U.S. Indicts 12 Alleged Chinese Hackers in Cyber Espionage Crackdown
The U.S. Department of Justice (DoJ) has charged 12 Chinese nationals—10 alleged hackers and two government officials—in a sweeping cyber espionage case that exposes the inner workings of China’s hacker-for-hire ecosystem. The group is accused of carrying out global cyberattacks over more than a decade, including breaching the U.S. Treasury Department.
This indictment offers a rare look into China’s state-backed cyber operations, revealing internal communications, attack strategies, and the business dealings of the alleged hackers. The charges highlight the role of i-Soon, a Shanghai-based contractor that worked closely with China’s Ministry of State Security (MSS) and the Ministry of Public Security (MPS).
A Decade-Long Espionage Operation
According to the indictment, the accused individuals operated within China’s hacker-for-hire network, often choosing their own targets and selling stolen data to government agencies or private brokers. Among them is Yin Kecheng, previously sanctioned by the U.S. Treasury for his role in the 2024 breach of the U.S. Treasury Department. His messages, cited in the indictment, reveal a personal fixation on targeting American organizations, stating:
“I just like the Americans, nothing else is as good.”
Yin and Zhou Shuai, an alleged member of APT27 (Silk Typhoon), are accused of hacking U.S. defense contractors, think tanks, law firms, and tech companies. The hackers reportedly sought access to high-value targets but often exploited smaller subsidiaries to gain entry—an approach Yin described as “correct” when discussing strategy with a colleague.
How i-Soon Profited from Cyber Intrusions
i-Soon, which employed at least eight of the accused hackers, allegedly operated on a pay-per-breach model, charging MSS and MPS clients between $10,000 and $75,000 per compromised email inbox. The company worked with 43 different MSS and MPS bureaus across 31 Chinese provinces, making tens of millions of dollars annually. Prosecutors estimate that by 2025, i-Soon projected revenues of $75 million.
The firm reportedly maintained a “zero-day vulnerability arsenal,” supplying exploits for unpatched vulnerabilities, password-cracking tools, and phishing kits disguised as “penetration testing” tools. Targets included:
• U.S. defense and technology firms
• Government agencies and lawmakers (including the New York State Assembly)
• Media organizations and dissidents critical of Beijing
• Religious leaders and researchers flagged by the Chinese government
The December 2024 Treasury Department breach, linked to APT27, stemmed from an intrusion into software contractor BeyondTrust. The hackers allegedly used stolen credentials to infiltrate Treasury systems, compromising the laptops of senior U.S. officials.
A Reckless and Profitable Cybercrime Ecosystem
While Beijing’s cyber operations are often seen as highly coordinated, the indictment highlights the chaotic and profit-driven nature of its hacker-for-hire ecosystem. U.S. officials describe a system where Chinese firms and cybercriminals conduct speculative attacks in search of valuable data—often before government agencies even place an order.
“China is fostering reckless and indiscriminate targeting of vulnerable computers worldwide,” said a senior DoJ official. “Even when Beijing doesn’t directly order an attack, it benefits from the stolen data.”
Exposing and Disrupting China’s Cyber Operations
Although the 12 accused individuals remain at large, the U.S. government is taking a multi-pronged approach to disrupt their activities.
• Sanctions: The Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned i-Soon and several individuals involved in the scheme.
• Financial Disruption: Prosecutors revealed that Yin and Zhou laundered cybercrime profits using cryptocurrency transactions outside of U.S. jurisdiction.
• Public Exposure: The FBI and DoJ aim to expose these cyber mercenaries, making it harder for them to operate internationally.
To further pressure China’s cyber operators, the U.S. State Department has announced rewards ranging from $2 million to $10 million for information leading to their arrest.
A Warning to Beijing’s Cybercriminals
While these hackers may never stand trial in the U.S., officials are making it clear that those who enable China’s cyber espionage will be identified, sanctioned, and exposed.
“To those who choose to aid the CCP in its unlawful cyber activities,” said Bryan Vorndran, assistant director of the FBI’s Cyber Division, “we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.”
With this latest indictment, the U.S. is sending a strong message: China’s cybercriminals are not beyond reach, and their activities will not go unchallenged.














