{
	"id": "7c6add7f-a7cc-4959-90c6-83b88001712e",
	"created_at": "2026-04-06T15:52:37.189306Z",
	"updated_at": "2026-04-10T13:11:59.395063Z",
	"deleted_at": null,
	"sha1_hash": "2b9f0c4efaf6a5a6816646f6b837ad76ad0a8f92",
	"title": "Seven International Cyber Defendants, Including “Apt41” Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53472,
	"plain_text": "Seven International Cyber Defendants, Including “Apt41” Actors,\r\nCharged In Connection With Computer Intrusion Campaigns\r\nAgainst More Than 100 Victims Globally\r\nPublished: 2020-09-16 · Archived: 2026-04-06 15:26:28 UTC\r\nIn August 2019 and August 2020, a federal grand jury in Washington, D.C., returned two separate indictments\r\ncharging five computer hackers, all of whom were residents and nationals of the People’s Republic of China\r\n(PRC), with computer intrusions affecting over 100 victim companies in the United States and abroad, including\r\nsoftware development companies, computer hardware manufacturers, telecommunications providers, social media\r\ncompanies, video game companies, non-profit organizations, universities, think tanks, and foreign governments,\r\nas well as pro-democracy politicians and activists in Hong Kong.\r\n The intrusions, which security researchers have tracked using the threat labels “APT41,” “Barium,” “Winnti,”\r\n“Wicked Panda,” and “Wicked Spider,” facilitated the theft of source code, software code signing certificates,\r\ncustomer account data, and valuable business information.  These intrusions also facilitated the defendants’ other\r\ncriminal schemes, including ransomware and “crypto-jacking” schemes, the latter of which refers to the group’s\r\nunauthorized use of victim computers to “mine” cryptocurrency. \r\nAlso in August 2020, the same federal grand jury returned a third indictment charging two Malaysian businessmen\r\nwho conspired with two of the Chinese hackers to profit from computer intrusions targeting the video game\r\nindustry in the United States and abroad.  Shortly thereafter, the U.S. District Court for the District of Columbia\r\nissued arrest warrants for the two businessmen.  On Sept. 14, 2020, pursuant to a provisional arrest request from\r\nthe United States with a view to their extradition, Malaysian authorities arrested them in Sitiawan.  
The\r\ndepartment appreciates the significant cooperation and assistance provided by the Government of Malaysia,\r\nincluding the Attorney General’s Chambers of Malaysia and the Royal Malaysia Police.\r\nIn addition to arrest warrants for all of the charged defendants, in September 2020, the U.S. District Court for the\r\nDistrict of Columbia issued seizure warrants that resulted in the recent seizure of hundreds of accounts, servers,\r\ndomain names, and command-and-control (“C2”) “dead drop” web pages used by the defendants to conduct their\r\ncomputer intrusion offenses.  The FBI executed the warrants in coordination with other actions by several private-sector companies, which included disabling numerous accounts for violations of the companies’ terms of service. \r\nIn addition, in partnership with the department, Microsoft developed and implemented technical measures to\r\nblock this threat actor from accessing victims’ computer systems.  The actions by Microsoft were a significant part\r\nof the overall effort to deny the defendants continued access to hacking infrastructure, tools, accounts, and\r\ncommand and control domain names.  In coordination with today’s announcement, the FBI has also released a\r\nLiaison Alert System (FLASH) report that contains critical, relevant technical information collected by the FBI for\r\nuse by specific private-sector partners.\r\n“The Department of Justice has used every tool available to disrupt the illegal computer intrusions and\r\ncyberattacks by these Chinese citizens,” said Deputy Attorney General Jeffrey A. Rosen.  
“Regrettably, the Chinese Communist Party has chosen a different path of making China safe for cybercriminals so long as they\r\nattack computers outside China and steal intellectual property helpful to China.”\r\nhttps://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer\r\nPage 1 of 4\r\n“Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and\r\ncoordinated private sector protective actions reveal yet again the department’s determination to use all of the tools\r\nat its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,”\r\nsaid Assistant Attorney General John C. Demers.  “This is the only way to neutralize malicious nation state cyber\r\nactivity.”\r\n“Today’s announcement demonstrates the ramifications faced by the hackers in China but it is also a reminder to\r\nthose who continue to deploy malicious cyber tactics that we will utilize every tool we have to administer justice,”\r\nsaid FBI Deputy Director David Bowdich. “The arrests in Malaysia are a direct result of partnership, cooperation\r\nand collaboration. As the cyber threat continues to evolve larger than any one agency can address, the FBI remains\r\ncommitted to being an indispensable partner to our federal, international and private sector partners to stop\r\nrampant cyber crime and hold those carrying out these kinds of actions accountable.”\r\n“The scope and sophistication of the crimes in these unsealed indictments are unprecedented. The alleged criminal\r\nscheme used actors in China and Malaysia to illegally hack, intrude and steal information from victims\r\nworldwide,” said Michael R. Sherwin, Acting U.S. Attorney for the District of Columbia.  
“As set forth in the\r\ncharging documents, some of these criminal actors believed their association with the PRC provided them free\r\nlicense to hack and steal across the globe.  This scheme also contained a new and troubling cyber-criminal\r\ncomponent – the targeting and utilization of gaming platforms to both defraud video game companies and launder\r\nillicit proceeds.”\r\n“The actions announced today reflect a years-long commitment by the FBI Washington Field Office to pursue the\r\nperpetrators of the computer intrusion campaigns described in the indictments, and to bring those perpetrators to\r\njustice,” said Acting Assistant Director in Charge James A. Dawson, FBI Washington Field Office. “This case\r\ndemonstrates the FBI’s dedication to pursuing these criminals no matter where they are, and to whom they may be\r\nconnected.” \r\nThe August 2019 indictment charged Zhang Haoran (张浩然), 35, and Tan Dailin (谭戴林), 35, with 25 counts of\r\nconspiracy, wire fraud, aggravated identity theft, money laundering, and violations of the Computer Fraud and\r\nAbuse Act (“CFAA”).  The indictment charged Zhang and Tan with participating in a “Computer Hacking\r\nConspiracy,” which targeted high-technology and similar organizations.  The indictment also charged that, as an\r\nadditional way to make money, Zhang and Tan participated in a “Video Game Conspiracy,” through which Zhang\r\nand Tan, together with others, sought to make money by hacking video game companies, obtaining and otherwise\r\ngenerating digital items of value (e.g., video game currency), and then selling such items for profit.  
In several\r\ninstances, they used their unauthorized access to gaming company networks to take action against other unrelated\r\ngroups engaged in the same fraudulent generation of gaming artifacts, thereby attempting to eliminate the criminal\r\ncompetition.\r\nOne of the August 2020 indictments charged Jiang Lizhi (蒋立志), 35, Qian Chuan (钱川), 39, and Fu Qiang (付强), 37, with nine counts of racketeering conspiracy, conspiracy to violate the CFAA, substantive violations of the\r\nCFAA, access device fraud, identity theft, aggravated identity theft, and money laundering.  The racketeering\r\nconspiracy pertained to the three defendants’ conducting the affairs of Chengdu 404 Network Technology\r\n(“Chengdu 404”), a PRC company, through a pattern of racketeering activity involving computer intrusion\r\noffenses affecting over 100 victim companies, organizations, and individuals in the United States and around the\r\nworld, including in Australia, Brazil, Chile, Hong Kong, India, Indonesia, Japan, Malaysia, Pakistan, Singapore,\r\nSouth Korea, Taiwan, Thailand, and Vietnam.  The defendants also compromised foreign government computer\r\nnetworks in India and Vietnam, and targeted, but did not compromise, government computer networks in the\r\nUnited Kingdom.  In one notable instance, the defendants conducted a ransomware attack on the network of a\r\nnon-profit organization dedicated to combating global poverty.\r\nThe defendants associated with Chengdu 404 employed sophisticated hacking techniques to gain and maintain\r\naccess to victim computer networks.  One example was the defendants’ use of “supply chain attacks,” in which the\r\nhackers compromised software providers and then modified the providers’ code to facilitate further intrusions\r\nagainst the software providers’ customers.  
Another example was the hackers’ use of C2 “dead drops,” which are\r\nseemingly legitimate web pages that the hackers created, but which surreptitiously carried encoded instructions for\r\ntheir malware.  They also employed publicly available exploits and tools, including exploits for the following\r\nCommon Vulnerabilities and Exposures (“CVE”) entries:  CVE-2019-19781, CVE-2019-11510, CVE-2019-16920, CVE-2019-16278, CVE-2019-1652/CVE-2019-1653, and CVE-2020-10189.\r\nThe second August 2020 indictment charged Wong Ong Hua, 46, and Ling Yang Ching, 32, both Malaysian\r\nnationals and residents, with 23 counts of racketeering, conspiracy, identity theft, aggravated identity theft, access\r\ndevice fraud, money laundering, violations of the CFAA, and falsely registering domain names.  The indictment\r\nalleged that Wong and Ling conducted the affairs of Sea Gamer Mall, a Malaysian company founded by Wong,\r\nthrough a pattern of racketeering activity involving computer intrusion offenses targeting the video game\r\nindustry in the United States, France, Japan, Singapore, and South Korea.  The indictment alleged that Wong and\r\nLing worked with various hackers, including Zhang and Tan, to profit from the hackers’ criminal computer intrusions at\r\nvideo game companies. 
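The C2 “dead drop” technique described above, as an added illustration that is not part of the press release and is not the defendants' actual encoding: a constructed page whose HTML comment carries an obfuscated instruction record, the operator-side builder that plants it, and a defender-side resolver that extracts and validates it. The marker strings, the XOR key, the record layout and the 203.0.113.10 address are assumptions made for this example; real dead-drop formats differ per malware family and are recovered by reverse engineering the implant that reads them.

```python
import base64
import re

# Hypothetical dead-drop format used only in this example (assumption, not the
# defendants' real scheme): the instruction record is XOR-obfuscated with a
# short key, base64-encoded, and hidden in an HTML comment between two markers.
MARK_START = '<!-- tracking:'
MARK_END = ' -->'
XOR_KEY = b'k3y'

# Record layout assumed for this example: "<host>:<port>|sleep=<seconds>".
INSTRUCTION_RE = re.compile(r'^(?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5})\|sleep=(?P<sleep>\d+)$')


def _xor(data, key=XOR_KEY):
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_instruction(c2_host, c2_port, sleep_seconds):
    """Operator side: build the obfuscated blob the implant will look for."""
    record = f'{c2_host}:{c2_port}|sleep={sleep_seconds}'.encode('ascii')
    return base64.b64encode(_xor(record)).decode('ascii')


def build_dead_drop_page(c2_host, c2_port, sleep_seconds):
    """Operator side: wrap the blob in an innocuous-looking page (constructed content)."""
    blob = encode_instruction(c2_host, c2_port, sleep_seconds)
    return (
        '<html><head><title>Weekend photography notes</title></head>\n'
        '<body>\n'
        '<h1>Harbour at dawn</h1>\n'
        '<p>Tried the new 35mm lens; fog rolled in around 07:00.</p>\n'
        f'{MARK_START}{blob}{MARK_END}\n'
        '<p>More next week.</p>\n'
        '</body></html>\n'
    )


def resolve_dead_drop(page_html):
    """Defender side: extract and validate the hidden instruction, or return None.

    Every step that can fail (missing markers, bad base64, non-ASCII bytes,
    malformed record, out-of-range port) returns None rather than raising, so
    the resolver can be run safely over arbitrary fetched pages.
    """
    start = page_html.find(MARK_START)
    if start < 0:
        return None
    start += len(MARK_START)
    end = page_html.find(MARK_END, start)
    if end < 0:
        return None
    blob = page_html[start:end].strip()
    try:
        text = _xor(base64.b64decode(blob, validate=True)).decode('ascii')
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    m = INSTRUCTION_RE.match(text)
    if not m:
        return None
    port = int(m.group('port'))
    if not 1 <= port <= 65535:
        return None
    return {'host': m.group('host'), 'port': port, 'sleep': int(m.group('sleep'))}


COMMENT_RE = re.compile(r'<!--(.*?)-->', re.S)
B64_TOKEN_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def find_comment_blobs(page_html):
    """Triage helper for pages whose markers are unknown: every base64-looking
    token of 16+ characters inside an HTML comment, with its raw decoded bytes.
    Tokens that do not decode cleanly are skipped."""
    found = []
    for comment in COMMENT_RE.findall(page_html):
        for token in B64_TOKEN_RE.findall(comment):
            try:
                found.append((token, base64.b64decode(token, validate=True)))
            except ValueError:
                continue
    return found


if __name__ == '__main__':
    page = build_dead_drop_page('203.0.113.10', 8443, 300)
    print(resolve_dead_drop(page))
    print(find_comment_blobs(page))
```

Against a real implant the markers and the transform come from reverse engineering; what transfers is the shape of the resolver (locate, decode, validate strictly, fail closed) and the triage pass over comments and hidden elements for high-entropy tokens. Fetching suspected dead-drop URLs from a sandbox on a schedule and diffing what they resolve to is how a responder turns a seized page list into live C2 intelligence.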
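Every vulnerability in the CVE list above is reached over HTTP, so the first place a defender looks for this activity is the access log of the exposed appliance or web server. The following is an added example, not part of the press release: a small scanner that normalizes request targets and matches the widely published request patterns for four of the listed CVEs (Citrix ADC/Gateway CVE-2019-19781, Pulse Connect Secure CVE-2019-11510, Cisco RV320/RV325 CVE-2019-1653, and Zoho ManageEngine Desktop Central CVE-2020-10189). The log lines are constructed for the example, the signatures are the public indicators for each CVE rather than anything taken from the indictments, and the RFC 5737 addresses are placeholders.

```python
import re
from urllib.parse import unquote

# Request-target signatures: the widely published indicators for four of the
# CVEs named in the press release (assumed here as detection content; the
# release itself lists only the CVE identifiers).
SIGNATURES = [
    ('CVE-2019-19781', 'Citrix ADC/Gateway path traversal',
     re.compile(r'/vpn/\.\./vpns/', re.I)),
    ('CVE-2019-11510', 'Pulse Connect Secure arbitrary file read',
     re.compile(r'/dana-na/\.\./dana/html5acc/guacamole/', re.I)),
    ('CVE-2019-1653', 'Cisco RV320/RV325 configuration disclosure',
     re.compile(r'/cgi-bin/config\.exp(\?|$)', re.I)),
    ('CVE-2020-10189', 'Zoho ManageEngine Desktop Central deserialization RCE',
     re.compile(r'/mdm/client/v1/mdmLogUploader', re.I)),
]

# Common Log Format with the usual referer/user-agent tail.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not real traffic). Lines 1-4 and 6 carry exploit
# patterns; line 5 is an ordinary request to the same VPN portal.
SAMPLE_LOG = '''\
203.0.113.7 - - [16/Sep/2020:10:01:02 +0000] "GET /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 512 "-" "curl/7.64.1"
203.0.113.7 - - [16/Sep/2020:10:01:05 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048 "-" "python-requests/2.22.0"
198.51.100.23 - - [16/Sep/2020:10:02:11 +0000] "GET /cgi-bin/config.exp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.23 - - [16/Sep/2020:10:03:40 +0000] "POST /mdm/client/v1/mdmLogUploader?udid=si%5C..%5C..%5C..%5C..%5Cwebapps%5CDesktopCentral%5Cjsp&filename=logger.zip HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.55 - - [16/Sep/2020:10:04:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.55 - - [16/Sep/2020:10:04:01 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 404 0 "-" "Mozilla/5.0"
'''


def normalize_target(target):
    """Percent-decode twice (double encoding is a common filter bypass) and
    fold backslashes to slashes so one regex covers both separators."""
    return unquote(unquote(target)).replace('\\', '/')


def scan_line(line):
    """Return a hit dict for one log line, or None if it does not parse or matches nothing."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    target = normalize_target(m.group('target'))
    for cve, description, pattern in SIGNATURES:
        if pattern.search(target):
            return {
                'cve': cve,
                'description': description,
                'src': m.group('src'),
                'status': int(m.group('status')),
                'target': target,
            }
    return None


def scan(lines):
    """Scan an iterable of log lines; returns only the hits, in log order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


def by_source(hits):
    """Group hits by client address: {src: sorted list of distinct CVE ids}.
    One source probing several unrelated appliances in a short window is the
    signature of an actor sweeping a published exploit list."""
    grouped = {}
    for hit in hits:
        grouped.setdefault(hit['src'], set()).add(hit['cve'])
    return {src: sorted(cves) for src, cves in grouped.items()}


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"{hit['src']:<15} {hit['status']} {hit['cve']:<15} {hit['target'][:60]}")
    print(by_source(hits))
```

The status code is deliberately kept in the hit: a 200 on the Citrix or Pulse traversal means the appliance was unpatched when probed and the response body must be treated as exfiltrated, while a 404 (the last sample line) records the attempt without the compromise. Run this over the full retention window, not just the incident day, since the same public exploits were in use for months before the indictments were unsealed.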
\r\nThe indictment against Zhang and Tan charges the defendants with two counts of conspiracy to commit computer\r\nfraud, which carries a maximum sentence of five years in prison; two counts of conspiracy to commit wire fraud,\r\nwhich carries a maximum sentence of 20 years in prison; five counts of wire fraud, which carries a maximum\r\nsentence of 20 years in prison; nine counts of intentional damage to a protected computer, which carries a\r\nmaximum sentence of 10 years in prison; four counts of unauthorized access to a protected computer, which\r\ncarries a maximum sentence of five years in prison; two counts of aggravated identity theft, which carries a\r\nmandatory sentence of two years in prison; and one count of money laundering, which carries a maximum\r\nsentence of 20 years in prison.\r\nThe indictment against Jiang, Qian, and Fu charges the defendants with one count of racketeering conspiracy,\r\nwhich carries a maximum sentence of 20 years in prison; one count of conspiracy to commit computer fraud,\r\nwhich carries a maximum sentence of five years in prison; one count of intentional damage to a protected\r\ncomputer, which carries a maximum sentence of 10 years in prison; one count of unauthorized access to a\r\nprotected computer, which carries a maximum sentence of five years in prison; one count of threatening to\r\ndamage a protected computer, which carries a maximum sentence of five years in prison; one count of access\r\ndevice fraud, which carries a maximum sentence of 10 years in prison; one count of identity theft, which carries a\r\nmaximum sentence of five years in prison; one count of aggravated identity theft, which carries a mandatory\r\nsentence of two years in prison; and one count of money laundering, which carries a maximum sentence of 20\r\nyears in prison.\r\nThe indictment against Wong and Ling 
charges the defendants with one count of racketeering conspiracy, which\r\ncarries a maximum sentence of 20 years in prison; one count of racketeering, which carries a maximum sentence\r\nof 20 years in prison; three counts of intentional damage to a protected computer, which carries a maximum\r\nsentence of 10 years in prison; five counts of unauthorized access to a protected computer, which carries a\r\nmaximum sentence of five years in prison; five counts of furthering fraud by unauthorized access to a protected\r\ncomputer, which carries a maximum sentence of five years in prison; two counts of access device fraud, which\r\ncarries a maximum sentence of 10 years in prison; two counts of identity theft, which carries a maximum sentence\r\nof five years in prison; one count of aggravated identity theft, which carries a mandatory sentence of two years in\r\nprison; and three counts of money laundering, which carries a maximum sentence of 20 years in prison.  The\r\nindictment also alleges false registration of domain names, which would increase the maximum sentence of\r\nimprisonment for money laundering to 27 years; the maximum sentence of imprisonment for unlawful access to a\r\nprotected computer to 10 years instead of five years; the maximum sentence of imprisonment for intentional\r\ndamage to a protected computer to 17 years instead of 10 years; and the mandatory sentence of imprisonment for\r\naggravated identity theft to four years instead of two years.\r\nThe maximum potential sentences in this case are prescribed by Congress and are provided here for informational\r\npurposes only; any sentencing of the defendants will be determined by the assigned judge.\r\nThe investigation was conducted jointly by the U.S. Attorney’s Office for the District of Columbia, the National\r\nSecurity Division of the Department of Justice, and the FBI’s Washington Field Office.  
The FBI’s Cyber Division\r\nassisted in the investigation and, along with FBI’s Cyber Assistant Legal Attachés and Legal Attachés in countries\r\naround the world, provided essential support.  Numerous victims cooperated and provided valuable assistance in\r\nthe investigation. \r\nThe department is also grateful to Microsoft, including Microsoft’s Threat Intelligence Center (MSTIC) and\r\nDigital Crimes Unit (DCU), to Google, including its Threat Analysis Group (TAG), to Facebook, and to Verizon\r\nMedia, including its Paranoids Advanced Cyber Threats Team, for the assistance they provided in this\r\ninvestigation.\r\nAssistant U.S. Attorney Demian Ahn of the District of Columbia, Assistant U.S. Attorney Tejpal Chawla of the\r\nDistrict of Columbia, and Trial Attorney Evan Turgeon of the National Security Division’s Counterintelligence\r\nand Export Control Section are prosecuting this case.\r\nThe Justice Department’s Office of International Affairs provided critical assistance. \r\nThe details contained in the charging document are allegations. The defendants are presumed innocent until\r\nproven guilty beyond a reasonable doubt in a court of law.\r\nSource: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer"
	],
	"report_names": [
		"seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "273a41a8-5115-4f55-865f-0960a765f18c",
			"created_at": "2022-10-25T16:07:24.397947Z",
			"updated_at": "2026-04-10T02:00:04.974605Z",
			"deleted_at": null,
			"main_name": "Wicked Spider",
			"aliases": [
				"APT 22",
				"Bronze Export",
				"Bronze Olive",
				"Wicked Spider"
			],
			"source_name": "ETDA:Wicked Spider",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EternalBlue",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "00e7a6ed-1880-4391-b0b9-1f46fae0e5cc",
			"created_at": "2025-08-07T02:03:24.591024Z",
			"updated_at": "2026-04-10T02:00:03.717645Z",
			"deleted_at": null,
			"main_name": "BRONZE EXPORT",
			"aliases": [
				"TG-3279 ",
				"Wicked Spider "
			],
			"source_name": "Secureworks:BRONZE EXPORT",
			"tools": [
				"Conpee",
				"PlugX",
				"PwDump"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775490757,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b9f0c4efaf6a5a6816646f6b837ad76ad0a8f92.pdf",
		"text": "https://archive.orkl.eu/2b9f0c4efaf6a5a6816646f6b837ad76ad0a8f92.txt",
		"img": "https://archive.orkl.eu/2b9f0c4efaf6a5a6816646f6b837ad76ad0a8f92.jpg"
	}
}