Press Release

Chinese Nationals with Ties to the PRC Government and “APT27” Charged in a Computer Hacking Campaign for Profit, Targeting Numerous U.S. Companies, Institutions, and Municipalities

For Immediate Release
U.S. Attorney's Office, District of Columbia
Department Seizes Virtual Private Server Account and Domains Tied to Malicious Activity to include the U.S. Department of Treasury Hack

            WASHINGTON – A federal judge in Washington, D.C., today unsealed two separate indictments that allege Chinese nationals Yin Kecheng, 38, (尹 可成) a/k/a “YKC” (“YIN”) and Zhou Shuai, 45, (周帅) a/k/a “Coldface” (“ZHOU”) violated various federal statutes by participating in years-long, sophisticated computer hacking conspiracies that successfully targeted a wide variety of U.S.-based victims from 2011 to the present day. According to the documents unsealed today, the defendants targeted a multitude of U.S. victim companies, municipalities, and organizations for profit, causing millions of dollars’ worth of damages. YIN and ZHOU, who have ties to the government of the People’s Republic of China (“PRC”), are alleged to have stolen and exfiltrated data from numerous U.S.-based technology companies, think tanks, defense contractors, government municipalities, and universities, which they later brokered for sale. Arrest warrants have been issued for YIN and ZHOU, who both remain fugitives.

            The unsealing by the U.S. Attorney’s Office for the District of Columbia is part of a coordinated effort by the Department of Justice (the “Department”), other U.S. Attorney’s Offices, the U.S. Department of Treasury (“Treasury”), and private sector partners that highlights the Chinese government’s unique role in intentionally promoting and protecting wide-scale computer hacking activity by its citizens. According to court documents unsealed today, the PRC Ministry of Public Security (“MPS”) and Ministry of State Security (“MSS”) directed or financed Chinese hackers, such as the defendants, to conduct computer intrusions against high-value targets in the United States and elsewhere. Victims include U.S.-based critics and dissidents of the PRC, a large religious organization in the United States, the foreign ministries of multiple governments in Asia, and U.S. federal and state government agencies, including most recently in 2024.

            According to court documents, the MPS and MSS employed an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government’s direct involvement. By employing these hackers-for-hire, the PRC government further allowed these same hackers to profit by committing additional computer intrusions around the world with impunity, and then to sell stolen data through Chinese data brokers. The PRC government’s state-sponsorship and protection of these hackers resulted in the loss of sensitive, valuable and personal identification information that was a direct harm to U.S. entities and other foreign governments and victims.

            In conjunction with the unsealing, the Department announced the judicially authorized seizure of internet domains linked to YIN that he used to facilitate the conspiracy’s network intrusion activity. In addition, the Department announced the judicially authorized seizure of a Virtual Private Server (“VPS”) account linked to ZHOU that he used to facilitate network intrusion activity. In conjunction with these actions, Treasury announced sanctions against ZHOU and his company, Shanghai Heiying Information Technology Company, Limited (“Shanghai Heiying”). YIN was previously sanctioned in January 2025 for his role in the recent Treasury network compromise.

“These indictments and actions show this Office’s long-standing commitment to vigorously investigate and hold accountable Chinese hackers and data brokers who endanger U.S. national security and other victims across the globe,” said U.S. Attorney Edward R. Martin, Jr. “The defendants in these cases have been hacking for the Chinese government for years, and these indictments lay out the strong evidence showing their criminal wrongdoing. We, again, demand that the Chinese government put a stop to these brazen cyber criminals who are targeting victims across the globe and then monetizing the data they have stolen by selling it across China.”

            “The defendants allegedly waged a yearslong hacking campaign against U.S.-based organizations to steal their data and sell it to various customers, some of whom had connections to the Chinese government,” said FBI Acting Assistant Director in Charge Roman Rozhavsky of the FBI Washington Field Office. “Today's indictment is the first step toward bringing these perpetrators to justice for endangering U.S. national security and causing significant financial losses for both U.S. and foreign companies. The FBI and our partners will continue to pursue these hostile cyber actors to the full extent of the law.”

            “The defendants’ years-long hacking conspiracy to steal data from Cleared Defense Contractors that support the U.S. military—among many other U.S.-based victims—and sell it to customers with ties to the Chinese government poses a significant threat to our national security,” said NCIS Cyber Operations Field Office Special Agent in Charge Josh Stanley. “NCIS remains committed to working with the FBI and our law enforcement partners around the world to expose malicious actors who seek to undermine the cybersecurity of the Department of the Navy.”

            “The Department of State appreciates the opportunity to collaborate with the Department of Treasury, FBI, and the U.S. Attorney’s Office for the District of Columbia in announcing today’s actions,” said Senior Bureau Official F. Cartwright Weiland of the Department of State’s Bureau of International Narcotics and Law Enforcement Affairs (INL). “With reward offers up to $2 million each for malicious cyber actors Zhou Shuai and Yin KeCheng under the Transnational Organized Crime Rewards Program, we ask the public to contact the FBI with tips to help bring these cybercriminals to justice.”

Overview

            Today’s announcement reflects a nearly decade-long effort by the Department and the FBI. The action targets actors that various security researchers have historically referred to as “APT27,” “Threat Group 3390,” “Bronze Union,” “Emissary Panda,” “Lucky Mouse,” and “Iron Tiger,” and more recently as “UTA0178,” “UNC 5221,” and “Silk Typhoon.”

            The Department obtained a 19-count indictment against YIN on May 2, 2018 (the “2018 Indictment”) from a grand jury sitting in the United States District Court for the District of Columbia. The 2018 Indictment, which alleges conduct between August 2013 and December 2015, charges wire fraud, aggravated identity theft, and violations of the Computer Fraud and Abuse Act (“CFAA”).

            Another federal grand jury in the District of Columbia indicted both YIN and ZHOU on March 28, 2023 (the “2023 Indictment”), with similar offenses. Specifically, the 2023 Indictment, which alleges conduct between June 2018 and November 2020, charges conspiracy, wire fraud, various violations of the CFAA, aggravated identity theft, and money laundering.

            On March 4, 2025, a federal magistrate judge sitting in the District of Columbia authorized the FBI to seize a VPS account and multiple internet domains involved in the criminal activity. According to the unsealed affidavits in support of those warrants, ZHOU utilized the VPS account to create additional accounts used to facilitate computer intrusion activity and to discuss the sale of access to compromised computer networks. Separately, YIN utilized his own servers and stood up the seized domains to exploit victim computer networks, including networks at Treasury.

Computer Hacking Scheme

            As alleged in the documents unsealed today, at various points between August 2013 and December 2024, YIN, ZHOU, and their unindicted co-conspirators used sophisticated hacking tools and techniques in their efforts to overcome network defenses and avoid detection at numerous hardened targets in the United States and around the world. The defendants and their co-conspirators would routinely scan victim networks for vulnerabilities, exploit those vulnerabilities with sophisticated hacking techniques, and conduct reconnaissance once inside a victim’s network. The defendants and their co-conspirators would install malware that allowed them to maintain persistent access and to communicate with malicious external servers and other hacking infrastructure. The defendants and their co-conspirators would identify and steal data from the compromised networks by exfiltrating it to servers under their control. The stolen data was then brokered for sale and provided to various customers, some of whom had connections to the PRC government and military.

Targeting of U.S. Victims

            According to the 2018 Indictment, YIN targeted U.S.-based defense contractors, technology firms, and think tanks, among other victims. The 2018 Indictment alleges YIN openly discussed his preference for targeting American victims. For example, on one occasion in September 2013, YIN told an associate he wanted to “mess with the American military” and “break into a big target” so that he could earn enough money to buy a car. YIN used mapping software to identify network vulnerabilities for the purpose of gaining unlawful access to victim computers and installing malware. YIN used stolen network credentials to maintain persistent access to victim networks and utilized intermediary servers, or “hop points,” and malicious domains to remotely access and exfiltrate victim computer data.

            According to the 2023 Indictment, YIN, ZHOU, and others targeted U.S.-based companies such as technology and defense contractors, law firms, communication service providers, local governments, health care systems, and think tanks. The 2023 Indictment charges YIN and ZHOU with scanning victim networks for access points and also exploiting zero-day vulnerabilities. Once inside the networks, YIN and other conspirators would install malware such as web shells to maintain persistent access. YIN and other conspirators would then use hop point servers to exfiltrate stolen data to servers under YIN’s control. ZHOU then brokered access to such stolen data to interested third parties for financial profit. The indictment further alleges that YIN, ZHOU, and other conspirators laundered cryptocurrency payments for their operational infrastructure from locations outside of the United States through the U.S. financial system.

            The affidavit in support of the seizure warrant for the VPS account alleges that ZHOU used servers created through the account to establish a virtual private network (“VPN”) that would encrypt network traffic such that the true location and IP address of the actor or actors would be obfuscated. ZHOU also used the VPS account to create other accounts through which he communicated with buyers who were interested in obtaining access to computer networks compromised by YIN. ZHOU also used the accounts for victim reconnaissance purposes.

            The affidavit in support of the seizure of the domains alleges that funds used to purchase computer network infrastructure used in numerous victim network breaches ultimately connected to an account registered in YIN’s name, from China, using an email address and phone number belonging to YIN. Of particular note, a virtual private server account controlled by YIN was associated with the compromise at Treasury.

            This case is being investigated by the FBI’s Washington Field Office and the Naval Criminal Investigative Service (NCIS), which continue to investigate malicious cyber activity associated with these defendants and threat actors and continue to notify affected victims immediately once any network intrusions are discovered. The FBI’s Cyber Division and the Department of Defense’s Cyber Crimes Center provided valuable assistance to the investigation. Private partners from Microsoft, Volexity, Palo Alto Networks Unit 42, and Mandiant also provided valuable assistance with this investigation. The case is being prosecuted by Assistant U.S. Attorneys Jack F. Korba and Tejpal S. Chawla, and National Security Division’s National Security Cyber Section Trial Attorney Tanner Kroeger. Paralegal Specialist Michael Watts and former Assistant U.S. Attorneys Demian Ahn and Opher Shweiki of the United States Attorney’s Office for the District of Columbia provided assistance on this case.

            An indictment is merely an allegation, and a defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

Updated March 5, 2025

Topics: Cybercrime, National Security
Press Release Number: 25-101