Under Pressure: US Charges China's APT-for-Hire Hackers
WASHINGTON, DC — The US Justice Department has charged 12 Chinese nationals accused of participating in a state-backed hack-for-hire operation that allegedly targeted dissidents, journalists, human rights groups, and multiple foreign ministries. The indictment names employees of the Chinese tech firm i-Soon and members of the APT27 hacking group, including actors tied to the Treasury Department breach disclosed in January.
The Indictments
Those charged include eight i-Soon employees, two officers from China’s Ministry of Public Security (MPS), and two members of APT27. Prosecutors allege that since 2016, i-Soon has operated as a hacking-for-hire vendor for Chinese security services, charging between $10,000 and $75,000 per compromised email inbox. In addition to carrying out cyber intrusions, i-Soon is accused of training MPS employees to hack independently and selling intrusion tools to outside customers.
APT27 actors Yin Kecheng and Zhou Shuai face separate indictments accusing them of a decade of intrusions into US organizations, ranging from municipalities to corporations. Kecheng, previously sanctioned for his role in the Treasury breach, is now formally charged with acting as a hacker for hire on behalf of Beijing’s intelligence apparatus.
Targets and Tactics
According to the Department of Justice, victims included US-based critics of Beijing, a major religious organization, journalists, NGOs, and government agencies in India, Indonesia, South Korea, and Taiwan. The cases highlight how hackers for hire blur the line between state operations and mercenary cybercrime. The defendants allegedly conducted intrusions both at the direction of the MPS and MSS and on their own initiative for profit.
The Justice Department also announced seizures of domains and server accounts linked to the campaigns, including the primary site used by i-Soon to advertise its services. The State Department is offering rewards of up to $2 million each for information leading to the capture of Yin and Zhou.
China’s Shadow Cyber Strategy
The connection between China’s government agencies and private contractors is well documented. A leak of over 500 documents in 2024 exposed i-Soon’s internal operations, showing how the firm functioned as a "secret APT" offering mercenary-style services while serving official state interests. Reports from CrowdStrike confirm a 150% increase in PRC-linked threat activity from 2023 to 2024, underscoring China’s dominance in nation-state cyber operations.
Political Pressure and Global Messaging
While extradition of the accused is unlikely, experts say the indictments serve a strategic purpose. By publicly naming and charging hackers for hire, US authorities aim to "name and shame" operators, disrupt their activities, and increase pressure on Beijing. Sanctions, domain seizures, and public exposure shrink the operating space for these cyber mercenaries and signal that their identities are known.
"These charges are one of the tools the US government can leverage," said Adam Meyers of CrowdStrike. "They send a message: we know who you are, we know what you are doing. Even without extradition, attribution and sanctions disrupt adversary operations and put global pressure on Beijing."
The indictments show the growing trend of hacker-for-hire models being absorbed into state strategies, where the line between private contractors and government-backed APTs becomes nearly indistinguishable.