Office of Public Affairs | Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns | United States Department of Justice

Note: View the indictments in U.S. v. Wu Haibo et al., U.S. v. Yin Kecheng, U.S. v. Zhou Shuai et al. here.

The Justice Department, FBI, Naval Criminal Investigative Service, and Departments of State and the Treasury announced today their coordinated efforts to disrupt and deter the malicious cyber activities of 12 Chinese nationals, including two officers of the People's Republic of China's (PRC) Ministry of Public Security (MPS), employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司), also known as "i-Soon," and members of Advanced Persistent Threat 27 (APT27).

These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC's MPS and Ministry of State Security (MSS) and on their own initiative. The MPS and MSS paid handsomely for stolen data. Victims include U.S.-based critics and dissidents of the PRC, a large religious organization in the United States, the foreign ministries of multiple governments in Asia, and U.S. federal and state government agencies, including the U.S. Department of the Treasury (Treasury) in late 2024.

"The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people," said Sue J. Bai, head of the Justice Department's National Security Division. "Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed. We will continue to fight to dismantle this ecosystem of cyber mercenaries and protect our national security."

"The FBI is committed to protecting Americans from foreign cyber-attacks," said Assistant Director Bryan Vorndran of the FBI's Cyber Division. "Today's announcements reveal that the Chinese Ministry of Public Security has been paying hackers-for-hire to inflict digital harm on Americans who criticize the Chinese Communist Party (CCP). To those victims who bravely came forward with evidence of intrusions, we thank you for standing tall and defending our democracy. And to those who choose to aid the CCP in its unlawful cyber activities, these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see."

According to court documents, the MPS and MSS employed an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government's involvement. In some cases, the MPS and MSS paid private hackers in China to exploit specific victims. In many other cases, the hackers targeted victims speculatively. Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government. The result of this largely indiscriminate approach was more worldwide computer intrusion victims, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties. Additional information regarding the indictments and the PRC's hacker-for-hire ecosystem is available in Public Service Announcements published by the FBI today.

U.S. v. Wu Haibo et al., Southern District of New York

Today, a federal court in Manhattan unsealed an indictment charging eight i-Soon employees and two MPS officers for their involvement, from at least in or around 2016 through in or around 2023, in the numerous and widespread hacking of email accounts, cell phones, servers, and websites. The Department also announced today the court-authorized seizure of the primary internet domain used by i-Soon to advertise its business.

"State-sponsored hacking is an acute threat to our community and national security," said Acting U.S. Attorney Matthew Podolsky for the Southern District of New York. "For years, these 10 defendants, two of whom we allege are PRC officials, used sophisticated hacking techniques to target religious organizations, journalists, and government agencies, all to gather sensitive information for the use of the PRC. These charges will help stop these state-sponsored hackers and protect our national security. The career prosecutors of this office and our law enforcement partners will continue to uncover alleged state-sponsored hacking schemes, disrupt them, and bring those responsible to justice."

The defendants remain at large and wanted by the FBI. Concurrent with today's announcement, the U.S. Department of State's Rewards for Justice (RFJ) program, administered by the Diplomatic Security Service, announced a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, engages in certain malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act. The reward is offered for the following individuals who are alleged to have worked in various capacities to direct or carry out i-Soon's malicious cyber activity.

i-Soon and its employees, to include the defendants, generated tens of millions of dollars in revenue as a key player in the PRC's hacker-for-hire ecosystem. In some instances, i-Soon conducted computer intrusions at the request of the MSS or MPS, including cyber-enabled transnational repression at the direction of the MPS officer defendants. In other instances, i-Soon conducted computer intrusions on its own initiative and then sold, or attempted to sell, the stolen data to at least 43 different bureaus of the MSS or MPS in at least 31 separate provinces and municipalities in China. i-Soon charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully exploited. i-Soon also trained MPS employees how to hack independently of i-Soon and offered a variety of hacking methods for sale to its customers.

The defendants' U.S.-located targets included a large religious organization that previously sent missionaries to China and was openly critical of the PRC government, and an organization focused on promoting human rights and religious freedom in China. In addition, the defendants targeted multiple news organizations in the United States, including those that have opposed the CCP or delivered uncensored news to audiences in Asia, including China, and the New York State Assembly, one of whose representatives had communicated with members of a religious organization banned in China.

The defendants' foreign-located targets included a religious leader and his office, and a Hong Kong newspaper that i-Soon considered as being opposed to the PRC government. The defendants also targeted the foreign ministries of Taiwan, India, South Korea, and Indonesia.

Assistant U.S. Attorneys Ryan B. Finkel, Steven J. Kochevar, and Kevin Mead for the Southern District of New York and Trial Attorney Gregory J. Nicosia Jr. of the National Security Division's National Security Cyber Section are prosecuting the case.

U.S. v. Yin Kecheng and U.S. v. Zhou Shuai et al., District of Columbia

Today, a federal court unsealed two indictments charging APT27 actors Yin Kecheng (尹可成) and Zhou Shuai (周帅), also known as "Coldface," for their involvement in the multi-year, for-profit computer intrusion campaigns dating back, in the case of Yin, to 2013. The Department also announced today court-authorized seizures of internet domains and computer server accounts used by Yin and Zhou to facilitate their hacking activity.

The defendants remain at large. View the FBI's Wanted posters for Shuai and Kecheng here.

Concurrent with today's announcement, the Department of State's Bureau of International Narcotics and Law Enforcement Affairs is announcing two reward offers under the Transnational Organized Crime Rewards Program (TOCRP) of up to $2 million each for information leading to the arrests and convictions, in any country, of malicious cyber actors Yin Kecheng and Zhou Shuai, both Chinese nationals residing in China.

"These indictments and actions show this office's long-standing commitment to vigorously investigate and hold accountable Chinese hackers and data brokers who endanger U.S. national security and other victims across the globe," said Interim U.S. Attorney Edward R. Martin Jr. for the District of Columbia. "The defendants in these cases have been hacking for the Chinese government for years, and these indictments lay out the strong evidence showing their criminal wrongdoing. We again demand that the Chinese government put a stop to these brazen cyber criminals who are targeting victims across the globe and then monetizing the data they have stolen by selling it across China."

The APT27 group to which Yin and Zhou belong is also known to private sector security researchers as Threat Group 3390, Bronze Union, Emissary Panda, Lucky Mouse, Iron Tiger, UTA0178, UNC 5221, and Silk Typhoon. As alleged in court documents, between August 2013 and December 2024, Yin, Zhou, and their co-conspirators exploited vulnerabilities in victim networks, conducted reconnaissance once inside those networks, and installed malware, such as PlugX malware, that provided persistent access. The defendants and their co-conspirators then identified and stole data from the compromised networks by exfiltrating it to servers under their control. Next, they brokered stolen data for sale and provided it to various customers, only some of whom had connections to the PRC government and military. For example, Zhou sold data stolen by Yin through i-Soon, whose primary customers, as noted above, were PRC government agencies, including the MSS and the MPS.

The defendants' motivations were financial and, because they were profit-driven, they targeted broadly, rendering victim systems vulnerable well beyond their pilfering of data and other information that they could sell. Between them, Yin and Zhou sought to profit from the hacking of numerous U.S.-based technology companies, think tanks, law firms, defense contractors, local governments, health care systems, and universities, leaving behind them a wake of millions of dollars in damages.

The documents related to the seizure warrants, also unsealed today, further allege that Yin and Zhou continued to engage in hacking activity, including Yin's involvement in the recently announced hack of Treasury between approximately September and December 2024. Virtual private servers used to conduct the Treasury intrusion belonged to, and were controlled by, an account that Yin and his co-conspirators established. Yin and his co-conspirators used that same account, and other linked accounts they controlled, to lease servers used for additional malicious cyber activity. The seizure warrant unsealed today allowed the FBI to seize the virtual private servers and other infrastructure used by the defendants to perpetrate these crimes.

On Jan. 17, Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against Yin for his role in hacking that agency between September and December 2024. Concurrent with today's indictments, OFAC also announced sanctions on Zhou and Shanghai Heiying Information Technology Company Ltd., a company operated by Zhou for purposes of his hacking activity.

Private sector partners are also taking voluntary actions to raise awareness and strengthen defenses against the PRC's malicious cyber activity. Today, Microsoft published research that highlights its unique, updated insights into Silk Typhoon tactics, techniques, and procedures, specifically its targeting of the IT supply chain.

Assistant U.S. Attorneys Jack F. Korba and Tejpal S. Chawla for the District of Columbia and Trial Attorney Tanner Kroeger of the National Security Division's National Security Cyber Section are prosecuting the case.

The above disruptive actions targeting PRC malicious cyber activities were the result of investigations conducted by FBI New York and Washington Field Offices, FBI Cyber Division, and the Naval Criminal Investigative Service. The U.S. Attorneys' Offices for the Southern District of New York and District of Columbia and the National Security Division's National Security Cyber Section are prosecuting the case.

The Department acknowledges the value of public-private partnerships in combating advanced cyber threats and recognizes Microsoft, Volexity, PwC, and Mandiant for their valuable assistance in these investigations.

The details in the above-described indictments and warrants are merely allegations. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.