US Offers $14 Million Reward for Capturing 12 Chinese Hackers

On March 6, 2025, the U.S. Department of Justice, FBI, Naval Criminal Investigative Service, Department of State, and Treasury Department jointly announced that they have taken action to combat malicious cyber activities originating from China. This operation targeted 12 Chinese citizens, including two members of the Chinese Public Security Bureau, employees of China’s Anxun Information Technology Co., Ltd. (i-Soon), and members of APT27 (Advanced Persistent Threat Group 27).

According to the charges, the Chinese Public Security and Intelligence departments use a “hire-a-hacker” model, which includes the APT27 organization, to suppress freedom of speech and dissenting voices globally and to steal data from international organizations. These actions have raised serious concern in the U.S., prompting the government to take measures to prevent and deter related cyber attacks.

Currently, the 12 defendants are still at large and are wanted by the FBI. The U.S. Department of State has collectively offered a reward of up to $14 million for information that aids in identifying or locating these hackers.

Court documents reveal that the Chinese Public Security Bureau and Ministry of State Security conceal official involvement by hiring private enterprises and contractors to carry out hacking attacks and steal sensitive information. In addition to conducting computer intrusions against specific targets as directed by the Public Security Bureau and Ministry of State Security, Anxun also attacks indiscriminately, infiltrating vulnerable computer systems and subsequently selling the data to the Chinese government or third parties. This not only widens the pool of victims worldwide but also exposes more systems to the risk of attack.

The indictment unveiled by the Manhattan Federal Court shows that between 2016 and 2023, the Anxun hacker group launched large-scale attacks on email accounts, phones, servers, and websites. The U.S. Department of Justice has been authorized by the court to seize Anxun’s main domain used for business promotion.

According to the charges, Anxun charged the Public Security Bureau and Ministry of State Security between $10,000 and $75,000 for each successful intrusion into email accounts. It also provided hacker training, assisted the Public Security Bureau in executing independent hacker attacks, and even supplied various attack tools.

In the U.S., the targets included a large religious organization that had sent missionaries to China and openly criticized the Chinese Communist Party, an organization dedicated to promoting human rights and religious freedom in China, numerous news media outlets, particularly those reporting on sensitive issues related to the CCP, and a New York State Assembly member.

Overseas targets included a religious leader and their office, a Hong Kong newspaper that covers Hong Kong politics and has continued to do so to this day, as well as diplomatic departments in Taiwan, India, South Korea, and Indonesia.

U.S. Acting Southern District Prosecutor Matthew Podolsky stated, “State-sponsored hacking activities by China pose a serious threat to our communities and national security. Over the years, these 10 defendants have launched hacker attacks against religious organizations, journalists, and government agencies, collecting sensitive information for the Chinese government. These charges will help combat such hacker actions and protect U.S. national security.”

China employs private enterprises to launch hacking attacks globally to suppress dissent, while APT27 targets various U.S. institutions through cyber attacks for profit.

On the same day, federal court indictments were unveiled in the District of Columbia, charging members of the Chinese hacker organization APT27, Yin Kecheng and Zhou Shuai (alias “Cold Face”), with engaging in prolonged cyber attacks, with Yin Kecheng’s actions tracing back to 2013. The FBI has issued arrest warrants, with the U.S. Department of State offering a maximum reward of $4 million for information leading to the arrest and conviction of these individuals.

The indictments show that the two individuals targeted numerous U.S. technology companies, think tanks, law firms, defense contractors, local governments, healthcare systems, and universities to profit illegally. They exploited vulnerabilities in the systems of the targeted institutions, gained access to the compromised networks for reconnaissance, installed malicious software such as PlugX for persistent access, and then sold the stolen data to various clients.

For example, Zhou Shuai profited significantly by selling, through Anxun, the sensitive information stolen by Yin Kecheng, resulting in losses amounting to hundreds of millions of dollars for U.S. technology, defense, healthcare, and other industries. Anxun’s primary clients included Chinese government agencies such as the Public Security Bureau and Ministry of State Security.

Additionally, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on Yin Kecheng, Zhou Shuai, and their hacker company, Shanghai Blackhawk Information Technology Co., Ltd. The FBI has also been authorized to seize relevant virtual servers and infrastructure.

Anxun suffered a data breach last year, and the leaked internal employee conversations revealed that its core business included designing Trojan viruses and implanting malicious software to infiltrate target systems and steal information.

This case once again exposes the global impact of Chinese hacker operations. The U.S. Department of Justice urges all sectors to enhance precautions to protect sensitive information from attacks. Governments, businesses, and individuals should increase cybersecurity awareness, avoid clicking suspicious links or downloading unknown software, and implement security measures such as enabling Multi-Factor Authentication (MFA), using strong passwords, regularly updating systems and antivirus software, monitoring abnormal login activities, and regularly reviewing account login records.

Furthermore, the business community is enhancing defense measures. Microsoft released a report yesterday analyzing APT27’s latest tactics, with a focus on attacks on IT supply chains. The report covers the “Silk Typhoon” tactics, techniques, and procedures (TTPs) and provides corresponding defense recommendations.