{ "id": "fdb2627c-d5dc-4601-bfbe-bf446e27ba17", "created_at": "2026-04-06T00:10:01.850748Z", "updated_at": "2026-04-10T03:35:29.195717Z", "deleted_at": null, "sha1_hash": "dace3eb30a26f117de3211bc74b881ac522bf702", "title": "Treasury Sanctions China-based Hacker Involved in the Compromise of Sensitive U.S. Victim Networks", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 46778, "plain_text": "Treasury Sanctions China-based Hacker Involved in the\r\nCompromise of Sensitive U.S. Victim Networks\r\nPublished: 2026-02-13 · Archived: 2026-04-05 22:24:11 UTC\r\nWASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is\r\ndesignating Zhou Shuai, a Shanghai-based malicious cyber actor and data broker, and his company, Shanghai\r\nHeiying Information Technology Company, Limited (Shanghai Heiying). In collaboration with another\r\nmalicious cyber actor, U.S.-sanctioned Yin Kecheng, Zhou Shuai illegally acquired, brokered, and sold data from\r\nhighly sensitive U.S. critical infrastructure networks. Malicious cyber actors, particularly those operating in\r\nChina, continue to be one of the greatest and most persistent threats to U.S. national security, as highlighted in the\r\nOffice of the Director of National Intelligence’s most recent Annual Threat Assessment.\r\n“Today’s action underscores our resolve to hold accountable malicious cyber actors like Zhou who continue to\r\ntarget U.S. government systems, the data of U.S. companies, and our citizens,” said Acting Under Secretary of the\r\nTreasury for Terrorism and Financial Intelligence Bradley T. Smith. “The United States is committed to disrupting\r\nall aspects of this criminal ecosystem leveraging all our available tools and authorities.”\r\nToday’s designation follows a series of recent Treasury designations aimed at combatting increasingly dangerous\r\ncyber activity committed by cybercriminals in China. This includes the January 17, 2025 designation of Yin\r\nKecheng and Sichuan Juxinhe Network Technology Company, Ltd. for their roles in the recent Department of the\r\nTreasury network compromise and the Salt Typhoon cyber group, respectively; the January 3, 2025 designation of\r\nIntegrity Technology Group, Inc. for its role in the Flax Typhoon intrusion set; and the December 10, 2024\r\ndesignation of Sichuan Silence Information Technology Company, Ltd. and one of its employees for their role in\r\ncompromising firewalls.\r\nToday, the Department of Justice is also unsealing indictments charging Yin Kecheng and Zhou Shuai based on\r\ntheir malicious cyber activity. Furthermore, the Department of State is announcing a Transnational Organized\r\nCrime Rewards Program offer of up to $2,000,000 for information leading to the arrest and/or conviction of Yin\r\nKecheng or Zhou Shuai. \r\nZhou shuai: chinese Hacker and data broker\r\nSince at least 2018, Zhou Shuai has acted as a data broker, selling illegally exfiltrated data and access to\r\ncompromised computer networks. At least some of this data was acquired by known China-backed malicious\r\ncyber actor and former Shanghai Heiying employee Yin Kecheng.  Yin Kecheng, who was sanctioned by OFAC\r\non January 17, 2025, was involved in the 2024 compromise of the Department of the Treasury’s network. Notable\r\nU.S. victims of Yin Kecheng and Zhou Shuai’s partnership include technology companies, a defense industrial\r\nbase contractor, a communications service provider, an academic health system affiliated with a university, and a\r\ngovernment county municipality. \r\nhttps://home.treasury.gov/news/press-releases/sb0042\r\nPage 1 of 3\n\nIn 2020, Zhou Shuai appeared to be working from a set of intelligence requirements that included targets within\r\nthe United States, Russia, and Western Europe. Data types of interest included telecommunications data, border\r\ncrossing data, data on personnel in religious research, data on media industry personnel, and data on public\r\nservants. These requirements almost certainly originated from the CCP’s intelligence services. In early 2021, Zhou\r\nShuai brokered the sale of documents stolen from a U.S. cleared defense contractor.\r\nOFAC is designating Zhou Shuai pursuant to Executive Order (E.O.) 13694, as further amended by E.O. 14144\r\n(“E.O. 13694, as further amended”), for being responsible for or complicit in, or having engaged in, directly or\r\nindirectly, activities related to gaining or attempting to gain unauthorized access to a computer or network of\r\ncomputers of a U.S. person, the United States, a U.S. ally or partner or a citizen, national, or entity organized\r\nunder the laws thereof, where such efforts originate from or are directed by persons located, in whole or\r\nsubstantial part, outside the United States and are reasonably likely to result in, or have materially contributed to, a\r\nsignificant threat to the national security, foreign policy, or economic health or financial stability of the United\r\nStates.\r\nShanghai heiying:  a haven for hackers\r\nZhou Shuai established Shanghai Heiying Information Technology Company, Limited (Shanghai Heiying) in\r\n2010 and is still its majority owner. Shanghai Heiying is a Shanghai-based cybersecurity company that has\r\nemployed numerous known China-backed malicious cyber actors, including Yin Kecheng.\r\nOFAC is designating Shanghai Heiying pursuant to E.O. 13694, as further amended, for being owned or\r\ncontrolled by, or having acted or purported to act for or on behalf of, directly or indirectly, Zhou Shuai, a person\r\nwhose property and interests in property are blocked pursuant to E.O. 13694, as further amended.\r\nSanctions implications\r\nAs a result of today’s action, all property and interests in property of the designated persons described above that\r\nare in the United States or in the possession or control of U.S. persons are blocked and must be reported to OFAC.\r\nIn addition, any entities that are owned, directly or indirectly, individually or in the aggregate, 50 percent or more\r\nby one or more blocked persons are also blocked. Unless authorized by a general or specific license issued by\r\nOFAC or exempt, U.S. sanctions generally prohibit all transactions by U.S. persons or within (or transiting) the\r\nUnited States that involve any property or interests in property of designated or otherwise blocked persons.\r\nViolations of U.S. sanctions may result in the imposition of civil or criminal penalties on U.S. and foreign persons.\r\nOFAC may impose civil penalties for sanctions violations on a strict liability basis. OFAC’s Economic Sanctions\r\nEnforcement Guidelines provide more information regarding OFAC’s enforcement of U.S. economic sanctions. In\r\naddition, financial institutions and other persons may risk exposure to sanctions for engaging in certain\r\ntransactions or activities with designated or otherwise blocked persons.  \r\nThe power and integrity of OFAC sanctions derive not only from OFAC’s ability to designate and add persons to\r\nthe SDN List, but also from its willingness to remove persons from the SDN List consistent with the law. The\r\nultimate goal of sanctions is not to punish, but to bring about a positive change in behavior. For information\r\nconcerning the process for seeking removal from an OFAC list, including the SDN List, please refer to OFAC’s\r\nFrequently Asked Question 897 here and to submit a request for removal, click here.\r\nhttps://home.treasury.gov/news/press-releases/sb0042\r\nPage 2 of 3\n\nClick here for more information on the individuals and entities designated today.\r\n###\r\nSource: https://home.treasury.gov/news/press-releases/sb0042\r\nhttps://home.treasury.gov/news/press-releases/sb0042\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://home.treasury.gov/news/press-releases/sb0042" ], "report_names": [ "sb0042" ], "threat_actors": [ { "id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0", "created_at": "2022-10-25T15:50:23.710403Z", "updated_at": "2026-04-10T02:00:05.281246Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "Whisper Spider" ], "source_name": "MITRE:Silence", "tools": [ "Winexe", "SDelete" ], "source_id": "MITRE", "reports": null }, { "id": "09031838-56db-4676-a2b2-4bc50d8b7b0b", "created_at": "2024-01-23T13:22:35.078612Z", "updated_at": "2026-04-10T02:00:03.519282Z", "deleted_at": null, "main_name": "Flax Typhoon", "aliases": [ "Ethereal Panda", "Storm-0919" ], "source_name": "MISPGALAXY:Flax Typhoon", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f0eca237-f191-448f-87d1-5d6b3651cbff", "created_at": "2024-02-06T02:00:04.140087Z", "updated_at": "2026-04-10T02:00:03.577326Z", "deleted_at": null, "main_name": "GhostEmperor", "aliases": [ "OPERATOR PANDA", "FamousSparrow", "UNC2286", "Salt Typhoon", "RedMike" ], "source_name": "MISPGALAXY:GhostEmperor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a", "created_at": "2023-09-07T02:02:47.367254Z", "updated_at": "2026-04-10T02:00:04.698935Z", "deleted_at": null, "main_name": "Flax Typhoon", "aliases": [ "Ethereal Panda", "RedJuliett" ], "source_name": "ETDA:Flax Typhoon", "tools": [ "BadPotato", "CHINACHOPPER", "China Chopper", "JuicyPotato", "LOLBAS", "LOLBins", "Living off the Land", "Metasploit", "Mimikatz", "SinoChopper", "SoftEther VPN" ], "source_id": "ETDA", "reports": null }, { "id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff", "created_at": "2024-12-28T02:01:54.899899Z", "updated_at": "2026-04-10T02:00:04.880446Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Earth Estries", "FamousSparrow", "GhostEmperor", "Operator Panda", "RedMike", "Salt Typhoon", "UNC2286" ], "source_name": "ETDA:Salt Typhoon", "tools": [ "Agentemis", "Backdr-NQ", "Cobalt Strike", "CobaltStrike", "Crowdoor", "Cryptmerlin", "Deed RAT", "Demodex", "FamousSparrow", "FuxosDoor", "GHOSTSPIDER", "HemiGate", "MASOL RAT", "Mimikatz", "NBTscan", "NinjaCopy", "ProcDump", "PsExec", "PsList", "SnappyBee", "SparrowDoor", "TrillClient", "WinRAR", "Zingdoor", "certutil", "certutil.exe", "cobeacon", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7", "created_at": "2025-03-29T02:05:20.764715Z", "updated_at": "2026-04-10T02:00:03.851829Z", "deleted_at": null, "main_name": "GOLD WYMAN", "aliases": [ "Silence " ], "source_name": "Secureworks:GOLD WYMAN", "tools": [ "Silence" ], "source_id": "Secureworks", "reports": null }, { "id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff", "created_at": "2025-04-23T02:00:55.190165Z", "updated_at": "2026-04-10T02:00:05.361244Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Salt Typhoon" ], "source_name": "MITRE:Salt Typhoon", "tools": [ "JumbledPath" ], "source_id": "MITRE", "reports": null }, { "id": "ea4726a4-3b7c-45db-a579-2abd4986941c", "created_at": "2025-11-01T02:04:53.002048Z", "updated_at": "2026-04-10T02:00:03.764362Z", "deleted_at": null, "main_name": "BRONZE FLAXEN", "aliases": [ "Ethereal Panda ", "Flax Typhoon " ], "source_name": "Secureworks:BRONZE FLAXEN", "tools": [ "Bad Potato", "Juicy Potato", "Metasploit", "Mimikatz", "SoftEther VPN" ], "source_id": "Secureworks", "reports": null }, { "id": "6477a057-a76b-4b60-9135-b21ee075ca40", "created_at": "2025-11-01T02:04:53.060656Z", "updated_at": "2026-04-10T02:00:03.845594Z", "deleted_at": null, "main_name": "BRONZE TIGER", "aliases": [ "Earth Estries ", "Famous Sparrow ", "Ghost Emperor ", "RedMike ", "Salt Typhoon " ], "source_name": "Secureworks:BRONZE TIGER", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "88e53203-891a-46f8-9ced-81d874a271c4", "created_at": "2022-10-25T16:07:24.191982Z", "updated_at": "2026-04-10T02:00:04.895327Z", "deleted_at": null, "main_name": "Silence", "aliases": [ "ATK 86", "Contract Crew", "G0091", "TAG-CR8", "TEMP.TruthTeller", "Whisper Spider" ], "source_name": "ETDA:Silence", "tools": [ "EDA", "EmpireDNSAgent", "Farse", "Ivoke", "Kikothac", "LOLBAS", "LOLBins", "Living off the Land", "Meterpreter", "ProxyBot", "ReconModule", "Silence.Downloader", "TiniMet", "TinyMet", "TrueBot", "xfs-disp.exe" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434201, "ts_updated_at": 1775792129, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/dace3eb30a26f117de3211bc74b881ac522bf702.pdf", "text": "https://archive.orkl.eu/dace3eb30a26f117de3211bc74b881ac522bf702.txt", "img": "https://archive.orkl.eu/dace3eb30a26f117de3211bc74b881ac522bf702.jpg" } }