The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking more than 100 American organizations, including the U.S. Treasury, over the course of a decade.
The charged individuals all played a “key role” in China’s hacker-for-hire ecosystem, a senior DOJ official said on a background call with reporters, including TechCrunch, on Wednesday. The official added that those charged, who include contract hackers and Chinese law enforcement officials, targeted organizations in the U.S. and worldwide for the purposes of “suppressing free speech and religious freedoms.”
The DOJ also confirmed that two of the indicted individuals are linked to the China government-backed hacking group APT27, or Silk Typhoon.
The two individuals, named as Yin Kecheng and Zhou Shuai, are accused of carrying out “multi-year, for-profit computer intrusion campaigns” dating back to 2013. Prosecutors say these campaigns allowed the two individuals to steal data from victim organizations before selling that information to third parties, some of which had links to the Chinese government.
The two hackers gained access to victims’ networks by exploiting multiple security flaws in widely used enterprise software, according to the DOJ’s now-unsealed indictment. New research from Microsoft published on Wednesday confirms the hackers exploited flaws in Microsoft Exchange, Palo Alto Networks firewalls, Citrix NetScaler appliances, and Ivanti Pulse Connect Secure appliances as recently as January.
Ivanti’s chief security officer Daniel Spicer told TechCrunch that the company “can’t speak” to Microsoft’s attribution, but said it moved quickly to patch the bug.
Organizations targeted by Yin and Zhou include U.S.-based technology companies, think tanks, law firms, defense contractors, local governments, healthcare systems, and universities, said U.S. prosecutors.
Yin has also been linked to the recent widespread hack of the U.S. Treasury in December 2024. Yin was sanctioned by the Treasury Department’s Office of Foreign Assets Control in February, after the Treasury linked Yin to China’s Ministry of State Security (MSS), the intelligence agency responsible for the country’s foreign intelligence collection.
According to the DOJ, the FBI has seized the virtual private servers and other infrastructure used by Yin to carry out the hack on the U.S. Treasury.
The Justice Department also on Wednesday announced charges against eight employees of Chinese government hacking contractor I-Soon, including its chief executive and chief operating officer, along with two alleged officers of China’s Ministry of Public Security, the government agency that oversees public policing in the country.
According to the DOJ, the I-Soon employees were involved in a widespread hacking campaign from 2016 to 2023, generating “tens of millions of dollars.” The I-Soon employees are also accused of carrying out hacks at the request of China’s security agencies, as well as carrying out intrusions on their “own initiative” before selling the stolen data to the Chinese government.
This hacking campaign saw the I-Soon employees target a number of U.S.-based organizations, prosecutors say, including a religious organization that was critical of the Chinese government, an organization focused on promoting religious freedoms in China, and several U.S. news organizations.
Data stolen by Yin was also sold through I-Soon, prosecutors say, though it’s unclear if this includes data stolen during the breach at the U.S. Treasury.
The defendants remain at large. The U.S. Department of State’s Rewards for Justice program has announced a reward of up to $10 million for information that helps track down any employees of I-Soon. Separately, a reward of $2 million is being offered for information that leads to the arrest and conviction of Yin and Zhou.