Justice Department Charges Two Silk Typhoon Chinese Hackers with U.S. Treasury Breach

Yin Kecheng and Zhou Shuai are two Chinese nationals charged with breaching the U.S. Treasury Department and over 100 other American businesses.

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Yin Kecheng and Zhou Shuai among 12 Chinese hackers charged with U.S. Treasury breach

The United States Department of Justice confirmed that 12 Chinese hackers have been charged with hacking the U.S. Treasury and over 100 American organizations over the past decade. Two hackers, Yin Kecheng (尹 可成), aka “YKC” (“YIN”), and Zhou Shuai (周帅), aka “Coldface” (“ZHOU”), are confirmed members of APT 27, also known as Silk Typhoon.

Silk Typhoon is a Chinese state-sponsored hacking group known for conducting cyber espionage.

The Federal Bureau of Investigation includes Kecheng and Shuai on its Most Wanted list. Both are charged with the following crimes:

Conspiracy to Cause Damage To, and Obtain Information By Unauthorized Access To, Protected Computers, to Commit Wire Fraud, and to Commit Aggravated Identity Theft; Wire Fraud; Obtaining Information by Unauthorized Access to Protected Computers; Intentionally Causing Damage to Protected Computers; Aggravated Identity Theft; Money Laundering

- Federal Bureau of Investigation

Kecheng and Shuai are described as playing “key roles” in hacking over 100 American organizations and the U.S. Treasury. According to the Justice Department, they frequently hack targets “suppressing free speech and religious freedoms” and have carried out hacker-for-hire cyberattacks for over a decade.

Yin Kecheng and Zhou Shuai are on the FBI Most Wanted List for hacking the U.S. Treasury and over 100 other American organizations. The FBI is offering up to $2 million for information leading to the arrest of either individual. (Source: FBI)

Silk Typhoon used Microsoft Exchange, Palo Alto Networks Firewall, Citrix NetScaler, and Ivanti Pulse Connect Secure vulnerabilities

Microsoft published new research this week on how Silk Typhoon leveraged multiple vulnerabilities in Microsoft Exchange, Palo Alto Networks Firewalls, Citrix NetScaler, and Ivanti Pulse Connect Secure to hack into targets.

Microsoft has been tracking cyberattack activity from Silk Typhoon since 2020. The group is also tracked as APT 27 by Mandiant (now part of Google) and uses malware such as PANDORA, SOGU, and GHOST on its victims.

Prosecutors said the group's targets include U.S. defense contractors, tech companies, law firms, state and local governments, and universities.

Silk Typhoon typically utilizes spear phishing to gain initial access to a target network. It then moves laterally across cloud-hosted networks, manipulating service account permissions and exfiltrating data.

FBI offers $2 million reward for information leading to the arrest of Kecheng or Shuai

Kecheng was formally charged with hacking the U.S. Treasury in December 2024. The Treasury Department’s Office of Foreign Assets Control sanctioned Kecheng in February after linking him to China’s Ministry of State Security (MSS), the intelligence agency responsible for the country’s foreign intelligence collection.

The FBI offers a $2 million reward for information leading to Kecheng and Shuai's arrest and conviction.

For more information on Silk Typhoon, their tactics, and targets, check out the research report by Microsoft Threat Intelligence:

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

