On March 5, 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control designated a malicious cyber actor and data broker from China who illegally acquired, brokered and sold data from highly sensitive U.S. critical infrastructure networks. OFAC specifically designated Shanghai-based Zhou Shuai and Shanghai Heiying Information Technology Company, Limited, a company that Shuai owns or controls.
According to OFAC, Shuai was able to acquire some of the highly sensitive data with the help of Yin Kecheng, a known China-backed malicious cyber actor who was a former employee of Shanghai Heiying. Kecheng, who allegedly compromised the network of the U.S. Department of the Treasury in 2024, was recently designated by OFAC on January 17, 2025. Shuai allegedly partnered with Kecheng to hack several U.S.-based technology companies, including a defense industrial base contractor and a government county municipality. In early 2021, Shuai also allegedly brokered the sale of documents stolen from a U.S. cleared defense contractor. According to OFAC, in 2020, Shuai appeared to be targeting networks within the United States, Russia, and Western Europe in various areas of interest, including data related to telecommunications, border crossings, media industry personnel, and public servants.
The designations were imposed pursuant to Executive Order 13694, as amended by EO 14144, for engaging in cyber-enabled activities originating outside of the United States that threaten the national security, foreign policy or the economic health and stability of the United States. As a result of these designations, all property and interests in property of the designated persons within the United States or within the possession or control of a U.S. person are blocked, and U.S. persons are generally prohibited from engaging in transactions involving a designated person. Entities owned 50 percent or more by one or more blocked persons are also blocked.
On March 5, 2025, the Department of Justice also unsealed two separate indictments against Shuai and Kecheng for their alleged involvement in computer hacking conspiracies, from 2011 to the present, that targeted multiple U.S. victims, including companies, municipalities and for-profit organizations. According to the DOJ, arrest warrants for Kecheng and Shuai were issued; however, they both remain fugitives from justice. The DOJ also reported that, on March 4, 2025, a federal judge in the District of Columbia authorized the FBI to seize a VPS account and multiple domains allegedly involved in the criminal activity.
The Department of State’s Bureau of International Narcotics and Law Enforcement Affairs also announced two rewards of $2 million each for information leading to the arrest or conviction, in any country, of Kecheng and Shuai. The announcement of the rewards, which were offered on March 5, 2025 under the Transnational Organized Crime Rewards Program, was timed to coincide with actions taken by OFAC and the DOJ as part of a whole-of-government effort to combat malicious cyber actors.
U.S. Department of Treasury Press Release | DOJ Press Release | U.S. Department of State Press Release