The US Justice Department on Wednesday unsealed indictments charging employees of a Chinese cybersecurity firm known as i-Soon (Anxun Information Technology) with conducting extensive hacking campaigns on behalf of Beijing’s security services.
Prosecutors say i-Soon employees acted as “hackers-for-hire,” breaching email networks, government databases, and corporate systems at the direction of China’s Ministry of Public Security (MPS) and the Ministry of State Security (MSS).
The indictments come a year after an unauthorized and highly unusual online dump of documents from i-Soon that catalog apparent hacking activity and tools to spy on both Chinese and foreigners.
Among the apparent targets of tools provided by the impacted company, i-Soon, were ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China’s far west.
The i-Soon leak revealed, in detail, methods used by Chinese authorities to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media.
According to the Justice Department, the group’s victims ranged from US federal and state agencies, including a late-2024 breach of the Department of the Treasury, to American journalists, human rights activists, and Chinese pro-democracy dissidents abroad.
According to court filings, the hackers stole sensitive data and even carried out cyber operations to silence critics of Beijing, as part of what officials describe as a coordinated campaign of espionage and repression.
“Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government,” the department said in a statement.
“The result of this largely indiscriminate approach was more worldwide computer intrusion victims, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third-parties.”
The Justice Department also announced the court-authorized seizure of the primary internet domain used by i-Soon to advertise its business.
The US government is also offering a reward for a list of Chinese nationals who are alleged to have worked in various capacities to direct or carry out i-Soon’s malicious cyber activity:
Wu Haibo (吴海波), Chief Executive Officer
Chen Cheng (陈诚), Chief Operating Officer
Wang Zhe (王哲), Sales Director
Liang Guodong (梁国栋), Technical Staff
Ma Li (马丽), Technical Staff
Wang Yan (王堰), Technical Staff
Xu Liang (徐梁), Technical Staff
Zhou Weiwei (周伟伟), Technical Staff
Wang Liyu (王立宇), MPS Officer
Sheng Jing (盛晶), MPS Officer
The department also unsealed two separate indictments charging APT27 actors Yin Kecheng (尹可成) and Zhou Shuai (周帅), also known as “Coldface,” for their involvement in multi-year, for-profit hacking campaigns dating back to 2013.