The Department of Justice Uncovers Alleged Worldwide Hacking Service Network of ‘Digital Soldiers’


The Justice Department has charged twelve Chinese individuals for their suspected participation in worldwide hacking-for-hire operations. According to court documents, their targets included the U.S. Treasury Department, journalists, and religious organizations. The operations were intended to steal data and suppress free speech.

The charges name two officers of China’s Ministry of Public Security, eight employees of Anxun Information Technology and i-Soon, and two members of the Advanced Persistent Threat 27 (APT27) hacking group. All remain at large.

“The Justice Department will relentlessly pursue those who jeopardize our cybersecurity by pilfering from our government and society,” said Sue J. Bai, head of the department’s National Security Division, in a news release.

“Today, we are exposing the Chinese government agents guiding and fostering indiscriminate and irresponsible assaults against computers and networks globally, along with the assisting organizations and individual hackers they have set in motion. We will persist in battling to dismantle this network of digital soldiers and safeguard our national security,” she added.

Officials contracted i-Soon to carry out attacks in the United States and overseas

The two government officers allegedly hired i-Soon employees as freelance hackers from 2016 to 2023 to steal data while concealing their involvement. The hackers broke into email accounts, smartphones, servers, and websites belonging to specific and suspected targets.

i-Soon’s U.S.-based targets included a religious group critical of the Chinese government, a human rights organization focused on China, media outlets that oppose the Chinese Communist Party or deliver uncensored news in Asia, a state research university, a New York State Assembly representative associated with a religious group banned in China, and multiple government agencies.

Besides pursuing political adversaries, i-Soon operated as a financially motivated cyber-mercenary firm.

International targets included a religious leader and their office, a Hong Kong newspaper opposed to the Chinese government, and the foreign ministries of Taiwan, India, South Korea, and Indonesia. According to a press release from the U.S. Attorney’s Office for the Southern District of New York, these targets were selected either for their criticism of the Chinese government or for their communication with the U.S.

i-Soon allegedly carried out hacking operations both on behalf of Chinese intelligence agencies and on its own initiative, selling the stolen data to them. It trained Ministry of Public Security personnel to hack independently and sold a range of hacking tools, including phishing, password-cracking, and system-intrusion software.

The tools i-Soon used targeted email, social media, and operating systems, with one tool built specifically to take over Twitter (now X) accounts. With this tool, hackers could send victims deceptive links that, once clicked, gave the hackers control of the account, circumventing its security measures. They could then manipulate public opinion by sending, deleting, liking, and sharing Tweets.

i-Soon, which at times employed more than 100 people, is believed to have generated tens of millions of dollars for the Chinese government, charging between approximately $10,000 and $75,000 for each successfully breached email inbox.

In addition to bringing the charges, the Justice Department has seized several primary internet domains that i-Soon used to advertise its services, including ecoatmosphere.org, newyorker.cloud, heidrickjobs.com, and maddmail.site.

The government purchased stolen data from two APT27 members through i-Soon and other entities

The APT27 members, Yin “YKC” Kecheng, 38, and Zhou “Coldface” Shuai, 45, also sold stolen data over a period of years to organizations linked to the Chinese government, including i-Soon. Their alleged targets included U.S. defense contractors, tech companies, government departments (including the Treasury), local governments, law firms, healthcare systems, and foreign ministries in Asia, and the intrusions caused multimillion-dollar losses.

Between August 2013 and December 2024, they used sophisticated hacking techniques, including scanning for unknown software vulnerabilities and deploying malware such as web shells to maintain persistent access to victim networks. They stole credentials and used relay servers to exfiltrate data while masking their activity behind encrypted VPNs and VPS accounts.

Yin allegedly spoke openly of his wish to target American victims, expressing a desire to disrupt the American military and to breach a major target to earn enough money to buy a vehicle. He had previously been penalized for his involvement in hacking the Treasury Department toward the end of 2024.

Alongside the charges against these individuals, the U.S. Attorney’s Office for the District of Columbia has seized the Virtual Private Server account and internet domains that facilitated their unlawful operations.

Rewards of up to $2 million each are being offered for information that leads to the arrest and conviction of Yin and Zhou. Separately, the Justice Department is offering rewards of up to $10 million for information that reveals the identity or whereabouts of any individual engaging in malicious cyber activity against U.S. critical infrastructure while acting under a foreign government’s direction.
