WASHINGTON D.C. – In a decisive move against state-sponsored cyber threats, the U.S. Department of Justice (DOJ) has unsealed indictments against Chinese nationals Yin Kecheng (尹可成), 38, and Zhou Shuai (周帅), 45, exposing a years-long hacking campaign targeting a wide range of U.S. entities, including the Department of the Treasury. Alongside the indictments, the department announced the seizure of internet domains and a Virtual Private Server (VPS) account used in the intrusions, underscoring the escalating battle against foreign actors seeking to undermine U.S. national security and economic interests.
The indictments, unsealed by the U.S. Attorney’s Office for the District of Columbia, allege that Yin and Zhou, operating with ties to the People’s Republic of China (PRC) government, engaged in extensive cyber espionage activities from 2011 to the present day. These activities, which caused millions of dollars in damages, involved the theft and exfiltration of sensitive data from U.S.-based technology companies, think tanks, defense contractors, government municipalities, and universities.
State-Sponsored Cyber Warfare: A Pattern of Impunity
The DOJ’s actions highlight the PRC government’s alleged role in promoting and protecting large-scale computer hacking activities. According to court documents, the PRC Ministry of Public Security (MPS) and Ministry of State Security (MSS) directed or financed hackers like Yin and Zhou to conduct intrusions against high-value targets in the U.S. and elsewhere. Victims included U.S.-based critics and dissidents of the PRC, a large religious organization, foreign ministries of multiple Asian governments, and U.S. federal and state agencies, including a recent 2024 breach.
The PRC government reportedly employed an extensive network of private companies and contractors to obscure its direct involvement in these intrusions. This arrangement also let the hackers profit from additional intrusions worldwide and sell stolen data through Chinese data brokers while operating under the state’s protection. The result was the loss of sensitive, commercially valuable, and personally identifiable information, causing direct harm to U.S. entities and foreign governments.
Domain and VPS Seizures: Disrupting the Hacker Infrastructure
In conjunction with the indictments, the DOJ announced the judicially authorized seizure of internet domains linked to Yin and a VPS account linked to Zhou, both used to facilitate network intrusion activity. The Department of the Treasury also announced sanctions against Zhou and his company, Shanghai Heiying Information Technology Company, Limited, following the sanctions imposed on Yin in January 2025 for his role in the compromise of the Treasury network disclosed in late 2024.
“These indictments and actions show this Office’s long-standing commitment to vigorously investigate and hold accountable Chinese hackers and data brokers who endanger U.S. national security and other victims across the globe,” said U.S. Attorney Edward R. Martin, Jr. “The defendants in these cases have been hacking for the Chinese government for years, and these indictments lay out the strong evidence showing their criminal wrongdoing. We, again, demand that the Chinese government put a stop to these brazen cyber criminals who are targeting victims across the globe and then monetizing the data they have stolen by selling it across China.”
FBI and NCIS Collaboration: Tracking Malicious Actors
The FBI and Naval Criminal Investigative Service (NCIS) played pivotal roles in the investigation. “The defendants allegedly waged a yearslong hacking campaign against U.S.-based organizations to steal their data and sell it to various customers, some of whom had connections to the Chinese government,” said FBI Acting Assistant Director in Charge Roman Rozhavsky. “Today’s indictment is the first step toward bringing these perpetrators to justice for endangering U.S. national security and causing significant financial losses for both U.S. and foreign companies. The FBI and our partners will continue to pursue these hostile cyber actors to the full extent of the law.”
NCIS Cyber Operations Field Office Special Agent in Charge Josh Stanley emphasized the threat posed to national security. “The defendants’ years-long hacking conspiracy to steal data from Cleared Defense Contractors that support the U.S. military—among many other U.S.-based victims—and sell it to customers with ties to the Chinese government poses a significant threat to our national security. NCIS remains committed to working with the FBI and our law enforcement partners around the world to expose malicious actors who seek to undermine the cybersecurity of the Department of the Navy.”
A Decade-Long Investigation: Unmasking Multiple Threat Groups
The announcement reflects nearly a decade of investigative work by the DOJ and FBI, targeting activity that the security industry tracks under a number of overlapping names, including “APT27,” “Threat Group-3390,” “Bronze Union,” “Emissary Panda,” “LuckyMouse,” “Iron Tiger,” “UTA0178,” “UNC5221,” and “Silk Typhoon.” These are vendor-assigned cluster names, and they do not necessarily map one-to-one onto the two defendants or onto each other.
The investigation involved two separate indictments. The first, a 19-count indictment against Yin in 2018, alleged conduct between August 2013 and December 2015, charging wire fraud, aggravated identity theft, and violations of the Computer Fraud and Abuse Act (CFAA). The second indictment, in 2023, charged both Yin and Zhou with similar offenses, including conspiracy, wire fraud, CFAA violations, aggravated identity theft, and money laundering, related to conduct between June 2018 and November 2020.
Technical Details: Sophisticated Hacking Techniques
According to the unsealed documents, Yin, Zhou, and their co-conspirators used sophisticated tools and techniques to defeat network defenses and avoid detection. They scanned victim networks for vulnerabilities, exploited them, and conducted reconnaissance inside the compromised networks. They installed malware to maintain persistent access and to communicate with attacker-controlled external servers, then identified, stole, and exfiltrated data to their own servers. The stolen data was then sold to various customers, including some with ties to the PRC government and military.
Targeting U.S. Victims: Defense Contractors, Tech Firms, and More
Yin specifically targeted U.S.-based defense contractors, technology firms, and think tanks, openly discussing his preference for American victims. He used mapping software to identify vulnerabilities, stole network credentials, and utilized intermediary servers and malicious domains to access and exfiltrate data.
Yin and Zhou also targeted a broader range of victims, including law firms, communication service providers, local governments, healthcare systems, and think tanks. They exploited zero-day vulnerabilities, installed malware such as web shells, and routed exfiltrated data through hop point servers. Zhou brokered access to the stolen data for financial profit, and the pair laundered the cryptocurrency payments used to buy their operational infrastructure.
The seized VPS account was used by Zhou to create VPNs, encrypt network traffic, communicate with buyers interested in compromised networks, and perform reconnaissance of victims. The seized domains were linked to Yin: the funds used to purchase the network infrastructure were traced back to his accounts. Notably, a VPS account controlled by Yin was connected to the Treasury compromise.
International Cooperation and Rewards for Information
The Department of State has offered rewards of up to $2 million each for information leading to the arrest of Yin and Zhou under the Transnational Organized Crime Rewards Program. The Department encourages the public to contact the FBI with any tips.
Private Sector Collaboration: Strengthening Cyber Defense
The investigation benefited from valuable assistance from private sector partners, including Microsoft, Volexity, Palo Alto Networks Unit 42, and Mandiant. Their expertise in threat intelligence and incident response played a crucial role in identifying and tracking the malicious activities of Yin and Zhou.
Legal Implications and Ongoing Investigation
The indictments are merely allegations, and the defendants are presumed innocent until proven guilty in a court of law. However, they underscore the U.S. government’s commitment to holding cybercriminals accountable and protecting national security. The FBI and NCIS continue to investigate malicious cyber activity associated with these defendants and threat actors, notifying affected victims as network intrusions are discovered.
This case serves as a stark reminder of the persistent and evolving threat landscape posed by state-sponsored cyber espionage. The U.S. government’s proactive measures, including indictments, sanctions, and asset seizures, demonstrate its resolve to defend against these threats and protect its critical infrastructure.
An indictment is merely an allegation and a defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
f_ykc_indictment_18-cr-00126.pdf