U.S. Charges Employees of China’s iSoon Cybersecurity Firm in Hacking Scheme

Employees of i-Soon accused of executing widespread hacking operations for China’s security agencies.

The U.S. Department of Justice revealed new indictments on Wednesday, charging individuals employed by the Chinese cybersecurity company i-Soon (Anxun Information Technology) with participating in large-scale cyberattacks on behalf of China’s security organizations.

The prosecution claims that employees of i-Soon acted as “hackers-for-hire,” infiltrating email systems, government databases, and corporate networks under the direction of China’s Ministry of Public Security (MPS) and the Ministry of State Security (MSS).

These charges follow a significant leak that occurred last year, revealing a trove of documents allegedly originating from i-Soon. The leak detailed hacking tactics and surveillance tools used to target both Chinese citizens and foreign entities.

The targets of the cyber tools from i-Soon included activists and ethnic groups in regions of China where anti-government protests have been prevalent, such as Hong Kong and Xinjiang, a heavily Muslim area in western China.

The leaked documents outlined various methods used by Chinese authorities to monitor dissidents outside of China, engage in espionage activities, and promote Beijing’s narrative on global social media platforms.

The U.S. Justice Department noted that the hacking group’s victims included U.S. federal and state agencies—one such incident involved a breach of the Department of the Treasury in late 2024. Other targets included American journalists, human rights defenders, and Chinese pro-democracy dissidents living abroad.

Court documents indicate that these hackers not only stole sensitive information but also executed cyber campaigns aimed at silencing critics of the Chinese government, as part of what is described as a coordinated effort of espionage and political repression.

The Justice Department stated, “Operating with impunity and driven by financial gain, this network of Chinese companies and contractors targeted vulnerable systems worldwide, extracting valuable information that was then sold or shared with the Chinese government.”

The department further emphasized that this approach led to an increased number of global cyber intrusions, leaving countless systems exposed to future breaches, with stolen data sometimes finding its way into the hands of third parties with no direct interest from the Chinese government.

In conjunction with the indictments, the U.S. government announced the seizure of the main internet domain used by i-Soon to promote its activities.

Additionally, a reward is being offered by the U.S. for information leading to the identification of Chinese individuals allegedly involved in directing or executing these cyberattacks. These individuals include:

Wu Haibo (CEO)
Chen Cheng (COO)
Wang Zhe (Sales Director)
Liang Guodong (Technical Staff)
Ma Li (Technical Staff)
Wang Yan (Technical Staff)
Xu Liang (Technical Staff)
Zhou Weiwei (Technical Staff)
Wang Liyu (MPS Officer)
Sheng Jing (MPS Officer)

The Justice Department also unsealed two separate indictments against APT27 members Yin Kecheng (also known as “Coldface”) and Zhou Shuai, who are implicated in a series of profit-driven hacking operations dating back to 2013.
