10 Chinese Nationals Charged With Large-Scale Hacking Of U.S. And International Victims On Behalf Of The Chinese Government

Matthew Podolsky, the Acting United States Attorney for the Southern District of New York; Sue J. Bai, the Head of the U.S. Department of Justice’s National Security Division; and Leslie R. Backschies, the Acting Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), announced the unsealing of a two-count criminal Indictment charging 10 defendants with a years-long hacking scheme committed through the Chinese company i-Soon.  At the direction of the People’s Republic of China (“PRC”) government, i-Soon employees hacked and attempted to hack victims across the globe, including a large religious organization in the U.S., critics and dissidents of the PRC government, a state legislative body, U.S. government agencies, the ministries of foreign affairs of multiple governments in Asia, and news organizations. i-Soon’s victims were of interest to the PRC government because, among other reasons, they were prominent overseas critics of the PRC government or because the PRC government considered them threatening to the rule of the Chinese Communist Party.  The 10 defendants remain at large.

Acting U.S. Attorney Matthew Podolsky said: “State-sponsored hacking is an acute threat to our community and national security. For years, these 10 defendants—two of whom we allege are PRC officials—used sophisticated hacking techniques to target religious organizations, journalists, and Government agencies, all to gather sensitive information for the use of the PRC. These charges will help stop these state-sponsored hackers and protect our national security. The career prosecutors of this Office and our law enforcement partners will continue to uncover alleged state-sponsored hacking schemes, disrupt them, and bring those responsible to justice.”

National Security Division Head Sue J. Bai said: “The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people. Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed. We will continue to fight to dismantle this ecosystem of cyber mercenaries and protect our national security.”  

Acting Assistant Director in Charge Leslie R. Backschies said: “The charges announced today expose the PRC’s continued attempts to spy on and silence anyone it deems threatening to the Chinese Communist Party. As alleged in the indictment, the Chinese government tried to conceal its efforts by working through a private company, but their actions amount to years of state-sponsored hacking of religious and media organizations, numerous government agencies in multiple countries, and dissidents around the world who dared criticize the regime. The FBI will continue to work tirelessly to disrupt our adversaries’ use of emerging technology to silence dissent and undermine the rule of law across the globe.”

As alleged in the Indictment:[1]

The PRC’s Ministry of State Security (“MSS”) had responsibility for the PRC’s domestic counterintelligence, non-military foreign intelligence, and aspects of the PRC’s political and domestic security. The PRC’s Ministry of Public Security (“MPS”) had responsibility for the PRC’s public and political security, including responsibility for law enforcement. To acquire information of interest to the PRC government in a manner that obscured their involvement, the PRC’s MSS and MPS used an extensive network of private companies and contractors in China to conduct unauthorized computer intrusions (“hacks”) in the U.S. and elsewhere.

One of those private companies was i-Soon.  From approximately 2016 through 2023, i-Soon and its personnel engaged in the numerous and widespread hacking of email accounts, cell phones, servers, and websites at the direction of, and in close coordination with, the PRC’s MSS and MPS. i-Soon generated tens of millions of dollars in revenue and at times had over 100 employees.

i-Soon’s primary customers were PRC government agencies.  It worked with at least 43 different MSS or MPS bureaus and charged the MSS and MPS between approximately $10,000 and $75,000 for each email inbox it successfully hacked.

The victims of i-Soon’s hacking included:

• A newspaper based in New York, New York, that publishes news related to China and is opposed to the Chinese Communist Party.
• An additional newspaper based in New York, New York.
• The U.S. Defense Intelligence Agency, an agency within the Department of Defense that specializes in defense and military intelligence.
• The U.S. Department of Commerce and the International Trade Administration, an agency within the Department of Commerce that promotes U.S. exports and defends against unfair trade practices.
• A religious organization based in the U.S. that has thousands of churches and congregations and millions of members.
• A Texas-based organization founded by a prominent critic of the PRC government focused on promoting human rights and religious freedom in China.
• A news service funded by the U.S. government that delivers uncensored domestic news to audiences in Asian countries, including China, and is headquartered in Washington, D.C.
• A state research university in the U.S.
• The New York State Assembly, a part of the legislature of the state of New York.
• A religious leader who lived outside of China and the U.S.
• A newspaper based in Hong Kong, China, that has actively covered the politics of Hong Kong and continues to do so today.
• The foreign ministry of Taiwan.
• The foreign ministry of India.
• The foreign ministry of South Korea.
• The foreign ministry of Indonesia.

In many instances, the PRC government was particularly interested in these victims because they had criticized the PRC government.  In other instances, the PRC government was particularly interested in foreign ministries because those foreign ministries were in communication with the U.S.

In some instances, i-Soon conducted its hacking at the direct request of the MSS or MPS. In other instances, i-Soon conducted hacks on its own initiative and then sold, or attempted to sell, the stolen data to different bureaus of the MSS or MPS.

i-Soon also trained MPS employees how to hack independently of i-Soon and offered a variety of hacking methods for sale to its customers.  i-Soon touted what it called a “industry-leading offensive and defensive technology” and a “zero-day vulnerability arsenal” used to successfully hack computer systems.  One of i-Soon’s products was software called the “Automated Penetration Testing Platform.” i-Soon advertised the platform’s ability to send email phishing attacks, to create files with malware that could provide access to victims’ computers if opened, and to clone websites of victims in order to induce them to submit personal information. An image of the interface for the Automated Penetration Testing Platform is below:

Another of i-Soon’s products was software that allowed the user to gain unauthorized access to online accounts or computer systems by deciphering passwords—also called “password cracking.” This platform was called the “Divine Mathematician Password Cracking Platform.” An image of the interface for the Divine Mathematician Password Cracking Platform is below:

i-Soon also sold software specifically designed to target victim accounts on a variety of computer systems and applications, including Microsoft Outlook; Gmail, the email service provided by Google LLC; the social media network X, formerly known as Twitter; the cellphone operating system Android; and the computer operating systems Windows, Macintosh, and Linux. i-Soon advertised its bespoke software as being able to overcome the unique defenses of these systems.

For example, with respect to Twitter, i-Soon sold software with the capability to send a victim a spear phishing link and then to obtain access to and control over the victim’s Twitter account. The software had the ability to access Twitter even without the victim’s password and to bypass multi-factor authentication. After a victim’s Twitter was compromised, the software could send tweets, delete tweets, forward tweets, make comments, and like tweets. The purpose of this software was to help i-Soon’s customers, including the PRC government, use hacked Twitter accounts to understand public opinion outside of China. For example, the software could be set to keep track of keywords appearing in tweets or messages. i-Soon referred to this software as its “Public Opinion Guidance and Control Platform (Overseas).” An image from the “Public Opinion Guidance and Control Platform (Overseas)” is below:

The 10 defendants charged are WU HAIBO, a/k/a “shutd0wn,” a/k/a “Boss Wu,” a/k/a “吴海波,” the Chief Executive Officer, and leader, of i-Soon; CHEN CHENG, a/k/a “lengmo,” a/k/a “Chief C,” a/k/a “Jesse Chen,” a/k/a “陈诚,” the Chief Operating Officer of i-Soon; WANG YAN, a/k/a “crysolo,” a/k/a “王堰,” the leader of one of i-Soon’s “penetration testing” teams; WANG ZHE, a/k/a “ken73224,” a/k/a “王哲,” the Sales Director of i-Soon; ZHOU WEIWEI, a/k/a “nullroot,” a/k/a “周伟伟,” the leader of i-Soon’s “Technology Research and Development Center”; WANG LIYU, a/k/a “PICNIC350116,” a/k/a “王立宇,” an MPS officer based in Chengdu, China; and SHENG JING, a/k/a “sjbible,” “盛晶,” the defendant, an MPS officer based in Shenzhen, China.

If you have information leading to the identification or location of these 10 defendants, please reach out to the Department of State at rewardsforjustice.net.

*               *                *

HAIBO, 43; CHENG, 40; GUODONG, 32; LI, 31; YAN, 35; ZHE, 44; WEIWEI, 37; LIANG, 28; LIYU, 36; and JING, 36, all nationals of China, are charged with conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison, and conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison. 

The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendants will be determined by a judge.

Mr. Podolsky praised the outstanding work of the FBI.

The case is being prosecuted by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorneys Ryan B. Finkel, Steven J. Kochevar, and Kevin Mead are in charge of the prosecution.  Trial Attorney Gregory J. Nicosia Jr. of the National Security Division’s National Security Cyber Section provided valuable assistance.

The charges contained in the Indictment are merely accusations, and the defendants are presumed innocent unless and until proven guilty.