{
	"id": "a3903e35-f391-4421-a9aa-21eccba77b11",
	"created_at": "2026-04-06T03:36:35.707348Z",
	"updated_at": "2026-04-10T03:27:18.020986Z",
	"deleted_at": null,
	"sha1_hash": "c8112da8d936892504d64792504862f7f8bc6dcf",
	"title": "U.S. Charges Three Chinese Hackers Who Work at Internet Security Firm for Hacking Three Corporations for Commercial Advantage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45714,
	"plain_text": "U.S. Charges Three Chinese Hackers Who Work at Internet\r\nSecurity Firm for Hacking Three Corporations for Commercial\r\nAdvantage\r\nPublished: 2017-11-27 · Archived: 2026-04-06 03:21:13 UTC\r\nAn indictment was unsealed today against Wu Yingzhuo, Dong Hao and Xia Lei, all of whom are Chinese\r\nnationals and residents of China, for computer hacking, theft of trade secrets, conspiracy and identity theft\r\ndirected at U.S. and foreign employees and computers of three corporate victims in the financial, engineering and\r\ntechnology industries between 2011 and May 2017.  The three Chinese hackers work for the purported China-based Internet security firm Guangzhou Bo Yu Information Technology Company Limited (a/k/a “Boyusec”).\r\nActing Assistant Attorney General for National Security Dana J. Boente, Acting U.S. Attorney Soo C. Song for the\r\nWestern District of Pennsylvania and Special Agent in Charge Robert Johnson of the FBI’s Pittsburgh Division\r\nannounced the charges.\r\nThe indictment alleges that the defendants conspired to hack into private corporate entities in order to maintain\r\nunauthorized access to, and steal sensitive internal documents and communications from, those entities’\r\ncomputers.  For one victim, information that the defendants targeted and stole between December 2015 and March\r\n2016 contained trade secrets.\r\n“Once again, the Justice Department and the FBI have demonstrated that hackers around the world who are\r\nseeking to steal our companies’ most sensitive and valuable information can and will be exposed and held\r\naccountable,” said Acting Assistant Attorney General Boente.  
“The Justice Department is committed to pursuing\r\nthe arrest and prosecution of these hackers, no matter how long it takes, and we have a long memory.”\r\n“Defendants Wu, Dong and Xia launched coordinated and targeted cyber intrusions against businesses operating\r\nin the United States, including here in the Western District of Pennsylvania, in order to steal confidential business\r\ninformation,” said Acting U.S. Attorney Song.  “These conspirators masked their criminal conspiracy by\r\nexploiting unwitting computers, called ‘hop points,’ conducting ‘spearphish’ email campaigns to gain\r\nunauthorized access to corporate computers, and deploying malicious code to infiltrate the victim computer\r\nnetworks.”\r\n“In order to effectively address the cyber threat, a threat that respects no boundaries and continues to grow in both\r\nits scope and complexity, law enforcement must come together and transcend borders to target criminal actors no\r\nmatter where they are in the world,” said Special Agent in Charge Johnson.\r\nSummary of the Allegations\r\nAccording to the allegations of the Indictment:\r\nDefendants Wu, Dong, Xia, and others known and unknown to the grand jury (collectively, “the co-conspirators”)\r\ncoordinated computer intrusions against businesses and entities, operating in the United States and elsewhere. To\r\naccomplish their intrusions, the co-conspirators would, for example, send spearphishing e-mails to employees of\r\nthe targeted entities, which included malicious attachments or links to malware.  If a recipient opened the\r\nattachment or clicked on the link, such action would facilitate unauthorized, persistent access to the recipient’s\r\ncomputer.  
With such access, the co-conspirators would typically install other tools on victim computers, including\r\nmalware the co-conspirators referred to as “ups” and “exeproxy.”  In many instances, the co-conspirators sought to\r\nconceal their activities, location and Boyusec affiliation by using aliases in registering online accounts,\r\nintermediary computer servers known as “hop points” and valid credentials stolen from victim systems. \r\nThe primary goal of the co-conspirators’ unauthorized access to victim computers was to search for, identify, copy,\r\npackage, and steal data from those computers, including confidential business and commercial information, work\r\nproduct, and sensitive victim employee information, such as usernames and passwords that could be used to\r\nextend unauthorized access within the victim systems.  For the three victim entities listed in the Indictment, such\r\ninformation included hundreds of gigabytes of data regarding the housing finance, energy, technology,\r\ntransportation, construction, land survey, and agricultural sectors. \r\nDefendants:  At all times relevant to the charges, the Indictment alleges as follows\r\nWu Yingzhuo, aka “mxmtmw,” “Christ Wu” and “wyz,” was a Chinese national and resident of\r\nGuangzhou.  Wu was a founding member and equity shareholder of Boyusec.\r\nDong Hao, aka “Bu Yi,” “Dong Shi Ye” and “Tianyu,” was a Chinese national and resident of Guangzhou. \r\nDong was a founding member and equity shareholder of Boyusec, who held the title of “Executive Director\r\nand Manager.”\r\nXia Lei, aka “Sui Feng Yan Mie,” was a Chinese national and resident of Guangzhou.  Xia was, at certain\r\ntimes relevant to the charges, an employee of Boyusec.\r\nVictims: Moody’s Analytics, Siemens AG (“Siemens”) and Trimble, Inc. 
(“Trimble”).\r\nTime period: As alleged in the Indictment, the conspiracy began at least as early as 2011 and continued to May\r\n2017.\r\nCrimes: Eight counts as follows (all defendants are charged in all counts).\r\nCount(s) Charge Statute Maximum Penalty\r\n1 Conspiring to commit computer fraud and abuse 18 U.S.C. § 1030(b) 10 years\r\n2 Conspiring to commit trade secret theft 18 U.S.C. §§ 1832(a)(5) 10 years\r\n3 Wire fraud 18 U.S.C. § 1343 20 years\r\n4-8 Aggravated identity theft 18 U.S.C. §§ 1028A(a)(1), (b), (c)(4), and 2 2 years (mandatory consecutive)\r\nAny sentence will be imposed by the court only after consideration of the U.S. Sentencing Guidelines and the\r\nfederal statute governing the imposition of a sentence, 18 U.S.C. § 3553.\r\nSummary of Defendants’ Conduct Alleged in the Indictment\r\nDefendant Victim Criminal Conduct\r\nWu Trimble\r\nIn 2015 and 2016, Trimble was developing a Global Navigation Satellite Systems\r\ntechnology designed to improve the accuracy of location data on mobile devices. \r\nIn January 2016, while this project was in development, Wu accessed Trimble’s\r\nnetwork and stole files containing commercial business documents and data\r\npertaining to the technology, including Trimble trade secrets.  In total, between\r\nDecember 2015 and March 2016, Wu and the other co-conspirators stole at least\r\n275 megabytes of data, including compressed data, which included hundreds of\r\nfiles that would have assisted a Trimble competitor in developing, providing and\r\nmarketing a similar product without incurring millions of dollars in research and\r\ndevelopment costs.\r\nDong Siemens\r\nIn 2014, Dong accessed Siemens’s computer networks for the purpose of\r\nobtaining and using employees’ usernames and passwords in order to access\r\nSiemens’ network. 
In 2015, the co-conspirators stole approximately 407\r\ngigabytes of proprietary commercial data pertaining to Siemens’s energy,\r\ntechnology and transportation businesses.\r\nXia Moody’s Analytics\r\nIn or around 2011, the co-conspirators accessed the internal email server of\r\nMoody’s Analytics and placed a forwarding rule in the email account of a\r\nprominent employee.  The rule directed all emails to and from the employee’s\r\naccount to be forwarded to web-based email accounts controlled by the\r\nconspirators.  In 2013 and 2014, defendant Xia regularly accessed those web-based email accounts to access the employee’s stolen emails, which contained\r\nproprietary and confidential economic analyses, findings and opinions.\r\nAn indictment is merely an accusation and a defendant is presumed innocent unless proven guilty in a court of\r\nlaw.\r\nThe FBI, Naval Criminal Investigative Service and Air Force Office of Special Investigations conducted the\r\ninvestigation that led to the charges in the indictment. \r\nThe government’s case is being prosecuted by Assistant U.S. Attorney James T. Kitchen of the Western District of\r\nPennsylvania, and Cyber Counsel Jessica Romero and Trial Attorney Jennifer Kennedy Gellie of the National\r\nSecurity Division’s Counterintelligence and Export Control Section.\r\nSource: https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations"
	],
	"report_names": [
		"us-charges-three-chinese-hackers-who-work-internet-security-firm-hacking-three-corporations"
	],
	"threat_actors": [
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446595,
	"ts_updated_at": 1775791638,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8112da8d936892504d64792504862f7f8bc6dcf.pdf",
		"text": "https://archive.orkl.eu/c8112da8d936892504d64792504862f7f8bc6dcf.txt",
		"img": "https://archive.orkl.eu/c8112da8d936892504d64792504862f7f8bc6dcf.jpg"
	}
}