting, identifying, monitoring, and remediating IT and cybersecurity risks. The security team within the R&D department prepares and disseminates to vice presidents, team leaders and licensed entity team leaders a security monthly report regarding our security posture, critical business security metrics, security incidents, security audits, and other security-related matters. At the Board level, cybersecurity risk oversight has been delegated to our Operation Committee, which is a sub-committee of the Board of Directors composed of our non-independent directors. The Operation Committee meets weekly, and our CIO reports to the Operation Committee in the event any significant risks or incidents have been identified. In addition, the Operations Committee has an online working group where the CIO will promptly report any cybersecurity incidents and risks.
On July 10, 2025, we experienced a ransomware attack, resulting in restrictions of access to certain office environment shared folders, and we completed the recovery of all of the affected file data on July 20, 2025. We engaged an independent third-party cybersecurity expert, with support from its managed detection and response provider, to investigate the nature and scope of the incident, assist with containment, and ensure no ongoing unauthorized activity. We also promptly notified the relevant regulatory authorities upon discovery of the incident, and we have not received any notices related to the commencement of any formal disciplinary proceedings with respect to this incident. Recommended and implemented remediation measures have already been adopted, including rebuilding affected devices, credential resets, enhanced monitoring and endpoint protection, phased migration away from the legacy VPN toward a zero-trust access model, and further strengthening of network segregation and ransomware defenses, aiming to prevent a similar incident in the future. To date, we have worked with a data discovery and review team to determine the scope, nature, and extent of information potentially impacted. We have notified business partners and critical vendors about the incident. For the year ended December 31, 2025, we incurred approximately $1.86 million of costs related to remediation, restoration, communications, investigation and analysis, legal services, and other related expenses. We will invest more in the prioritization and upgrade of our systems and network defenses, aiming to prevent a similar incident in the future. No other similar incident occurred during the year ended December 31, 2025.
As of the date of this report, the incident did not materially affect us, our business strategy, results of operation or financial condition. |
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our CIO oversees our research and development (“R&D”) department, which is responsible for detecting, identifying, monitoring, and remediating IT and cybersecurity risks. |
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | At the management level, our Chief Information Officer (“CIO”) oversees our cybersecurity program and risks, with more than 15 years of experience in the online advertising and fintech industry, including significant engineering experience and responsibility for building trading systems, anti-fraud systems, and risk management systems. Our CIO holds an M.S. degree in Computer Science from the Institute of Software, Chinese Academy of Sciences, and a B.S. degree from Huazhong University of Science and Technology. |
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | The security team within the R&D department prepares and disseminates to vice presidents, team leaders and licensed entity team leaders a security monthly report regarding our security posture, critical business security metrics, security incidents, security audits, and other security-related matters. At the Board level, cybersecurity risk oversight has been delegated to our Operation Committee, which is a sub-committee of the Board of Directors composed of our non-independent directors. The Operation Committee meets weekly, and our CIO reports to the Operation Committee in the event any significant risks or incidents have been identified. In addition, the Operations Committee has an online working group where the CIO will promptly report any cybersecurity incidents and risks.
On July 10, 2025, we experienced a ransomware attack, resulting in restrictions of access to certain office environment shared folders, and we completed the recovery of all of the affected file data on July 20, 2025. We engaged an independent third-party cybersecurity expert, with support from its managed detection and response provider, to investigate the nature and scope of the incident, assist with containment, and ensure no ongoing unauthorized activity. We also promptly notified the relevant regulatory authorities upon discovery of the incident, and we have not received any notices related to the commencement of any formal disciplinary proceedings with respect to this incident. Recommended and implemented remediation measures have already been adopted, including rebuilding affected devices, credential resets, enhanced monitoring and endpoint protection, phased migration away from the legacy VPN toward a zero-trust access model, and further strengthening of network segregation and ransomware defenses, aiming to prevent a similar incident in the future. To date, we have worked with a data discovery and review team to determine the scope, nature, and extent of information potentially impacted. We have notified business partners and critical vendors about the incident. For the year ended December 31, 2025, we incurred approximately $1.86 million of costs related to remediation, restoration, communications, investigation and analysis, legal services, and other related expenses. We will invest more in the prioritization and upgrade of our systems and network defenses, aiming to prevent a similar incident in the future. No other similar incident occurred during the year ended December 31, 2025.
As of the date of this report, the incident did not materially affect us, our business strategy, results of operation or financial condition. |
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |