The U.S. Department of Justice (DOJ) has officially indicted 12 individuals linked to a decade-long, state-sponsored hacking campaign. The group is accused of infiltrating over 100 American organizations, including the U.S. Treasury, as part of a sophisticated “hacker-for-hire” ecosystem operating out of China.
State-Sponsored Espionage and Financial Gain
Senior DOJ officials confirmed that the indicted individuals, ranging from private contractors to Chinese law enforcement officers, targeted entities globally. The primary motives behind these intrusions included the suppression of free speech, the targeting of religious groups, and large-scale financial extortion.
Among those charged, Yin Kecheng and Zhou Shuai are identified as key figures associated with the state-backed group APT27, also known as Silk Typhoon. Prosecutors allege the pair have conducted “multi-year, for-profit” operations since 2013, stealing sensitive data to sell to third parties, including entities with ties to the Chinese government.
Exploiting Critical Infrastructure
The hackers gained unauthorized access by weaponizing vulnerabilities in essential enterprise software. According to newly released research from Microsoft, the group targeted flaws in:
- Microsoft Exchange
- Palo Alto Networks firewalls
- Citrix NetScaler appliances
- Ivanti Pulse Connect Secure appliances
While Ivanti stated it could not verify the specific attribution of the attacks, the company confirmed that patches were deployed immediately following the discovery of the security flaws.
The I-Soon Connection and Treasury Breach
The investigation further implicates eight employees of I-Soon, a known Chinese hacking contractor. This group, which includes the company’s CEO and COO, allegedly generated tens of millions of dollars by conducting intrusions for Chinese security agencies and selling stolen data on their own initiative.
Yin Kecheng, who was previously sanctioned by the Treasury Department in February 2025, is directly linked to the massive December 2024 breach of the U.S. Treasury. The FBI has successfully seized the virtual private servers and infrastructure utilized by Yin to facilitate these intrusions.
Global Manhunt and Rewards
The targeted organizations span a wide range of sectors, including U.S. technology firms, defense contractors, healthcare systems, think tanks, and news organizations. The defendants remain at large, prompting the U.S. government to take aggressive action.
The U.S. Department of State’s Rewards for Justice program is offering up to $10 million for information leading to the capture of I-Soon employees. Additionally, a $2 million bounty is offered for information resulting in the arrest and conviction of Yin and Zhou.
