The U.S. Department of Justice (DOJ) has unsealed indictments against 12 Chinese nationals, accusing them of a decade-long cyber espionage campaign that targeted the U.S. Treasury Department, government agencies, journalists, and religious organizations.
The accused include two officers of China’s Ministry of Public Security and several employees of i-Soon, a Chinese cybersecurity firm alleged to be a major player in Beijing’s “hacker-for-hire” ecosystem. The hackers allegedly infiltrated email accounts, stole sensitive data, and sold access to compromised networks, with many of their operations directly or indirectly benefiting the Chinese government.
The cyberattacks were not limited to the United States. Prosecutors detailed intrusions into the foreign ministries of Taiwan, India, South Korea, and Indonesia, as well as breaches involving a Hong Kong newspaper and a major U.S.-based religious organization that has been critical of China.
The indictments shed light on how China’s intelligence agencies leveraged private contractors and freelance hackers to conduct cyber intrusions while maintaining plausible deniability.
As part of the U.S. response, the Treasury Department imposed sanctions on Shanghai Heiying Information Technology and its founder, Zhou Shuai, for their role in trafficking stolen data and providing hacking services to Chinese government clients.
Why It Matters: These charges mark one of the most significant U.S. law enforcement actions against Chinese cyber activities in recent years, underscoring Washington’s increasing focus on countering state-sponsored hacking. The indictment highlights the growing role of private firms like i-Soon in China’s cyber warfare strategy, which blurs the line between state-backed espionage and commercial cybercrime. With the U.S. Treasury Department directly targeted, the case raises concerns about the vulnerability of critical government institutions to foreign cyber threats.
- Hack of the U.S. Treasury: The DOJ linked Chinese hacker Yin Kecheng to a 2024 cyberattack on the U.S. Treasury, lasting from September to December. Prosecutors said Yin and his co-conspirators used virtual private servers under their control to breach government systems. The U.S. Treasury responded by sanctioning both Yin and his associate, Zhou Shuai, whose company Shanghai Heiying Information Technology was accused of selling stolen data and access to compromised networks.
- i-Soon’s Role in Cyber Espionage: The indictments describe i-Soon as a key player in China’s cyber activities, working closely with the Ministry of Public Security and the Ministry of State Security. Employees of i-Soon allegedly sold access to hacked email accounts for between $10,000 and $75,000 per inbox. The company also trained Chinese law enforcement officers in hacking techniques and developed tools for government use.
- Wider Scope of Attacks: Beyond the U.S. Treasury, the hackers targeted American news organizations, a large U.S. religious group that sends missionaries to China, and human rights organizations. Internationally, they breached the foreign ministries of Taiwan, South Korea, India, and Indonesia, as well as a Hong Kong newspaper.
- Indictments and Bounties: The DOJ unveiled three separate indictments: one in New York charging eight i-Soon employees and two Ministry of Public Security (MPS) officers, and two in Washington, D.C., against Yin Kecheng and Zhou Shuai. The FBI and State Department have placed a $10 million bounty for information on their whereabouts. All 12 defendants remain at large in China.
US Charges Chinese Nationals in Cyberattacks on Treasury, Dissidents and More – The Record
US Indicts Slew of Alleged Chinese Hackers, Sanctions Company Over Spy Campaign – Reuters