Image: Detail of an FBI wanted poster for Chinese nationals allegedly part of a hacking operation known as Aquatic Panda.

US charges Chinese nationals in cyberattacks on Treasury, dissidents and more

U.S. law enforcement agencies announced dozens of criminal charges against a web of hackers employed by the Chinese government and private companies in China — accusing them of being involved in more than a decade of cyberattacks, including the most recent breach of the U.S. Treasury.

The Department of Justice charged 12 Chinese nationals, including two officers of the Ministry of Public Security (MPS) and several employees of a controversial cybersecurity firm known as i-Soon. 

In addition to the Treasury attack in 2024, prosecutors cited hacks of U.S.-based critics and dissidents of the PRC; a large religious organization in the United States; the foreign ministries of multiple governments in Asia; and several U.S. federal and state government agencies.

The indictments outline a complex system in which China’s government relied heavily on private companies and freelance hackers to distance officials from cyberattacks the Justice Department called reckless. Department officials told reporters that using private companies provided China with plausible deniability and hid government involvement. 

At times, the hackers were given specific targets but they often operated on their own, officials said, breaching systems used by people and organizations that they believed would be of interest to Chinese government officials.  

“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed,” said Sue Bai, head of the Justice Department’s National Security Division. 

The Chinese government paid freelancers and i-Soon employees to breach email inboxes, steal sensitive data and monitor dissidents or U.S.-based critics. The FBI links i-Soon to a threat actor tracked by cybersecurity researchers under names such as Aquatic Panda, RedHotel or Charcoal Typhoon.

Hackers within i-Soon often tried to sell stolen information to at least 43 different bureaus of the MPS or the Ministry of State Security (MSS) in at least 31 separate provinces and municipalities in China — charging between $10,000 and $75,000 for each email inbox they successfully exploited.

The company was also hired to train MPS officers on how to hack targets and offered governments tools to conduct operations. The DOJ said the hackers often “cast a wide net” before combing through stolen information and seeing what could be sold to the Chinese government.  

“The result of this largely indiscriminate approach was more worldwide computer intrusion victims, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third-parties,” the DOJ said. 

Hackers for hire

One indictment filed in a Manhattan federal court focuses on eight i-Soon employees and two MPS officers, accusing them of hacking email accounts, cell phones, servers, and websites from 2016 to 2023. The DOJ said it also seized the primary internet domain used by i-Soon to advertise its business.  

“For years, these 10 defendants — two of whom we allege are PRC officials — used sophisticated hacking techniques to target religious organizations, journalists, and government agencies, all to gather sensitive information for the use of the PRC,” said acting U.S. Attorney Matthew Podolsky for the Southern District of New York.

The 10 are now wanted by the FBI, and the State Department issued a $10 million reward for information on their whereabouts.

Those indicted include i-Soon CEO Wu Haibo, COO Chen Cheng and several other technical staff members at the company.

The DOJ said i-Soon generated millions of dollars as key cogs in China’s hacker-for-hire ecosystem — often taking direction from China’s MPS or Ministry of State Security (MSS). Much of the focus was on targeting critics of China, including an unnamed large religious organization that sends missionaries to the country and was critical of the government. 

Other targets included organizations promoting human rights and religious freedom. In the U.S., the hackers went after multiple news organizations and others accused of trying to propagate uncensored news to people across Asia. 

The hackers also had dozens of targets outside of the U.S. that included the foreign ministries of Taiwan, India, South Korea, and Indonesia as well as a newspaper in Hong Kong and an unnamed religious leader.

Last February, a trove of leaked documents appearing to be from i-Soon shed light on the country’s commercial cyberespionage industry — revealing hacking contracts with public agencies, a repository of targets and years of chats among employees.

Yin Kecheng and Zhou Shuai

The other two indictments, filed in a District of Columbia federal court, charge Yin Kecheng and Zhou Shuai with being prolific actors in the APT27 threat group. Zhou is known in the Chinese hacking community as “Coldface,” prosecutors said.

The DOJ also seized internet domains and server accounts used by both men to facilitate their hacking campaigns. 

The State Department issued $2 million bounties on both men but said they are residing in China and remain at large. 

Both began hacking for profit as far back as 2013 and are part of an APT27 subgroup known in the private sector as Silk Typhoon or Emissary Panda, according to the indictments. The two and their co-conspirators used PlugX malware and other tools to breach networks and spy on targets. 

“The defendants and their co-conspirators then identified and stole data from the compromised networks by exfiltrating it to servers under their control. Next, they brokered stolen data for sale and provided it to various customers, only some of whom had connections to the PRC government and military,” the Justice Department said. 

“For example, Zhou sold data stolen by Yin through i-Soon, whose primary customers, as noted above, were PRC government agencies, including the MSS and the MPS.”

Prosecutors said Yin and Zhou are profit-driven, targeting a wide array of U.S.-based technology companies, think tanks, law firms, defense contractors, local governments, health care systems, universities and more. 

Yin specifically was accused in January of being involved in the recent hack of the Treasury Department, which lasted from about September to December 2024. 

Justice Department and FBI officials declined to provide more information on the Treasury breach, telling reporters that the incident is still being investigated. 

But they noted that virtual private servers used to conduct the Treasury intrusion belonged to, and were controlled by, an account that Yin and his co-conspirators established. 

“Yin and his co-conspirators used that same account and other linked accounts they controlled to lease servers used for additional malicious cyber activity,” prosecutors said. “The seizure warrant unsealed today allowed the FBI to seize the virtual private servers and other infrastructure used by the defendants to perpetrate these crimes.”

Yin was sanctioned for his alleged role in the Treasury attack in January. The Treasury department on Wednesday unveiled corresponding sanctions on Zhou and his cybersecurity company Shanghai Heiying Information Technology. 

Zhou is majority owner of the company and has employed numerous known China-backed malicious cyber actors, including Yin.

Wide range of targets

The Treasury Department said Zhou has acted as a prolific data broker since at least 2018, selling stolen data and access to compromised networks. U.S. victims of Zhou and Yin include technology companies, a defense industrial base contractor, a communications service provider, an academic health system affiliated with a university, and a government county municipality.

Treasury officials said in 2020, Zhou “appeared to be working from a set of intelligence requirements that included targets within the United States, Russia, and Western Europe.” They added that the requirements “almost certainly originated from the CCP’s intelligence services.”

He was tasked with obtaining telecommunications data, border crossing data, data on personnel in religious research, data on media industry personnel, and data on public servants.

Justice Department officials told reporters that Zhou is a significant figure in China’s hacking community.

Eugenio Benincasa, a senior cyberdefense researcher at the Center for Security Studies at ETH Zurich, told Recorded Future News the case against Zhou was “particularly interesting as it adds to former patriotic hackers being exposed as working for the State.”

Zhou, i-Soon’s CEO Wu Haibo, and several others named in the indictments were previously members of China’s first hacktivist group, known as the Green Army, which in the late 1990s offered its hacking services to China’s government.

The leaders of i-Soon and another company linked to Chinese state-backed hacking, Integrity Tech, “are also former Green Army members, but this one definitely stands out as one of China’s most famous/talented legacy hackers still around with a lot of close personal connections to other top hackers,” added Benincasa.

The investigations behind the indictments were conducted by the DOJ, FBI, Treasury, State Department and the Naval Criminal Investigative Service. Microsoft, Mandiant, Volexity and PwC assisted, the DOJ said. 

The Justice Department noted that Microsoft published research on Wednesday outlining tactics used in recent years by China’s Silk Typhoon hackers. Microsoft accused Silk Typhoon of being behind the January exploitation of a vulnerability in products from prominent tech company Ivanti, which are used widely across U.S. federal and state governments.

Alexander Martin contributed to this story.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.