The United States Department of Justice unveiled charges against twelve Chinese nationals on March 5, 2025, accusing them of orchestrating a sophisticated global cyber espionage campaign targeting critical American infrastructure, government agencies, and dissidents.
The indictments mark a significant escalation in Washington’s efforts to counter what officials describe as China’s increasingly aggressive cyber operations against U.S. national security interests.
Federal prosecutors detailed how ten alleged hackers-for-hire, along with two Chinese government officials, operated within a complex web of state-sponsored cyber activities.
The accused individuals, including employees of a private hacking company known as i-Soon, allegedly conducted advanced persistent threat (APT) operations under directives from China’s Ministry of Public Security.
The hackers functioned as what one senior FBI official described as “cyber mercenaries,” exploiting vulnerable systems and extracting sensitive data that was subsequently sold to Chinese government security services.
“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide,” stated Sue J. Bai, head of the DOJ’s National Security Division.
Sophisticated Attack Vectors and Targets
The hackers reportedly employed multiple attack vectors, including backdoor exploitations, access control breaches, and authentication bypass techniques to penetrate secure networks.
Among the high-profile targets were the U.S. Treasury Department, which acknowledged a significant breach last year, and the Defense Intelligence and Commerce departments.
Beyond U.S. government entities, the campaign extended to foreign ministries in Taiwan, South Korea, India, and Indonesia, the New York State Assembly, and various religious and media organizations critical of China.
According to the Foundation for Defense of Democracies (FDD), Zhou Shuai and Yin Kecheng are among those charged; they are accused of stealing information from extremely sensitive U.S. vital infrastructure as early as 2013 in order to support China’s defense industry.
The two frequently worked together to target infrastructure and to steal and sell important information from the defense industrial base.
They are recognized members of Silk Typhoon, the hacker collective that gained access to Treasury’s networks in late 2024 by breaching a government contractor.
According to the indictment, the DOJ disclosed that Zhou had been collecting data on border crossings, telecommunications, and individuals employed in the media, civil service, and religion studies for the previous five years under a stringent set of guidelines provided by the MSS.
Further, the indictments shed light on what U.S. officials characterize as a booming “hacking-for-hire ecosystem” in China, where private companies like i-Soon operate with tacit government approval.
This arrangement provides Chinese state security forces with plausible deniability while maintaining operational effectiveness.
Wu Haibo, the founder of i-Soon and a former member of China’s first hacktivist group, Green Army, allegedly oversaw and directed many of these hacking operations.
US Warns of Ongoing Chinese Espionage
According to Justice Department representatives, all twelve individuals indicted remain at large in China. The Chinese Embassy in Washington promptly condemned the indictments and associated sanctions, urging the U.S. to refrain from using cybersecurity issues as a pretext to “defame” China.
Despite these denials, U.S. authorities maintain that the evidence points to a deliberate, state-sponsored intelligence-gathering campaign designed to advance Chinese interests at the expense of American national security.
U.S. officials view these indictments as merely “one phase in a much more extensive battle” against China’s cyber threats.
They warn that Chinese state-backed hackers continue to target broad segments of American organizations and critical infrastructure using increasingly sophisticated methods.
The case highlights the changing landscape of international cyberwarfare, in which nation-states use private organizations to carry out espionage while seemingly avoiding direct government intervention.