
The U.S. Department of Justice (DOJ), in collaboration with the FBI and other federal agencies, has unsealed indictments charging 12 Chinese nationals with involvement in a large-scale, state-sponsored cyber intrusion campaign.
The individuals include two officers from the People’s Republic of China’s (PRC) Ministry of Public Security (MPS), employees of Anxun Information Technology Co. Ltd. (also known as "i-Soon"), and members of the APT27 hacking group (LuckyMouse, EmissaryPanda).
Hackers-for-hire Yin Kecheng, 38 (尹可成), aka YKC, and Zhou Shuai, 45 (周帅), also known as "Coldface," both from the APT27 group (tracked as Aquatic Panda, RedHotel, or Charcoal Typhoon), are among the recently indicted.
The accused, who remain at large at the moment, used sophisticated hacking techniques to infiltrate email accounts, servers, and websites of identified victims, the government release says. The FBI offers a reward for the MPS officers and i-Soon members who were linked to the threat actor.
U.S. officials disclosed that the campaign aimed to suppress free speech, conduct surveillance, and steal sensitive data worldwide, often benefiting the PRC’s Ministry of State Security (MSS) and MPS, which paid large sums for the exfiltrated data.
Acting independently and on behalf of the PRC and MSS, the hackers used platforms to gain unauthorized access while systematically retaining sensitive information. Payment for successful exploits ranged from $10,000 to $75,000 per targeted email or dataset.
High-profile targets included U.S.-based government agencies, critics of the Chinese Communist Party, a large religious organization critical of the PRC, foreign ministries in Asia, and media outlets that provide uncensored content to Chinese-language audiences.
According to court documents, the cyber operations were part of a larger hacker-for-hire ecosystem funded by the PRC government. Members of i-Soon reportedly cast a wide net, regularly selling stolen data to Chinese government entities and other buyers.
The campaign generated tens of millions in revenue over years of operations, targeting both domestic Chinese critics and international organizations.
Federal prosecutors moved to disrupt further hacking attempts. Court-authorized seizures targeted internet domains used by i-Soon and APT27.
Concurrently, the Department of State offered rewards of up to $10 million for information leading to the identification or location of those behind cyber threats against U.S. critical infrastructure.
Private sector partners, including Microsoft, Mandiant, Volexity, and PwC, are also working alongside federal agencies to strengthen defenses against similar attacks.