U.S. law enforcement has uncovered a vast network of hackers linked to Chinese intelligence agencies, indicting them for orchestrating a series of cyberattacks against government institutions and organizations worldwide.
The case revolves around dozens of cybercrimes allegedly carried out by employees of i-Soon, a Chinese company operating under the direct supervision of Beijing’s authorities. Among the accused are two notorious Chinese hackers, Yin (YKC) and Zhou (Coldface), who are believed to have played a central role in the massive breach of the U.S. Department of the Treasury.
i-Soon was actively engaged in cyberattacks targeting foreign entities and individuals deemed critics of the Chinese government. Their primary victims included human rights activists, journalists, religious leaders, as well as government and defense agencies in the U.S. and across Asia. The hackers employed sophisticated techniques to infiltrate networks and extract sensitive information, which was then sold to Chinese security agencies and third parties.
Investigators revealed that hackers earned between $10,000 and $75,000 per compromised email account, reflecting a high demand for stolen data. The scope of interest was so extensive that even organizations with no direct stake in the intelligence were willing to purchase it.
According to U.S. prosecutors, i-Soon evolved into a highly profitable arm of China’s cyber-espionage apparatus, supplying stolen intelligence to dozens of Chinese government agencies. Many cyber intrusions were conducted without specific directives, with stolen data being openly offered for sale to any interested governmental body. This chaotic approach resulted in widespread breaches, leaving numerous organizations worldwide vulnerable to further exploitation.
The U.S. Department of Justice also announced the seizure of domains and servers used to facilitate these cyber operations. Additionally, the U.S. government has placed a $2 million bounty on information leading to the arrest of Yin and Zhou, who are believed to be residing in China, making apprehension difficult. Moreover, ten additional individuals—including i-Soon executives, employees, and Chinese intelligence officers involved in cyberattacks against the U.S.—have been added to the wanted list. The State Department has offered up to $10 million for any intelligence that could help locate or identify the suspects.
A particularly alarming aspect of the investigation is the breach of the U.S. Department of the Treasury, which persisted for several months and ultimately resulted in sanctions against Yin and his company. The probe has also uncovered previously unknown details about these cyberattacks: for years, the hackers systematically collected and monetized sensitive information, operating both as independent mercenaries and as operatives executing directives from Chinese intelligence agencies.
According to the U.S. Department of Justice, Chinese authorities have actively employed private companies and freelance hackers as proxies to obscure their direct involvement in cyberattacks. This strategy allows Beijing to evade direct accountability while still gaining access to valuable intelligence and fostering conditions for future cyber threats.
Additionally, hackers associated with APT27, a well-known Chinese advanced persistent threat (APT) group, have for years infiltrated the servers of government institutions, medical research centers, and tech companies, selling pilfered intelligence to Chinese agencies and external clients. This practice has inflicted millions of dollars in damages and severely undermined digital security worldwide.
According to the U.S. Department of the Treasury, the hackers’ targets included major American technology firms, defense contractors, university-affiliated medical institutions, and municipal agencies. Beyond the U.S., their attacks also impacted organizations in South Korea and Indonesia, as well as journalists and religious figures across Asia. The responsibility for these intrusions has been directly attributed to the APT27 hacking group.
