The Justice Department has charged 12 Chinese nationals for their alleged involvement in global hacker-for-hire activities. According to court documents, targets included the U.S. Treasury Department, journalists, and religious organisations. The attacks aimed to steal data and suppress free speech.
The indictment names two officers of China’s Ministry of Public Security, eight employees of a private company known as both Anxun Information Technology and i-Soon, and two members of the hacking group Advanced Persistent Threat 27. All remain at large.
“The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people,” said Sue J. Bai, head of the department’s National Security Division, in a press release.
“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed. We will continue to fight to dismantle this ecosystem of cyber mercenaries and protect our national security.”
i-Soon was hired by the government officials to carry out attacks in the U.S. and abroad
The two Ministry of Public Security officers allegedly hired i-Soon employees as freelance hackers between 2016 and 2023 to steal data while obscuring the government's involvement. The hackers broke into the email accounts, mobile phones, servers, and websites of specific targets as well as of victims chosen speculatively.
i-Soon’s U.S.-based targets included a religious group critical of the Chinese government, a China-focused human rights group, news organisations opposing the Chinese Communist Party or delivering uncensored news to Asia, a state research university, a New York State Assembly representative linked to a religious group banned in China, and multiple government departments.
Beyond targeting political opponents, i-Soon operated as a profit-driven cyber mercenary firm.
Non-U.S. targets included a religious leader and their office, a Hong Kong newspaper opposed to the Chinese government, and the foreign ministries of Taiwan, India, South Korea, and Indonesia. The U.S. Attorney's Office for the Southern District of New York says these targets were of interest either because of their criticism of the Chinese government or because of their communication with the U.S.
i-Soon allegedly conducted hacking operations both at the request of Chinese intelligence agencies and on its own initiative, selling the stolen data to them afterwards. It also trained Ministry of Public Security employees to carry out intrusions themselves, and sold a range of cyber tools, including phishing, password-cracking, and system-infiltration software.
Its platforms targeted email, social media, and operating systems, with one tool specifically designed to hijack Twitter (now X) accounts. Using this tool, operators could send victims phishing links that, once opened, gave the operator access to the account while bypassing its security controls. They could then manipulate public opinion by posting, deleting, liking, and reposting tweets from the hijacked account.
i-Soon, which at times had more than 100 employees, is thought to have generated tens of millions of dollars in revenue, charging its Chinese government customers between approximately $10,000 and $75,000 for each email inbox it successfully exploited.
In addition to the charges, the Justice Department has seized several of the internet domains i-Soon used to advertise its business, including ecoatmosphere.org, newyorker.cloud, heidrickjobs.com, and maddmail.site.
Two APT27 members sold stolen data to the government via i-Soon and other organisations
The APT27 members, Yin “YKC” Kecheng, 38, and Zhou “Coldface” Shuai, 45, also sold stolen data to organisations with links to the Chinese government, including i-Soon, over a period of years. They allegedly targeted U.S. defense contractors, technology firms, government agencies — including the Treasury — local governments, law firms, healthcare systems, and foreign ministries in Asia, resulting in millions of dollars in damages.
Between August 2013 and December 2024, they used advanced hacking techniques, including scanning for zero-day vulnerabilities and installing malware such as web shells to maintain persistent access to victim networks. They stole credentials and used hop-point servers to exfiltrate data, while using encrypted VPNs and VPS accounts to conceal their activities.
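The web-shell and hop-point tradecraft described above leaves a recognisable footprint in ordinary web-server access logs: an executable script appearing in a directory meant for static files, hammered with POST requests from a single address with no Referer header. The script below is an added illustration for this page, not code from the indictment or from any party named on it. It runs a heuristic triage over constructed Apache combined-format log lines; the IP addresses, paths, timestamps and the KNOWN_PATHS deployment manifest are assumptions made for the example.

```python
"""Heuristic web-shell triage over web-server access logs.

Added example for this page; not code from the indictment, i-Soon, or any
named party. The log lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Server-side script extensions an attacker would drop a shell as.
SCRIPT_EXT = (".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx")
# Directories that should hold static content, never executable scripts.
STATIC_DIRS = ("/uploads/", "/images/", "/media/", "/static/", "/tmp/")

# Paths the application is known to ship (assumed deployment manifest).
KNOWN_PATHS = {"/index.php", "/login.php", "/api/search.php"}

# Constructed sample traffic: normal logins plus one dropped shell.
SAMPLE_LOG = """
198.51.100.10 - - [04/Mar/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.10 - - [04/Mar/2025:10:00:05 +0000] "GET /login.php HTTP/1.1" 200 2048 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.10 - - [04/Mar/2025:10:00:09 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/login.php" "Mozilla/5.0"
198.51.100.22 - - [04/Mar/2025:10:01:00 +0000] "GET /login.php HTTP/1.1" 200 2048 "https://example.test/index.php" "Mozilla/5.0"
198.51.100.22 - - [04/Mar/2025:10:01:04 +0000] "POST /login.php HTTP/1.1" 302 0 "https://example.test/login.php" "Mozilla/5.0"
198.51.100.22 - - [04/Mar/2025:10:01:10 +0000] "GET /images/logo.png HTTP/1.1" 200 8810 "https://example.test/index.php" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2025:02:13:40 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 11 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2025:02:13:52 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 1342 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2025:02:14:03 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 96 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2025:02:14:30 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 20488 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2025:02:15:11 +0000] "POST /uploads/avatar.php HTTP/1.1" 200 58 "-" "python-requests/2.31.0"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(lines, known_paths, min_hits=3):
    """Group requests by script path and score each against web-shell traits.

    A path is reported when it shows at least two of:
      - not in the deployment manifest (unexpected executable)
      - located under a directory meant for static/uploaded files
      - POST-dominated traffic (commands submitted in request bodies)
      - every hit from a single client (the operator's hop point)
      - no Referer on any request (tooling rather than a browser)
    """
    stats = defaultdict(lambda: {"get": 0, "post": 0, "ips": set(), "referer": 0})
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s["ips"].add(rec["ip"])
        if rec["method"] == "POST":
            s["post"] += 1
        else:
            s["get"] += 1
        if rec["referer"] != "-":
            s["referer"] += 1

    findings = []
    for path, s in sorted(stats.items()):
        total = s["get"] + s["post"]
        if total < min_hits:
            continue  # too little traffic to judge
        reasons = []
        if path not in known_paths:
            reasons.append("not in deployment manifest")
        if path.startswith(STATIC_DIRS):
            reasons.append("script under static/upload directory")
        if s["post"] / total >= 0.75:
            reasons.append(f"POST-heavy ({s['post']}/{total})")
        if len(s["ips"]) == 1:
            reasons.append("single client IP " + next(iter(s["ips"])))
        if s["referer"] == 0:
            reasons.append("no Referer on any request")
        if len(reasons) >= 2:
            findings.append({"path": path, "ips": sorted(s["ips"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG.strip().splitlines(), KNOWN_PATHS):
        print(f["path"], f["ips"], "; ".join(f["reasons"]))
```

On the constructed sample this reports only /uploads/avatar.php, driven from 203.0.113.7, and leaves the legitimate login traffic alone. These are triage heuristics, not proof: confirm a hit by comparing the file on disk against the deployment manifest or package hashes, and treat the lone client address as a lead to enrich (a commercial VPS provider or VPN egress is consistent with the hop-point pattern above) rather than as the operator's real location.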
Yin allegedly discussed openly his desire to target American victims, telling an associate he wanted to “mess with the American military” and “break into a big target” so that he could earn enough money to buy a car. He had already been sanctioned, in January 2025, for his role in the late-2024 breach of the Treasury Department.
Along with the individual charges, the U.S. Attorney's Office for the District of Columbia has seized the virtual private server account and internet domains that facilitated the pair's criminal activities.
Rewards of up to $2 million each are now available under the State Department's Rewards for Justice programme for information leading to the arrests and convictions of Yin and Zhou. Separately, the programme is offering up to $10 million for information leading to the identification or location of any person who engages in malicious cyber activities against U.S. critical infrastructure while acting under the direction of a foreign government.