U.S. Indicts 12 Chinese Nationals for Government-Backed Cyber Attacks
The U.S. Department of Justice (DoJ) has filed charges against 12 Chinese nationals for allegedly orchestrating a global scheme to steal data and suppress free speech.
Among those charged are two officers from China’s Ministry of Public Security (MPS), eight employees of the ostensibly private firm Anxun Information Technology Co. Ltd. (安洵信息技术有限公司), also known as i-Soon, and members of the cyberespionage group Advanced Persistent Threat 27 (APT27), also referred to as Budworm, Bronze Union, Emissary Panda, Lucky Mouse, and Iron Tiger.
The individuals named in the indictment are:
- Wu Haibo (吴海波) – CEO
- Chen Cheng (陈诚) – COO
- Wang Zhe (王哲) – Sales Director
- Liang Guodong (梁国栋) – Technical Staff
- Ma Li (马丽) – Technical Staff
- Wang Yan (王堰) – Technical Staff
- Xu Liang (徐梁) – Technical Staff
- Zhou Weiwei (周伟伟) – Technical Staff
- Wang Liyu (王立宇) – MPS Officer
- Sheng Jing (盛晶) – MPS Officer
- Yin Kecheng (尹可成) – APT27 actor, aka “YKC”
- Zhou Shuai (周帅) – APT27 actor, aka “Coldface”
According to the DoJ, these cyber operatives, whether working as freelancers or i-Soon employees, carried out cyber intrusions on behalf of China’s MPS and Ministry of State Security (MSS), often for financial gain. The MPS and MSS reportedly paid substantial sums for stolen data.
Court filings reveal that Chinese authorities relied on a network of private firms and contractors to infiltrate organizations worldwide while obscuring government involvement. Between 2016 and 2023, the accused individuals allegedly hacked into email accounts, mobile devices, servers, and websites.
The FBI stated in a court filing that cybersecurity experts track i-Soon’s activities under the moniker Aquatic Panda (aka RedHotel), while APT27 is associated with Silk Typhoon, UNC5221, and UTA0178. The agency also emphasized that the Chinese government collaborates with both official and freelance hackers to compromise networks globally.
U.S. Response and Monetary Rewards
The U.S. Department of State’s Rewards for Justice (RFJ) program has offered up to $10 million for information leading to the identification or location of individuals engaging in cyberattacks against U.S. critical infrastructure on behalf of foreign governments.
Additionally, a $2 million reward is available for information leading to the arrest or conviction of Zhou Shuai and Yin Kecheng, who are accused of orchestrating cyber intrusions for profit since 2011, including deploying PlugX malware to maintain long-term access to compromised systems.
i-Soon’s Role in China’s Cyber Operations
The DoJ described i-Soon as a major player in China’s hacker-for-hire ecosystem, earning tens of millions of dollars. The company allegedly charged between $10,000 and $75,000 per compromised email inbox.
While some of i-Soon’s intrusions were commissioned by the MSS and MPS—including cyber-enabled transnational repression—the company also sold stolen data independently to at least 43 different bureaus of the MSS or MPS across 31 provinces and municipalities in China.
High-Profile Targets
i-Soon’s hacking campaigns targeted:
- A large religious organization in the U.S.
- Critics and dissidents of the Chinese government
- A U.S. state legislative body
- Various U.S. government agencies
- Ministries of foreign affairs across multiple Asian governments
- News organizations
Seizure of i-Soon Domains
As part of the operation, the DoJ has seized four domains linked to i-Soon and APT27:
- ecoatmosphere.org
- newyorker.cloud
- heidrickjobs.com
- maddmail.site
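The four seized domains are the only indicators the article gives, so the check a defender would run is a retrospective search of retained DNS or proxy logs for any lookup of these names or their subdomains. The following is an added example, not code from the article, the DoJ, or any of the firms mentioned: the log lines are constructed, the three-field log format (timestamp, client address, queried hostname) is an assumption, and the matching is done on label boundaries so that a lookalike such as `notnewyorker.cloud` does not register as a hit.

```python
"""Retrospective IoC check: flag log lines whose queried hostname falls under
one of the four domains named in the DoJ seizure (ecoatmosphere.org,
newyorker.cloud, heidrickjobs.com, maddmail.site).

Added example; the log format and the sample lines below are constructed
for illustration and are not taken from any real dataset."""

from typing import List, Optional, Tuple

# Domains exactly as listed in the seizure announcement.
SEIZED_DOMAINS = frozenset({
    "ecoatmosphere.org",
    "newyorker.cloud",
    "heidrickjobs.com",
    "maddmail.site",
})


def matches_seized_domain(hostname: str) -> Optional[str]:
    """Return the seized domain that `hostname` equals or is a subdomain of,
    or None. Normalises case and a trailing dot (as DNS logs often emit
    FQDNs), and matches only on label boundaries so that lookalike names
    such as 'notnewyorker.cloud' are not false positives."""
    host = hostname.strip().lower().rstrip(".")
    for domain in SEIZED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, hostname, matched_domain) for every line
    whose queried hostname is under a seized domain. Assumed line format:
    '<timestamp> <client-ip> <hostname>'; malformed lines are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than abort the sweep
        ts, client, host = parts[0], parts[1], parts[2]
        matched = matches_seized_domain(host)
        if matched:
            hits.append((ts, client, host, matched))
    return hits


# Constructed sample log: two true hits, one lookalike, one FQDN with a
# trailing dot and mixed case, and one malformed line.
SAMPLE_LOG = [
    "2025-03-05T10:01:02Z 10.0.0.5 www.example.com",
    "2025-03-05T10:01:09Z 10.0.0.7 cdn.ecoatmosphere.org",
    "2025-03-05T10:02:11Z 10.0.0.9 notnewyorker.cloud",
    "2025-03-05T10:03:40Z 10.0.0.5 NewYorker.Cloud.",
    "2025-03-05T10:04:01Z 10.0.0.12 maddmail.site",
    "garbage",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print("HIT:", hit)
```

Because the domains are now under DoJ control, fresh resolutions no longer reach actor infrastructure; the value of the check is in historical logs covering the 2016 to 2023 window the indictment describes, where a hit identifies a host worth a closer look rather than proof of compromise on its own.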
i-Soon’s Cyber Tools
i-Soon reportedly trained MPS officers in hacking techniques and marketed its cyber tools as “industry-leading offensive and defensive technology.” Among the tools it developed:
- Automated Penetration Testing Platform – Used for phishing, malware delivery, and website cloning.
- Divine Mathematician Password Cracking Platform – Designed to break into services such as Microsoft Outlook, Gmail, and X (formerly Twitter).
- Public Opinion Guidance and Control Platform (Overseas) – A tool that hijacked Twitter (X) accounts, bypassed multi-factor authentication, and enabled unauthorized access, tweet manipulation, and influence operations.
U.S. Condemnation
Acting Assistant Director in Charge Leslie R. Backschies stated that the charges highlight China’s ongoing efforts to spy on and silence critics of the Chinese Communist Party (CCP).
“The PRC government attempted to conceal its involvement by operating through a private company, but these actions amount to years of state-sponsored hacking targeting religious groups, media organizations, government agencies, and dissidents worldwide,” Backschies said.