Washington is intensifying its cyber offensive against China as geopolitical tensions spill over into cyberspace. On 5 March 2025, the US government announced two $2 million reward offers for information leading to the arrest or conviction of Chinese nationals Yin KeCheng and Zhou Shuai, accused of operating within an elite cyber-espionage network linked to the Chinese government.
The Department of State’s Bureau of International Narcotics and Law Enforcement Affairs issued the rewards under the Transnational Organized Crime Rewards Program (TOCRP), marking an escalation in US efforts to counter China’s state-backed cyber operations. The reward offers, indictments, and sanctions represent a whole-of-government approach to disrupting cybercrime networks operating beyond US jurisdiction. Officials say this strategy aims to choke off financial resources, increase pressure on cyber actors, and signal to foreign governments that state-backed cyber operations will have consequences.
In parallel, the Department of Justice (DOJ) unsealed two indictments against Yin and Zhou, detailing their alleged involvement in cyberattacks spanning more than a decade, including wire fraud, money laundering, aggravated identity theft, and violations of the Computer Fraud and Abuse Act. The Office of Foreign Assets Control (OFAC) simultaneously sanctioned Zhou and his company, Shanghai Heiying Information Technology, in a coordinated move to freeze financial assets and disrupt cybercriminal funding.
Both men are believed to be key operatives within APT27—an advanced persistent threat (APT) group also known as Threat Group 3390, Emissary Panda, Iron Tiger, and Silk Typhoon. According to cybersecurity firms and intelligence agencies, APT27 has long been tied to China’s intelligence apparatus, conducting cyberespionage, intellectual property theft, and corporate hacking on behalf of state and private entities. The FBI investigation into APT27, launched in 2014, identified Yin as a central figure in cybercriminal activities between 2013 and 2015, while both Yin and Zhou were allegedly involved in hacking operations from 2018 to 2020. Their work, according to US officials, includes infiltrating government networks, financial institutions, and multinational corporations.
APT27 has been linked to cyberattacks on US defense contractors, aerospace firms, and financial institutions, with stolen data allegedly funneled into China’s military-industrial complex. As a whole, APT27 specializes in targeting high-value organizations, often using sophisticated tactics to breach secure networks, steal sensitive data, and remain undetected for extended periods. The group's modus operandi includes:
- Spear phishing campaigns – Luring victims into opening malicious links or attachments that deliver malware.
- Zero-day exploits – Using software vulnerabilities that are not yet publicly known or patched to gain unauthorized access.
- Advanced remote access tools – Deploying malware that allows attackers to control networks from afar.
- Persistent backdoors – Maintaining access to compromised systems for extended surveillance.
The US is urging international cooperation to track down Yin and Zhou. Individuals with information are encouraged to contact the FBI at yin_zhou_info@fbi.gov or visit a US embassy or consulate.