Inside the Great Firewall Part 3: Geopolitical and Societal Ramifications
Part 3 analyzes the GFW as geopolitical infrastructure: economic protectionism, the export of cyber sovereignty norms, and the emergence of an authoritarian coalition (Russia, Iran).
The Great Firewall as Geopolitical Infrastructure
The Great Firewall of China (GFW) represents far more than a technical construct; it is the digital expression of a strategic doctrine, one rooted in state control, authoritarian stability, and a redefinition of sovereignty in cyberspace. Where earlier generations of internet architecture were built around openness and interoperability, the GFW stands as a counter-model: a system that enforces not just censorship but also discipline, not merely blocking information but engineering a compliant digital citizenry.
Through this lens, the GFW becomes a cornerstone of China’s broader governance model, extending internal social control mechanisms into the digital realm while also projecting power abroad. It is both shield and sword: insulating the domestic population from undesired narratives and foreign influence, while exporting technologies, protocols, and ideological models of digital sovereignty to other authoritarian or aspiring technocratic regimes. What began as a reactive security tool has evolved into a dynamic governance platform, tightly integrated with national infrastructure, industrial policy, propaganda channels, and law enforcement systems. Its architecture, as seen in the leaked data, supports real-time behavioral tracking, regionally adaptive enforcement, and centralized orchestration across ISPs, ministries, and military-linked vendors.
Internal Social Control: Domestic Implementation and Ideological Containment
China’s domestic deployment of the Great Firewall (GFW) is not merely a digital barrier; it is an infrastructure for surveillance engineering that operates in service of ideological conformity and political control. The infrastructure revealed in the dataset shows a system deeply embedded within the national internet architecture, capable of granular content classification, multi-layered traffic inspection, and adaptive suppression mechanisms. Every facet of user interaction, from HTTP headers and TLS handshakes to DNS queries and application telemetry, is a potential input for censorship decisions.
At its core, the GFW’s domestic function is ideological containment: a technical means to preempt the circulation of narratives, symbols, or software deemed threatening to Party legitimacy. The filtering mechanisms are not static; they exhibit dynamic heuristics that flag circumvention traffic patterns, encrypted tunnels, and access attempts to banned services such as Twitter, YouTube, Wikipedia, and GitHub. Logs and routing tables within the leaked data reveal strategic targeting of:
Foreign software update servers, to prevent the installation of tools like Signal or Tor,
Cloud services and content delivery networks (CDNs) associated with media organizations and dissident communities,
Online education portals and democracy-linked content, particularly around anniversaries of events like Tiananmen Square,
Religious and ethnic advocacy content, especially concerning Tibet, Xinjiang, and Falun Gong.
[Figure: Functional repression logic map]
By mapping these access patterns to regions, user sessions, and endpoints, the GFW enables adaptive, real-time suppression, a form of algorithmic censorship that not only blocks, but surveils. The presence of regionally distributed “probe agents,” remote configuration push systems, and memory-optimized Redis-based blacklist updates shows a scalable enforcement model designed to track and shape the narrative landscape at population scale. This is not passive filtering; it is proactive thought boundary enforcement, engineered to neutralize dissent before it propagates.
Economic Engineering and Domestic Substitution
By systematically blocking foreign SaaS and collaborative software, China nurtures its own domestic ecosystem. Excel-based audits from the dump show targeted suppression of applications such as Google Docs, Zoom, Dropbox, and Trello. These gaps are filled by Tencent Docs, DingTalk, and Huawei-developed platforms, illustrating how the GFW enables economic protectionism masquerading as cyber defense. This pattern is not incidental but strategic: the firewall constrains market access for foreign competitors under the guise of national security, while ensuring that data flows remain within the control of state-aligned corporations.
The substitution effect creates a dual outcome. First, it accelerates the adoption of domestic platforms that are deeply integrated with state surveillance and content moderation requirements, ensuring ideological conformity and technical compliance. Second, it generates an economic moat for Chinese firms by shielding them from the competitive pressures of global incumbents, allowing state-championed companies to scale rapidly in an artificially insulated market. What emerges is a model where censorship and market engineering are inseparable, cyber sovereignty and industrial policy reinforcing one another.
[Figure: Economic engineering logic map]
At a macro level, this reveals how the GFW is not only an instrument of political control but also a lever of techno-nationalism. By positioning domestic software as the only viable option for collaboration, communication, and file sharing, the state ensures that innovation pipelines, venture capital flows, and user data remain under Beijing’s regulatory umbrella. The firewall thus becomes a structural barrier to globalization, producing not only ideological isolation but also a controlled economic environment where China’s champions can thrive at the expense of suppressed foreign rivals.
[Figure: The splinter-net, or Balkanization of the internet, and its effects]
On the geopolitical stage, this model contributes to the fragmentation of the global internet. As China’s approach is emulated by other authoritarian regimes, the result is a “splinter-net” or a “Balkanization of the internet”, where national borders dictate not just content but also economic flows and digital standards. Beijing leverages its ecosystem as a form of soft power, exporting platforms like Huawei Cloud and Tencent Meeting to Belt and Road partner states, presenting them as secure alternatives to Western software while embedding latent channels of influence and surveillance. In doing so, the GFW does not simply defend China’s information space; it actively reshapes global digital norms, setting precedents for a world where censorship and economic self-sufficiency converge as tools of statecraft.
Regional Influence and the Export of Cyber Norms
As Beijing cements control internally, it also exports its digital governance model. Observed similarities in data retention mandates, DPI (Deep Packet Inspection) deployment, and application whitelisting mechanisms in countries such as Iran, Vietnam, and Russia suggest the emergence of a “cyber sovereignty coalition” modeled after the GFW. These states borrow not only the technical blueprints but also the ideological framing: the notion that national borders should extend into cyberspace, with governments controlling what citizens can access, publish, and share.
Chinese firms such as Huawei and ZTE play a central role in enabling this diffusion. By providing turnkey infrastructure (core routers, traffic gateways, and 5G networks), these companies ensure that the hardware and software underlying new digital environments embed the same logics of inspection and control that define the Chinese model. This makes Beijing’s digital governance framework not just a domestic fixture but an exportable package, bundled with financing through the Digital Silk Road initiative. The export is both technical and political, shaping authoritarian states’ capacity to replicate China’s approach under the banner of sovereignty and “information security.”
[Figure: Logical mapping of the framework and geographical / political players]
The effect is a gradual normalization of state-mediated connectivity. Countries adopting GFW-style controls are not simply importing equipment; they are adopting a philosophy that treats information as a threat vector rather than a public good. Over time, this fosters interoperability among authoritarian regimes, creating channels for knowledge transfer, intelligence sharing, and shared censorship protocols. The outcome is a fragmented, parallel internet sphere where repression is standardized and commercialized, with China as the principal vendor of both ideology and infrastructure.
Societal Impact and Resistance
Since the Tiananmen Square protests in 1989, the Chinese Communist Party has treated the free flow of information as an existential threat to regime stability. The development of the Great Firewall must be understood in that context: it is not simply a security apparatus, but a continuation of the Party’s broader strategy to prevent mass mobilization by limiting access to ideas, narratives, and organizing tools. Over the decades, censorship has evolved from blunt blocking of foreign websites to a finely tuned system of VPN blacklists, URL tracebacks, and application-level analytics. These capabilities allow authorities to correlate individual users with dissent behavior in near-real-time, ensuring that politically sensitive searches, conversations, and digital gatherings are identified and neutralized before they can coalesce into movements. In effect, the firewall transforms the internet into an extension of the state’s security services, eroding anonymity and embedding surveillance into the mundane acts of browsing, messaging, or sharing.
Yet despite this pervasive control, resistance is both persistent and adaptive. Beginning with early proxy experiments in the 2000s, Chinese developers themselves have been central to the creation of circumvention tools. Shadowsocks, created in 2012 by a developer known as clowwindy, pioneered lightweight encrypted proxying that could slip past deep packet inspection. When Shadowsocks nodes began to be actively targeted, the community iterated with V2Ray (Project V), a modular platform with multiple transport protocols and obfuscation layers. This in turn inspired Trojan, which disguises proxy traffic as ordinary TLS to resist probing, and later Brook and Xray, forks that pushed further into stealth and flexibility. Each of these tools originated within Chinese coding circles, highlighting how resistance emerges from inside the very environment being controlled.
[Figure: Cultural dissent map since Tiananmen]
Culturally, dissent also manifests in creative forms. Social commentary critical of censorship and the Party circulates widely on Weibo, Bilibili, and WeChat before deletion, often employing satire, homophones, memes, or coded references to evade keyword filters. These “edge-ball” expressions illustrate both the limits of algorithmic censorship and the cultural resilience of Chinese netizens. Meanwhile, diaspora communities amplify resistance by publishing bypass techniques, hosting mirrors of blocked content, and maintaining repositories of circumvention code on platforms like GitHub, ensuring knowledge is never entirely erased inside the firewall.
The interplay between suppression and resistance thus produces an ongoing arms race. Each new round of GFW countermeasures provokes new tools, tactics, and cultural adaptations. While the firewall is formidable, it paradoxically nurtures an oppositional ecosystem that continually innovates around its constraints. Far from extinguishing dissent, the system creates a feedback loop of repression and resistance, embedding digital counterculture as a permanent feature of Chinese society. The result is a paradox: the GFW sustains authoritarian control, yet at the same time guarantees the continual reinvention of the very forms of resistance it seeks to eradicate.
Strategic Positioning in Global Cyber Norms
China’s long-term vision is visible through its participation in multilateral forums such as the UN’s Group of Governmental Experts (GGE) on ICT security and the Belt and Road Initiative’s “Digital Silk Road.” These initiatives provide diplomatic cover for Beijing’s promotion of “internet sovereignty” as a legitimate model of governance. In practice, this means embedding the logic of the Great Firewall into international policy discourse, presenting it not as censorship or repression but as a sovereign right of states to regulate information flows within their borders.
At the UN level, Chinese representatives have consistently argued for norms that emphasize non-interference in domestic internet policies, deliberately contrasting this with historical Western advocacy for a “free and open” internet. By reframing censorship as an extension of sovereignty, Beijing attempts to normalize state control as a global principle, effectively insulating its own practices from critique while empowering other governments to follow suit. The Digital Silk Road, meanwhile, operationalizes these ideas by providing infrastructure, financing, and governance templates to partner countries. Through fiber optic cables, 5G buildouts, and “smart city” packages, China creates an export pathway for both technology and ideology, linking development assistance with the adoption of Beijing’s governance model.
This approach positions China as more than a participant in global internet governance; it casts Beijing as a rule-setter. By aligning economic incentives with political norms, China gradually shifts the Overton window of global digital policy. What once would have been viewed as authoritarian overreach is rebranded as legitimate digital self-determination, creating a parallel order where the GFW’s logic is not an exception but an accepted standard.
Future Resistance and Possible Outcomes of Intensified Surveillance
If China accelerates its trajectory toward deeper electronic surveillance and repression, the societal and geopolitical consequences are likely to manifest in both predictable and disruptive ways. At the domestic level, a more comprehensive fusion of AI-driven monitoring, predictive policing, and ubiquitous biometric collection would further entrench a climate of self-censorship and fear. The integration of surveillance with economic and social systems, already evident in the Social Credit framework, would amplify the daily costs of dissent, making deviation from state narratives punishable not only through arrest but through exclusion from essential services, employment, and mobility. In such an environment, formal opposition is unlikely to survive, but informal networks of coded communication and underground technological innovation could expand, creating a dual society where repression coexists with hidden circuits of resistance.
Historically, such intense monitoring regimes often produce unintended consequences. The more pervasive and intrusive the surveillance, the more it incentivizes citizens and developers to innovate countermeasures, ranging from obfuscated communication protocols to subtle forms of cultural satire and resistance. As seen with Shadowsocks and subsequent projects, the very act of suppression can cultivate technical expertise and solidarity networks among those targeted. If the state further escalates, resistance may shift from individual acts of circumvention toward collective forms of digital underground culture, diaspora-supported communication hubs, and encrypted parallel ecosystems that remain resilient precisely because they are decentralized and adaptive.
[Figure: Hypothetical scenarios and outcomes of future enhanced surveillance]
Externally, an increasingly repressive China risks catalyzing stronger responses from international actors. Multilateral organizations and democratic states may impose stricter technology export controls, sanctions on surveillance vendors, or coordinated support for civil-society circumvention efforts. At the same time, authoritarian-aligned states could take China’s model as a green light to expand their own controls, accelerating the Balkanization of the global internet. The result would be a sharper divide between “sovereign internets” that normalize repression and open networks that champion access, placing global institutions in a prolonged struggle over which model defines the standards of international governance.
The paradox, then, is that China’s tightening grip may secure short-term regime resilience at home while sowing the seeds of longer-term instability and resistance. As surveillance deepens, so too does the risk of overreach, where hyper-control undermines legitimacy and drives innovation in circumvention. On the world stage, Beijing’s hardening model could accelerate geopolitical polarization, forcing states to choose between integration into China’s censored, state-mediated sphere or alignment with more open, contested global frameworks. In both cases, the ultimate outcome is not stability, but fragility, a digital order defined less by uniform control than by the ceaseless negotiation between repression and resistance.
Conclusion
The Great Firewall is not just an internet control system; it is a pillar of China’s broader authoritarian toolkit. Its effectiveness lies in its quiet integration into daily digital life, shaping what can be seen, shared, or even imagined by hundreds of millions of citizens. Unlike blunt instruments of repression, the firewall functions with subtlety: it restricts choice by removing foreign competitors, embeds surveillance into domestic platforms, and fosters a normalized environment where censorship is an unremarkable fact of life. In this sense, the GFW is less a technical barrier than a lived reality, one that molds behavior and expectations in ways that reinforce the state’s authority.
[Figure: China’s authoritarian toolkit]
Its design reflects China’s governing philosophy of centralized control, national data sovereignty, and cyber hegemony. By asserting that information space is equivalent to territorial space, the firewall operationalizes Beijing’s belief that sovereignty extends to the digital domain. The system’s modular architecture, spanning deep packet inspection, SNI filtering, proxy interception, and state-managed content platforms, embodies a deliberate strategy to consolidate both power and legitimacy. It is not merely defensive but expansive: a mechanism for shaping global discourse, setting technical standards, and projecting influence abroad through the export of both infrastructure and ideology.
The evidence parsed from this leak lays bare the breadth and ambition of that vision. At home, the firewall enforces compliance and blunts dissent, ensuring that political stability is reinforced through technological design. Abroad, it provides a model for regimes seeking to replicate China’s balance of control and growth, creating a coalition of states aligned around the principles of cyber sovereignty. Taken together, the GFW is less an isolated technology than it is a strategic doctrine, one that defines China’s path toward digital authoritarianism and seeks to normalize it as a global standard.
Inside the Great Firewall Part 2: Technical Infrastructure
See the Great Firewall's technical blueprint. DomainTools Investigations details the TSG core, packet interception methods, and routines that detect tools like V2Ray/Psiphon.
Summary
This second installment in our series on the Great Firewall of China (GFW) focuses on the intricate technical infrastructure, operational logic, and strategic design underpinning China’s censorship ecosystem. Drawing from over 7,000 files in the 500GB GFW data dump, including internal spreadsheets, Visio network diagrams, packet captures, and metadata-rich control logs, this analysis offers an unprecedented reconstruction of the surveillance architecture at the heart of China's digital control apparatus.
At the core is the Traffic Secure Gateway (TSG) system: a modular, exportable DPI platform capable of application-layer proxying, SSL/TLS interception, and centralized policy enforcement. Designed with scale in mind, TSG is deployed across both national ISP backbones and regional access points, working in tandem with centralized command hubs such as the YGN Center. Integration with tools like Cyber Narrator, a suspected GFW dashboard, enables real-time session inspection, keyword flagging, and ruleset propagation across decentralized enforcement nodes.
Filtering is layered: SNI-based TLS detection isolates encrypted circumvention traffic (e.g., Psiphon, Shadowsocks, V2Ray), while URL, host header, and DNS hijack strategies block, redirect, or monitor suspect endpoints. Logs extracted from Redis telemetry, gohangout sessions, and custom firewall agents reveal fine-grained behavioral fingerprinting, tying user sessions to device IDs, session states, and remote IP patterns in near real time. The system also captures malformed packets, port scan anomalies, and misconfigured mirrors, supporting active countermeasure deployment through automated probe and reset mechanisms.
From spreadsheets detailing app endpoint behavior, user monitoring intervals, and hardware configurations to blueprint files illustrating node relationships and control flows, the data illustrates a highly centralized yet distributed architecture, built on cooperation between state-run ISPs, telecom vendors, university research labs, policy-design entities like the NCSC (National Counterintelligence and Security Center) and teams linked to Fang Binxing, the so-called father of the Great Firewall.
This report not only reveals how the GFW works but maps the operational logic, software structure, and institutional alignment driving it, setting the stage for deeper adversarial modeling and red team exploration in future entries.
The Great Firewall’s Purpose
The Great Firewall (GFW) is not merely a tool for filtering websites; it is the centerpiece of China’s digital repression strategy. Its technical architecture is designed not just to block content, but to control the behavior and perceptions of its users. Through mechanisms like Deep Packet Inspection (DPI), Server Name Indication (SNI) filtering, and active probing, the system enforces a state-defined version of reality where politically sensitive terms, foreign platforms, and civil society organizing are algorithmically suppressed. But beyond the code and configurations lies a deeper objective: manufacturing consensus by eliminating dissent before it forms. Through the GFW, the Chinese state does not only censor; it conditions. Platforms are scrubbed of forbidden narratives, while alternatives are either inaccessible or functionally degraded. Algorithms elevate compliant content and bury or erase anything that deviates from sanctioned ideology. This digital architecture is authoritarianism by proxy, embedding the logic of repression into every protocol layer.
At the same time, the GFW plays a crucial role in insulating China from global digital ecosystems. This is not just about keeping foreign narratives out; it is also about shielding Chinese data, behavior, and innovations from foreign intelligence collection and influence. The segmentation of China’s IPv6 networks, DNS sinkholes, and blackholing of VPN traffic represent a strategic decoupling from the global internet. Services like YouTube, Twitter, and Google are not merely blocked for ideological reasons; they are systematically replaced by domestic alternatives (e.g., Weibo, Baidu, Youku) which the state can surveil and manipulate. This creates a bifurcated internet: a “Splinternet” in which Chinese users live in an entirely separate informational universe, one optimized for control and ideological alignment. In this way, the GFW is both sword and shield, censoring the flow of dangerous information and shielding the population from outside influence, while enabling precise surveillance through data centralization and metadata capture. We will cover more on these issues in part three of this series on the Great Firewall: Inside The Great Firewall Part 3: Geopolitical and Societal Ramifications.
Vendor Integration: Building the Hardware and Software Foundations of the Great Firewall
The Great Firewall (GFW) is not a single product built by one agency; it is a distributed ecosystem of hardware, firmware, and software contributed by dozens of Chinese technology companies, each providing specialized modules under the supervision of state ministries. While telecommunications giants like China Telecom, China Unicom, and China Mobile operate the backbone infrastructure, the technical scaffolding of the firewall is delivered by a tightly knit network of trusted vendors and research labs. These vendors supply the routers, DPI (Deep Packet Inspection) cards, cryptographic modules, firmware updates, and orchestration platforms that allow the GFW to adapt to new protocols, scale across regions, and enforce rules at both the packet and behavioral levels.
[Figure: Vendor map]
One illustrative example from the leaked data is A Hamson Technology Co., Ltd., a company specializing in trusted computing, secure CPUs, cryptographic chips, and embedded operating systems. Corporate materials show that A Hamson counts among its customers the People’s Bank of China, State Grid, telecom carriers, and the Ministry of Public Security, all organizations appearing repeatedly in the metadata and spreadsheets of the GFW dataset. This vendor’s expertise in secure embedded systems and cryptographic modules aligns closely with what is visible in the leak: router firmware customized for keyword filtering, MAAT logs referencing embedded modules, and OA spreadsheets documenting device-level “责任人” (responsible person) fields for trusted platform modules. Such vendors effectively build the “trusted endpoints” of the GFW, routers, DPI blades, and gateways that are not just network devices but active surveillance nodes, capable of memory inspection, SNI fingerprinting, and remote policy injection.
Beyond A Hamson, the dataset also references vendors like Venustech, Topsec, and Huaxin, each of which has long been suspected of Ministry of State Security (MSS) affiliation. These firms provide everything from traffic shaping algorithms to exportable control interfaces and smart gateway solutions, which can be adapted for both domestic censorship and overseas “cyber sovereignty” projects. By coordinating multiple vendors under unified policy frameworks, the Chinese state achieves two objectives simultaneously: it keeps censorship infrastructure modular and upgradable, and it insulates the core policy apparatus from direct exposure by dispersing technical tasks to “private” firms under national security mandates.
[Figure: Logic map]
This structure explains the compartmentalized spreadsheets and Visio maps in the leak: regional operators work with vendor-supplied devices and dashboards but do not see the full system, and vendors deliver modules that comply with MSS or MIIT standards without controlling overall policy. Together, this forms a state-industrial censorship complex that blends the agility of commercial R&D with the reach of government enforcement.
Core Technical Components
The Great Firewall (GFW) operates as a modular and hierarchical censorship system combining centrally managed orchestration with regionally distributed enforcement nodes. Its architecture, as revealed by internal logs and configuration schemas, revolves around dynamic packet inspection, traffic shaping, and fingerprint-based blocking, executed across both internet backbone infrastructure and local telecom gateways. At the core of this system lie Deep Packet Inspection (DPI) modules, which process TCP streams in real-time to extract HTTP headers, inspect TLS handshakes, and apply keyword filtering. These modules enforce protocol-aware blocking, often dynamically reacting to new patterns of encrypted circumvention traffic. Telemetry from MAAT (Monitoring and Analysis Audit Toolkit) exports and Gohangout logs show that DPI modules interface directly with Redis-backed rule engines to push immediate session resets or trigger stream flags. The presence of advanced JA3 and SNI fingerprinting, evidenced by log extracts matching V2Ray and Psiphon, demonstrates the GFW’s ability to identify encrypted channels even when domain information is obfuscated.
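As an added illustration of the SNI and JA3 fingerprinting described above (example code, not code from the report or the dump), the following Python builds a constructed TLS ClientHello, parses the clear-text fields a DPI node can read before any encryption begins, and derives the JA3 fingerprint; the cipher suites, extensions and hostnames are hypothetical.

```python
import hashlib
import struct

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); JA3 drops them so random padding does not change the hash.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _ext(ext_type: int, body: bytes) -> bytes:
    """One TLS extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, ciphers, groups, point_formats, extra_ext_types=()):
    """Assemble a minimal TLS 1.2-style ClientHello record. Constructed sample, not captured traffic."""
    name = server_name.encode()
    # server_name extension: list length, name type 0 (host_name), name length, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = _ext(0, sni_body)
    exts += _ext(10, struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups))
    exts += _ext(11, bytes([len(point_formats)]) + bytes(point_formats))
    for t in extra_ext_types:  # empty-bodied extensions are enough for fingerprinting purposes
        exts += _ext(t, b"")
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"  # client version, 32-byte random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def parse_client_hello(record: bytes) -> dict:
    """Read the clear-text fields a DPI node sees before any encryption starts."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9  # skip record header (5) and handshake header (4)
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                      # version + random
    p += 1 + record[p]               # session id
    n = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", record[p:p + n])]
    p += n
    p += 1 + record[p]               # compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    sni, ext_types, groups, formats = None, [], [], []
    while p + 4 <= end:
        t, ln = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + ln]
        p += 4 + ln
        ext_types.append(t)
        if t == 0:     # server_name: the destination hostname, sent in the clear
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode()
        elif t == 10:  # supported_groups (elliptic curves)
            groups = [g for (g,) in struct.iter_unpack("!H", data[2:])]
        elif t == 11:  # ec_point_formats
            formats = list(data[1:])
    return {"version": version, "sni": sni, "ciphers": ciphers,
            "extensions": ext_types, "groups": groups, "formats": formats}


def ja3(fields: dict):
    """JA3 as published by Salesforce: 'version,ciphers,extensions,groups,formats' in decimal, then MD5."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    s = ",".join([str(fields["version"]), join(fields["ciphers"]), join(fields["extensions"]),
                  join(fields["groups"]), join(fields["formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def fingerprint_report(record: bytes) -> dict:
    """What an SNI/JA3 inspector would log for one handshake."""
    fields = parse_client_hello(record)
    ja3_string, ja3_hash = ja3(fields)
    return {"sni": fields["sni"], "ja3": ja3_hash, "ja3_string": ja3_string}


# Constructed samples: one hypothetical client stack (same cipher and extension offer) talking to two
# hosts, plus the same stack padded with GREASE values the way modern browsers do.
CLIENT_STACK = dict(ciphers=[0x1301, 0x1302, 0xC02B, 0xC02F], groups=[0x001D, 0x0017],
                    point_formats=[0], extra_ext_types=[0x0017, 0x002B])
HELLO_1 = build_client_hello("example.com", **CLIENT_STACK)
HELLO_2 = build_client_hello("example.net", **CLIENT_STACK)
HELLO_GREASE = build_client_hello("example.com", ciphers=[0x0A0A] + CLIENT_STACK["ciphers"],
                                  groups=[0x1A1A] + CLIENT_STACK["groups"], point_formats=[0],
                                  extra_ext_types=CLIENT_STACK["extra_ext_types"])

if __name__ == "__main__":
    for record in (HELLO_1, HELLO_2, HELLO_GREASE):
        print(fingerprint_report(record))
```

The same client stack yields the same JA3 hash whatever the destination, which is why a fingerprint can flag a client type even when the SNI is absent or misleading; stripping GREASE keeps browser randomization from changing it.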
[Figure: Large-scale map of the Great Firewall pieced together from documentation within the dump]
Additional files, including firewall monitoring exports and BGP route tables, indicate use of BGP prefix injection and routing hijacks, especially in cases of sinkhole or honeyport deployment. Sinkhole coordination appears distributed across regional telecom nodes, as seen in logs tied to "路由下发" (route issuance). IPv6 traffic is not exempt; spreadsheets such as “境内谷歌IPv6地址段” list specific address segments under active inspection, suggesting asymmetric routing filters or targeted isolation tactics. Finally, endpoint fingerprinting and active probing are routine: .vid telemetry exports show automated DNS/TLS/HTTP queries launched against suspected VPN exit nodes, with results fed into classification systems or further flagged for human review. This automation, spread across regionally deployed scanning agents, highlights a highly adaptive censorship strategy, one capable of matching user behavior to packet behavior in near real-time.
Monitoring and Logging Systems
The monitoring and logging infrastructure of the Great Firewall (GFW) is designed for pervasive visibility, continuous telemetry, and real-time policy enforcement. Key components include MAAT (Modular Automated Analysis Tool), Gohangout (a high-performance log processing framework), and Redis (a high-throughput in-memory data structure store), particularly the variant identified in logs as sd-redis. System logs such as firewall.sd.maat.status.txt capture status messages from firewalls across deployment nodes, indicating active polling of system states, service health, and traffic patterns. Meanwhile, MAAT acts as a central log aggregator and decision engine, ingesting stream data to feed classification engines. Gohangout configurations point to regex-based pattern extraction of domain names and behavior-triggered tags, likely used for classifying traffic by threat or censorship priority. Redis, via scripts like sd-redis-cli-info.txt, reveals in-memory statistics used for measuring response times, anomaly spikes, and user-session correlation.
More granular insights emerging from SQL-based telemetry indicate the GFW taps directly into production-level application telemetry, not just edge packet flows. This means that the system has visibility into how users are interacting with services in real-time, including authentication failures, long page loads, or forbidden response codes. These signals are likely used to dynamically update blacklists and whitelists, which are crucial components in filtering decisions. Blacklists identify VPN exit nodes, encrypted tunnel endpoints, and known circumvention platforms like Psiphon or V2Ray, while whitelists allow permitted services or government-approved content to flow without interference. Updates to these lists are driven by anomaly detection from the logs, matching both metadata (e.g., JA3/TLS fingerprints) and behavioral anomalies (e.g., repeated failed DNS queries or non-standard TLS extensions). This constant feedback loop demonstrates how the GFW is not just reactive but built for adaptive enforcement based on real-world usage patterns.
Endpoint and Device Mapping
One of the most revealing aspects of the Great Firewall (GFW) leak is the explicit linkage between physical infrastructure and the control logic that drives censorship operations. By cross-referencing internal spreadsheets along with telemetry logs from MAAT (Modular Application Audit Telemetry), we’ve reconstructed granular models that map the physical topology of surveillance networks to the logical flow of filtering and monitoring policies. Graphviz-based visualizations built from this data show how data packets are routed through a hierarchy of hardware, from edge-facing routers at telecom interchanges to midstream relays and deep packet inspection (DPI) modules. These DPI systems act as the primary content-filtering engines, enforcing keyword blacklists and TLS (Transport Layer Security) fingerprint-based rules. The data also identifies specific traffic redirection mechanisms, like sinkhole destinations, BGP (Border Gateway Protocol) rerouting triggers, and load-balancing scripts that dynamically respond to policy hits, suggesting an adaptive, programmable censorship environment.
What makes this infrastructure exceptionally traceable is the metadata present in device tracking sheets. Fields such as 设备类型 (Device Type), IP地址 (IP Address), 带宽 (Bandwidth), 使用率 (Usage Rate), and 责任人 (Responsible Party) expose a highly structured assignment of surveillance functions to individual device nodes and their regional operators. For example, specific router and relay MAC (Media Access Control) addresses are associated with application-layer inspection tasks or DNS query interception, depending on their role in the broader hierarchy. In tandem, OA (Office Automation) service logs and deployment documents indicate a centralized remote configuration push capability, allowing administrators in Beijing or provincial control centers to dispatch policy changes or firmware updates directly to edge units across the country. This strongly implies the presence of a secure command-and-control orchestration layer built atop LDAP-authenticated dashboards, with remote agents capable of rule enforcement and update ingestion in near real-time. The entire apparatus, as described in these files, operates as a tightly integrated censorship-industrial network with both technical and bureaucratic chains of command.
Behavioral Prediction Engines: Predictive Enforcement at National Scale
One of the most revealing discoveries from the leaked GFW dataset is the use of behavioral prediction systems that go beyond static rule enforcement. Evidence from application-layer sketch logs, memory and query telemetry, and endpoint capture systems suggests the existence of real-time statistical baselining tools built to flag, and even act on, traffic that deviates from normal patterns before it explicitly violates any censorship policy.
The accompanying flow diagram shows the path from session initiation through telemetry capture (CPU usage, memory, port activity, TLS parameters) into the Redis-based MAAT logging system, which performs baseline comparisons against historical session profiles. Based on the deviation and behavioral patterns, the session is assigned a risk score that informs the enforcement logic, ranging from passive allowance to rerouting for deeper inspection or full termination.
These prediction mechanisms appear tightly integrated into the MAAT subsystem, where per-user session profiles are maintained and continuously compared against historical baselines. When a session exhibits abnormal latency, memory footprint, or access patterns, such as extended encrypted sessions, unexpected TLS version negotiation, or traffic bursts to unclassified IPs, the system preemptively routes the session through enhanced inspection modules, or terminates it altogether. This is done via a combination of Redis-based anomaly detectors, custom flagging in slow SQL query tables, and policy propagation recorded in MAAT static log sheets.
Notably, the system does not only act after detection. For example, users opening encrypted proxies such as Shadowsocks or V2Ray may experience injected failure responses or artificial latency even before their SNI or packet signatures match known blacklists. This illustrates that the GFW is not simply reactive; it is predictive. By monitoring systemic telemetry (CPU stats, session duration, port stability, TLS behavior), the firewall infers which sessions are likely to be circumvention attempts and flags them before content is even exchanged.
In essence, this subsystem makes the GFW function as a national-scale anomaly detection engine, assigning implicit trust scores to sessions in real time, and adapting its inspection depth accordingly. This significantly raises the bar for circumvention tool developers, as evading detection now requires mimicking not only protocol signatures but behavioral baselines, making tools like Psiphon or Lantern more vulnerable to dynamic fingerprinting.
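The baselining and tiered-enforcement loop described in this section, as an added worked example (not code from the leaked dataset or from any GFW component): a per-user profile is built from constructed historical sessions, each new session is scored by how far its duration, outbound volume, destination port, TLS version and destination classification deviate from that profile, and the score maps onto the allow / deeper-inspection / terminate tiers the text describes. The feature weights and thresholds are assumptions for illustration; the MAAT and Redis components are not modelled.

```python
"""Session risk scoring against a per-user behavioral baseline (added example)."""
from statistics import mean, pstdev

# Constructed historical sessions for one user: (duration_s, bytes_out, tls_version, dst_port)
BASELINE_SESSIONS = [
    (42, 18_000, "1.2", 443), (55, 22_000, "1.2", 443), (38, 15_500, "1.2", 443),
    (61, 25_000, "1.3", 443), (47, 19_000, "1.2", 443), (50, 21_000, "1.2", 443),
]


class Baseline:
    """Per-user profile: mean/stddev of numeric features plus the sets of seen categoricals."""

    def __init__(self, sessions):
        durations = [s[0] for s in sessions]
        volumes = [s[1] for s in sessions]
        self.dur_mu, self.dur_sd = mean(durations), pstdev(durations) or 1.0
        self.vol_mu, self.vol_sd = mean(volumes), pstdev(volumes) or 1.0
        self.tls_versions = {s[2] for s in sessions}
        self.ports = {s[3] for s in sessions}


def zscore(value, mu, sd):
    return (value - mu) / sd


def risk_score(baseline, duration_s, bytes_out, tls_version, dst_port, dst_classified):
    """Weighted deviation score in [0, 1]. Weights and caps are assumptions for illustration."""
    score = 0.0
    # Long-lived or unusually large encrypted sessions relative to this user's own history
    score += min(abs(zscore(duration_s, baseline.dur_mu, baseline.dur_sd)) / 6, 0.35)
    score += min(abs(zscore(bytes_out, baseline.vol_mu, baseline.vol_sd)) / 6, 0.25)
    if dst_port not in baseline.ports:            # first contact with a port never seen before
        score += 0.15
    if tls_version not in baseline.tls_versions:  # unexpected TLS version negotiation
        score += 0.10
    if not dst_classified:                        # burst to an IP with no classification
        score += 0.15
    return round(min(score, 1.0), 3)


def enforce(score):
    """Map the score onto the three enforcement tiers the text describes (thresholds assumed)."""
    if score < 0.30:
        return "ALLOW"
    if score < 0.60:
        return "INSPECT"  # reroute through the enhanced inspection path
    return "TERMINATE"


if __name__ == "__main__":
    profile = Baseline(BASELINE_SESSIONS)
    samples = {
        "typical": (48, 20_000, "1.2", 443, True),
        "long session": (120, 20_000, "1.2", 443, True),
        "tunnel-like": (3_600, 400_000, "1.3", 8388, False),
    }
    for label, session in samples.items():
        s = risk_score(profile, *session)
        print(f"{label:12s} score={s:.3f} -> {enforce(s)}")
```

The point the example makes for tool developers is the one the text draws: a session can be terminated with no signature match at all, purely because its shape (a single encrypted connection held open for an hour, moving far more data than the user's history) falls outside the profile.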
Modular App Fingerprinting and Decision Systems
One of the most revealing components in the leaked dataset is the presence of a modular, multi-layered application fingerprinting system, which underpins much of the Great Firewall’s real-time traffic classification and enforcement logic. This system is not simply reliant on domain blacklists or static protocol rules but employs a dynamic, pluggable architecture where different modules, working in tandem, evaluate attributes of encrypted and plaintext traffic. The system performs deep traffic inspection based on JA3 TLS fingerprints (a method of profiling TLS client handshakes), Server Name Indication (SNI) strings, DNS query patterns, packet timing, and destination port behavior. Multiple heuristic layers are involved, where traffic is matched against known circumvention tools like Psiphon, Shadowsocks, and V2Ray, as well as commercial proxies and enterprise VPN suites.
The GFW’s fingerprinting pipeline does not stop at static rule matches. Once traffic flows are parsed by protocol modules, they are routed through behavioral filters that assess timing, packet size variability, and entropy characteristics. These traits are then scored by a lightweight machine learning classifier which, as seen in logs and decision outputs, assigns a confidence level to the classification. Depending on this confidence score, the decision engine passes traffic, flags it for review, or immediately disrupts the connection. This adaptive model, visible in both .maat telemetry and control command logs, suggests that the GFW does not operate purely on static lists, but instead evolves in near-real time by observing patterns and feeding results into training datasets. As a result, circumvention tools face a constantly shifting defensive surface, requiring continuous adaptation to avoid detection.
Decentralized Command Queues and Update Propagation
Another advanced feature uncovered in the dataset is the GFW’s tiered command-and-control architecture, which uses decentralized command queues to propagate filtering rules, scan directives, and session control policies to regional enforcement nodes. This structure is not strictly top-down, but instead reflects a hub-and-spoke model whereby provincial or municipal GFW agents synchronize with national control hubs, receiving filtering updates while also reporting telemetry and detection feedback upstream. Evidence of this architecture is found in the spreadsheets and text files, which show user roles, scheduled update logs, and endpoint classifications across different administrative regions (e.g., Hebei, Guangdong, Shandong).
Decentralized command queue and update propagation architecture
Update propagation mechanisms leverage remote configuration push systems, likely built atop web-based dashboards and LDAP-authenticated portals. These dashboards, visible in screenshot metadata and firewall controller logs, allow mid-tier administrators to schedule specific control flows, like blacklisting domains, injecting TCP RST packets, or initiating SNI-based filtering routines, targeted to regionally scoped IP ranges. Importantly, logs document queue flushing events and propagation success messages, indicating that rule updates are both time-sensitive and segmented by endpoint type. This modular push architecture ensures that detection heuristics and filtering capabilities can be deployed asymmetrically, tailored to regional priorities, while maintaining coherence across the national censorship system. It reflects a careful balance between operational flexibility and central control.
TLS Fingerprinting and Misclassification Errors
One of the more subtle yet technically revealing aspects of the Great Firewall (GFW) uncovered in the dataset is its heavy reliance on TLS fingerprinting mechanisms, including SNI (Server Name Indication) filtering and JA3 hashing. These techniques allow the system to classify encrypted traffic streams based on patterns in the TLS handshake process without decrypting content. The presence of logs and spreadsheets detailing SNI strings, matched fingerprints, and decision rules indicates that GFW operators are deploying modern passive fingerprinting to identify circumvention tools such as V2Ray, Shadowsocks, and Psiphon, even when encryption obfuscates content.
However, the sophistication of this fingerprinting is limited by its deterministic nature. Probe logs and several domain block tables demonstrate that the firewall infrastructure occasionally misclassifies benign traffic, particularly when updates to JA3-based signatures lag behind app version changes or new cipher suite deployments. Several documented instances show IP addresses or domain names related to major cloud providers like AWS or Google Cloud being blackholed or scanned due to signature collisions with VPN protocols. These “false positives” result in degraded user experience, unjustified blocking of non-malicious content, and in some cases, traffic rerouting to sinkholes.
The logs also show evidence of manual overrides or rule exceptions being implemented in response to these false positives, particularly in files documenting snapshot telemetry or slow query logs. This suggests that while the GFW employs sophisticated fingerprinting techniques, its architecture still requires human intervention to fine-tune classifications and mitigate over-blocking. These observations speak to the brittle nature of relying on opaque machine-learned or static TLS fingerprints at scale, especially when interacting with a fast-evolving internet ecosystem. In practice, the GFW’s fingerprinting capabilities walk a tightrope between aggressive censorship and functional collateral damage, revealing exploitable pressure points for both adversarial red teams and policy advocates.
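JA3 and the collision problem described in the last three paragraphs (and the fingerprint-driven blacklist updates noted earlier under production telemetry), as an added example that is not code from the dataset: it builds two constructed ClientHello messages from the same TLS stack, one for a supposed circumvention client and one for a benign service, computes the JA3 string and MD5 digest (excluding GREASE values, as the reference algorithm does), and shows that a JA3-only blocklist cannot tell them apart. The blocklist entry, the SNI allowlist standing in for the manual override the text describes, and all hostnames are assumptions.

```python
"""JA3 fingerprinting of constructed ClientHello messages, showing a signature collision (added example)."""
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 values, excluded from JA3 strings


def build_client_hello(version, ciphers, extensions, sni=None, curves=(), point_formats=()):
    """Constructed ClientHello handshake message (no TLS record header)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"  # version, client_random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"  # one compression method: null
    ext_bytes = b""
    for ext_type in extensions:
        if ext_type == 0 and sni:  # server_name
            host = sni.encode()
            entry = b"\x00" + struct.pack(">H", len(host)) + host
            data = struct.pack(">H", len(entry)) + entry
        elif ext_type == 10:  # supported_groups
            data = struct.pack(">H", 2 * len(curves)) + b"".join(struct.pack(">H", c) for c in curves)
        elif ext_type == 11:  # ec_point_formats
            data = bytes([len(point_formats)]) + bytes(point_formats)
        else:
            data = b""  # other extensions carry no payload in this constructed hello
        ext_bytes += struct.pack(">HH", ext_type, len(data)) + data
    body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Extract the JA3-relevant fields plus the SNI from a ClientHello handshake message."""
    assert msg[0] == 0x01, "not a ClientHello"
    off = 4
    version = struct.unpack(">H", msg[off:off + 2])[0]
    off += 2 + 32              # version, client_random
    off += 1 + msg[off]        # session id
    cs_len = struct.unpack(">H", msg[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack(">H", msg[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + msg[off]        # compression methods
    end = off + 2 + struct.unpack(">H", msg[off:off + 2])[0]
    off += 2
    extensions, curves, formats, sni = [], [], [], None
    while off < end:
        etype, elen = struct.unpack(">HH", msg[off:off + 4])
        data = msg[off + 4:off + 4 + elen]
        off += 4 + elen
        extensions.append(etype)
        if etype == 0 and elen:
            sni = data[5:5 + struct.unpack(">H", data[3:5])[0]].decode()
        elif etype == 10:
            n = struct.unpack(">H", data[:2])[0]
            curves = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11:
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats, "sni": sni}


def ja3(hello):
    """JA3 string (version,ciphers,extensions,curves,point_formats) and its MD5 digest."""
    def dash(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    s = ",".join([str(hello["version"]), dash(hello["ciphers"]), dash(hello["extensions"]),
                  dash(hello["curves"]), dash(hello["formats"])])
    return hashlib.md5(s.encode()).hexdigest(), s


# Constructed: a "known circumvention client" and a benign client built on the same TLS
# library. Same handshake shape, different SNI, therefore the same JA3 digest.
STACK = dict(version=0x0303, ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B],
             extensions=[0, 10, 11, 43], curves=[29, 23], point_formats=[0])
PROXY_HELLO = build_client_hello(sni="relay.proxy.example", **STACK)
BENIGN_HELLO = build_client_hello(sni="cdn.example", **STACK)
JA3_BLOCKLIST = {ja3(parse_client_hello(PROXY_HELLO))[0]: "proxy-client-sig"}  # constructed entry


def classify(msg, blocklist=JA3_BLOCKLIST, sni_allowlist=frozenset()):
    """JA3-only matching blocks every client that shares the digest; the SNI allowlist plays
    the role of the manual exception the text describes for collision-driven false positives."""
    hello = parse_client_hello(msg)
    digest, _ = ja3(hello)
    if digest in blocklist and hello["sni"] not in sni_allowlist:
        return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    for name, msg in (("proxy", PROXY_HELLO), ("benign", BENIGN_HELLO)):
        hello = parse_client_hello(msg)
        print(name, hello["sni"], ja3(hello)[0], classify(msg))
    print("benign with SNI override:", classify(BENIGN_HELLO, sni_allowlist={"cdn.example"}))
```

The GREASE value 0x0A0A in the cipher list is dropped before hashing, so randomized GREASE does not change the digest; what does change it is any library update that reorders or adds ciphers or extensions, which is exactly the signature lag the text attributes the misclassifications to.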
Protocol Deviation Handling and Anomaly Isolation
Another subtle yet technically sophisticated component of the GFW is its capability to detect and respond to protocol deviations, instances where data flows do not conform to the expected standards of HTTP, TLS, DNS, or QUIC traffic. These deviations are typically indicators of encrypted tunneling, obfuscation frameworks, or non-standard clients used for circumvention. The leaked telemetry logs, configuration spreadsheets, and packet inspection schemas provide evidence that the GFW uses a multi-layered response strategy against these anomalies.
At the first stage, stateful inspection engines scan for malformed packet structures, mismatched Content-Length headers, improper TLS handshake sequences, and DNS replies with unusual TTL values. Artifacts such as firewall.sd.maat.status.txt, slow query logs, and Redis-backed memory logs show that non-compliant behaviors are tagged with metadata flags like PROTO_DEVIATE, NONSTD_HEADER, or QUIC_FAULT. These sessions are then passed into either temporary quarantine routes, such as blackhole redirect IPs, or on to active probing to test for evasive tunneling behavior.
The second stage involves traffic replay and anomaly simulation, where the GFW replicates offending traffic patterns and injects them into sandboxed environments to confirm whether the payload corresponds to obfuscated VPNs, HTTP tunnels, or unauthorized encryption schemes. Logs document timed replay payloads and outbound test probes using crafted TLS or DNS packets. Some deviations are further escalated to manual triage teams or flagged in Graphviz-style flow control diagrams embedded in .vsd Visio files.
This protocol deviation handling system showcases not only the depth of the GFW’s reactive controls but also its ability to learn from emergent behavior, update heuristics dynamically, and enforce policy not just on known bad domains or IPs, but on the shape and rhythm of communication patterns themselves. This makes circumvention more difficult, as developers must now account for not only static blocklists but also behavioral anomaly detection systems embedded within China’s censorship infrastructure.
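The first-stage checks described above, as an added example (not code from the dataset): small validators over constructed HTTP, TLS, DNS and QUIC samples that emit the PROTO_DEVIATE, NONSTD_HEADER and QUIC_FAULT tags the text cites and route a session to pass-through, active probing or quarantine. The DNS_TTL_ANOMALY tag, the thresholds and the routing policy are assumptions; the exact checks the GFW runs are not documented in the text.

```python
"""Protocol-deviation tagging over constructed HTTP, TLS, DNS and QUIC samples (added example)."""
import struct

# PROTO_DEVIATE, NONSTD_HEADER and QUIC_FAULT are the tag names the leak documents;
# DNS_TTL_ANOMALY, the thresholds and route() are assumptions for illustration.


def check_http(raw: bytes):
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["PROTO_DEVIATE"]  # no end-of-headers marker at all
    flags = set()
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3 or not request_line[2].startswith(b"HTTP/"):
        flags.add("PROTO_DEVIATE")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # RFC 9110 allows more token characters than this; the check is deliberately strict,
        # because hand-rolled tunnels are where odd header names show up
        if not colon or not name.strip().replace(b"-", b"").isalnum():
            flags.add("NONSTD_HEADER")
            continue
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        declared = headers[b"content-length"]
        if not declared.isdigit() or int(declared) != len(body):
            flags.add("PROTO_DEVIATE")  # declared length disagrees with what was actually sent
    return sorted(flags)


def check_tls_first_record(raw: bytes):
    """The first client record must be a handshake record whose body is a ClientHello."""
    if len(raw) < 5:
        return ["PROTO_DEVIATE"]
    ctype, version, length = struct.unpack(">BHH", raw[:5])
    flags = set()
    if ctype != 0x16 or version not in (0x0301, 0x0302, 0x0303):
        flags.add("PROTO_DEVIATE")
    if length != len(raw) - 5 or length == 0 or raw[5] != 0x01:
        flags.add("PROTO_DEVIATE")
    return sorted(flags)


def check_dns_ttl(ttl: int, low=30, high=7 * 24 * 3600):
    """Assumed bounds: sub-30s TTLs and TTLs over a week are both unusual for real zones."""
    return ["DNS_TTL_ANOMALY"] if ttl < low or ttl > high else []


def check_quic_initial(raw: bytes):
    """Long-header form bit and fixed bit (RFC 9000) plus a known version (v1 or v2, RFC 9369)."""
    if len(raw) < 5:
        return ["QUIC_FAULT"]
    first = raw[0]
    version = struct.unpack(">I", raw[1:5])[0]
    if first & 0xC0 != 0xC0 or version not in (0x00000001, 0x6B3343CF):
        return ["QUIC_FAULT"]
    return []


def route(flags):
    """Assumed policy: hard deviations go to a quarantine route, soft ones to active probing."""
    if not flags:
        return "PASS"
    if flags & {"PROTO_DEVIATE", "QUIC_FAULT"}:
        return "QUARANTINE"
    return "PROBE"


# Constructed samples
GOOD_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nContent-Length: 5\r\n\r\nhello"
BAD_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\nX@Tun: 1\r\nContent-Length: 99\r\n\r\nab"
GOOD_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # handshake record wrapping a ClientHello type byte
BAD_TLS = b"\x17\x03\x03\x00\x02\xaa"                   # application data first, and length mismatch
GOOD_QUIC = b"\xc0\x00\x00\x00\x01" + bytes(20)         # long header, fixed bit set, version 1
BAD_QUIC = b"\x80\xde\xad\xbe\xef" + bytes(20)          # fixed bit clear, unknown version

if __name__ == "__main__":
    checks = [("good http", check_http(GOOD_HTTP)), ("bad http", check_http(BAD_HTTP)),
              ("good tls", check_tls_first_record(GOOD_TLS)), ("bad tls", check_tls_first_record(BAD_TLS)),
              ("good quic", check_quic_initial(GOOD_QUIC)), ("bad quic", check_quic_initial(BAD_QUIC)),
              ("dns ttl=1", check_dns_ttl(1))]
    for name, flags in checks:
        print(f"{name:10s} {flags} -> {route(set(flags))}")
```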
Integration of Surveillance Platforms and Data Fusion
One of the more formidable aspects of the Great Firewall’s (GFW) evolution is the integration of real-time network filtering with broader surveillance ecosystems. The data assessed from the 500GB breach confirms that firewall telemetry, such as flagged sessions, packet capture metadata, and access anomalies, is not siloed within the GFW apparatus. Instead, it feeds into centralized repositories where it is correlated with endpoint identity, system behavior, application telemetry, and even social profiling signals.
Logs analyzed from MAAT, sd-redis, and snapshot exports show distinct identifiers being used across firewall records, system monitors, and application-layer access logs. These identifiers, most notably persistent UUIDs, IMEI/IMSI hashes, and partial SSO tokens, indicate cross-platform tagging, likely used for behavioral correlation. This is supported by spreadsheets listing VPN server hits alongside cached user session data, and references to location-aware scanning logic embedded in regional configuration files. The presence of fields like 责任人 (responsible person) and user-role tags in spreadsheet metadata further indicates that system usage is attributable, not anonymized.
What emerges is a picture of data fusion at scale, where censorship enforcement is not merely technical, but linked to identity and reputation systems. It is likely that flagged activity within the GFW can escalate to surveillance review queues in platforms such as Skynet (天网) and Sharp Eyes (雪亮工程), integrating with national security databases. In this architecture, the GFW is not a wall, but a sieve, detecting, classifying, logging, and escalating infractions across bureaucratic and technological layers. The Chinese censorship regime thus operates not only as an information filter, but as a reputational sorting system, linking digital behavior to administrative consequences.
Remote Command Injection and Centralized Control Queues
One of the most significant revelations within the Great Firewall dataset is the use of remote command injection frameworks for real-time policy updates and enforcement. (Here “command injection” describes centrally issued control commands pushed into regional enforcement nodes, not the web application vulnerability class of the same name.) Analysis of the files, combined with metadata from .vsd network maps and firewall.sd.maat.status, suggests that the GFW supports a centralized command-and-control (C2) model for dynamically managing its censorship rules and behavioral triggers.
Unlike the static firewall configurations typically associated with traditional network perimeter defense, the GFW employs push-based command execution. Commands are delivered to regional or localized DPI appliances, surveillance nodes, and edge routers via a tiered orchestration mechanism. The presence of fields like 部署方式 (deployment mode), 指令同步策略 (instruction synchronization strategy), and 责任人 (responsible party) in the spreadsheet metadata illustrates a delegated enforcement model, where operators across various provinces and telecom backbones receive and execute filtering updates issued from a central authority, likely situated within Beijing or under Ministry of State Security (MSS) control.
The logs reveal that rule updates are batched and tagged with timestamps, UUIDs, and content categories, such as “VPN,” “sensitive term,” or “foreign platform.” In some cases, these are deployed with rollback triggers and can be toggled based on traffic spikes, public sentiment monitoring, or new circumvention tool detection. Custom scripts also suggest that updates can target infrastructure selectively, for example, only IPv6 subnets within 联通 (Unicom) in a specific region, or only mobile application traffic over TLS 1.3 from certain devices.
In essence, this system is not a passive firewall but a living censorship organism, capable of autonomous adaptation and centrally coordinated behavior modification. These command injection pathways are also likely tied into the metadata-based identity tracking system that feeds into China’s broader surveillance and social credit scoring architectures, ensuring that information control can be tuned at the individual, device, or regional level in real time.
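The batched, scoped rule push and rollback described in this section, and the queue flush and regional targeting described under decentralized command queues above, as an added example (not code from the dataset): a regional node receives batches tagged with a UUID, timestamp and category, applies on flush only those whose operator scope covers it, evaluates sessions against source-prefix and TLS-version scoping, records feedback for upstream reporting, and rolls a batch back by id. The data layout, the use of operator names as scope keys, and the IPv6 documentation prefix standing in for an operator allocation are all assumptions.

```python
"""Scoped rule batches pushed to a regional node, with flush and rollback (added example)."""
import ipaddress
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Rule:
    action: str   # e.g. "RST" (inject TCP reset), "SINKHOLE", "SNI_FILTER"
    match: dict   # session attributes that must all match, e.g. {"sni": "relay.proxy.example"}


@dataclass
class RuleBatch:
    category: str   # "VPN", "sensitive term", "foreign platform", ...
    scope: dict     # {"operator": ..., "prefixes": [...], "tls_versions": [...]}
    rules: list
    batch_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    issued_at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def in_scope(scope, session):
    """Selective targeting: operator, source prefix (v4 or v6) and negotiated TLS version."""
    if scope.get("operator") not in (None, session.get("operator")):
        return False
    prefixes = scope.get("prefixes")
    if prefixes:
        src = ipaddress.ip_address(session["src_ip"])
        if not any(src in ipaddress.ip_network(p) for p in prefixes):
            return False
    versions = scope.get("tls_versions")
    if versions and session.get("tls_version") not in versions:
        return False
    return True


class RegionalNode:
    """Provincial enforcement agent: queues incoming batches, applies them on flush, reports
    which batch produced each decision, and can roll a batch back by id."""

    def __init__(self, region, operator):
        self.region, self.operator = region, operator
        self.queue = []
        self.active = {}     # batch_id -> RuleBatch
        self.feedback = []   # (batch_id, action) records to report upstream

    def enqueue(self, batch):
        self.queue.append(batch)

    def flush(self):
        """Apply every queued batch whose operator scope covers this node; discard the rest."""
        applied = []
        while self.queue:
            batch = self.queue.pop(0)
            if batch.scope.get("operator") in (None, self.operator):
                self.active[batch.batch_id] = batch
                applied.append(batch.batch_id)
        return applied

    def rollback(self, batch_id):
        return self.active.pop(batch_id, None) is not None

    def decide(self, session):
        session = {**session, "operator": self.operator}
        for batch in self.active.values():
            if not in_scope(batch.scope, session):
                continue
            for rule in batch.rules:
                if all(session.get(k) == v for k, v in rule.match.items()):
                    self.feedback.append((batch.batch_id, rule.action))
                    return rule.action, batch.batch_id
        return "PASS", None


if __name__ == "__main__":
    node = RegionalNode("Hebei", "联通")
    # Constructed batch: the IPv6 documentation prefix stands in for an operator allocation
    vpn_batch = RuleBatch("VPN", {"operator": "联通", "prefixes": ["2001:db8::/32"], "tls_versions": ["1.3"]},
                          [Rule("RST", {"sni": "relay.proxy.example"})])
    other_operator = RuleBatch("foreign platform", {"operator": "电信"}, [Rule("SINKHOLE", {"sni": "x.example"})])
    node.enqueue(vpn_batch)
    node.enqueue(other_operator)
    print("applied on flush:", node.flush())
    hit = {"src_ip": "2001:db8::1", "tls_version": "1.3", "sni": "relay.proxy.example"}
    print(node.decide(hit))                            # ('RST', vpn_batch.batch_id)
    print(node.decide({**hit, "tls_version": "1.2"}))  # ('PASS', None): outside the TLS scope
    node.rollback(vpn_batch.batch_id)
    print(node.decide(hit))                            # ('PASS', None) after rollback
```

The feedback list is the upstream half of the hub-and-spoke loop: every hit carries the batch id that produced it, which is what lets a central operator see that a batch is firing too often and trigger the rollback.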
China’s Social Credit Score System and the Great Firewall
The Chinese Social Credit Score System (SCS) is a sprawling, state-coordinated framework designed to promote "trustworthiness" and "moral behavior" among citizens, corporations, and institutions. Rooted in both government regulation and commercial participation, the system aggregates a wide array of behavioral, financial, legal, and social data to assign reputation-based scores to individuals and entities. The system is coordinated by central authorities like the National Development and Reform Commission (NDRC), the People’s Bank of China, and the Ministry of Public Security (MPS), with significant technical input from the Cyberspace Administration of China (CAC). These agencies collect data from legal rulings, bank transactions, police records, and even online activity logs. Citizens with high scores receive benefits such as loan approvals and travel priority, while low scores may lead to travel bans, throttled internet, and social blacklisting. Localized implementations by provincial governments and private corporations, such as Alibaba's Sesame Credit, create further layers of scoring, often blending regulatory enforcement with commercial incentives.
The Social Credit Score System in China Logic Diagram
Technical Logic Diagram of Great Firewall Infrastructure for GFW Social Credit Score System
Within this architecture, the Great Firewall (GFW) acts as a technical enforcement and behavioral surveillance mechanism. Data gathered through DPI (Deep Packet Inspection), TLS interception, domain access logs, and behavioral telemetry is used to infer intent and compliance with state-defined norms. For example, users accessing blocked VPN services, attempting to reach blacklisted content, or demonstrating encrypted communication patterns may be flagged in monitoring systems like MAAT or Gohangout. These logs, in turn, feed into centralized analytics platforms that may update regional or national blacklists. Importantly, this technical data is not just used for censorship, it is increasingly integrated into risk models that feed back into the social credit system. The GFW thus becomes more than a digital barrier; it acts as a behavioral sieve, shaping how trustworthiness is algorithmically defined and enforced across China. This convergence of technical infrastructure and socio-political governance represents a profound fusion of surveillance capitalism and state control, with escalating implications for digital human rights.
Conclusion
The Great Firewall’s architecture is not a singular construct but a federated, modular system that reflects a deeply integrated model of scalable repression and technical precision. Rather than centralized omniscience, the system operates through layered enforcement, with real-time monitoring nodes deployed at key internet exchange points (IXPs), backbone service providers, and regional telecom branches. These nodes feed data into centralized analysis engines and regional control centers, where behavioral patterns, encrypted traffic markers, and protocol anomalies are processed through tools like MAAT, Gohangout, and customized Redis-backed monitoring agents. At the application layer, heuristics detect circumvention behavior, such as the use of Psiphon, V2Ray, or Shadowsocks, using techniques like SNI filtering, JA3 fingerprinting, and connection scheduling flags. DNS responses are spoofed or dropped depending on classification rules, while sessions may be hijacked or redirected via sinkholes and TCP reset injections. The underlying telemetry reveals how regional operators execute policies set by central authorities, supported by MSS-linked vendors providing firmware, DPI modules, and command-and-control dashboards.
Despite this sophistication, the leaked data exposed fault lines, including regionally misconfigured mirrors that unintentionally broadcast blacklist UUIDs, and BGP anomalies suggesting overly aggressive routing filters. These lapses highlight both the bureaucratic silos and technical brittleness of enforcing censorship at scale. Nonetheless, the architectural strategy is resilient: it favors redundancy, localized enforcement autonomy, and reactive filtering rather than static rulesets. What emerges is not just a firewall in the traditional sense, but a living ecosystem of algorithmic governance. The next phase of analysis will step beyond the command-line telemetry and log files to examine the broader implications, the geopolitical consequences of codified information suppression, and the mounting human cost of building a surveillance state at the scale of 1.4 billion people.
APPENDIX: A File List
File list from the dump, translated from Chinese
Network Research Report.docx
27712684_attachments_20220419-Zhang Qingfeng-Daily Communication Record.docx
695411_attachments_Phishing Website Detection System Manual.docx
27716205_attachments_Attachment 2: Revision Instructions for Dissertation Revisions after the Pre-Defense.docx
695502_attachments_Regulations on the Management of Mid-term Assessments for Dissertations of the Institute of Information Engineering, Chinese Academy of Sciences (Interim).doc
695678_attachments_Attachment 1: Midterm Report of Graduate Dissertation from University of Chinese Academy of Sciences - Wang Yu.docx
106109974_attachments_Kafka Component Parameters and Frequently Asked Questions.docx
47251516_attachments_2022.05 Daily Communication Minutes.docx
695678_attachments_Attachment 2: Midterm Assessment Registration Form for Graduate Dissertation from University of Chinese Academy of Sciences - Wang Yu.doc
106110644_attachments_Reflections on the Encrypted Video Content Recognition Test Invitational Competition - TikTok - Yang Chen.docx
47251516_attachments_20220601 - Zhang Qingfeng - Daily Communication Records.docx
695874_attachments_CMAF Research and Analysis.docx
47251516_attachments_20220620-Wang Meiqi-Daily Communication Minutes.docx
695874_attachments_Regulations on the Management of Mid-term Assessments of Degree Thesis of the Institute of Information Engineering, Chinese Academy of Sciences (Interim).doc
695874_attachments_Attachment 1: Midterm Report of Graduate Dissertation from University of Chinese Academy of Sciences - Wang Yu.docx
106113429_attachments_Kafka Component Parameters and Frequently Asked Questions.docx
49192059_attachments_20220915 - Gao Yue - Daily Communication Minutes.docx
695874_attachments_Attachment 2: Midterm Assessment Registration Form for Graduate Dissertation from University of Chinese Academy of Sciences - Wang Yu.doc
106113430_attachments_Reflections on the Encrypted Video Content Recognition Test Invitational Competition - TikTok - Yang Chen.docx
49192059_attachments_20220915 - Zhang Qingfeng - Daily Communication Record.docx
695874_attachments_CMAF Research and Analysis.docx
49192059_attachments_20220915 - Wang Meiqi - Daily Communication Record.docx
695874_attachments_Regulations on the Management of Mid-term Assessments of Degree Thesis of the Institute of Information Engineering, Chinese Academy of Sciences (Interim).doc
Analysis of the 500GB+ Great Firewall data breach revealing China’s state censorship network, VPN evasion tactics, and the operators behind it.
A Deep Dive into China’s 500GB+ Censorship Data Breach
Introduction
In a historic breach of China’s censorship infrastructure (September 2025), over 500 gigabytes of internal data were leaked from Chinese infrastructure firms associated with the Great Firewall (GFW). Researchers now estimate the full dump is closer to ~600 GB, with a single archive comprising around 500 GB alone.
The material includes more than 100,000 documents, internal source code, work logs, configuration files, emails, technical manuals, and operational runbooks. (WIRED) The number of files in the dump is reported to be in the thousands (though exact totals vary by source). (Bitdefender)
Among the revealed artifacts are:
RPM packaging server files (the packaging infrastructure used for distributing software artifacts)
Project management data (Jira, Confluence) showing internal tickets, feature requests, bug reports, and deployment histories
Communications and engineering documents showing how censorship tools are tested against VPNs, Tor, and other circumvention methods; e.g. methods of DPI, SSL fingerprinting, and filtering logic. (Tom's Hardware)
Deployment records indicating both domestic use (provinces like Xinjiang, Fujian, and Jiangsu) and export of censorship or surveillance systems to other countries, including Myanmar, Pakistan, Ethiopia, and Kazakhstan.
This report is the first in a three-part series which aims to document the dump’s contents, analyze its technical implications, and assess the geopolitical fallout stemming from the exposure of these sensitive tools and architectures.
Evidence of Failure and Oversight
The leaked IP logs and packet captures expose critical moments where the censorship apparatus faltered, revealing the inherent fragility of the Great Firewall’s distributed enforcement model. In multiple instances, cross-border leakage routes allowed foreign IPs to establish unfiltered sessions for extended periods, suggesting delays in rule propagation, temporary policy gaps, or the failure of heuristic detection systems. These lapses demonstrate that while the system is highly surveillant, it remains reactive and inconsistently enforced across regions.
Additionally, misconfigured mirrors inadvertently exposed internal blacklist data to external interfaces. These exposures included leaked regional UUIDs and configuration files, offering rare insight into the naming conventions and structural logic of localized rule deployment. Simultaneously, honeypot deployments on high-risk ports attracted and logged adversary interactions, including traceroutes and detailed packet-level reconnaissance, suggesting that foreign entities were already probing China’s defensive perimeter. These incidents, likely overseen by regional engineers or testbed maintainers, underscore the bureaucratic brittleness of a censorship regime built on siloed enforcement layers, inconsistent rule application, and latency in central-to-edge command synchronization.
The Nature of the Dump
The dataset is a sprawling, multifaceted archive that lays bare the technical scaffolding of China's digital surveillance regime. It includes raw IP access logs from state-run telecom providers such as China Telecom, China Unicom, and China Mobile, revealing real-time traffic monitoring and endpoint interaction. (Downloading and researching such data should be handled only by professionals in protected environments, given the potential for malware and sensitive information in the archive.)
Packet captures (PCAPs) and routing tables are paired with blackhole sinkhole exports, detailing how traffic is intercepted, redirected, or silently dropped. A trove of Excel spreadsheets enumerates known VPN IP addresses, DNS query patterns, SSL certificate fingerprints, and behavioral signatures of proxy services, offering insight into identification and blocking heuristics. Visio diagrams (.vsd/.vsdx) map out the internal firewall architecture, from hardware deployments to logical enforcement chains spanning various ministries and provinces. Application-layer logs dissect tools like Psiphon, V2Ray, Shadowsocks, and corporate proxy gateways, capturing how these are tested, fingerprinted, and throttled. The dataset also contains databases of FQDNs, SNI strings, application telemetry, and “sketch logs”, showing serialized behavioral data scraped from mobile apps. System-level monitoring exports reveal server CPU usage, memory utilization, stream session logs, and real-time user states. Crucially, metadata leaked from Word, Excel, and PowerPoint files exposes the usernames, organizational affiliations, and edit trails of engineers and bureaucrats working on censorship infrastructure. Finally, OCR-processed screenshots illustrate the UI panels of traffic control dashboards, logging mechanisms, and internal tooling, offering a visual window into how the Great Firewall is operated in practice.
The dataset includes:
Raw IP access logs from state-run service providers (e.g., China Telecom, Unicom, Mobile)
Packet captures (PCAPs), routing tables, and blackhole sinkhole exports
Excel spreadsheets listing VPN IPs, DNS logs, SSL certs, and proxy service patterns
Application-layer analyses of tools like Psiphon, V2Ray, Shadowsocks, and enterprise proxies
Databases of FQDNs (fully qualified domain names), SNI patterns, app telemetry, and app "sketch" logs
Monitoring exports for CPU usage, system state, user sessions, and stream logs
Metadata leaks from Word, Excel, and PowerPoint documents exposing usernames, organizations, and edit histories
OCR’d screenshots showing UI interfaces of control panels and logging dashboards
The Implications of a 500GB Breach
The leak of over 500 gigabytes of internal data from China's censorship infrastructure constitutes one of the most consequential exposures in the history of digital authoritarianism. Encompassing more than 7,000 files, the dataset provides not merely an isolated glimpse but an extended, multi-dimensional forensic cross-section of the Great Firewall's operational anatomy, revealing system telemetry, logic flows, user sessions, document metadata, application analyses, and network schematics. Far from being an accidental disclosure of logs, this archive represents a curated corpus likely compiled over a prolonged period, indicating either a trusted insider with comprehensive access or a methodical and externally orchestrated data exfiltration campaign.
Two plausible breach pathways emerge from the data. First, a deep internal compromise likely stems from an operator with privileged access, potentially a systems administrator, subcontractor, or disillusioned insider, working from a centralized infrastructure hub. The breadth of materials, including internal routing tables, packet captures, monitoring exports, and user-generated documents, suggests systemic access to both operational and administrative layers of the censorship stack. Metadata uniformity and filename consistency point to deliberate organization, likely done incrementally and with operational awareness. Alternatively, the diversity of systems accessed hints at a second possibility: a coordinated external exfiltration effort carried out by a sophisticated threat actor, such as a nation-state or specialized red team. In this scenario, misconfigurations in firewalls, insecure admin panels, and segmented network seams may have been exploited to gain footholds and siphon data over time. PCAP captures, CPU load logs, and Visio diagram exports suggest persistent access and automated tooling were in play.
Regardless of the breach mechanism, the consequences are profound. Technically, the leak has rendered much of China's detection arsenal obsolete: VPN heuristics, DPI rule sets, SNI-based fingerprinting algorithms, and application proxy classifiers are now open to scrutiny, replication, and evasion. Operationally, usernames, hostnames, and file authorship data risk exposing government contractors, telecom engineers, and researchers, increasing their vulnerability to naming and shaming, targeted sanctions, or exploitation by rival intelligence services. The documentation of flawed infrastructure, such as packet loss under scan load, looped sinkhole rules, and session state anomalies, presents ripe opportunities for adversarial exploitation. Strategically, this dataset arms censorship circumvention communities, policy advocates, and red teams with the ability to simulate and reverse-engineer enforcement logic, undermining the efficacy of centralized control. In sum, this breach collapses the asymmetry between censor and censored, offering, for the first time, a detailed blueprint of China’s digital surveillance leviathan.
Mapping the Human-Technical Interface
The organizational fingerprints uncovered within the leaked dataset provide a remarkably detailed view into the inner workings of the Great Firewall (GFW) and the ecosystem of actors that maintain and enforce it. Rather than a monolithic structure, the GFW emerges as a multi-tiered apparatus with clearly delineated, yet overlapping, spheres of responsibility. At the top are national censorship policy architects, likely operating under the auspices of the Ministry of State Security (MSS) or the Ministry of Industry and Information Technology (MIIT), who define strategic goals and traffic classification directives. These directives cascade down to regional enforcement units embedded within state-run ISPs like China Telecom, China Unicom, and China Mobile, where they are operationalized at backbone routers and internet exchange points. Academic collaborators, often based in state-linked institutions such as Tsinghua, USTC, or the Chinese Academy of Sciences, serve as technical force multipliers, crafting fingerprinting algorithms, traffic classifiers, and AI-driven detection heuristics. Finally, a shadow layer of software engineers and infrastructure operators maintain the technical systems, dashboards, scheduling agents, and rule propagation mechanisms that implement censorship policy at scale.
Screenshot from the dump of a management console
Drawing from Excel logs, packet captures, and Visio topology diagrams, a clearer human and technical map is emerging. Dozens of usernames and hostnames traced across file metadata tie specific individuals to roles such as hardware engineering, data center administration, and network research. Internal monitoring logs document the real-time execution of regional scanning scripts; app-layer inspection routines flagging encrypted VPN protocols; and automated classification of TLS handshakes through SNI fingerprinting. Further network telemetry reveals sophisticated TCP/UDP port scanning patterns, clearly aligned with foreign traffic signature identification. Notably, even as these systems operate with impressive precision, lapses are evident: logs show instances of cross-border traffic escaping inspection, internal blacklist mirrors exposed through misconfiguration, and honeypots receiving foreign reconnaissance traffic. These data points not only reinforce the highly compartmentalized structure of GFW enforcement, but also highlight critical seams in its defensive perimeter, seams that adversaries could exploit with careful targeting.
Metadata Exposure: Attribution Through Digital Breadcrumbs
One of the most revealing and strategically valuable components of the GFW data dump lies not in the structured log files or architectural diagrams, but in the metadata accidentally embedded across thousands of files. These residual traces, often overlooked in threat modeling, offer a rare glimpse into the human and organizational machinery behind China’s censorship apparatus.
The dump exposes dozens of unique usernames, many of which follow consistent naming conventions indicative of internal departmental hierarchies. These include system-level account names (e.g., admin-jw, it_ops_lh, yunwei-wang) and author tags in Office documents, enabling correlation to individual operators. In many cases, authorship data and revision histories link technical documents, such as server topology diagrams, SQL queries, and application configuration logs, to specific personnel across government agencies, telecom subsidiaries, and third-party contractors.
Cross-referencing these metadata fields with known Chinese corporate entities and state-linked research institutes has enabled the construction of preliminary attribution clusters. These clusters show clear ties to China Telecom, China Unicom, and China Mobile, as well as connections to academic partners (including digital forensics labs) and MSS-linked infrastructure vendors such as Tietong, CETC, and provincial branches of the MIIT.
Notably, multiple files retain internal IP address references and machine hostnames mapped to sandbox and testbed environments used for evaluating censorship evasion tools. These include systems tagged for Psiphon, V2Ray, and Shadowsocks analysis. Some remote server addresses and reverse-proxy logs point to GFW staging zones used to pilot domain interdiction and traffic shaping prior to national rollout.
This corpus of metadata, when enriched through Whois pivots, OSINT facial recognition, and password reuse enumeration, allows for the development of organizational maps and adversary role modeling. These in turn can inform future red-team operations targeting the GFW’s human operators, backend infrastructure, and chain-of-command logic. With metadata drawn from Word, Excel, Visio, and network logs, researchers now hold the building blocks for a relational understanding of censorship personnel and policy execution, from engineers and system admins to project managers and analysts.
This is not just a technical leak; it is a rare unmasking of the people behind the policy.
Among the most valuable aspects of this dump are the accidental leaks of metadata that revealed:
Dozens of usernames tied to internal departments
System usernames and document authorship tied to technical operators and analysts
Organizational affiliations across telecoms, research labs, and suspected MSS-linked infrastructure vendors
Tracebacks to IP addresses tied to GFW testbed deployments and server farms
A correlation of this data has begun to yield early attribution clusters and organizational modeling, laying the groundwork for adversarial red teaming against censorship controls.
Organizational Fingerprints: Mapping the Bureaucracy Behind the Great Firewall
Beyond the technical evidence of censorship and traffic manipulation, the leaked dataset offers a rare opportunity to construct a socio-technical map of the Great Firewall (GFW) apparatus, not just how it works, but who builds it, who maintains it, and how China's censorship ecosystem is organizationally compartmentalized.
The metadata extracted from over 7,000 documents, spreadsheets, Visio network maps, text logs, dashboards, and software configuration files reveals a complex lattice of state-linked entities operating in tightly controlled silos. Through usernames, author tags, internal IP assignments, system banners, and internal routing headers, we’ve begun to correlate individuals to functional roles and institutional affiliations.
The internal architecture of the Great Firewall is supported by a network of organizations ranging from state-owned enterprises to elite research institutions and private sector vendors. Core traffic monitoring and enforcement responsibilities are handled by China Telecom, China Unicom, and China Mobile, whose infrastructure appears repeatedly in PCAP logs, IP registries, and system-level telemetry. Metadata from Visio diagrams and scanning scripts links regional enforcement activities to provincial branches such as 广东联通 and 河北电信, indicating decentralized operational cells. At the academic and research level, contributors from the Chinese Academy of Sciences, CNCERT, Tsinghua University, and USTC are implicated in traffic modeling, VPN fingerprinting, and algorithmic SNI detection, functioning in a science-to-policy pipeline. Additional entities like Huaxin, Venustech, and Topsec, believed to have ties to the Ministry of State Security (MSS), appear responsible for developing packet inspection hardware, “smart gateways,” and modular control interfaces. System topology files suggest regional hubs under provincial control, with metadata pointing to a tiered model of command, central rule authors in Beijing, and localized operators managing disruptions and resets.
Supporting this infrastructure is a suite of internal tools, including web dashboards for traffic classification, rule propagation, and keyword blacklisting, many of which rely on LDAP-based access and appear to be integrated with institutional Single Sign-On systems. Screenshots and logs expose dynamic control capabilities such as automated session disruption and region-specific enforcement thresholds. Crucially, the dataset reveals extensive metadata leakage: usernames and computer hostnames link individuals to telecom offices and technical roles; document authorship trails help establish personal and institutional attribution. The documents further expose how responsibilities are compartmentalized, illustrating a strict vertical segmentation between engineering, monitoring, and enforcement functions. Overlapping IP clusters, authorship patterns, and PCAP exports across regions hint at interagency coordination, albeit scoped and isolated. Together, these findings allow for the construction of an emerging socio-technical map of the GFW’s human infrastructure, forming the groundwork for attribution modeling and adversarial counter-censorship strategy.
Technical Overview: Core Mechanisms of the GFW Architecture
The leaked dataset exposes a highly modular and deeply integrated censorship architecture underlying the Great Firewall of China. Rather than operating as a single centralized filter, the GFW is revealed to be a distributed system of surveillance and control spanning national, regional, and local network layers. Its enforcement mechanisms include everything from DPI inspection at major internet exchange points to application-layer behavioral analysis and live session manipulation through web-based dashboards. Across the dataset, there is a recurring pattern of siloed technical roles operating under central orchestration, with regional enforcement nodes acting as both detection points and policy executors.
Network Topology Diagram (Five Rings Network 五环网络) - This image is a logical and physical network topology map included in the dump of a segmented enterprise or academic network system referred to as 五环核心 (Five Rings Core Network). It displays VLAN segmentation, inter-switch trunking, DHCP assignments, and guest/staff/IPv6/WiFi zones, possibly reflecting real-world infrastructure used in Chinese internal IT or censorship-research testbeds.
At the core of traffic interception are the state-run ISPs, China Telecom, China Unicom, and China Mobile, which serve as both service providers and surveillance intermediaries. Logs from these providers document the interception and classification of traffic based on packet content using deep packet inspection (DPI) techniques. These techniques target TLS/HTTPS session metadata, such as Server Name Indication (SNI) fields, and single out potentially suspicious connections based on protocol anomalies, including entropy, timing patterns, and payload structures. The infrastructure supports detection of known circumvention tools such as Shadowsocks, V2Ray, and Psiphon. Visio network diagrams show these DPI modules deployed at key peering points, especially in major metropolitan areas and provincial backbones, suggesting a tiered control model.
Application-level analysis is conducted using fingerprinting heuristics derived from both raw network characteristics and behavioral modeling. Various Excel spreadsheets and telemetry exports include references to TLS fingerprinting rules, heuristic classifiers for VPN/proxy traffic, and statistical models used to flag encrypted tunnels. These analyses rely on databases of SNI patterns, handshake behaviors, and traffic volume profiles. Simpler applications are captured through static indicators, while more sophisticated obfuscated traffic is subjected to sketch-based detection, a form of lightweight signature modeling. This reveals a layered approach to detection, with different modules specializing in different levels of granularity and evasiveness.
Online translation: Anonymous DNS Resolution System via Tor Network with DOH (DNS-over-HTTPS) Encryption
Routing logic and censorship enforcement are governed by automated scripts and control schemas that appear to be distributed from centralized locations to regional nodes. Python and shell scripts uncovered in the dataset automate the scanning of IP ranges, the classification of foreign nodes, and the deployment of routing directives. Routing tables, sinkhole IP lists, and blackhole redirects provide insight into how traffic is rerouted or silently dropped based on the policy logic defined upstream. Several control files appear to be distributed on a schedule or in response to live triggers, showing both manual and autonomous enforcement methods. This system likely allows Beijing-based control centers to push directives to provincial-level enforcement arms, where localized engineers and systems perform filtering or inspection with scoped authority.
Operational state is maintained through a robust internal monitoring ecosystem. Included in the leak are comprehensive exports of CPU usage, memory performance, service uptime logs, and stream-based telemetry. These system-wide diagnostics provide not only visibility into the technical health of enforcement systems, but also allow higher-level auditing of session disruptions, filtering efficacy, and infrastructure stability. Screenshots from management interfaces and logs from web-based control dashboards suggest that operators are provided with real-time analytics, interactive filtering toggles, and user/session views. Most of these systems rely on enterprise-grade authentication mechanisms, such as LDAP-based Single Sign-On (SSO), indicating tight coupling between enforcement tooling and institutional IT frameworks.
System Status Network Topology Diagram Organization: China Information and Communication Design Institute Co., Ltd. (中讯邮电咨询设计院有限公司)
An unexpected but critical component of the breach is the metadata embedded within documents and logs. Authorship tags, file paths, and computer hostnames have linked hundreds of documents to individual users, systems, and organizations. These human fingerprints offer unprecedented visibility into the organizational structure behind the GFW’s operation. Engineers, data analysts, lab researchers, and regional technicians are all traceable by name or system alias. Many entries refer to known ISPs, national labs, or university-affiliated nodes, suggesting that the enforcement apparatus spans a wide constellation of public-private partnerships, military-academic collaborations, and centralized policy deployment.
Together, these findings constitute a unique technical cross-section of the Chinese censorship-industrial complex, revealing not just what is filtered or how, but who enforces it, who maintains the infrastructure, and how decisions flow through the layered topology of digital control.
What Comes Next
This report represents only the first installment in a three-part investigative series into the unprecedented breach of China’s censorship apparatus. While this Part 1 has centered on exposing the dataset’s contents and evaluating its technical, organizational, and strategic significance, it is only the beginning. The sheer scale and complexity of the leak, over 500GB of internal GFW infrastructure data, demands a methodical, layered approach to fully grasp its implications. The next two parts in this series will delve even deeper, uncovering the architecture of China’s censorship regime and examining the wider consequences for global digital governance.
Part 2 – The Architecture will offer a forensic reconstruction of how the Great Firewall actually works at the technical level. Leveraging the internal Visio network diagrams, log schematics, scanning schedules, app fingerprinting routines, and heuristic rule exports uncovered in the dump, we will map the core design of the censorship stack. This includes how packets are intercepted, filtered, redirected, or dropped; how apps like Psiphon and V2Ray are detected at the protocol level; and how traffic shaping is deployed based on geography, ISP, or session context. The analysis will also break down the GFW’s modular enforcement structure, highlighting regional control points, the roles of telecom and research institutions, and the likely contribution of vendors with MSS affiliations in building out control interfaces and automated classifiers.
Part 3 – Geopolitics and The Fallout will address the broader implications. This breach does more than just reveal technical controls, it changes the strategic calculus of censorship resistance. We will assess how the exposure reshapes China’s ability to sustain its domestic information control and international cyber operations, and how it informs countermeasures by VPN developers, privacy advocates, and democratic governments. Ethical and legal questions will also be raised: what does responsible engagement with such data look like? And how should open societies use this moment to harden digital rights, strengthen transparency norms, and resist the spread of authoritarian control models abroad? With this series, we aim to present not just the most complete picture yet of the GFW, but a roadmap for pushing back against the machinery of state censorship.
A massive crypto wallet-drain conspiracy links fake trading sites to a single criminal IP address. See our investigative deep dive into how these orchestrated scams are draining user funds.
Cybercriminals are orchestrating a cryptocurrency “wallet drain” conspiracy that spans sketchy browser extensions, mobile profile phishing, and sham cryptocurrency trading platforms, all tied together by a single web of infrastructure. In this investigative deep dive, we expose how multiple scam websites such as medaigenesis[.]cc, novacrypt[.]net, and zzztd[.]com were hosted on the same server IP address, 8.221.100[.]222. These sites formed a coordinated infrastructure used to steal cryptocurrency from unsuspecting users. As of September 25, the A record for novacrypt[.]net stopped resolving to this IP address, which could indicate that the attackers have shifted infrastructure or that the domain has been taken down. The scams range from browser extension popups and iPhone configuration profile traps to fraudulent web trading apps, all of which are backed by clever social engineering. Below, we break down each component of this operation, provide code snippets and network maps, and outline Indicators of Compromise (IOCs) to help you recognize and avoid these threats.
MedAI Genesis – A Fake Medical DAO With a Draining Agenda
One of the more elaborate fronts in this scam network is medaigenesis[.]cc, which presents itself as a next-generation healthcare initiative powered by blockchain and artificial intelligence. Styled as “MedAI Genesis,” the site promotes itself as the future of personalized health management, backed by buzzwords such as AI 5.0, on-chain biometric data, and health NFTs.
“Redistribution of medical resources,” it claims. “Rise of the health currency.”
At first glance, it reads like a cryptocurrency investor’s dream married to a healthcare revolution. The platform boasts features like:
AI-driven medical consultation,
NFT-based health records,
On-chain health governance voting,
A utility token called MDAI.
But under the hood, this is a scam in a lab coat.
Instead of delivering health features, the site launches a wallet connect popup through a browser extension. Its objective is to drain cryptocurrency holdings under the guise of activating access features. The scam blends health tech themes with cryptocurrency mechanics to create a believable front that convinces victims to interact with their wallets, triggering the theft.
How it works: The CSS of Trust Wallet’s Chrome extension (ID egjidjbpglichdcondbcbdnbeeppgdph) supplies the extension’s styling and fonts. The risk arises when scammers replicate that styling to build a phishing page that looks identical to a legitimate Trust Wallet connect prompt. On the fake site, clicking “Connect” does not perform a secure wallet handshake; instead, hidden code can ask the wallet to approve a dangerous transaction. It may look like a plain connection, but if you click approve, the scammer can obtain permission to take your funds.
Scam in Action: Imagine visiting a new cryptocurrency platform and seeing a familiar professional-looking “Connect Trust Wallet” dialog. Believing it is safe, you click connect only to be asked to sign a transaction that silently hands control of your wallet to the scammer. Functions like setApprovalForAll or direct transfers can then be abused to drain assets if you approve.
Notably, the extension’s ID corresponds to a Trust Wallet extension listed on the official Chrome Web Store, which raised alarms. The extension’s review page is filled with reports of stolen funds, scams, and backdoors. It appears scammers either published a fake but convincing “Trust Wallet” extension or leveraged the legitimate one. Either way, its presence in the victim’s browser is what enables the “Fake Wallet Connect” popup to appear.
This tactic is especially dangerous because the CSS makes the interface appear authentic, while the real attack would occur in the underlying JavaScript. In this case, the phishing site (for example, a staged platform like “MedAI Genesis”) appears to still be under construction. The look-alike Trust Wallet pop-up is present in the code but not fully functional, as several links return errors or placeholders, and even the Telegram channel is commented out. These indicators suggest the threat actor could be staging the site for a future campaign. In the meantime, the page is decorated with fake features such as “AI-Powered diagnostic service payments” and “Global health data NFTization,” along with unverifiable profiles and logos from real companies like Pinksale and Binance Smart Chain. These credibility tricks are designed to lower a victim’s guard once the phishing flow is fully enabled.
Cleverly, the phishing kit may even embed Trust Wallet style fonts via chrome-extension:// URLs to mimic the look of the genuine extension UI. This does not grant access to the real extension but enhances the deception.
Figure: CSS from the fake Trust Wallet extension loading a Binance font – indicating the extension is active on the page
Endgame: Once a victim signs the malicious transaction, the attacker has the permissions needed to siphon cryptocurrency assets at will. This is a classic wallet drain; a convincing façade powered by copied CSS and branding, but with the theft executed entirely by malicious JavaScript hidden beneath.
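A defender reviewing a suspect page can check for the two ingredients described above: stylesheet or resource references into a wallet extension's chrome-extension:// origin, and inline script that reaches for token-approval calls next to a “Connect wallet” prompt. The following is an added example (not code from the original article): the extension ID is the Trust Wallet ID cited above, while the sample page, the list of approval calls, and the verdict logic are constructed for the demonstration.

```python
"""Audit a page for a look-alike wallet-connect prompt.

Added example, not code from the original article. It flags pages that
(1) pull resources from a known wallet extension's chrome-extension://
origin, (2) show a 'Connect wallet' prompt, and (3) carry inline script
referencing token-approval calls. The extension ID is the one cited in
the article; the sample page and APPROVAL_CALLS list are constructed."""
import re
from html.parser import HTMLParser

KNOWN_WALLET_EXTENSIONS = {
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet (Chrome Web Store ID cited in the article)",
}
# Calls that should not appear behind a plain 'connect' button. Assumption
# for the demo: a real review would consult the wallet vendor's guidance.
APPROVAL_CALLS = ("setApprovalForAll", "approve(", "eth_sendTransaction", "permit(")
EXT_URL = re.compile(r"chrome-extension://([a-p]{32})/")

# Constructed sample page mirroring the pattern the article describes:
# borrowed extension font, a Trust Wallet styled dialog, and an approval
# request wired to the 'Connect' button.
SAMPLE_PAGE = """<html><head><style>
@font-face { font-family: "Binance";
  src: url(chrome-extension://egjidjbpglichdcondbcbdnbeeppgdph/fonts/b.woff2); }
</style></head><body>
<div class="tw-modal"><h2>Connect Trust Wallet</h2><button id="c">Connect</button></div>
<script>
document.getElementById("c").onclick = async () => {
  await contract.setApprovalForAll(spender, true);
};
</script></body></html>"""


class _Collector(HTMLParser):
    """Separate style text, script text, visible text and attribute URLs."""

    def __init__(self):
        super().__init__()
        self.styles, self.scripts, self.text, self.ext_srcs = [], [], [], []
        self._in = None

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._in = tag
        for _, value in attrs:
            if value and EXT_URL.search(value):
                self.ext_srcs.append(value)

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "style":
            self.styles.append(data)
        elif self._in == "script":
            self.scripts.append(data)
        else:
            self.text.append(data)


def audit_page(html):
    """Return the evidence found and a combined verdict."""
    c = _Collector()
    c.feed(html)
    ext_ids = sorted(set(EXT_URL.findall("".join(c.styles) + "".join(c.ext_srcs))))
    scripts = "".join(c.scripts)
    calls = [k for k in APPROVAL_CALLS if k in scripts]
    connect_prompt = bool(re.search(r"connect\s+(trust\s+)?wallet", "".join(c.text), re.I))
    return {
        "extension_ids": ext_ids,
        "known_wallets": [KNOWN_WALLET_EXTENSIONS[i] for i in ext_ids if i in KNOWN_WALLET_EXTENSIONS],
        "approval_calls": calls,
        "connect_prompt": connect_prompt,
        # All three together are the look-alike drainer pattern from the article.
        "suspicious": bool(ext_ids) and connect_prompt and bool(calls),
    }


if __name__ == "__main__":
    for key, value in audit_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

The check is deliberately conservative: a page that merely styles itself after a wallet is not flagged unless it also shows a connect prompt and references an approval call, which keeps false positives down on legitimate dApps that load extension resources for rendering.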
Fake Trust Wallet CSS code snippet for a popup:
Phishing via iPhone Profile: The Novacrypt “App”
Another facet of this scam nexus targets mobile users, especially iPhone owners, by distributing a malicious Apple configuration profile (.mobileconfig) that masquerades as a new cryptocurrency trading app called Novacrypt. Instead of a real app, victims end up installing a WebClip – essentially a fake app icon that opens a phishing site. This is a stealthy method to phish cryptocurrency exchange credentials via what appears to be a standard app installation.
How it works: The scammers set up a fake “App Store” download page prompting users to install the Novacrypt app for iOS. When the user agrees, they receive a .mobileconfig file from the Novacrypt site (e.g., novacrypt.net/.../Novacrypt.mobileconfig). This configuration profile, when opened on an iPhone, prompts the user to install a new profile, which most users interpret as installing an app or enabling certain functionality.
Let’s break down key parts of the Novacrypt mobileconfig payload:
Figure: Excerpt from the Novacrypt.mobileconfig file, showing it creates a WebClip named "Novacrypt" that opens a URL to h5.novacryptmax[.]com.
PayloadDisplayName = “Novacrypt” – The name shown to the user during install, making it appear official.
PayloadType = com.apple.webClip.managed – This indicates the profile will install a Web Clip (shortcut) on the home screen.
Label = “Novacrypt” – The label under the home screen icon, so it looks like a real app named Novacrypt.
URL = https://h5.novacryptmax[.]com/#/pages/auth/sign-in – The crux of the scam: this is the URL that the WebClip opens. It’s a fake login page on a domain (novacryptmax[.]com) that appears to be related to Novacrypt but is entirely under the scammer’s control.
Additionally, the profile includes a base64-encoded icon image (to make the WebClip icon resemble a legitimate app logo), and it is digitally signed (likely with a self-issued certificate). Interestingly, the profile’s signature references “Let’s Encrypt” and a domain 360[.]icu, suggesting that the threat actor used a free certificate (possibly a deceptive one named to appear trustworthy) and potentially hosted the profile on a domain like 360[.]icu. This shows the lengths to which the scammers go to make the profile appear “verified” to the user.
Step-by-step, the attack unfolds as:
Bait – The victim receives a link (via email, social media, etc.) to download the “Novacrypt crypto trading app.” The link directs users to a page that mimics an official app store, prompting the installation of an iOS configuration profile.
Install – The user installs the profile on their iPhone, ignoring iOS warnings. Because the profile is named “Novacrypt” and has a nice icon, it appears legitimate. A new “Novacrypt” icon now appears on the home screen, as if a real app had been installed.
Phishing – When the victim taps the Novacrypt icon, it doesn’t launch a real app; instead, it quietly opens Safari to h5.novacryptmax[.]com/#/pages/auth/sign-in, a phishing webpage. The page likely impersonates a login screen for a cryptocurrency exchange or wallet.
Credentials Theft – Believing this to be part of setting up the app, the user enters their username, password, 2FA, etc. Those credentials are immediately sent to the attacker. The victim might even be redirected or shown an error afterwards to avoid suspicion. Meanwhile, the attackers can use those stolen logins to empty the victim’s accounts or wallets on real exchanges.
H5.novacryptmax[.]com
This scheme abuses Apple’s enterprise device management feature to add a phishing shortcut on the user’s phone. It appears to install an app, but in reality it is only a bookmark to a fraudulent site. No malware is installed on the device; the “app” is simply Safari redirected to the attacker’s page.
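Because a .mobileconfig is just a property list, the keys walked through above (PayloadType, Label, URL) can be inspected before anyone taps Install. The following is an added example, not code from the original article: it uses Python's standard plistlib to list every managed WebClip payload in a profile and report the host each one opens, which is exactly where the Novacrypt profile gives itself away. The sample profile is constructed to mirror the article's description; the allow-list and the assumption that any CMS signature wrapper has already been stripped are mine.

```python
"""List WebClip payloads in an Apple configuration profile and report
where they point.

Added example, not code from the original article. Assumptions: the
profile is the plain plist XML (a signed profile would first need its
CMS wrapper removed), and the trusted-domain list is supplied by the
reviewer. The sample profile below is constructed after the article's
description of Novacrypt.mobileconfig."""
import plistlib
from urllib.parse import urlparse

WEBCLIP_TYPE = "com.apple.webClip.managed"

# Constructed sample: a profile whose only payload is a managed WebClip.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Novacrypt</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>com.example.profile.webclip</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>Label</key><string>Novacrypt</string>
      <key>URL</key><string>https://h5.novacryptmax.com/#/pages/auth/sign-in</string>
      <key>IsRemovable</key><true/>
      <key>Icon</key><data>AAAA</data>
    </dict>
  </array>
</dict>
</plist>
"""


def iter_payloads(node):
    """Yield every payload dict, descending into nested PayloadContent arrays."""
    if isinstance(node, dict):
        if "PayloadType" in node:
            yield node
        for child in node.get("PayloadContent") or []:
            yield from iter_payloads(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_payloads(child)


def audit_mobileconfig(data, trusted_domains=()):
    """Return one finding per WebClip whose target host is not trusted.

    A finding records the label and display name the user sees, the host
    the clip really opens, whether the link is HTTPS, and whether the
    payload carries a custom icon (a lure the article notes)."""
    profile = plistlib.loads(data)
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for payload in iter_payloads(profile):
        if payload.get("PayloadType") != WEBCLIP_TYPE:
            continue
        url = payload.get("URL", "")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in trusted:
            continue
        findings.append({
            "display_name": profile.get("PayloadDisplayName", ""),
            "label": payload.get("Label", ""),
            "host": host,
            "url": url,
            "https": parsed.scheme == "https",
            "has_icon": "Icon" in payload,
        })
    return findings


if __name__ == "__main__":
    for f in audit_mobileconfig(SAMPLE_PROFILE):
        print(f"WebClip '{f['label']}' (profile '{f['display_name']}') opens {f['host']}; "
              f"custom icon: {f['has_icon']}")
```

Run against a profile offered by an “app store” page, the output makes the mismatch plain: a clip labelled like an app that opens a sign-in page on a domain the user never chose.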
The Novacrypt phish’s infrastructure reveals some interesting connections: the phishing site utilizes the domain novacryptmax[.]com (with subdomains such as h5., web., etc.), which was registered through the same registrar (Gname) as the other scam domains and hosted behind Cloudflare. The decoy download page was on novacrypt[.]net (hosted at 8.221.100[.]222), and its “App Store” button simply served the mobileconfig from that domain. There was even an Android variant attempt – the “Google Play” button on the site pointed to googleplay.nova-reviews[.]com (likely intended to drop an APK or guide Android users, though by the time of analysis, that domain wasn’t resolving).
The “ZZZTD” Web Trader - Fake Platform with Malicious Code
The third pillar of this scam nexus is a fake online cryptocurrency trading/investment platform hosted on zzztd[.]com (also on 8.221.100[.]222). At first glance, zzztd[.]com appears to be a cryptocurrency or financial trading web application. However, buried in its code are suspicious scripts that suggest it may be stealing data or loading malware in the background.
On zzztd[.]com’s homepage, researchers found references to two main JavaScript files: chunk-vendors.f0dabee900057778.js and app.46e5246269e54881.js. These appear to be typical for a web app (the former likely containing third party library code, and the latter the app’s own code). The HTML uses <script defer> tags to load these, meaning they execute after the page loads:
Figure: Code snippet from zzztd[.]com loading JavaScript files for the web application. The defer attribute indicates these scripts run only after the HTML is parsed, ensuring the page renders first.
A VirusTotal scan of the app.46e5246269e54881.js file showed 0 antivirus detections, which isn’t uncommon for custom JavaScript (most AV engines don’t flag obfuscated JS files). However, the behavioral analysis on VirusTotal yielded a clue: it revealed that this script (or something it loaded) tried to contact a suspicious domain, anedhaude[.]xyz. That domain is not currently publicly active, but further investigation uncovered an Android Trojan sample (“ioeai.apk”) that also communicated with anedhaude[.]xyz. In other words, the zzztd[.]com web app shares infrastructure or code with known malware, strongly suggesting that if a user interacted with zzztd[.]com (or downloaded anything from it), they could be infected or have their data sent to the attackers’ server.
It’s possible that zzztd[.]com was set up to either phish for login credentials to cryptocurrency accounts (by mimicking a trading dashboard and tricking users into inputting private keys or exchange logins) or to deliver malware (like the mentioned Android APK) to users under the guise of a mobile trading app. The site’s code, including references to an external C2 domain (anedhaude[.]xyz), is a red flag – legitimate cryptocurrency trading platforms wouldn’t embed calls to random .xyz domains. This pattern connects zzztd[.]com back to the same threat actor’s toolkit.
What ties MedAI Genesis, Novacrypt, and ZZZTD together? The investigation found that all these seemingly disparate scams were hosted on a single IP address: 8.221.100[.]222. This IP address (an Alibaba Cloud server in Asia) served as a one stop hosting hub for the scammer, hosting multiple domains for various fraud schemes. At least eight domains sharing this server have been identified, including those involved in the scams above and others:
medaigenesis[.]cc – Fake cryptocurrency/AI investment site (wallet drainer stage)
novacrypt[.]net – Host for the fake app mobileconfig and website
zzztd[.]com – Fake cryptocurrency trading platform with malicious JS
n58[.]bet – Likely another scam site (one reference suggests it was a fake gaming site in Chinese)
ewnai[.]com – A fake AI technology site
app.tiktoks[.]cc – A short lived domain
admin.zzztd[.]com, web.zzztd[.]com – Subdomains related to zzztd[.]com
web.novacrypt[.]net – Subdomain which, interestingly, was misconfigured to display content from EWN AI (ewnai[.]com), accidentally linking the Novacrypt scam to the EWN AI scam by content reuse.
kook1.ewnai[.]com (103.235.174.202) – Subdomain resolving to a different IP, hosting a fake gaming site.
Most of these domains were registered through the same registrar (Gname.com Pte. Ltd.), reinforcing that they are controlled by the same actor or group. Passive DNS records indicate that this infrastructure has been in use since at least April 2025 and remained active until August 2025, suggesting an ongoing campaign.
The threat actor behind this nexus appears to be quite versatile: not only targeting cryptocurrency investors through multiple avenues (sketchy extensions, fake apps, and fake platforms), but also dabbling in other forms of fraud, such as a fake TikTok Shop scam. One of the scam sites was a gaming/gambling site in Chinese, hinting that the operators might be based in or targeting users in East Asia (or trying a variety of lures to see what sticks). The range of themes, from AI startups to cryptocurrency exchanges to e-commerce, shows a wide-reaching fraud operation managed by a single actor.
Below is a network map connecting the key domains and infrastructure:
Figure: Network map of the scam nexus, showing domains hosted on 8.221.100[.]222 (center) and their relationships. The fake Trust Wallet popup and external phishing domains (novacryptmax[.]com, etc.) are also linked to the core cluster.
Despite the variety of themes these platforms use (AI token site, trading platform, mobile app), these scams share common tactics. They all rely on social engineering to get the victim to take a harmful action willingly, such as installing an extension or profile, clicking a connect button, or typing in a password. The technical traps (malicious code injection, webclip profiles, obfuscated scripts) are combined with psychological lures (shiny websites, promises of big profits, or urgent investment opportunities). It’s a potent mix that has likely claimed many victims.
Conclusion
This cluster of scams demonstrates how threat actors combine technical methods with deception to steal cryptocurrency. By controlling multiple domains and even a browser extension, they exploit trust at several levels: browser add-ons, app installation processes, and convincing web design. The single infrastructure behind these schemes also highlights how a determined attacker can leverage one setup to run multiple scams, from cryptocurrency theft to fake e-commerce.
Staying safe requires a mix of technical defenses and skepticism: avoid installing browser extensions or mobile profiles from unverified sources, double-check URLs (a legitimate project won’t ask you to install a profile for an “app”), and be wary of any unexpected wallet transaction requests. As the “Cryptocurrency Drain Conspiracy” shows, even a legitimate-looking prompt could be a trap. Always verify through official channels, and when in doubt, don’t click “Connect” or “Install”; that split-second decision can make the difference between keeping your assets secure or seeing them wiped out.
Indicators of Compromise (IOCs)
For quick reference, here is a summary of known indicators associated with this scam nexus, listed as indicator (type): description. Security teams and vigilant users can use these to detect or block related activity:
8.221.100[.]222 (IP address): Hosting server for the scam websites (MedAI, Novacrypt, ZZZTD, etc.)
medaigenesis[.]cc (Domain): Fraudulent “MedAI Genesis” cryptocurrency site (wallet drainer lure)
novacrypt[.]net (Domain): Website used to distribute the malicious .mobileconfig (fake Novacrypt app)
h5.novacryptmax[.]com (Domain): Phishing site opened by the iOS WebClip to steal login credentials
novacryptmax[.]com (Domain): Related phishing domain (multiple subdomains such as h5. and web., fronted by Cloudflare)
googleplay.nova-reviews[.]com (Domain): Fake Google Play link used on the Novacrypt site (intended to target Android users)
Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat
Executive Summary
Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS), specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since at least 2019, Salt Typhoon has demonstrated advanced capabilities in exploiting network edge devices, establishing deep persistence, and harvesting sensitive communications metadata, VoIP configurations, lawful intercept data, and subscriber profiles from telecom providers and adjacent critical infrastructure sectors.
Salt Typhoon operates with both direct MSS oversight and the support of pseudo-private contractor ecosystems, leveraging front companies and state-linked firms to obscure attribution. Recent legal and intelligence reporting confirms that Salt Typhoon maintains operational ties to i-SOON (Anxun Information Technology Co., Ltd.), a prominent MSS contractor known for enabling offensive cyber operations through leased infrastructure, technical support, and domain registration pipelines.
Salt Typhoon’s targeting profile spans the U.S., U.K., Taiwan, and EU, with confirmed breaches in at least a dozen U.S. telecom firms, multiple state National Guard networks, and allied communications providers. Their campaigns utilize bespoke malware, living-off-the-land binaries (LOLBINs), and stealthy router implants, and are notable for their use of publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.
Background
Salt Typhoon is a state-sponsored advanced persistent threat (APT) group attributed to the People’s Republic of China (PRC) and aligned specifically with the Ministry of State Security (MSS). First observed in 2019, the group has become increasingly active and visible through public indictments, technical advisories, and leaked contractor documents, exposing not only its campaigns but also the hybrid contractor-state model behind its operations.
Salt Typhoon is part of a larger naming taxonomy introduced by Microsoft, which classifies Chinese nation-state actors under the “Typhoon” label. It is believed to overlap with or operate in conjunction with previously known clusters such as GhostEmperor (Kaspersky), FamousSparrow (ESET), Earth Estries (Trend Micro), and UNC2286 (Mandiant). Some infrastructure and malware characteristics have also shown ties to UNC4841, further blurring attribution boundaries within China’s expansive APT ecosystem.
What distinguishes Salt Typhoon from other PRC-linked actors is its direct targeting of global telecommunications infrastructure for long-term signals intelligence (SIGINT) collection. The group has demonstrated sophisticated tradecraft in:
Maintaining long-dwell persistence via firmware/rootkit implants,
Harvesting lawful intercept data, VoIP configurations, and subscriber metadata from telecom providers,
Using plausibly deniable contractor infrastructure to obscure attribution.
This report consolidates known intelligence, indictments, IOCs, and operational profiles for Salt Typhoon to support attribution, detection, and threat modeling.
Salt Typhoon within the Chinese Nation-State Cyber Intelligence Structure
Salt Typhoon represents not merely a loose collection of intrusion campaigns, but a state-directed cyber espionage program embedded within the operational apparatus of the People’s Republic of China (PRC). Its activity is consistent with the model observed across other PRC “Typhoon” actors: centralized tasking from the Ministry of State Security (MSS), supplemented by the use of contractor and front-company ecosystems that provide scalable infrastructure, tooling, and deniability. The group’s consistent focus on U.S. telecommunications providers, defense-adjacent networks, and allied critical infrastructure sectors is aligned with MSS priorities of foreign intelligence collection, counterintelligence support, and preparation of the battle space.
Although the MSS remains the primary beneficiary of Salt Typhoon operations, technical overlaps with missions traditionally associated with the People’s Liberation Army Strategic Support Force (PLA SSF; its cyber mission passed to the PLA Cyberspace Force in the April 2024 reorganization) suggest that elements of the PLA’s mandate, particularly communications exploitation, SIGINT, and critical infrastructure disruption planning, are also served by this program. By embedding implants in routers, VPN gateways, and telecom backbone equipment, Salt Typhoon delivers persistent access not only for espionage but also for long-term contingency operations, ensuring that PRC intelligence and military planners can monitor, disrupt, or degrade communications infrastructure if required during geopolitical crises. In this sense, Salt Typhoon should be understood as a dual-use capability: a cyberespionage engine serving day-to-day intelligence needs while simultaneously providing the technical foundation for potential wartime cyber operations.
MSS and PLA Roles
Ministry of State Security (MSS):
The MSS is the primary civilian intelligence service responsible for foreign intelligence, counterintelligence, and cyber-enabled espionage.
Salt Typhoon shows operational hallmarks of MSS regional bureaus, particularly those in Chengdu, leveraging local contractors and front companies.
Firms like Sichuan Juxinhe and Beijing Huanyu Tianqiong are assessed to be either fronts or semi-integrated subsidiaries, mirroring MSS’s historical practice of using corporate cut-outs.
People’s Liberation Army (PLA):
PLA units (particularly under the Strategic Support Force) have historically targeted communications infrastructure for SIGINT and C4ISR disruption.
While PLA attribution to Salt Typhoon is less direct, the targeting of backbone and edge routers suggests technical overlap with PLA’s mandate to prepare battlefields in cyberspace.
Contractors such as Sichuan Zhixin Ruijie may provide dual-use capabilities for both MSS espionage and PLA operational readiness.
Chinese Corporate Hacking Support Infrastructure
The recent joint cybersecurity advisory (August 2025) shed light on three Chinese companies implicated in supporting the operations of Salt Typhoon: Sichuan Juxinhe Network Technology (四川聚信和), Beijing Huanyu Tianqiong Information Technology (北京寰宇天穹), and Sichuan Zhixin Ruijie Network Technology (四川智信锐捷). Each entity demonstrates a different operational model: front companies serving as covers for MSS-linked divisions, and contractors providing technical products and services with both defensive and offensive applications. This model aligns closely with previously documented ecosystems, such as the exposure of i-SOON (安洵科技), where corporate structures serve dual purposes as commercial entities and enablers of state espionage campaigns.
Salt Typhoon-Linked Firms
Sichuan Juxinhe Network Technology
Likely MSS front company, minimal legitimate business presence.
Unusual element: 15 software copyrights possibly registered on behalf of an MSS division.
Fits classic indicators of a cut-out entity used to mask state cyber operations.
Beijing Huanyu Tianqiong Information Technology
Founded in 2021, coinciding with early Salt Typhoon activity.
Operates a Zero Trust Defense Lab, offering both legitimate security services (penetration testing, IR) and products with potential C2 and covert access functions (e.g., Shadow Network).
Evidence suggests hybrid role: front company characteristics with some self-sustaining innovation, patents, and recruitment efforts.
Proximity to Sichuan Zhixin Ruijie’s Chengdu office suggests co-location strategy for operational synergy.
Sichuan Zhixin Ruijie Network Technology
Established 2018, later certified as a high-tech SME and contractor for government/military clients.
Products such as router control systems and network traffic monitoring platforms possess clear offensive potential.
Functions as a legitimate contractor rather than a pure front, demonstrating how PRC state cyber programs leverage existing commercial capacity for deniable operations.
Parallels and Overlaps with i-SOON
The Salt Typhoon corporate ecosystem echoes the i-SOON leaks (2024), which revealed:
Direct contracting relationships between Chinese intelligence services (MSS, PLA) and nominally private cybersecurity companies.
Use of hybrid companies mixing legitimate commercial activities with covert offensive cyber tasks.
Shared personnel pools, with employees oscillating between state agencies, private firms, and academic research labs.
Like i-SOON, Salt Typhoon’s supporting companies illustrate how the PRC cyber apparatus blurs the lines between state, semi-private, and private entities. Both ecosystems leverage:
Front companies (minimal digital presence, few employees, registered IP) to obscure attribution.
Legitimate contractors (with patents, certifications, government clients) to provide scalable, high-quality tools and services.
Innovation-driven hybrids, balancing R&D, patents, and proprietary software development with covert tasking.
Front Company Infrastructure
Multiple companies have been sanctioned or named as enablers in Salt Typhoon’s tradecraft, including:
Sichuan Juxinhe Network Technology Co., Ltd.: Tied to Yin Kecheng; facilitated domain control, server management, and malware staging.
Shanghai Heiying Information Technology Co., Ltd.: Tied to Zhou Shuai; enabled data laundering and resale of stolen network access.
These entities provided infrastructure, logistics, and plausible deniability, allowing MSS operators to mask espionage as commercial or third-party actions.
Ties to i-SOON: China’s Hacker-for-Hire Engine
i-SOON (Anxun Information Technology Co., Ltd.) is a Chinese cyber contractor linked to both the Ministry of State Security (MSS) and Ministry of Public Security (MPS). The company gained international attention following a 2024 GitHub data leak that exposed internal documents, tools, and tasking relationships with state clients.
i-SOON operates as a pseudo-private offensive cyber firm, bridging the gap between state priorities and a scalable, deniable contractor ecosystem. Their services include:
Threat actor support tooling (e.g., internal C2 kits)
OSINT scraping and target profiling modules
Confirmed Connections to Salt Typhoon
Statement: Zhou Shuai worked in i‑SOON's Strategic Consulting Division.
Supporting links: "Beijing Leveraging Freelance Hackers …" (IC3 PSA, March 2025, Internet Crime Complaint Center); "Justice Department Charges 12 Chinese Contract Hackers …" (Department of Justice press release, March 5, 2025).
Statement: Yin Kecheng operated within the i‑SOON‑aligned ecosystem.
Supporting links: "US charges 12 Chinese nationals …" (Nextgov/FCW, March 5, 2025); "Chinese Nationals With Ties to the PRC Government" (Department of Justice press release); OFAC/Treasury sanctions notice regarding Yin Kecheng (U.S. Department of the Treasury).
Operational Deniability: Salt Typhoon’s use of i-SOON demonstrates how the MSS leverages contractor cutouts to distance itself from direct attribution.
Scalable Infrastructure: The company’s support enabled Salt Typhoon to deploy repeatable, automated domain registration templates, malware logistics, and support tooling.
Repeatable Tradecraft: Patterns seen in Salt Typhoon’s infrastructure (e.g., ProtonMail Whois records, registrant personas, toolkits) align with systems leaked in the i-SOON dump, suggesting shared toolchains or operational guidance.
Strategic Implications
Operational Flexibility: The PRC can allocate missions across fronts and contractors depending on risk tolerance and technical requirements.
Attribution Challenges: By embedding cyber operations within commercial ecosystems, Beijing complicates efforts by defenders to distinguish legitimate activity from state-directed espionage.
Sustainability: Firms like Huanyu Tianqiong and Zhixin Ruijie may represent a next generation of i-SOON-style contractors, where state-directed offensive tasks are embedded within otherwise legitimate market-facing companies.
Geographic Concentration: The clustering of these firms in Chengdu and Beijing reflects established hubs for MSS-linked cyber operations, similar to how i-SOON operated from Hainan.
Strategic Placement
Salt Typhoon should be understood not as a single APT but as a programmatic campaign, reflecting MSS tasking and PLA technical priorities.
It operates at the intersection of espionage and contractor ecosystems, embodying China’s blended cyber force structure:
MSS → espionage, influence, covert penetration
PLA → strategic SIGINT, military preparation, infrastructure disruption
Corporate cut-outs → tools, cover, scalability
This layered integration allows Salt Typhoon to persist globally, masking state direction behind a facade of “legitimate” Chinese technology firms.
Known Campaigns & Motivations
Salt Typhoon has carried out a series of highly targeted cyber espionage campaigns since at least 2019, primarily focused on telecommunications infrastructure, military networks, and intelligence collection across strategic geographies. These operations are consistent with Ministry of State Security (MSS) tasking, reflecting objectives such as signals intelligence acquisition, persistent access to critical infrastructure, and preparation of the battle-space for potential geopolitical escalation.
Below is a breakdown of major campaigns attributed to Salt Typhoon:
Campaign: U.S. telecommunications providers
Timeframe: Early to late 2024
Region: United States
Victims: AT&T, Verizon, T-Mobile, Lumen, Windstream, and other major telecoms
Tactics: Exploitation of router/firewall CVEs, configuration hijacking, long-dwell persistence
Data Exfiltrated:
Subscriber metadata
Call detail records (CDRs)
VoIP infrastructure configs
Lawful intercept logs
Motivation: To collect high-value SIGINT across U.S. telecom layers, including surveillance of communications and infrastructure maps. Likely tasking involved PRC state priorities around counterintelligence and strategic insight into U.S. domestic and foreign communications channels.
Campaign: U.S. state National Guard networks
Timeframe: March–December 2024
Region: United States
Victims: State-level National Guard military networks
Tactics: Exploitation of VPN gateways and edge devices; lateral movement
Data Exfiltrated:
Network diagrams
VPN configs
Credentials
Incident response playbooks
Motivation: Preparation of the battle space and long-term espionage within defense-adjacent infrastructure. Access to National Guard systems may serve to identify mobilization thresholds, crisis response mechanisms, or gaps in cybersecurity posture.
Campaign: United Kingdom government, military, transportation and telecom
Timeframe: 2023–2024
Region: United Kingdom
Victims: Unspecified entities within government, military, transportation, and telecom sectors
Tactics: Edge device compromise, deep persistence, VoIP and metadata collection
Data Exfiltrated:
Communications routing info
Geo-location metadata
Secure messaging infrastructure details
Motivation: Strategic espionage against a key U.S. ally and Five Eyes member. Objectives likely included monitoring of UK national security communications, potential identification of surveillance chokepoints, and tactical SIGINT acquisition.
Campaign: European internet service providers
Timeframe: 2022–2023
Region: Netherlands, Germany, France, and other EU states
Victims: Small-to-mid-tier internet service providers (ISPs)
Tactics: Exploitation of firmware and remote management services
Persistence:
Custom router implants
Backdoored updates
Motivation: Infrastructure-level access in support of broader SIGINT harvesting and as potential staging points for operations elsewhere in Europe. These footholds may enable covert redirection of traffic, credential theft, or passive surveillance of encrypted communications.
Campaign: Contractor-enabled global infrastructure
Timeframe: Ongoing (2019–present)
Region: Global; activity observed across the U.S., Taiwan, the EU, and Southeast Asia
Infrastructure:
Domains registered using fake U.S. identities and ProtonMail accounts
Toolkits developed or leased via i-SOON (Anxun Information Technology Co., Ltd.)
Motivation: These campaigns reflect China’s shift toward a contractor-enabled cyber espionage model, allowing deniability while scaling operations. i-SOON support enables Salt Typhoon to outsource infrastructure management, domain procurement, and OPSEC tooling, aligning with MSS tradecraft evolution toward privatized cyber outsourcing.
Domain Infrastructure & Tradecraft
Salt Typhoon has developed and sustained a large-scale, repeatable domain registration infrastructure that has enabled the public attribution of at least 45 domains to its campaigns between 2020 and 2025. This extensive exposure represents a significant operational security failure for a Chinese state-aligned threat group, especially compared to the more opaque infrastructure practices seen in other MSS-directed operations.
The domains were consistently registered using ProtonMail email addresses and fabricated U.S. personas, often featuring plausible American names and residential addresses in cities like Los Angeles and Miami. Common registrant names included:
Monica Burch (Los Angeles)
Monica Gonzalez Serrano (Burgos)
Shawn Francis (Miami)
Tommie Arnold (Miami)
Geralyn Pickens (linked to overlapping UNC4841 infrastructure)
Larry Smith (Illinois)
This infrastructure supported several phases of Salt Typhoon’s intrusion lifecycle.
Several domains mimicked legitimate technology or telecom services, enhancing perceived authenticity. Notable examples include:
cloudprocenter[.]com
imap.dateupdata[.]com
requiredvalue[.]com
e-forwardviewupdata[.]com
dateupdata[.]com
availabilitydesired[.]us
Domain Registration, Infrastructure & Tradecraft
Salt Typhoon’s domain infrastructure exhibits a contractor-driven, modular tradecraft aligned with long-term scalability and operational deniability. Unlike traditional Chinese APTs that rely on obscure or concealed infrastructure, Salt Typhoon routinely registers English-language domains using fabricated U.S. personas, a notable operational security lapse that reflects the outsourcing of infrastructure to pseudo-private contractors, including entities like i‑SOON, Zhixin Ruijie, and Huanyu Tianqiong.
While prior assessments emphasized domains mimicking telecom portals (e.g., routerfirmwareupdate[.]net, servicecloudconnect[.]com), updated analysis of actor-controlled domains reveals a different pattern:
Many domains employ action-oriented language (getdbecausehub[.]com, solveblemten[.]com, lookpumrron[.]com) that simulates benign SaaS or internal productivity tools.
A smaller subset of nonsensical domain names (xdmgwctese[.]com) points to automated or randomized generation—possibly for backup C2s.
Direct telecom brand mimicry is absent in this dataset, indicating a shift toward subtle obfuscation over spoofing.
Infrastructure telemetry shows:
Consistent use of ProtonMail accounts for Whois registration, often in combination with fictitious U.S. addresses (e.g., Lena, IL or Miami, FL).
Clustering around shared DNS hosts, including value-domain.com, and common TLS issuers such as GoDaddy Secure and Sectigo RSA DV CA.
Timeline analysis reveals batch provisioning of domains and certificates, indicative of centralized tooling and bulk operational logistics.
This tradecraft suggests integration with dual-use contractor toolkits (e.g., Shadow Network/Defense), where C2 channels are disguised as routine update or sync services. It reinforces the hypothesis that Salt Typhoon operates as a state-aligned offensive platform fueled by commercial intermediaries, blurring the line between espionage infrastructure and legitimate cloud services.
This approach underscores the hybrid MSS contractor model: the Ministry of State Security directs tasking while corporate cut-outs register domains, lease infrastructure, and package turnkey C2 kits. The resulting infrastructure is repeatable and industrialized, but not airtight. Its reliance on predictable naming templates, overlapping infrastructure, and false U.S. identities creates attributional fingerprints that defenders can exploit for pivoting.
Top fake registrant names:
Shawn Francis (8 domains)
Monica Burch, Tommie Arnold, Larry Smith (4–5 each)
Others include “Geralyn Pickens” and privacy placeholders like “Domain Admin” or “REDACTED FOR PRIVACY”
Email Domains:
protonmail.com used in 47% of records, indicating consistent OPSEC tooling reuse.
Registrant Addresses:
Most addresses list Miami, FL or Lena, IL, using street names like “Lowland Drive” and “Trails End Road,” suggesting automation, scraped identity data or just creative writing.
Salt Typhoon’s decision to register domains using fabricated U.S.-based identities and ProtonMail accounts, rather than relying on anonymized Whois services or privacy proxies, may reflect a calculated tradecraft decision rather than simple OPSEC failure. This approach allowed the group to craft infrastructure that appeared more legitimate to automated detection systems, phishing targets, and threat intelligence filters, thereby increasing the likelihood of successful intrusion or lateral movement. The use of plausible names (e.g., “Shawn Francis,” “Monica Burch”) and real-sounding U.S. addresses likely helped the domains blend into domestic traffic patterns and evade geo-IP or heuristic-based scrutiny. Moreover, the repeated structure and reuse of ProtonMail accounts suggest a contractor-enabled, semi-automated provisioning model, likely stemming from entities like i‑SOON. This infrastructure pipeline likely prioritized speed, scalability, and low-friction staging environments over long-term stealth. While it ultimately enabled attribution and exposure, it reveals a key insight into the industrialization of Chinese cyber operations: where the demand for deniability is often subordinated to operational efficiency and technical convenience.
DNS & Name Server Infrastructure
Analysis of DNS records reveals significant clustering around shared name server infrastructure, indicating that Salt Typhoon domains are not provisioned independently but rather through centralized pipelines. Many of the identified domains resolve to the same or closely related sets of authoritative name servers, often hosted within low-density VPS environments controlled by a limited number of providers. This pattern reduces operational overhead for the attackers, allowing bulk management of dozens of domains from a single administrative point, but it also introduces a major attributional weakness. By pivoting on recurring NS records, defenders can uncover entire clusters of infrastructure tied to Salt Typhoon, even when individual domains use different registrars, registrant details, or privacy-protection services. The concentration of these resources strongly suggests the involvement of contractor-managed hosting accounts or automation scripts, reinforcing the view that Salt Typhoon relies on semi-privatized service providers to industrialize domain management at scale.
Name Server Hosts (Top):
irdns.mars.orderbox-dns.com (8 domains)
ns4.1domainregistry.com and value-domain.com (5–6 each)
MonoVM-branded servers like earth.monovm.com, mars.monovm.com also appear
Name Server IP Clusters:
162.251.82.125, 162.251.82.252, and 162.251.82.253 support up to 7 domains each
TLS Certificate Infrastructure
Salt Typhoon prefers commercial domain-validated (DV) certificates issued by authorities such as GoDaddy and Sectigo, deliberately avoiding free certificate providers like Let’s Encrypt. This choice reflects an intent to make their infrastructure appear more legitimate to both automated security systems and human analysts, since certificates from well-known commercial issuers are less likely to trigger suspicion than those from free, disposable services. The use of DV certificates also allows operators to rapidly provision TLS coverage across large batches of domains with minimal validation requirements, streamlining the deployment of C2 and staging servers. While this practice raises the cost and complexity slightly compared to using free providers, it demonstrates Salt Typhoon’s emphasis on credibility and persistence over short-term economy, fitting with their long-dwell operations against telecom and defense-adjacent networks. For defenders, the clustering of GoDaddy- and Sectigo-issued certificates across multiple Salt Typhoon domains provides an additional pivot point, exposing infrastructure reuse and linking seemingly unrelated assets back to the same operational ecosystem.
Certificate Observations:
*.myorderbox.com appeared across 4 domains, indicating use of wildcard certs from shared hosting panels
Durations:
Certificates typically last 366 days, aligning with default DV settings
Timeline:
Issuance ranges from late 2024 to present, directly aligning with publicly known Salt Typhoon campaign windows
Tradecraft Insights & Behavioral Patterns
Insights into Salt Typhoon’s tradecraft and behavioral patterns highlight a disciplined but contractor-driven approach that balances operational sophistication with repeatable, industrialized methods. The group consistently targets telecom and defense-adjacent infrastructure, using edge devices as durable entry points to achieve long-term persistence and intelligence collection. Their domain and infrastructure choices reveal reliance on bulk registration pipelines, shared DNS backends, and commercial DV certificates, suggesting a semi-outsourced model where private firms handle provisioning at scale. On the operational side, Salt Typhoon implants exhibit regular beaconing intervals, encrypted communications disguised as service updates, and selective exfiltration of metadata such as call records, VoIP configs, and lawful intercept logs. Despite attempts at obfuscation, their preference for predictable domain theming, clustering around specific registrars, and infrastructure overlaps across campaigns creates investigative seams that defenders can exploit, underscoring the tension between scalability and stealth in their tradecraft.
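The "regular beaconing intervals" noted above are something a defender can test for directly in proxy or flow telemetry rather than waiting for an IOC. The Python below is an added example, not code from any Salt Typhoon report or implant analysis: it groups connections by client and destination, measures the spread of inter-arrival gaps, and flags low-jitter periodic flows. The log lines are constructed by build_sample_log(), and the thresholds (MIN_EVENTS, MAX_JITTER_RATIO, the period bounds) are assumptions to be tuned against your own baseline.

```python
"""Flag periodic outbound connections ("beaconing") in proxy logs.

Added example, not from any Salt Typhoon advisory or implant analysis.
Thresholds are assumptions. The log lines are constructed by
build_sample_log(): one workstation contacting a fictitious "update"
host every ~5 minutes with small jitter, mixed with bursty browsing.
"""
from __future__ import annotations

import random
import statistics
from collections import defaultdict

MIN_EVENTS = 8             # fewer samples cannot establish a period (assumption)
MAX_JITTER_RATIO = 0.15    # MAD of inter-arrival gaps / median gap (assumption)
MIN_PERIOD_S, MAX_PERIOD_S = 30.0, 24 * 3600.0


def build_sample_log(seed: int = 7) -> list[str]:
    """Constructed lines of the form '<epoch> <src_ip> <dst_host> <bytes>'."""
    rng = random.Random(seed)
    lines = []
    t = 1_700_000_000.0
    # Implant-style traffic: every 300 s, +/- 5 s jitter, near-constant size.
    for _ in range(12):
        t += 300 + rng.uniform(-5, 5)
        lines.append(f"{t:.3f} 10.1.2.3 sync.update-service.example {rng.randint(400, 420)}")
    # Ordinary browsing: bursts with irregular gaps and widely varying sizes.
    t = 1_700_000_000.0
    for _ in range(30):
        t += rng.choice([0.2, 0.5, 1.0, 45.0, 600.0, 3000.0])
        lines.append(f"{t:.3f} 10.1.2.3 cdn.example.net {rng.randint(200, 90000)}")
    return lines


def parse(lines: list[str]) -> dict[tuple[str, str], list[tuple[float, int]]]:
    """Group (timestamp, bytes) events by (client, destination)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((float(ts), int(nbytes)))
    return flows


def periodicity(timestamps: list[float]) -> tuple[float, float]:
    """Median inter-arrival gap and its relative jitter (MAD / median)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(gaps)
    mad = statistics.median([abs(g - med) for g in gaps])
    return med, (mad / med if med > 0 else float("inf"))


def find_beacons(lines: list[str]) -> list[dict]:
    """Return one record per (client, destination) flow that looks periodic."""
    hits = []
    for (src, dst), events in parse(lines).items():
        if len(events) < MIN_EVENTS:
            continue
        med, jitter = periodicity([t for t, _ in events])
        if MIN_PERIOD_S <= med <= MAX_PERIOD_S and jitter <= MAX_JITTER_RATIO:
            sizes = [n for _, n in events]
            hits.append({"src": src, "dst": dst, "period_s": round(med, 1),
                         "jitter": round(jitter, 3), "events": len(events),
                         "size_spread": max(sizes) - min(sizes)})
    return hits


if __name__ == "__main__":
    for h in find_beacons(build_sample_log()):
        print(h)
```

Legitimate software updaters, NTP, and telemetry agents beacon too, so treat a hit as a lead rather than a verdict: allowlist known agents and corroborate with the destination's registration age and the infrastructure pivots discussed in this report. size_spread is reported because implant check-ins disguised as update checks tend to be near-constant in size, while real update traffic is not.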
Strategic Implications
Salt Typhoon’s infrastructure carries clear strategic implications for both attribution and defense. Its scalability, enabled by outsourced provisioning through pseudo-private contractors, shows that future campaigns can be rapidly spun up with minimal overhead. At the same time, the template-driven nature of its setup, relying on recurring domain themes, registrar preferences, and automation pipelines, introduces predictable patterns that defenders can baseline and monitor. Most importantly, persistent OPSEC lapses such as the reuse of identical fake personas, recycled name server and certificate infrastructure, and reliance on a small pool of providers (notably PDR, MonoVM, and GMO) create durable fingerprints. This combination of scale and sloppiness means Salt Typhoon campaigns can be tracked over time using passive DNS clustering, SSL certificate pivots, registrar telemetry, and persona overlap, offering defenders viable opportunities to anticipate and disrupt the group’s infrastructure before it matures into active operations.
The net result is attributable infrastructure, owing to OPSEC oversights and the reuse of name servers, certificate common names and IP addresses.
These characteristics make it possible to track future campaigns using:
Passive DNS clusters
Reused fake personas or address strings
SSL cert patterns
Registrar telemetry from known providers (PDR, MonoVM, GMO)
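The pivots listed here, and the name-server clustering described under "DNS & Name Server Infrastructure", can be automated as a simple graph-clustering pass over domain records. The Python below is an added example, not code from the advisory, from any vendor report, or from the tooling described above. RECORDS are constructed: the domains are fictitious and the combinations of persona, name server, IP and certificate fields are arbitrary, even where individual values (the persona names, the OrderBox and MonoVM hosts, the 162.251.82.x addresses) are ones this report names. The per-field weights and the link threshold are assumptions; the point they encode is that a shared fake persona or name-server IP is actor-specific, while a shared e-mail provider or public CA is not and must never link two domains on its own.

```python
"""Cluster candidate C2 domains by shared infrastructure pivots.

Added example; not code from any advisory, vendor report, or the
tooling described above. Pivot types follow the section above
(registrant persona, Whois e-mail provider, name-server host and IP,
TLS issuer, certificate CN). RECORDS are constructed for this example:
the domains are fictitious and the field combinations are arbitrary.
Weights and the link threshold are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from itertools import combinations

# Registrant strings that identify nobody and must never link two domains.
PLACEHOLDER_NAMES = {"REDACTED FOR PRIVACY", "DOMAIN ADMIN", ""}

# Weight of a shared value per field. A fake persona or a name-server IP is
# rare enough to be actor-specific; an e-mail provider or a public CA is
# shared with millions of benign domains, so on its own it links nothing.
PIVOT_WEIGHTS = {
    "registrant": 3.0,
    "ns_ip": 2.0,
    "cert_cn": 1.0,       # shared wildcard CN from a hosting panel
    "ns_host": 1.0,
    "email_domain": 0.5,
    "cert_issuer": 0.5,
}
LINK_THRESHOLD = 2.0

RECORDS = [  # constructed data, see module docstring
    {"domain": "getsync-a.example", "registrant": "Shawn Francis",
     "email_domain": "protonmail.com", "ns_host": "irdns.mars.orderbox-dns.com",
     "ns_ip": "162.251.82.125", "cert_issuer": "Sectigo RSA DV CA",
     "cert_cn": "getsync-a.example"},
    {"domain": "hubvalue-b.example", "registrant": "Shawn Francis",
     "email_domain": "protonmail.com", "ns_host": "ns4.1domainregistry.com",
     "ns_ip": "162.251.82.252", "cert_issuer": "Go Daddy Secure CA G2",
     "cert_cn": "hubvalue-b.example"},
    {"domain": "lookdata-c.example", "registrant": "REDACTED FOR PRIVACY",
     "email_domain": "protonmail.com", "ns_host": "irdns.mars.orderbox-dns.com",
     "ns_ip": "162.251.82.125", "cert_issuer": "Sectigo RSA DV CA",
     "cert_cn": "*.myorderbox.com"},
    {"domain": "xqzvw-d.example", "registrant": "Tommie Arnold",
     "email_domain": "protonmail.com", "ns_host": "earth.monovm.com",
     "ns_ip": "162.251.82.125", "cert_issuer": "Sectigo RSA DV CA",
     "cert_cn": "*.myorderbox.com"},
    {"domain": "unrelated-f.example", "registrant": "REDACTED FOR PRIVACY",
     "email_domain": "protonmail.com", "ns_host": "ns1.other-hoster.example",
     "ns_ip": "203.0.113.7", "cert_issuer": "Sectigo RSA DV CA",
     "cert_cn": "unrelated-f.example"},
]


def shared_pivots(a: dict, b: dict) -> list[tuple[str, str, float]]:
    """Fields on which two records share a usable value, with the field weight."""
    shared = []
    for field, weight in PIVOT_WEIGHTS.items():
        va, vb = a.get(field), b.get(field)
        if not va or va != vb:
            continue
        if field == "registrant" and va.upper() in PLACEHOLDER_NAMES:
            continue
        # A certificate CN equal to a domain's own name is not a shared pivot.
        if field == "cert_cn" and va in (a["domain"], b["domain"]):
            continue
        shared.append((field, va, weight))
    return shared


def cluster(records: list[dict]) -> list[dict]:
    """Union-find over domain pairs whose summed pivot weight reaches the threshold.

    Returns clusters sorted by their first domain; each carries the pairwise
    evidence (which fields and values linked which pair) for analyst review.
    """
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    links: dict[tuple[str, str], list[tuple[str, str]]] = {}
    for a, b in combinations(records, 2):
        shared = shared_pivots(a, b)
        if sum(w for _, _, w in shared) >= LINK_THRESHOLD:
            parent[find(a["domain"])] = find(b["domain"])
            links[(a["domain"], b["domain"])] = [(f, v) for f, v, _ in shared]

    groups: dict[str, list[str]] = defaultdict(list)
    for r in records:
        groups[find(r["domain"])].append(r["domain"])

    out = []
    for members in groups.values():
        members.sort()
        out.append({"domains": members,
                    "links": {p: ev for p, ev in links.items() if p[0] in members}})
    return sorted(out, key=lambda g: g["domains"][0])


if __name__ == "__main__":
    for g in cluster(RECORDS):
        print("cluster:", ", ".join(g["domains"]))
        for (x, y), ev in g["links"].items():
            print(f"  {x} <-> {y}: " + "; ".join(f"{f}={v}" for f, v in ev))
```

In the constructed data, unrelated-f.example shares only a ProtonMail address and a Sectigo issuer with the others, so it stays in its own cluster; lookdata-c.example has a privacy-redacted registrant but still joins via the shared name-server host and IP. Feeding real Whois, passive DNS and certificate-transparency records into RECORDS is the only change needed to run this against live data.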
Targeting Profiles
Named Individuals & Indictments
Public attribution of Salt Typhoon’s operations has revealed the involvement of named Chinese nationals tied to cyberespionage infrastructure, contractor networks, and front companies aligned with the Ministry of State Security (MSS). These individuals have been subject to U.S. indictments, sanctions, and international arrest warrants, providing rare legal and intelligence visibility into the human operators behind Salt Typhoon’s campaigns.
Yin Kecheng
Status: Indicted (DOJ), Sanctioned (OFAC), FBI wanted; $2 million reward issued for information leading to arrest.
Role: Key infrastructure operator and hacker for Salt Typhoon; believed to have led or coordinated exfiltration and long-term C2 operations.
Affiliations: Tied to Sichuan Juxinhe Network Technology Co., Ltd., a front company sanctioned by the U.S. for enabling espionage against U.S. telecom providers.
Links to i-SOON: Embedded in broader contractor ecosystem supporting MSS-directed cyber ops (Source: DOJ, NextGov, FBI).
Infrastructure Role: Managed domain registration, DNS operations, malware C2 routing
Target Geography: United States (primary), U.K., Netherlands, Taiwan
Motivation Profile: Yin’s role suggests a SIGINT-centric mission, focused on covert, technical persistence inside telecommunications networks to enable real-time surveillance and metadata harvesting on behalf of the MSS.
Zhou Shuai (alias Coldface)
Status: Indicted (DOJ); former employer Shanghai Heiying Information Technology Co., Ltd. sanctioned.
Role: Broker and strategic operator involved in Salt Typhoon’s data resale and operational planning.
Affiliations:
Former employee of Shanghai Heiying Information Technology Co., Ltd., a data brokerage firm sanctioned for selling compromised infrastructure access.
Worked within the Strategic Consulting Division of i-SOON, an MSS-linked contractor with deep involvement in cyberespionage tooling and infrastructure provisioning.
Activities: Played a role in coordinating front-company logistics, C2 setup, and interfacing with MSS tasking structures; specific activities include credential harvesting, resale of access, and contractor task coordination (Source: DOJ, FBI, IC3).
Infrastructure Role: Brokered stolen data, set up domain/PaaS infrastructure, interfaced with tool developers
Target Geography: U.S. state networks, Taiwan government, Southeast Asian targets
Operational Synergy Between Yin & Zhou
C2 Infrastructure: Zhou coordinated domain registrations via i-SOON; Yin operated C2 protocols and malware handlers.
Campaign Phases: Zhou managed pre-access enablement and persona creation; Yin executed and maintained post-access persistence.
Toolchain Overlap: Shared use of ProtonMail identities, scripted Whois templates, and internal tools leaked in the i-SOON GitHub breach.
Contractor Ecosystem: Both leveraged pseudo-commercial resources for scalable operations with MSS deniability.
Implications for Attribution & Defense
The identification of Yin Kecheng and Zhou Shuai as central figures within Salt Typhoon's operational structure illustrates the group’s hybridized threat architecture, wherein distinct roles are distributed between technical operators and strategic brokers. This configuration is emblematic of a broader trend in Chinese cyber espionage: the convergence of state objectives with contractor-enabled execution.
Yin Kecheng, operating within the i‑SOON-aligned ecosystem and affiliated with Sichuan Juxinhe Network Technology Co., Ltd., is positioned as a core technical enabler, responsible for domain infrastructure, implant deployment, and network exploitation. His work supports the persistent collection of high-value SIGINT from U.S. and allied telecommunications systems.
In contrast, Zhou Shuai (alias Coldface), as an indicted operator and data broker behind Shanghai Heiying Information Technology, represents the strategic/logistical tier of the adversary model. His activities center on the resale, exfiltration coordination, and monetization of stolen data, often functioning as a bridge between operational teams and institutional customers (e.g., MSS units or secondary clients).
Together, these roles reinforce three defining characteristics of Salt Typhoon:
A Layered Adversary Model: Salt Typhoon is structured to separate tasking, execution, and monetization across organizational layers, mirroring corporate operational design. Strategists like Zhou interface with planners and consumers of intelligence, while technicians like Yin handle access and persistence operations.
Geopolitically Aligned SIGINT Targeting: The campaigns attributed to Salt Typhoon are consistent with Chinese state intelligence priorities: telecommunications metadata, National Guard network maps, lawful intercept systems, and VoIP infrastructure—each of which supports surveillance, counterintelligence, and wartime preparation objectives.
Deniable Outsourcing through i‑SOON and Pseudo-Private Fronts: The use of companies such as i‑SOON, Juxinhe, and Heiying exemplifies the PRC’s plausible deniability strategy, delegating technical tradecraft to commercial entities while maintaining indirect command-and-control via the Ministry of State Security. This contractor-enabled cyber espionage model provides scalability, compartmentalization, and diplomatic insulation.
In total, the Yin/Zhou configuration is a case study in modern Chinese cyber operational design: contractor-driven, state-aligned, and strategically layered, with each actor occupying a clearly defined but mutually reinforcing position within the broader offensive ecosystem.
Final Assessment
Salt Typhoon stands as a premier exemplar of Ministry of State Security (MSS)-directed cyber espionage, executed through a contractor-enabled operational model that blends state tasking with private-sector tradecraft. This group embodies the evolving doctrine of the Chinese cyber apparatus: plausibly deniable intrusion capability at scale, leveraging a network of technology firms, freelance operators, and corporate front entities.
Salt Typhoon’s operational architecture is significantly shaped by its integration with firms like i‑SOON (Anxun Information Technology Co., Ltd.), as well as affiliated contractors such as Sichuan Juxinhe and Shanghai Heiying. These organizations provide both the logistical substrate (domain registrations, infrastructure management, and toolkits) and the personnel support needed to execute MSS priorities without direct attribution. This contractor hybridization illustrates the maturation of China’s cyber outsourcing economy, where state objectives are achieved via technically sophisticated but commercially masked operations.
From a detection and tracking perspective, Salt Typhoon represents one of the most publicly exposed and traceable “Typhoon” groups to date. Their repeated use of:
ProtonMail email accounts,
fabricated U.S.-based personas, and
consistent domain naming and hosting practices
has enabled defenders to build infrastructure-based detections, correlate activity across campaigns, and map the actor’s footprint across global telco and government targets.
Despite these OPSEC lapses, Salt Typhoon has demonstrated high capability in: long-dwell access; lawful intercept system compromise; and configuration hijacking across telecom, defense, and critical infrastructure layers.
The group’s campaigns, tools, and contractor dependencies reflect a broader shift within Chinese offensive cyber strategy, away from monolithic APT groups and toward fragmented, contractor-leveraged, industrial-scale operations. This model poses significant challenges for attribution, legal countermeasures, and international response.
In sum, Salt Typhoon is not merely another state-backed APT. It is a prototype of China’s next-generation cyber espionage model, where covert access is privatized, capabilities are modular, and deniability is built into every layer of the intrusion lifecycle.
Last Known Residence: Shanghai, China (Federal Bureau of Investigation)
Legal Status & Sanctions
OFAC Designation: Yin Kecheng is sanctioned by the U.S. Treasury (OFAC) for his involvement in the Salt Typhoon cyber espionage campaign, including a network breach at the U.S. Department of the Treasury. (U.S. Department of the Treasury)
Indictments: Charged via DOJ press releases — the March 5, 2025, Justice Department action links him to unauthorized access, data exfiltration, wire fraud, identity theft, and conspiracy with i‑SOON‑aligned actors. (Department of Justice)
Reward: U.S. authorities (State Department / Transnational Organized Crime Rewards program) have offered up to $2,000,000 for information leading to his arrest or conviction. (Federal Bureau of Investigation)
Role and Alleged Actions
MSS‑aligned actor: He is affiliated with (or working for) China’s Ministry of State Security (MSS) as a cyber actor. (U.S. Department of the Treasury)
Infrastructure operator: Alleged to have operated or given direction over intrusions into U.S. telecom and internet service provider networks, via Sichuan Juxinhe Network Technology Co. Ltd., among others. (U.S. Department of the Treasury)
Malware usage: In DOJ / FBI statements, accused of using tools such as PlugX to maintain persistence, conduct reconnaissance, and exfiltrate data from multiple victim networks. (Federal Bureau of Investigation)
Personal Details:
While Yin Kecheng has no widely publicized hacker handle like “White” or “0ktapus” actors, the following alias is mentioned in DOJ materials:
YKCAI — Possibly short for “Yin Kecheng China AI” or a custom alias derived from initials.
Additional OSINT from leaks (like the i‑SOON GitHub archive) may associate email aliases, QQ numbers, or internal employee codes (e.g., ykc_ops@163[.]com, yk@isoon[.]cn) — but these have not been publicly confirmed.
Involvement in the Chinese Hacking Ecosystem
Yin Kecheng is reportedly part of:
The contractor-enabled MSS ecosystem, specifically through Sichuan Juxinhe Network Technology Co., Ltd.
This company appears to be a shell for MSS cyber ops, functioning like i‑SOON in providing leased infrastructure, phishing support, domain pipelines, etc.
Reports also indicate:
Overlap with APT27 (Emissary Panda) and UNC4841 infrastructure.
He is implicated in breaches of critical infrastructure, particularly telecom and data center targets in the U.S., Taiwan, and the EU.
Part of a broader strategy to outsource technical operators under cover of “private” Chinese companies (like Huanyu Tianqiong and Zhixin Ruijie).
Position Within the Diaspora
Not a forum-branded figure (e.g. not known to frequent Ghost Market, HackForum equivalents)
Instead, fits the quasi-civilian, contractor-for-the-state model, part of China’s hacker-for-hire wave from 2018 onward
Possibly involved in internal MSS training pipelines (speculation based on role and patterns seen in other MSS-aligned operators)
May be a technical leader rather than an OPSEC/espionage strategist
Zhou Shuai ("Coldface")
Chinese Name & Translation
Romanization: Zhou Shuai
Simplified Chinese: 周帅 (Zhōu Shuài)
周 (Zhōu) — a common Chinese surname
帅 (Shuài) — means “handsome”, “commander”, or “to lead”
Identity & Biographical Data
Known / alleged data:
Date of Birth (used in filings): July 9, 1979
Place of Birth / Nationality: China / Chinese citizenship
Physical Characteristics: Black hair, brown eyes (from FBI wanted poster)
Last Known Location: Shanghai, China
Known Roles, Activities & Connections
Data Broker & Infrastructure Operator: According to U.S. Treasury/OFAC, Zhou Shuai runs or is majority‑owner of Shanghai Heiying Information Technology Company, Limited, and is involved in brokering stolen data and network access. (U.S. Department of the Treasury)
Contractor Ecosystem: He is tied to China’s “hacker‑for‑hire” ecosystem—specifically the private sector firms used by the MSS and MPS to carry out intrusions and data theft. He’s alleged to have operated both under tasking and on his own initiative. (Department of Justice)
Target Types & Data: Victims include technology firms, cleared defense contractors, think tanks, government entities, foreign ministries, etc. Stolen data includes personally identifying info, telecommunications/border‑crossing data, personnel info of religious/media sectors, etc. (U.S. Department of the Treasury)
Legal Charges & Sanctions: Charged by DOJ in March 2025 alongside Yin Kecheng for wire fraud, unauthorized access, identity theft, conspiracy, etc. Also sanctioned by OFAC. (U.S. Department of the Treasury)
Zhou is named in the DOJ indictment tied to APT27 operations and alongside Yin Kecheng in large‑scale global intrusion campaigns. (Department of Justice)
He is listed in sanction documents as part of the i‑SOON contracting / hacker‑for‑hire supply chain. (Department of Justice)
Activity Span: Public reports indicate activity from ~2018 through 2025. Data shows that some of his operations include brokering exfiltrated data, managing or enabling infrastructure, participating in profit‑oriented intrusions. (U.S. Department of the Treasury)
Front Companies & Institutional Support
Sichuan Juxinhe Network Technology Co., Ltd.
Front company tied to Yin Kecheng; involved in Salt Typhoon’s infrastructure ops like domain registration and staging. (U.S. Department of the Treasury, Reuters)
Shanghai Heiying Information Technology Co., Ltd.
Owned and operated by Zhou Shuai; used to broker stolen data and support contractor-enabled tradecraft. (U.S. Department of the Treasury)
i-SOON (Anxun Information Technology Co., Ltd.)
Recruiter and operational facilitator blending covert state tasking (MSS/MPS) with outsourced hacker-for-hire ecosystems.
Area 2‑b, Building A, No. 2, Sports New Village, North Side of Minjiang West Road, Deyang, Sichuan, 618000, China (sanctions.lursoft.lv)
No well‑advertised public-facing “corporate product site” located via open sources. Mostly known via sanctions listings.
Sanctioned by OFAC on January 17, 2025 for direct involvement in Salt Typhoon campaigns targeting U.S. telecommunications infrastructure. (U.S. Department of the Treasury)
Shanghai Heiying Information Technology Company, Ltd. (上海黑英信息技术有限公司)
Room J2518, No. 912, Yecheng Road, Jiading Industrial District, Shanghai, 201800, China (Sanctions List Search)
Also best known via OFAC SDN list; I did not find a public “official website” clearly naming their offerings tied to the activities.
OFAC sanctions (March 5, 2025) describe the company under Zhou Shuai, charging that it was involved in brokering stolen data from critical infrastructure and linked to Salt Typhoon’s activity. (U.S. Department of the Treasury)
Beijing Huanyu Tianqiong Information Technology
Corporate records show it is based in Beijing, with state backing. Specific street address less clearly published in OFAC but mentioned in Kharon/Royal Government records. (kharon.com)
Public product/service site not clearly identified; this appears to be more of a cyber‑contractor/technology firm rather than consumer‑facing.
Named in a joint international advisory report as one of three Chinese companies linked to Salt Typhoon.
Based in Sichuan Province, Chengdu, founded ~2018. Recognized as a “small/medium enterprise” and on provincial “high‑tech enterprise” lists. Precise address (street level) was cited in local / provincial company register documents per Kharon. (kharon.com)
No public “product site” in major Western sources; possibly has local Chinese domain or presence, but open‑source verification limited.
Named in the same advisory (Kharon) as providing cyber‑related services to MSS / PLA bodies and being tied in leadership/shared ownership with Beijing Huanyu Tianqiong.
Newly Identified Domains Likely Linked to Continued Activity from PoisonSeed E-Crime Actor
DomainTools Investigations identified a set of malicious domains registered since 01 June 2025 likely linked to the ecrime actor publicly known as PoisonSeed. These domains primarily spoof the email platform SendGrid and are likely attempting to compromise enterprise credentials of SendGrid customers. They display fake Cloudflare CAPTCHA interstitials to add legitimacy to malicious domains before redirecting targeted users to phishing pages. We did not identify specific targets, but public information indicates PoisonSeed’s historical target scope comprises cryptocurrency platforms and enterprise environments.
PoisonSeed tactics, techniques, and procedures (TTPs) bear similarities to those historically linked to SCATTERED SPIDER. There has been significant media reporting about the SCATTERED SPIDER adversary in recent weeks due to high-profile compromises against retailers, grocery chains, insurance providers, and airlines across the U.S., the U.K. and Canada. Some of these compromises led to significant business disruption. We have no evidence to connect the recently identified domains to operations against companies within these sectors; however, the potential links between these actors are notable given the impact of recent compromises.
New PoisonSeed Infrastructure
Industry reporting originally identified the PoisonSeed actor in April 2025. That report described PoisonSeed’s use of SendGrid phishing domains to facilitate cryptocurrency theft. In May 2025, the Mimecast Threat Research team published a blog describing similar activity in which an actor leveraged phishing campaigns impersonating service providers such as SendGrid to deliver fraudulent notifications to the providers’ users. The ultimate objective of these campaigns was to harvest enterprise credentials and use them to facilitate further phishing campaigns and lateral movement within targeted enterprise environments.
Mimecast reported that a key element of the phishing campaigns was the use of fake Cloudflare CAPTCHA interstitials. Specifically, these interstitial pages included fake Cloudflare Ray ID data. Additionally, domain registration and hosting patterns included:
Domains registered via the NiceNIC International Group Co. registrar
Domain names primarily containing references to SendGrid, as well as more generic digital services such as single sign-on (SSO) and login portals
Hosting on IP addresses assigned to the provider Global-Data System IT Corporation (AS42624)
We identified 21 domains registered since 01 June 2025 that match the elements identified in the Mimecast blog post. The majority of these domains reference SendGrid, and those that do not were co-hosted on IP addresses alongside SendGrid-spoofing domains and referenced other, more generic digital services. Information from URLScan.io showed that several of these domains displayed fake Cloudflare CAPTCHA interstitials and contained fake Cloudflare Ray ID data consistent with public reporting.
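As an added hunting example (not DomainTools’ or Mimecast’s code), the following Python scores new-domain records against the fingerprint elements listed above: NiceNIC registration, SendGrid or generic login/SSO naming, hosting on AS42624, and a Cloudflare-style interstitial served from a non-Cloudflare network. The weights, the threshold, and all sample records except the quoted mysandgrid[.]com name are constructed assumptions.

```python
"""Triage heuristics for the PoisonSeed SendGrid-spoofing infrastructure.

Added example, not DomainTools' or Mimecast's code. The fingerprint elements
come from the reporting; scoring weights, threshold and sample records are
constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

CLOUDFLARE_ASN = 13335          # Cloudflare's edge: a genuine challenge page is served from here
POISONSEED_HOSTING_ASN = 42624  # Global-Data System IT Corporation, per the reporting
GENERIC_SERVICE_TOKENS = {"sso", "login", "signin", "auth", "portal", "account"}
MATCH_THRESHOLD = 4             # assumption: tune against your own false-positive rate


@dataclass
class DomainRecord:
    domain: str                    # registrable domain, defanged "[.]" accepted
    registrar: str                 # from WHOIS/RDAP
    hosting_asn: int               # ASN of the A record at time of observation
    cloudflare_interstitial: bool  # page shows a Cloudflare-style CAPTCHA / Ray ID block


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalikes such as 'sandgrid' for 'sendgrid'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_tokens(domain: str) -> list[str]:
    """'my-sandgrid[.]com' -> ['my', 'sandgrid', 'com']."""
    clean = domain.lower().replace("[.]", ".")
    return [t for t in re.split(r"[.\-_]", clean) if t]


def references_sendgrid(domain: str) -> bool:
    """True for 'sendgrid' itself or a near-miss spelling embedded in any label."""
    target = "sendgrid"
    for tok in name_tokens(domain)[:-1]:          # skip the TLD
        if target in tok:
            return True
        for width in (7, 8, 9):                    # windows absorb one insertion/deletion
            for start in range(0, max(1, len(tok) - width + 1)):
                if levenshtein(tok[start:start + width], target) <= 2:
                    return True
    return False


def score_record(rec: DomainRecord) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason maps to one fingerprint element."""
    score, reasons = 0, []
    if "nicenic" in rec.registrar.lower():
        score += 1
        reasons.append("registrar: NiceNIC")
    if references_sendgrid(rec.domain):
        score += 2
        reasons.append("name spoofs SendGrid")
    elif GENERIC_SERVICE_TOKENS & set(name_tokens(rec.domain)[:-1]):
        score += 1
        reasons.append("name references a generic login/SSO service")
    if rec.hosting_asn == POISONSEED_HOSTING_ASN:
        score += 1
        reasons.append("hosted on AS42624")
    # A real Cloudflare challenge is delivered by Cloudflare's edge; one served
    # from another ASN is a decoy, whatever its Ray ID says.
    if rec.cloudflare_interstitial and rec.hosting_asn != CLOUDFLARE_ASN:
        score += 2
        reasons.append("Cloudflare-style challenge served from a non-Cloudflare ASN")
    return score, reasons


def is_likely_poisonseed(rec: DomainRecord) -> bool:
    return score_record(rec)[0] >= MATCH_THRESHOLD


def triage(records: list[DomainRecord]) -> dict[str, tuple[int, list[str]]]:
    return {r.domain: score_record(r) for r in records}


# Constructed records; only the first domain name is taken from the reporting.
SAMPLE_RECORDS = [
    DomainRecord("mysandgrid[.]com", "NiceNIC International Group Co., Limited", 42624, True),
    DomainRecord("sso-login-portal[.]example", "NiceNIC International Group Co., Limited", 42624, True),
    DomainRecord("corp-newsletter[.]example", "Example Registrar LLC", 16509, False),
    DomainRecord("login-help[.]example", "NiceNIC International Group Co., Limited", 16509, False),
]

if __name__ == "__main__":
    for domain, (score, reasons) in triage(SAMPLE_RECORDS).items():
        verdict = "LIKELY POISONSEED" if score >= MATCH_THRESHOLD else "no match"
        print(f"{domain:30} {score} {verdict}: {'; '.join(reasons)}")
```
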
Example of fake Cloudflare Ray ID from Mimecast Blog
Fake Cloudflare Ray ID from newly-registered domain mysandgrid[.]com
Table 1. PoisonSeed Domains Registered Since 1 June 2025
We have uploaded a list of several hundred domains identified with the same fingerprint to our GitHub for further research, analysis, and hunting.
Relationship to SCATTERED SPIDER
Mimecast’s blog attributed the malicious activity to SCATTERED SPIDER, an ecrime adversary engaged in financially motivated activity since 2022. Our research indicates that the activity is likely attributable to the PoisonSeed actor based on use of the fake Cloudflare CAPTCHA interstitials and domain naming and registration similarities. However, it is plausible that PoisonSeed has historical or current connections to SCATTERED SPIDER.
The SCATTERED SPIDER adversary is linked to a diverse group of threat actors referred to as “The Com.” The adversary’s early operations typically combined smishing, SIM-swapping, and MFA push-notification fatigue to gain access to enterprise environments. However, the nature of a group like The Com has likely allowed SCATTERED SPIDER membership to change over time with new members bringing new skill sets such as advanced social engineering techniques aimed at companies’ IT helpdesks as well as ransomware affiliations. Additionally, former SCATTERED SPIDER operators may have left the group and continued to use some of the TTPs historically used by the adversary in new criminal operations.
It is plausible that similarities between PoisonSeed’s operations and those of SCATTERED SPIDER could be the result of PoisonSeed actors having a level of affiliation with the adversary itself or, more generally, with The Com collective. Additional research into PoisonSeed activity is necessary to more definitively establish this connection.
Assessment
The infrastructure identified in this blog highlights ongoing efforts by ecrime actors such as PoisonSeed to use tactics, techniques, and procedures (TTPs) historically similar to SCATTERED SPIDER. These actors are likely continuing to leverage these TTPs to compromise enterprise credentials to facilitate a range of malicious activity including phishing campaigns, cryptocurrency theft, data theft, and extortion.
Editor's note: Research for this article was conducted in July 2025, and conclusions are based on the information available at that time.
Inside the Kimsuky Leak: How the “Kim” Dump Exposed North Korea’s Credential Theft Playbook
A rare and revealing breach attributed to a North Korean-affiliated actor, known only as “Kim” as named by the hackers who dumped the data, has delivered a new insight into Kimsuky (APT43) tactics, techniques, and infrastructure. This actor's operational profile showcases credential-focused intrusions targeting South Korean and Taiwanese networks, with a blending of Chinese-language tooling, infrastructure, and possible logistical support. The “Kim” dump, which includes bash histories, phishing domains, OCR workflows, compiled stagers, and rootkit evidence, reflects a hybrid operation situated between DPRK attribution and Chinese resource utilization.
Contents:
Part I: Technical Analysis
Part II: Goals Analysis
Part III: Threat Intelligence Report
Executive Summary
Screen shot of the adversary’s desktop VM
This report is broken down into three parts:
Technical Analysis of the dump materials
Motivation and Goals of the APT actor (group)
A CTI report compartment for analysts
While this leak only gives a partial idea of what the Kimsuky/PRC activities have been, the material provides insight into the expansion of activities, the nature of the actor(s), and the goals behind their penetration of South Korean governmental systems, which would benefit not only the DPRK but also the PRC.
Phrack article
Without a doubt, there will be more coming out from this dump in the future, particularly if the burned assets have not been taken offline and access is still available, or if others have cloned those assets for further analysis. We may revisit this in the future if additional novel information comes to light.
Part I: Technical Analysis
The Leak at a Glance
The leaked dataset attributed to the “Kim” operator offers a uniquely operational perspective into North Korean-aligned cyber operations. Among the contents were terminal history files revealing active malware development efforts using NASM (Netwide Assembler), a choice consistent with low-level shellcode engineering typically reserved for custom loaders and injection tools. These logs were not static forensic artifacts but active command-line histories showing iterative compilation and cleanup processes, suggesting a hands-on attacker directly involved in tool assembly.
File list of dump
In parallel, the operator ran OCR (Optical Character Recognition) commands against sensitive Korean PDF documents related to public key infrastructure (PKI) standards and VPN deployments. These actions likely aimed to extract structured language or configurations for use in spoofing, credential forgery, or internal tool emulation.
Privileged Access Management (PAM) logs also surfaced in the dump, detailing a timeline of password changes and administrative account use. Many were tagged with the Korean string 변경완료 (“change complete”), and the logs included repeated references to elevated accounts such as oracle, svradmin, and app_adm01, indicating sustained access to critical systems.
The phishing infrastructure was extensive. Domain telemetry pointed to a network of malicious sites designed to mimic legitimate Korean government portals. Sites like nid-security[.]com were crafted to fool users into handing over credentials via advanced AiTM (Adversary-in-the-Middle) techniques.
Finally, network artifacts within the dump showed targeted reconnaissance of Taiwanese government and academic institutions. Specific IP addresses and .tw domain access, along with attempts to crawl .git repositories, reveal a deliberate focus on high-value administrative and developer targets.
Perhaps most concerning was the inclusion of a Linux rootkit using syscall hooking (khook) and stealth persistence via directories like /usr/lib64/tracker-fs. This highlights a capability for deep system compromise and covert command-and-control operations, far beyond phishing and data theft.
Artifacts recovered from the dump include:
Terminal history files demonstrating malware compilation using NASM
OCR commands parsing Korean PDF documents related to PKI and VPN infrastructure
PAM logs reflecting password changes and credential lifecycle events
Phishing infrastructure mimicking Korean government sites
IP addresses indicating reconnaissance of Taiwanese government and research institutions
Linux rootkit code using syscall hooking and covert channel deployment
Credential Theft Focus
The dump strongly emphasizes credential harvesting as a central operational goal. Key files such as 136백운규001_env.key were discovered alongside plaintext passwords, clear evidence of active compromise of South Korea’s GPKI (Government Public Key Infrastructure). The presence of 136백운규001_env.key is a smoking-gun indicator of stolen South Korean government PKI material: its structure (numeric ID + Korean name + .key) aligns uniquely with SK GPKI issuance practices and shows that identity-tied state cryptographic keys were compromised. Possession of such certificates would allow for highly effective identity spoofing across government systems.
PAM logs further confirmed this focus, showing a pattern of administrative account rotation and password resets, all timestamped and labeled with success indicators (변경완료: Change Complete). The accounts affected were not low-privilege; instead, usernames like oracle, svradmin, and app_adm01, often used by IT staff and infrastructure services, suggested access to core backend environments.
These findings point to a strategy centered on capturing and maintaining access to privileged credentials and digital certificates, effectively allowing the attacker to act as an insider within trusted systems.
Leaked .key files (e.g., 136백운규001_env.key) with plaintext passwords confirm access to GPKI systems
PAM logs show administrative password rotations tagged with 변경완료 (change complete)
Admin-level accounts such as oracle, svradmin, and app_adm01 repeatedly appear in compromised logs
Phishing Infrastructure
The operator’s phishing infrastructure was both expansive and regionally tailored. Domains such as nid-security[.]com and webcloud-notice[.]com mimicked Korean identity and document delivery services, likely designed to intercept user logins or deploy malicious payloads. More sophisticated spoofing was seen in sites that emulated official government agencies like dcc.mil[.]kr, spo.go[.]kr, and mofa.go[.]kr.
Whois of domains created by dysoni91@tutamail[.]com
Historical Whois of webcloud-notice[.]com
Burner email usage added another layer of operational tradecraft. The address jeder97271[@]wuzak[.]com is likely linked to phishing kits that operated through TLS proxies, capturing credentials in real time as victims interacted with spoofed login forms.
These tactics align with previously known Kimsuky behaviors but also demonstrate an evolution in technical implementation, particularly the use of AiTM interception rather than relying solely on credential-harvesting documents.
Domain connections map
Domains include: nid-security[.]com, html-load[.]com, webcloud-notice[.]com, koala-app[.]com, and wuzak[.]com
Phishing kits leveraged TLS proxies for AiTM credential capture
Malware Development Activity
Kim’s malware development environment showcased a highly manual, tailored approach. Shellcode was compiled using NASM, specifically with flags like -f win32, revealing a focus on targeting Windows environments. Commands such as make and rm were used to automate and sanitize builds, while hashed API call resolution (VirtualAlloc, HttpSendRequestA, etc.) was implemented to evade antivirus heuristics.
The dump also revealed reliance on GitHub repositories known for offensive tooling. TitanLdr, minbeacon, Blacklotus, and CobaltStrike-Auto-Keystore were all cloned or referenced in command logs. This hybrid use of public frameworks for private malware assembly is consistent with modern APT workflows.
A notable technical indicator was the use of the proxyres library to extract Windows proxy settings, particularly via functions like proxy_config_win_get_auto_config_url. This suggests an interest in hijacking or bypassing network-level security controls within enterprise environments.
Manual shellcode compilation via nasm -f win32 source/asm/x86/start.asm
Use of make, rm, and hash obfuscation of Win32 API calls (e.g., VirtualAlloc, HttpSendRequestA)
GitHub tools in use: TitanLdr, minbeacon, Blacklotus, CobaltStrike-Auto-Keystore
Proxy configuration probing through proxyres library (proxy_config_win_get_auto_config_url)
Rootkit Toolkit and Implant Structure
The Kim dump offers deep insight into a stealthy and modular Linux rootkit attributed to the operator’s post-compromise persistence tactics. The core implant, identified as vmmisc.ko (alternatively VMmisc.ko in some shells), was designed for kernel-mode deployment across multiple x86_64 Linux distributions and utilizes classic syscall hooking and covert channeling to maintain long-term undetected access.
Google Translation of Koh doc: Rootkit Endpoint Reuse Authentication Tool
“This tool uses kernel-level rootkit hiding technology, providing a high degree of stealth and penetration connection capability. It can hide while running on common Linux systems, and at the kernel layer supports connection forwarding, allowing reuse of external ports to connect to controlled hosts. Its communication behavior is hidden within normal traffic.
The tool uses binary merging technology: at compile time, the application layer program is encrypted and fused into a .ko driver file. When installed, only the .ko file exists. When the .ko driver starts, it will automatically decompress and release the hidden application-layer program.
Tools like chkrootkit, rkhunter, and management utilities (such as ps, netstat, etc.) are bypassed through technical evasion and hiding, making them unable to detect hidden networks, ports, processes, or file information.
To ensure software stability, all functions have also passed stress testing.
Supported systems: Linux Kernel 2.6.x / 3.x / 4.x, both x32 and x64 systems”.
Implant Features and Behavior
This rootkit exhibits several advanced features:
Syscall Hooking: Hooks critical kernel functions (e.g., getdents, read, write) to hide files, directories, and processes by name or PID.
SOCKS5 Proxy: Integrated remote networking capability using dynamic port forwarding and chained routing.
PTY Backdoor Shell: Spawns pseudoterminals that operate as interactive reverse shells with password protection.
Encrypted Sessions: Session commands must match a pre-set passphrase (e.g., testtest) to activate rootkit control mode.
Once installed (typically using insmod vmmisc.ko), the rootkit listens silently and allows manipulation via an associated client binary found in the dump. The client supports an extensive set of interactive commands, including:
+p # list hidden processes
+f # list hidden files
callrk # load client ↔ kernel handshake
exitrk # gracefully unload implant
shell # spawn reverse shell
socks5 # initiate proxy channel
upload / download # file transfer interface
These capabilities align closely with known DPRK malware behaviors, particularly from the Kimsuky and Lazarus groups, who have historically leveraged rootkits for lateral movement, stealth, persistence, and exfiltration staging.
Observed Deployment
Terminal history (.bash_history) shows the implant was staged and tested from the following paths:
.cache/vmware/drag_and_drop/VMmisc.ko
/usr/lib64/tracker-fs/vmmisc.ko
Execution logs show the use of commands such as:
insmod /usr/lib64/tracker-fs/vmmisc.ko
./client 192.168.0[.]39 testtest
These paths were not random—they mimic legitimate system service locations to avoid detection by file integrity monitoring (FIM) tools.
Deployment map
This structure highlights the modular, command-activated nature of the implant and its ability to serve multiple post-exploitation roles while maintaining stealth through kernel-layer masking.
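As an added defender-side example (not code from the dump or from the report’s authors), the following Python flags insmod loads from outside the kernel’s module tree, such as the hidden-directory and /usr/lib64/tracker-fs staging paths above, and cross-checks a /proc/modules snapshot against modules.dep for modules the distribution never installed. The shell history, /proc/modules and modules.dep excerpts are constructed from the quoted indicators; the module-tree prefixes are the author’s assumption.

```python
"""Checks for the kernel-module staging pattern seen in the "Kim" dump:
a .ko loaded with insmod from a directory imitating a system service path.

Added example, not code from the dump or the report. Sample history and
snapshots below are constructed from the indicators quoted in the text.
"""
import shlex
from pathlib import PurePosixPath

# Assumption: distributions keep kernel modules under one of these trees.
MODULE_TREE_PREFIXES = ("/lib/modules/", "/usr/lib/modules/")
MODULE_SUFFIXES = (".ko", ".ko.gz", ".ko.xz", ".ko.zst")

# Constructed shell history, modelled on the commands quoted in the report.
SAMPLE_HISTORY = """\
cd ~/.cache/vmware/drag_and_drop
ls -la
sudo insmod .cache/vmware/drag_and_drop/VMmisc.ko
sudo insmod /usr/lib64/tracker-fs/vmmisc.ko
./client 192.168.0.39 testtest
sudo modprobe nf_conntrack
sudo insmod /lib/modules/5.15.0-91-generic/kernel/fs/xfs/xfs.ko
"""

# Constructed /proc/modules snapshot: name size refcount deps state address.
SAMPLE_PROC_MODULES = """\
vmmisc 16384 0 - Live 0x0000000000000000
xfs 1622016 1 - Live 0x0000000000000000
nf_conntrack 172032 2 nf_nat,xt_conntrack, Live 0x0000000000000000
"""

# Constructed excerpt of /lib/modules/<release>/modules.dep.
SAMPLE_MODULES_DEP = """\
kernel/fs/xfs/xfs.ko: kernel/lib/libcrc32c.ko
kernel/net/netfilter/nf_conntrack.ko: kernel/net/netfilter/nf_defrag_ipv6.ko
kernel/net/netfilter/nf_nat.ko: kernel/net/netfilter/nf_conntrack.ko
kernel/net/netfilter/xt_conntrack.ko: kernel/net/netfilter/nf_conntrack.ko
"""


def module_name(path: str) -> str:
    """'kernel/fs/xfs/xfs.ko.xz' -> 'xfs' (module names use '_' where files use '-')."""
    name = PurePosixPath(path).name
    for suffix in sorted(MODULE_SUFFIXES, key=len, reverse=True):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
            break
    return name.replace("-", "_")


def is_outside_module_tree(path: str) -> bool:
    """True when the module file sits anywhere but the kernel's own tree
    (relative paths and hidden directories included)."""
    return not any(str(PurePosixPath(path)).startswith(p) for p in MODULE_TREE_PREFIXES)


def module_loads_from_history(history: str) -> list[tuple[str, str]]:
    """(command line, module path) for every insmod with an explicit .ko path.
    modprobe resolves names inside the module tree, so only insmod can pull a
    file from an arbitrary location; sudo/doas prefixes are stripped first."""
    loads = []
    for line in history.splitlines():
        try:
            argv = shlex.split(line)
        except ValueError:      # unbalanced quotes in a history line
            continue
        while argv and argv[0] in ("sudo", "doas"):
            argv = argv[1:]
        if len(argv) >= 2 and argv[0] == "insmod" and argv[1].endswith(MODULE_SUFFIXES):
            loads.append((line, argv[1]))
    return loads


def suspicious_module_loads(history: str) -> list[str]:
    return [path for _, path in module_loads_from_history(history)
            if is_outside_module_tree(path)]


def loaded_modules(proc_modules: str) -> set[str]:
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def known_modules(modules_dep: str) -> set[str]:
    """Every module depmod indexed, including DKMS builds, so those are not flagged."""
    return {module_name(line.split(":", 1)[0]) for line in modules_dep.splitlines() if ":" in line}


def unexplained_loaded_modules(proc_modules: str, modules_dep: str) -> set[str]:
    """Loaded modules with no modules.dep entry: candidates for out-of-tree implants.
    A rootkit that hides its own entry will not show up here, so pair this with
    the history check and file-integrity monitoring of the staging paths."""
    return loaded_modules(proc_modules) - known_modules(modules_dep)


if __name__ == "__main__":
    print("insmod from outside the module tree:", suspicious_module_loads(SAMPLE_HISTORY))
    print("loaded but not indexed by depmod:",
          unexplained_loaded_modules(SAMPLE_PROC_MODULES, SAMPLE_MODULES_DEP))
```
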
Strategic Implications
The presence of such an advanced toolkit in the “Kim” dump strongly suggests the actor had persistent access to Linux server environments, likely via credential compromise. The use of kernel-mode implants also indicates long-term intent and trust-based privilege escalation. The implant's pathing, language patterns, and tactics (e.g., use of /tracker-fs/, use of test passwords) match TTPs previously observed in operations attributed to Kimsuky, enhancing confidence in North Korean origin.
OCR-Based Recon
A defining component of Kim’s tradecraft was the use of OCR to analyze Korean-language security documentation. The attacker issued commands such as ocrmypdf -l kor+eng "file.pdf" to parse documents like (별지2)행정전자서명_기술요건_141125.pdf (“Appendix 2: Administrative Electronic Signature_Technical Requirements_141125.pdf”) and SecuwaySSL U_카달로그.pdf (“SecuwaySSL U_Catalog.pdf”). These files contain technical language around digital signatures, SSL implementations, and identity verification standards used in South Korea’s PKI infrastructure.
This OCR-based collection approach indicates more than passive intelligence gathering: it reflects a deliberate effort to model and potentially clone government-grade authentication systems. The use of bilingual OCR (Korean + English) further confirms the operator’s intention to extract usable configuration data across documentation types.
OCR run on Korean PDFs
OCR commands used to extract Korean PKI policy language from PDFs such as (별지2)행정전자서명_기술요건_141125.pdf and SecuwaySSL U_카달로그.pdf
The forensic evidence contained within the logs, specifically SSH authentication records and PAM outputs, provides clear technical confirmation of the operator’s tactics and target focus.
Several IP addresses stood out as sources of brute-force login attempts. These include 23.95.213[.]210 (an address at a VPS provider seen in past credential-stuffing campaigns), 218.92.0[.]210 (allocated to a Chinese ISP), and 122.114.233[.]77 (Henan Mobile, China). These IPs were recorded during multiple failed login events, strongly suggesting automated password attacks against exposed SSH services. Their geographic distribution and known history in malicious infrastructure usage point to an external staging environment, possibly used for pivoting into Korean and Taiwanese systems.
Beyond brute force, the logs also contain evidence of authentication infrastructure reconnaissance. Multiple PAM and OCSP (Online Certificate Status Protocol) errors referenced South Korea’s national PKI authority, including domains like gva.gpki.go[.]kr and ivs.gpki.go[.]kr. These errors appear during scripted or automated access attempts, indicating a potential strategy of credential replay or certificate misuse against GPKI endpoints, an approach that aligns with Kim’s broader PKI-targeting operations.
Perhaps the most revealing detail was the presence of successful superuser logins labeled with the Korean term 최고 관리자 (“Super Administrator”). This suggests the actor was not just harvesting credentials but successfully leveraging them for privileged access, possibly through cracked accounts, reused credentials, or insider-sourced passwords. The presence of such accounts in conjunction with password rotation entries marked as 변경완료 (“change complete”) further implies active control over PAM-protected systems during the operational window captured in the dump.
Together, these logs demonstrate a methodical campaign combining external brute-force access, PKI service probing, and administrative credential takeover, a sequence tailored for persistent infiltration and lateral movement within sensitive government and enterprise networks.
Superuser login events under 최고 관리자 (Super Administrator)
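The sequence described above (repeated failures from one source, an accepted password login from that same source, then a password change on the account that just logged in) is what a reviewer of these logs should be able to pull out mechanically. The following added example was written for this page; it is not taken from the dump or from any vendor tool. It runs that check over constructed OpenSSH/PAM syslog lines that reuse the source IPs and account names the report names; the timestamps, hostname, ports and process IDs are made up. It assumes the default OpenSSH message formats and that the sshd “Failed password” line and the pam_unix “authentication failure” line for one attempt share a process ID, which is how OpenSSH emits them.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH/PAM syslog format. These lines are NOT from the
# "Kim" dump; only the source IPs and account names are the ones the report names.
SAMPLE_AUTH_LOG = """\
Jan 14 03:12:07 gw sshd[2211]: Failed password for invalid user admin from 23.95.213.210 port 51234 ssh2
Jan 14 03:12:09 gw sshd[2212]: Failed password for root from 218.92.0.210 port 40022 ssh2
Jan 14 03:12:11 gw sshd[2213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.114.233.77 user=oracle
Jan 14 03:12:13 gw sshd[2213]: Failed password for oracle from 122.114.233.77 port 60001 ssh2
Jan 14 03:12:15 gw sshd[2215]: Failed password for svradmin from 218.92.0.210 port 40023 ssh2
Jan 14 03:12:17 gw sshd[2216]: Failed password for svradmin from 218.92.0.210 port 40024 ssh2
Jan 14 03:12:19 gw sshd[2217]: Failed password for svradmin from 218.92.0.210 port 40025 ssh2
Jan 14 03:12:21 gw sshd[2218]: Failed password for svradmin from 218.92.0.210 port 40026 ssh2
Jan 14 03:15:40 gw sshd[2301]: Accepted password for svradmin from 218.92.0.210 port 40100 ssh2
Jan 14 03:16:02 gw passwd[2310]: pam_unix(passwd:chauthtok): password changed for svradmin
Jan 14 09:00:01 gw sshd[4001]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2
"""

# Privileged accounts the report lists as targeted or rotated by the operator.
PRIVILEGED = {"root", "oracle", "unwadm", "svradmin", "app_adm01"}

FAILED = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
PAM_FAIL = re.compile(
    r"sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>[\d.]+) user=(?P<user>\S+)")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
CHAUTHTOK = re.compile(r"pam_unix\(passwd:chauthtok\): password changed for (?P<user>\S+)")


def triage_auth_log(text, threshold=5):
    """Walk the log in order and emit findings for the three patterns the report
    describes: brute force by source, a success from a source that was failing,
    and a password rotation on an account that had just been taken over."""
    failures = defaultdict(int)      # ip -> distinct failed attempts
    failed_users = defaultdict(set)  # ip -> usernames tried from that ip
    seen = set()                     # (pid, ip): sshd + pam_unix lines of one attempt count once
    taken_over = set()
    findings = []
    for line in text.splitlines():
        m = FAILED.search(line) or PAM_FAIL.search(line)
        if m:
            failed_users[m["ip"]].add(m["user"])
            key = (m["pid"], m["ip"])
            if key in seen:
                continue
            seen.add(key)
            failures[m["ip"]] += 1
            if failures[m["ip"]] == threshold:
                findings.append({"kind": "brute_force", "ip": m["ip"],
                                 "users": sorted(failed_users[m["ip"]])})
            continue
        m = ACCEPTED.search(line)
        if m:
            ip, user = m["ip"], m["user"]
            if failures.get(ip, 0):
                # Any success from a source that was guessing is a takeover until proven otherwise.
                findings.append({"kind": "success_after_failures", "ip": ip, "user": user})
                taken_over.add(user)
            elif user in PRIVILEGED and m["method"] == "password":
                findings.append({"kind": "privileged_password_login", "ip": ip, "user": user})
            continue
        m = CHAUTHTOK.search(line)
        if m and m["user"] in taken_over:
            # The "change complete" pattern: the intruder rotates the password to lock in access.
            findings.append({"kind": "rotation_after_takeover", "ip": None, "user": m["user"]})
    return findings


if __name__ == "__main__":
    for finding in triage_auth_log(SAMPLE_AUTH_LOG):
        print(finding)
```

The threshold is deliberately low because a patient operator spreads attempts across hours; correlating the accepted login with any prior failure from the same source, rather than with a count, is what surfaces the takeover in the sample.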
Part II: Goals Analysis
Targeting South Korea: Identity, Infrastructure, and Credential Theft
The “Kim” operator’s campaign against South Korea was deliberate and strategic, aiming to infiltrate the nation’s digital trust infrastructure at multiple levels. A central focus was the Government Public Key Infrastructure (GPKI), where the attacker exfiltrated certificate files, including .key and .crt formats, some with plaintext passwords, and attempted repeated authentication against domains like gva.gpki.go[.]kr and ivs.gpki.go[.]kr. OCR tools were used to parse Korean technical documents detailing PKI and VPN architectures, demonstrating a sophisticated effort to understand and potentially subvert national identity frameworks. These efforts were not limited to reconnaissance; administrative password changes were logged, and phishing kits targeted military and diplomatic webmail, including clones of mofa.go[.]kr and credential harvesting through adversary-in-the-middle (AiTM) proxy setups.
Attempts at user account authentication
Servlet requests for KR domains
Beyond authentication systems, Kim targeted privileged accounts (oracle, unwadm, svradmin) and rotated credentials to maintain persistent administrative access, as evidenced by PAM and SSH logs showing elevated user activity under the title 최고 관리자 (“Super Administrator”). The actor also showed interest in bypassing VPN controls, parsing SecuwaySSL configurations for exploitation potential, and deployed custom Linux rootkits using syscall hooking to establish covert persistence on compromised machines. Taken together, the dump reveals a threat actor deeply invested in credential dominance, policy reconnaissance, and system-level infiltration, placing South Korea’s public sector identity systems, administrative infrastructure, and secure communications at the core of its long-term espionage objectives.
Taiwan Reconnaissance
Among the most notable aspects of the “Kim” leak is the operator’s deliberate focus on Taiwanese infrastructure. The attacker accessed a number of domains with clear affiliations to the island’s public and private sectors, including tw.systexcloud[.]com (linked to enterprise cloud solutions), mlogin.mdfapps[.]com (a mobile authentication or enterprise login portal), and the .git/ directory of caa.org[.]tw, which belongs to the Chinese Institute of Aeronautics, a government-adjacent research entity.
This last domain is especially telling. Accessing .git/ paths directly implies an attempt to enumerate internal source code repositories, a tactic often used to discover hardcoded secrets, API keys, deployment scripts, or developer credentials inadvertently exposed via misconfigured web servers. This behavior points to more technical depth than simple phishing; it indicates supply chain reconnaissance and long-term infiltration planning.
Taiwanese target map
The associated IP addresses further reinforce this conclusion. All three, 163.29.3[.]119, 118.163.30[.]45, and 59.125.159[.]81, are registered to academic, government, or research backbone providers in Taiwan. These are not random scans; they reflect targeted probing of strategic digital assets.
Summary of Whois & Ownership Insights
118.163.30[.]45: Part of an address range associated with the domain dtc-tpe.com[.]tw, on HiNet (Chunghwa Telecom’s ISP) space.
163.29.3[.]119: Falls within the 163.29.3[.]0/24 subnet identified with Taiwanese government or institutional use, notably in Taipei; this corresponds to Class B space assigned to public/government entities.
59.125.159[.]81: Belongs to the broader 59.125.159[.]0–59.125.159[.]254 block, commonly used by Taiwanese ISP operators such as Chunghwa Telecom in Taipei.
Taken together, this Taiwan-focused activity reveals an expanded operational mandate. Whether the attacker is purely DPRK-aligned or operating within a DPRK–PRC fusion cell, the intent is clear: compromise administrative and developer infrastructure in Taiwan, likely in preparation for broader credential theft, espionage, or disruption campaigns.
IPs linked to Taiwanese academic/government assets: 163.29.3[.]119, 118.163.30[.]45, 59.125.159[.]81
Git crawling suggests interest in developer secrets or exposed tokens
Hybrid Attribution Model
The “Kim” operator embodies the growing complexity of modern nation-state attribution, where cyber activities often blur traditional boundaries and merge capabilities across geopolitical spheres. This case reveals strong indicators of both North Korean origin and Chinese operational entanglement, presenting a textbook example of a hybrid APT model.
On one hand, the technical and linguistic evidence strongly supports a DPRK-native operator. Terminal environments, OCR parsing routines, and system artifacts consistently leverage Korean language and character sets. The operator’s activities reflect a deep understanding of Korean PKI systems, with targeted extraction of GPKI .key files and automation to parse sensitive Korean government PDF documentation. These are hallmarks of Kimsuky/APT43 operations, known for credential-focused espionage against South Korean institutions and diplomatic targets. The intent to infiltrate identity infrastructure is consistent with North Korea’s historical targeting priorities. Notably, the system time zone on Kim's host machine was set to UTC+9, the offset Pyongyang has used since 2018; because Seoul and Tokyo share that offset it is corroborating rather than decisive, but it is consistent with the actor maintaining direct ties to the DPRK’s internal environment, even if operating remotely.
However, this actor’s digital footprint extends well into Chinese infrastructure. Browser and download logs reveal frequent interaction with platforms like gitee[.]com, baidu[.]com, and zhihu[.]com, highly popular within the PRC but unusual for DPRK operators who typically minimize exposure to foreign services. Moreover, session logs include simplified Chinese content and PRC browsing behaviors, suggesting that the actor may be physically operating within China or through Chinese-language systems. This aligns with longstanding intelligence on North Korean cyber operators stationed in Chinese border cities such as Shenyang and Dandong, where DPRK nationals often conduct cyber operations with tacit approval or logistical consent from Chinese authorities. These locations provide higher-speed internet, relaxed oversight, and convenient geopolitical proximity.
Browser History viewing Taiwanese and Chinese sites
The targeting of Taiwanese infrastructure further complicates attribution. Kimsuky has not historically prioritized Taiwan, yet in this case, the actor demonstrated direct reconnaissance of Taiwanese government and developer networks. While this overlaps with Chinese APT priorities, recent evidence from the “Kim” dump, including analysis of phishing kits and credential theft workflows, suggests this activity was likely performed by a DPRK actor exploring broader regional interests, possibly in alignment with Chinese strategic goals. Researchers have noted that Kimsuky operators have recently asked questions in phishing lures related to potential Chinese-Taiwanese conflicts, implying interest beyond the Korean peninsula.
Some tooling overlaps with PRC-linked APTs, particularly GitHub-based stagers and proxy-resolving modules, but these are not uncommon in the open-source malware ecosystem and may reflect opportunistic reuse rather than deliberate mimicry.
IMINT Analysis: Visual Tradecraft and Cultural Camouflage
A review of image artifacts linked to the "Kim" actor reveals a deliberate and calculated use of Chinese social and technological visual content as part of their operational persona. These images, extracted from browser history and uploads attributed to the actor, demonstrate both strategic alignment with DPRK priorities and active cultural camouflage within the PRC digital ecosystem.
Uploads of images by Kim found in browser history
Images downloaded from aixfan[.]com
The visual set includes promotional graphics for Honor smartphones, SoC chipset evolution charts, Weibo posts featuring vehicle registration certificates, meme-based sarcasm, and lifestyle imagery typical of Chinese internet users. Notably, the content is exclusively rendered in simplified Chinese, reinforcing prior assessments that the operator either resides within mainland China or maintains a working digital identity embedded in Chinese platforms. Devices and services referenced, such as Xiaomi phones, Zhihu, Weibo, and Baidu, suggest intimate familiarity with PRC user environments.
Operationally, this behavior achieves two goals. First, it lets the actor blend in with native PRC user activity, which complicates attribution and helps evade platform moderation and behavioral anomaly detection. Second, the content itself can serve as bait or credibility scaffolding, i.e., material that lends a persona the appearance of trustworthiness and so eases compromise, in phishing and social engineering campaigns, especially those targeting developers or technical users on Chinese-language platforms.
Some images, such as the detailed chipset timelines and VPN or device certification posts, suggest a continued interest in supply chain reconnaissance and endpoint profiling—both tradecraft hallmarks of Kimsuky and similar APT units. Simultaneously, meme humor, sarcastic overlays, and visual metaphors (e.g., the “Kaiju’s tail is showing” idiom) indicate the actor’s fluency in PRC netizen culture and possible mockery of operational security breaches—whether their own or others’.
Taken together, this IMINT corpus supports the broader attribution model: a DPRK-origin operator embedded, physically or virtually, within the PRC, leveraging local infrastructure and social platforms to facilitate long-term campaigns against South Korea, Taiwan, and other regional targets while maintaining cultural and technical deniability.
Attribution Scenarios:
Option A: DPRK Operator Embedded in PRC
Use of Korean language, OCR targeting of Korean documents, and focus on GPKI systems strongly suggest North Korean origin.
Use of PRC infrastructure (e.g., Baidu, Gitee) and simplified Chinese content implies the operator is physically located in China or benefits from access to Chinese internet infrastructure.
Option B: PRC Operator Emulating DPRK
Taiwan-focused reconnaissance aligns with PRC cyber priorities.
Use of open-source tooling and phishing methods shared with PRC APTs could indicate tactical emulation.
The preponderance of evidence supports the hypothesis that “Kim” is a North Korean cyber operator embedded in China or collaborating with PRC infrastructure providers. This operational model allows the DPRK to amplify its reach, mask attribution, and adopt regional targeting strategies beyond South Korea, particularly toward Taiwan. As this hybrid model matures, it reflects the strategic adaptation of DPRK-aligned threat actors who exploit the permissive digital environment of Chinese networks to evade detection and expand their operational playbook.
Targeting Profiles
The “Kim” leak provides one of the clearest windows to date into the role-specific targeting preferences of the operator, revealing a deliberate focus on system administrators, credential issuers, and backend developers, particularly in South Korea and Taiwan.
In South Korea, the operator’s interest centers around PKI administrators and infrastructure engineers. The recovered OCR commands were used to extract technical details from PDF documents outlining Korea’s digital signature protocols, such as identity verification, certificate validation, and encrypted communications, components that form the backbone of Korea’s secure authentication systems. The goal appears to be not only credential theft but full understanding and potential replication of government-trusted PKI procedures. This level of targeting suggests a strategic intent to penetrate deeply trusted systems, potentially for use in later spoofing or identity masquerading operations.
PKI attack targets
In Taiwan, the operator shifted focus to developer infrastructure and cloud access portals. Specific domains accessed, like caa.org[.]tw/.git/, indicate attempts to enumerate internal repositories, most likely to discover hardcoded secrets, authentication tokens, or deployment keys. This is a classic supply chain targeting method, aiming to access downstream systems via compromised developer credentials or misconfigured services.
Additional activity pointed to interaction with cloud service login panels such as tw.systexcloud[.]com and mlogin.mdfapps[.]com. These suggest an attempt to breach centralized authentication systems or identity providers, granting the actor broader access into enterprise or government networks with a single credential set.
Taken together, these targeting profiles reflect a clear emphasis on identity providers, backend engineers, and those with access to system-level secrets. This reinforces the broader theme of the dump: persistent, credential-first intrusion strategies, augmented by reconnaissance of authentication standards, key management policies, and endpoint development infrastructure.
South Korean:
PKI admins, infrastructure engineers
OCR focus on Korean identity standards
Taiwanese:
Developer endpoints and internal .git/ repos
Access to cloud panels and login gateways
Final Assessment
The “Kim” leak represents one of the most comprehensive and technically intimate disclosures ever associated with Kimsuky (APT43) or its adjacent operators. It not only reaffirms known tactics, credential theft, phishing, and PKI compromise, but exposes the inner workings of the operator’s environment, tradecraft, and operational intent in ways rarely observed outside of active forensic investigations.
At the core of the leak is a technically competent actor, well-versed in low-level shellcode development, Linux-based persistence mechanisms, and certificate infrastructure abuse. Their use of NASM, API hashing, and rootkit deployment points to custom malware authorship. Furthermore, the presence of parsed government-issued Korean PDFs, combined with OCR automation, shows not just opportunistic data collection but a concerted effort to model, mimic, or break state-level identity systems, particularly South Korea's GPKI.
The operator’s cultural and linguistic fluency in Korean, and their targeting of administrative and privileged systems across South Korean institutions, support a high-confidence attribution to a DPRK-native threat actor. However, the extensive use of Chinese platforms like gitee[.]com, Baidu, and Zhihu, and Chinese infrastructure for both malware hosting and browsing activity reveals a geographical pivot or collaboration: a hybrid APT footprint rooted in DPRK tradecraft but operating from or with Chinese support.
Most notably, this leak uncovers a geographical expansion of operational interest; the actor is no longer solely focused on the Korean peninsula. The targeting of Taiwanese developer portals, government research IPs, and .git/ repositories shows a broadened agenda that likely maps to both espionage and supply chain infiltration priorities. This places Taiwan, like South Korea, at the forefront of North Korean cyber interest, whether for intelligence gathering, credential hijacking, or as staging points for more complex campaigns.
The threat uncovered here is not merely malware or phishing; it is an infrastructure-centric, credential-first APT campaign that blends highly manual operations (e.g., hand-compiled shellcode, direct OCR of sensitive PDFs) with modern deception tactics such as AiTM phishing and TLS proxy abuse.
Organizations in Taiwan and South Korea, particularly those managing identity, certificate, and cloud access infrastructure, should consider themselves under persistent, credential-focused surveillance. Defensive strategies must prioritize detection of behavioral anomalies (e.g., use of OCR tools, GPKI access attempts), outbound communications with spoofed Korean domains, and the appearance of low-level toolchains like NASM or proxyres-based scanning utilities within developer or admin environments.
In short: the “Kim” actor embodies the evolution of nation-state cyber threats—a fusion of old-school persistence, credential abuse, and modern multi-jurisdictional staging. The threat is long-term, embedded, and adaptive.
Part III: Threat Intelligence Report
TLP WHITE:
Targeting Summary
The analysis of the “Kim” operator dump reveals a highly focused credential-theft and infrastructure-access campaign targeting high-value assets in both South Korea and Taiwan. Victims were selected based on their proximity to trusted authentication systems, administrative control panels, and development environments.
Pastebin raw links: Used for payload staging and malware delivery
IP Addresses
External Targets (Taiwan):
163.29.3[.]119: National Center for High-performance Computing
118.163.30[.]45: Taiwanese government subnet
59.125.159[.]81: Chunghwa Telecom
Brute Forcing / Infrastructure Origins:
23.95.213[.]210: VPS provider with malicious history
218.92.0[.]210: China Unicom
122.114.233[.]77: Henan Mobile, PRC
Internal Host IPs (Operator Environment)
192.168.130[.]117
192.168.150[.]117
192.168.0[.]39
Operator Environment: Internal Host IP Narrative
The presence of internal IP addresses such as 192.168.130[.]117, 192.168.150[.]117, and 192.168.0[.]39 within the dump offers valuable insight into the attacker’s local infrastructure, an often-overlooked element in threat intelligence analysis. These addresses fall within private, non-routable RFC 1918 address space, the kind assigned by default on commercial off-the-shelf (COTS) routers and small office/home office (SOHO) network gear.
The use of 192.168.0[.]0/16 space, particularly 192.168.0.x, is consistent with a residential or low-profile environment rather than a formal nation-state facility or hardened infrastructure. The third octet alone cannot prove this: all of 192.168.0.0/16 is private space, and ranges such as 192.168.130.x and 192.168.150.x are as typical of hypervisor NAT networks and VPN client pools as of home routers. With that caveat, the picture supports existing assessments that North Korean operators, particularly those affiliated with Kimsuky, often work remotely from locations in third countries such as China or Southeast Asia, where they can maintain inconspicuous, low-cost setups while accessing global infrastructure.
Moreover, the distinction between multiple internal subnets (130.x, 150.x, and 0.x) may indicate segmentation of test environments or multiple virtual machines running within a single NATed network. This aligns with the forensic evidence of iterative development and testing workflows seen in the .bash_history files, where malware stagers, rootkits, and API obfuscation utilities were compiled, cleaned, and rerun repeatedly.
Together, these IPs reveal an operator likely working from a clandestine, residential base of operations, with modest hardware and commercial-grade routers. This operational setup is consistent with known DPRK remote IT workers and cyber operators who avoid attribution by blending into civilian infrastructure. It also suggests the attacker may be physically located outside of North Korea, possibly embedded in a friendly or complicit environment, strengthening the case for China-based activity by DPRK nationals.
Reconnaissance
T1592, Gather Victim Host Information; T1590, Gather Victim Network Information
Exfiltration
T1041, Exfiltration Over C2 Channel; T1567.002, Exfiltration Over Web Service: Exfiltration to Cloud Storage
Tooling and Capabilities
The actor’s toolkit spans multiple disciplines, blending malware development, system reconnaissance, phishing, and proxy evasion:
NASM-based shellcode loaders: Compiled manually for Windows execution.
Win32 API hashing: Obfuscated imports via hashstring.py to evade detection.
GitHub/Gitee abuse: Tooling hosted or cloned from public developer platforms.
OCR exploitation: Used ocrmypdf to parse Korean PDF specs related to digital certificates and VPN appliances.
Rootkit deployment: Hidden persistence paths including /usr/lib64/tracker-fs and /proc/acpi/pcicard.
Proxy config extraction: Investigated PAC URLs using proxyres-based recon.
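The API-hashing entry is the one piece of this toolkit a defender can turn around cheaply. The page does not show hashstring.py or the algorithm it uses, so the added example below (written for this page, not the operator’s code) assumes the ROR13 module-plus-function scheme used by Metasploit’s block_api stub, which is the most common choice in hand-written Windows shellcode. It reproduces the published value for kernel32.dll!LoadLibraryA (0x0726774C) and shows how a precomputed table maps hashes pulled out of a blob back to API names. The export list is constructed for the example, not read from real DLLs.

```python
# Added example: ROR13 module+function hashing as used by Metasploit's block_api
# resolver, reimplemented so hashes can be precomputed for a loader and, on the
# defensive side, mapped back to API names. Whether hashstring.py from the dump
# uses exactly this scheme is an assumption; the page does not show it.

MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """32-bit rotate right, matching the x86 ror instruction."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def hash_module(name):
    """Hash of the module's BaseDllName as the stub walks it in the PEB loader
    list: uppercased UTF-16LE bytes, terminating null included (the stub reads
    MaximumLength, which counts the terminator)."""
    h = 0
    for b in (name.upper() + "\x00").encode("utf-16-le"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def hash_function(name):
    """Hash of the export name as read from the export name table: ASCII bytes
    plus the terminating null."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & MASK32
    return h


def api_hash(module, function):
    """The 32-bit constant a loader pushes instead of the API's name."""
    return (hash_module(module) + hash_function(function)) & MASK32


# Constructed export list, not a real PE export table: enough entries to show
# how an analyst inverts hashes found in a shellcode blob.
COMMON_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateProcessA", "WinExec", "ExitProcess"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send"],
}


def build_hash_table(exports=COMMON_EXPORTS):
    """Precompute hash -> (module, function) so hashes in a sample resolve to names."""
    table = {}
    for module, names in exports.items():
        for fn in names:
            table[api_hash(module, fn)] = (module, fn)
    return table


def resolve_hashes(hashes, table=None):
    """Map 32-bit constants lifted from a sample to API names; unknown hashes
    are kept as hex so they can be added to the export list and rerun."""
    table = table or build_hash_table()
    return [table.get(h & MASK32, ("?", f"0x{h:08X}")) for h in hashes]


if __name__ == "__main__":
    for h, name in sorted(build_hash_table().items(), key=lambda kv: kv[1]):
        print(f"0x{h:08X}  {name[0]}!{name[1]}")
```

Because the module hash covers the uppercased name with its terminator, a loader built this way resolves KERNEL32.DLL regardless of how the loader list spells it, which is also why a detection based only on the string “LoadLibraryA” never fires on such shellcode; the constants themselves are the signature.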
Attribution Confidence Assessment
Attribution candidate: confidence level, with the evidence behind it
DPRK-aligned (Kimsuky): High. Native Korean targeting, GPKI focus, OCR behavior.
China-blended infrastructure: Moderate. PRC hosting, Gitee usage, Taiwan focus.
Solely PRC actor: Low-to-Moderate. Tooling overlap but weak linguistic match.
Assessment: The actor appears to be a DPRK-based APT operator working from within or in partnership with Chinese infrastructure, representing a hybrid attribution model.
Defensive Recommendations
Area: Recommendation
PKI Security: Monitor usage of .key, .sig, and .crt artifacts; enforce HSM-backed keys or 2FA for key use.
Phishing Defense: Block the domains identified in the IoCs; validate TLS fingerprints and referrer headers.
Endpoint Hardening: Detect use of nasm, make, and OCR tools; monitor /usr/lib*/tracker-* paths.
Network Telemetry: Alert on .git/ directory access from external IPs; monitor outbound connections to Pastebin and GitHub.
Taiwan Focus: Establish watchlists for .tw domains targeted by PRC-originating IPs.
Admin Accounts: Review usage logs for svradmin, oracle, and app_adm01, and ensure rotation policies are enforced.
APPENDIX A
Overlap or Confusion with Chinese Threat Actors
There is notable evidence of operational blur between Kimsuky and Chinese APTs in the context of Taiwan. The 2025 “Kim” data breach revealed an attacker targeting Taiwan whose tools and phishing kits matched Kimsuky’s, yet whose personal indicators (language, browsing habits) suggested a Chinese national. Researchers concluded this actor was likely a Chinese hacker either mimicking Kimsuky tactics or collaborating with them. In fact, the leaked files on DDoSecrets (Distributed Denial of Secrets) hint that Kimsuky has “openly cooperated with other Chinese APTs and shared their tools and techniques”. This overlap can cause attribution confusion: a Taiwan-focused operation might initially be blamed on China but could involve Kimsuky elements, or vice versa. So far, the consensus is that North Korean and Chinese cyber operations remain separate, but cases like “Kim” show how a DPRK-aligned actor can operate against Taiwan using TTPs common to Chinese groups, muddying the waters of attribution.
This report highlights the resurfacing of SpyNote activity by the same actor in a previous DTI report and provides additional information around the recent activity and changes in tactics since the prior report.
Deceptive websites are mimicking popular Android application install pages on the Google Play Store to lure victims into downloading AndroidOS SpyNote malware, a potent Android RAT used for surveillance, data exfiltration, and remote control. This report highlights the resurfacing of SpyNote activity by the same actor in the previous DTI report in April and provides additional information around the recent activity and changes in tactics since the prior report. Notably, the actor made minor changes in IP resolutions and added additional anti-analysis in the APK dropper in an attempt to protect the SpyNote payload from detection.
Details
SpyNote is a highly intrusive Android Remote Access Trojan (RAT) with extensive capabilities for surveillance, data exfiltration, and device manipulation. It can remotely control a device’s camera and microphone, manage phone calls, and execute commands. Of particular concern is its keylogging functionality, which targets application credentials and abuses Android’s Accessibility Services to steal two-factor authentication (2FA) codes. Beyond data theft, SpyNote can also perform on-device actions like displaying overlay attacks for clickjacking. If granted administrator privileges, it gains the power to remotely wipe data, lock the device, or install additional malicious applications, making it a formidable threat for espionage and cybercrime.
The pages shown below are static clones, using HTML and CSS copied from the actual Google Play Store to appear legitimate. Their primary purpose is to trick users into downloading and installing an Android application package (.apk file). The “Install” button triggers a JavaScript function to download an .apk file directly from the malicious website.
The download() function is the core of the page’s malicious functionality.
It creates a hidden iframe and sets its source to a JavaScript URI that triggers a navigation to Chrome.apk. This is a common technique to initiate a file download from the browser without the user leaving the current page.
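What follows is an added example, not the lure page itself and not code from any scanner product, showing the static checks a URL scanner or mail gateway can apply to a page like the one described: a title styled as a Play Store listing combined with any reference to an .apk file (Google Play never serves APKs from a listing page), and a script that builds an iframe and points it at a javascript: URI. The sample page, its path and its filename are constructed for the test.

```python
import re
from html.parser import HTMLParser

# Constructed page modelled on the behaviour described above. It is not the
# actor's page; markup, path and filename are made up for this example.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Google Chrome - Apps on Google Play</title></head>
<body>
<div class="install"><button onclick="download()">Install</button></div>
<script>
function download() {
  var f = document.createElement('iframe');
  f.style.display = 'none';
  f.src = 'javascript:window.location.href="/dl/Chrome.apk"';
  document.body.appendChild(f);
}
</script>
</body></html>
"""

APK_REF = re.compile(r"[\w./:?=&%-]*\.apk\b", re.IGNORECASE)
IFRAME_CREATE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.IGNORECASE)


class _PageCollector(HTMLParser):
    """Collect the pieces the heuristics look at: title text, script bodies,
    and the src attribute of any static iframe."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.scripts = []
        self.iframe_srcs = []
        self._in_title = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "iframe":
            self.iframe_srcs.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_script:
            self.scripts[-1] += data


def scan_page(html):
    """Flag a page that looks like a Play Store listing but hands out an APK itself,
    or that drives a download through a javascript: iframe."""
    p = _PageCollector()
    p.feed(html)
    js = "\n".join(p.scripts)
    apk_refs = sorted(set(APK_REF.findall(html)))
    js_uri_iframe = (
        any(src.strip().lower().startswith("javascript:") for src in p.iframe_srcs)
        or (bool(IFRAME_CREATE.search(js)) and "javascript:" in js.lower())
    )
    play_lure = "google play" in p.title.lower()
    verdict = "suspicious" if apk_refs and (play_lure or js_uri_iframe) else "clean"
    return {
        "title": p.title.strip(),
        "play_store_lure": play_lure,
        "hidden_iframe_js_uri": js_uri_iframe,
        "apk_references": apk_refs,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
```

The check is deliberately indifferent to the hostname: the copied HTML and CSS make visual comparison useless, but the combination of a Play Store title and a self-hosted .apk reference is something the real store never produces.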
Malware Execution
1. Initial Dropper Decrypts Payload: The first APK reads encrypted assets, generates a key from its manifest, and decrypts the second-stage SpyNote payload.
The malware employs a dynamic payload technique to conceal its primary functions, loading them from a separate file only after the application is installed and running. This is achieved using a code injection method known as DEX Element Injection. The malware uses reflection to access and modify the app’s core ClassLoader at runtime, inserting its own malicious code elements at the very beginning of the code lookup path. This forces the Android system to prioritize and execute the malicious code over the app’s legitimate code, enabling it to bypass static security analysis and hijack application functions to intercept data.
The AndroidManifest file is protected and contains the details needed to retrieve the AES decryption key from Chrome.apk. In this case the package name “rogcysibz.wbnyvkrn.sstjjs” is needed to retrieve the 16-byte AES key, shown here hex-encoded as “62646632363164386461323836333631” (the ASCII string bdf261d8da286361).
Decrypted 000 + 001 (SpyNote and its assets/base DEX file containing its C2 configuration):
b81febd19a457e6814d7e28d68742ae25fc4cf6472289a481e262048e9d8eee4
703d62470d31866ccecb66f0083084c478e9e92916041216ec8d839afed0d0d6
Within the assets/base/ folder there are two files: 000 and 001. The dropper essentially works by joining the 000 and 001 files (combined_assets). It then decrypts the combined assets with the AES key before gzip decompresses it. The resulting file is the SpyNote APK, which it loads in. This happens once the user installs the dropper, runs it, and taps a prompt in the app’s load screen. The decrypted file is another APK that the dropper loads which contains the main SpyNote functionality and configuration details for the command-and-control server (C2).
2. SpyNote Payload Loads C2 Logic: The main SpyNote APK dynamically loads another DEX file from its own `assets/base` folder. This DEX file contains the actual C2 connection logic.
3. C2 Logic Establishes Connection: The dynamically loaded DEX file contains the code to build the WebSocket URL for the C2 server.
In previously reported configurations, the C2s were hardcoded directly in the functions for sending traffic. In recent samples, they use control flow obfuscation and identifier obfuscation through random variations of o, O, and 0 for all names in an attempt to make it difficult to understand the program’s logic through static analysis.
Sample identifier obfuscation in a loaded DEX file:
4. C2 Domain Selection Logic: A utility method selects a domain from a predefined list, making the malware more resilient.
5. Hardcoded C2 Domain List: The final destination is a simple class that acts as a container for the hardcoded C2 domains.
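As an added example, not code from the sample or from any analysis tool, the following Python triages an APK for the split-asset pattern from steps 1 and 2 and validates the output of a candidate decryption the way an analyst does before loading it: the result must gunzip to a ZIP that carries its own classes.dex. The AES step is not reimplemented; the constructed dropper applies a SHA-256 keystream XOR purely so its assets look like ciphertext, so the key, package name and file contents here are placeholders, not the sample’s.

```python
import gzip
import hashlib
import io
import math
import re
import zipfile

# Added example for this page; neither the sample's code nor a vendor tool.
SPLIT_ASSET = re.compile(r"^assets/base/(\d{3})$")


def shannon_entropy(data):
    """Bits per byte. Encrypted or compressed data sits near 8.0; note that for
    inputs under a few KB the empirical value is capped at log2(len(data))."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes, min_entropy=7.5):
    """Look for numbered chunks under assets/base/ that are opaque on their own
    and only meaningful once joined and decrypted."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        chunks = sorted(n for n in names if SPLIT_ASSET.match(n))
        entropies = {n: round(shannon_entropy(z.read(n)), 2) for n in chunks}
        combined = b"".join(z.read(n) for n in chunks)  # the dropper's join order: 000 then 001
    return {
        "has_classes_dex": "classes.dex" in names,
        "split_assets": chunks,
        "entropies": entropies,
        "combined_size": len(combined),
        "suspect_packed_payload": len(chunks) >= 2
        and all(e >= min_entropy for e in entropies.values()),
    }


def validate_decrypted(blob):
    """After a candidate AES decrypt, the plaintext must gunzip to a ZIP (the
    inner APK) that contains classes.dex; anything else means wrong key or mode."""
    if blob[:2] != b"\x1f\x8b":
        return False
    try:
        inner = gzip.decompress(blob)
        with zipfile.ZipFile(io.BytesIO(inner)) as z:
            return "classes.dex" in z.namelist()
    except (OSError, zipfile.BadZipFile, EOFError):
        return False


def _pseudo_random(label, n):
    """Deterministic filler that looks random (hash chain); stands in for both
    the inner APK's code bytes and the toy keystream."""
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def _build_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_constructed_dropper():
    """Constructed stand-in for the dropper APK (not a real sample): the inner
    APK is gzipped, XORed with a placeholder keystream, and split into
    assets/base/000 and 001. The real sample uses AES with a key recovered via
    the package name; the XOR keeps this example stdlib-only."""
    inner_apk = _build_zip({"classes.dex": b"dex\n035\0" + _pseudo_random(b"dex", 8192),
                            "AndroidManifest.xml": b"<manifest/>"})
    packed = gzip.compress(inner_apk)
    stream = _pseudo_random(b"constructed-key!", len(packed))
    cipher = bytes(a ^ b for a, b in zip(packed, stream))
    half = len(cipher) // 2
    outer = _build_zip({"AndroidManifest.xml": b"<manifest package='example.constructed'/>",
                        "classes.dex": b"dex\n035\0" + b"loader" * 16,
                        "assets/base/000": cipher[:half],
                        "assets/base/001": cipher[half:]})
    return outer, cipher, stream


def unpack_constructed(cipher, stream):
    """Reverse the toy keystream step; the real sample needs AES here."""
    return bytes(a ^ b for a, b in zip(cipher, stream))


if __name__ == "__main__":
    outer, cipher, stream = build_constructed_dropper()
    print(triage_apk(outer))
    print(validate_decrypted(unpack_constructed(cipher, stream)))
```

Running the triage before attempting any decryption avoids guessing modes against the wrong blob: if the chunk entropies are high and they only make sense joined, the next step is recovering the key from the manifest-derived package name as the report describes, and validate_decrypted is the oracle that tells you when the key and mode are right.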
Threat Actor Analysis
The threat actor distributing SpyNote malware exhibits persistence and limited technical adaptability. They consistently use deceptive Google Play Store clones to lure victims, a social engineering tactic that remains central to their operations. Despite previous exposure, their infrastructure remains confined to two primary IP addresses, showing a restricted capacity for diversification, though they do rotate specific IP resolutions. The anti-analysis techniques used in their APK droppers are relatively simple, employing basic obfuscation and dynamic payload decryption to protect the SpyNote payload.
The APK filenames suggest the spoofed brands or applications fall into these categories:
Social & Dating Apps: iHappy, CamSoda, Kismia, yome, TmmTmm
This actor is suspected of broadly targeting consumers with lures mimicking popular applications, including those related to fashion, social networking, and general utilities, as well as ubiquitous apps like Chrome and Zoom. This wide net, coupled with the surveillance and data exfiltration capabilities of SpyNote, strongly suggests a financially motivated objective. While the delivery code contains Chinese language comments, the specific attribution for this persistent and opportunistic threat actor remains unknown.
Conclusion
This report details a persistent SpyNote malware campaign by an actor relying on deceptive Google Play Store clones for delivery. Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis. The actor’s limited infrastructure adaptability and broad consumer targeting for financial gain highlight their opportunistic yet effective approach. This persistent activity underscores the ongoing threat of mobile RATs and the need for continuous vigilance against social engineering tactics, even from actors with limited technical sophistication.
Security Recommendations
To better protect consumers from threats like SpyNote, key players in the security ecosystem can enhance their defenses:
Browser Developers: Consider strengthening built-in malicious site warnings to automatically flag and block access to deceptive download pages such as fake Google Play Store sites. This helps users avoid suspicious sites entirely.
Android Antivirus Providers and Mobile OS Developers: Focus on advancing automated analysis of app downloads to quickly detect and prevent the installation of harmful software, even when it tries to hide. This provides a crucial layer of defense directly on the device.
Mobile VPN Providers: Explore integrating network-level security features that automatically filter out or alert to connections to known malicious servers. This adds another protective barrier, stopping threats before they can reach the user’s device.
From Laptops to Laundromats: How DPRK IT Workers Infiltrated the Global Remote Economy
This report maps the entire ecosystem of a DPRK IT worker infiltration scheme: key actors, GitHub aliases, laundering flows, shell companies, fake domains, platform infiltration, wallet infrastructure, and global enablers. We also examine the national security implications of the scheme, as well as how lax corporate hiring standards allowed North Korean operatives not just to get paid, but to access critical infrastructure, intellectual property, and production code.
Introduction
Over the last five years, the Democratic People’s Republic of Korea (DPRK) has transitioned from smash-and-grab cryptocurrency raids to a more covert, scalable model of economic warfare: the global deployment of disguised IT workers.
Orchestrated by elite units under the Reconnaissance General Bureau (RGB), these operatives acquire remote employment with U.S. and international tech firms using forged or stolen identities. Once embedded, they receive crypto-based salaries and redirect those earnings into the DPRK’s economy via a network of laundering nodes, front companies, and domain infrastructure.
This report maps the entire ecosystem: key actors, GitHub aliases, laundering flows, shell companies, fake domains, platform infiltration, wallet infrastructure, and global enablers. We also examine the national security implications of the scheme, as well as how lax corporate hiring standards allowed North Korean operatives not just to get paid, but to access critical infrastructure, intellectual property, and production code.
Key Actors and Their Roles
Central Command: Song Kum Hyok & the Andariel Subgroup
At the operational core of North Korea’s disguised IT labor campaign stands Song Kum Hyok, a senior officer within the Andariel subgroup, one of the Reconnaissance General Bureau’s (RGB) elite cyber units. The RGB, North Korea’s main foreign intelligence service, directs both offensive cyber operations and covert economic warfare efforts, and Song’s role straddles both.
Hyok has long been involved in digital identity manipulation, remote access infrastructure, and dark market employment pipelines. Intelligence archives suggest that before assuming his current role, he was linked to multiple Andariel operations involving ransomware staging servers and social engineering against South Korean financial firms.
In the IT worker scheme, Song Kum Hyok is the strategic coordinator of identity theft and resume forgery, enabling North Korean engineers to present themselves as legitimate U.S.-based freelancers. North Korea’s decentralized cyber-labor offensive hinges on stolen and curated identities—complete with names like Joshua Palmer, Sandy Nguyen, and GitHub handles such as devmad119 and sujitb2114. These identities often include verified Know Your Customer (KYC) data: Social Security numbers, clean background checks, and even Green Card scans, sourced from data breaches or underground markets.
Operatives use these identity packages to craft professional-grade resumes and LinkedIn profiles, frequently enhanced with AI-generated content and real or fabricated employment histories. They apply to remote jobs on freelancing platforms such as Upwork, Ureed, or the now-defunct Nabbesh, exploiting weak or automated verification and HR onboarding systems in U.S. companies.
Once hired, they gain access to internal tools and sensitive systems: GitHub repositories, Slack channels, financial dashboards, CI/CD pipelines, and privileged cloud infrastructure. From this vantage point, they can siphon intellectual property, embed backdoors, and surveil company operations, all while appearing to be legitimate remote hires. This seamless path, from stolen identity to embedded insider, is the operational backbone of Pyongyang’s covert cyber-espionage labor force.
Once North Korean operatives are embedded in foreign companies, their wages, often paid in cryptocurrency but also via bank transfers, are routed through a meticulously layered laundering process. The first stop is typically a GitHub-linked wallet address associated with the operative’s fake identity (e.g., aliases like “devmad119” or “Joshua Palmer”). From there, the funds may flow into front companies such as Hopana-Tech LLC, which act as legitimate salary processors. To further obscure the money trail, salaries are split across multiple wallets using automated smart contracts, a tactic designed to fragment and anonymize the source of funds. Finally, the dispersed assets are aggregated and cashed out via over-the-counter (OTC) crypto brokers based in Russia, the UAE, and China, jurisdictions known for permissive financial enforcement. This end-to-end pipeline creates a resilient and stealthy mechanism for the DPRK to funnel hard currency back into its economy while bypassing international sanctions.
Hyok’s innovation lies in combining AI-generated job profiles with pre-cleared identity data and military operational discipline. Under his supervision, the scheme has moved from ad hoc fraud to a scalable, persistent economic attack model yielding millions of dollars annually for North Korea’s weapons programs while hiding in plain sight inside the legitimate global economy.
U.S. Frontman: Kejia Wang
From a quiet address in Edison, New Jersey, Kejia Wang, also known as Tony Wang, ran one of the most critical nodes in North Korea’s international cyber-laundering apparatus. His residence at 65 Idlewild Road wasn’t just a suburban home; it was the physical anchor for a web of front companies, remote device hubs, and disguised income laundering pipelines that allowed DPRK IT workers to embed themselves inside U.S. companies.
Wang operated under the radar, founding multiple businesses that appeared legitimate on paper but functioned primarily as pass-through entities for laundering salaries earned under false identities. These businesses included tech fronts, aviation firms, and even a massage parlor, each playing a role in the deception.
The most visible of these fronts was the Highland Park 215 Spa, located just a few miles from Wang’s listed residence. Officially a wellness spa, it appears to have functioned as a cash-out hub for crypto proceeds tied to North Korean developers. Its web presence was thin and reviews inconsistent, offering more red flags than relaxation.
Wang’s activities extended far beyond shell paperwork. He physically received laptops sent by U.S. companies hiring remote workers and connected them to internet-facing KVM switches. These switches allowed DPRK operatives, posing under names like “Joshua Palmer” or GitHub aliases like “devmad119”, to work as though they were based in the U.S. He also installed unauthorized software, managed credentials, and monitored access on behalf of the regime.
To keep the deception watertight, Wang opened corporate bank accounts, created digital presences for the fake companies, and maintained financial rails through platforms like Wise, Zelle, and Payoneer. His shell entities even issued IRS tax forms using stolen identity data, giving employers the impression that their freelance hires were tax-compliant U.S. residents.
Wang coordinated with a global network of co-conspirators, including Zhenxing Wang and Jing Bin Huang in China, Mengting Liu in Taiwan, and crypto brokers in the UAE and Russia. These connections formed the infrastructure that allowed funds from unsuspecting U.S. firms, including those in the defense sector, to end up in wallets controlled by the North Korean regime.
Court filings in DOJ case 25-cr-10274 paint a damning picture: Kejia Wang was not only aware that the workers were North Korean nationals, but also actively facilitated the laundering of more than $5 million in wages tied to fraud, of which at least $3 million resulted in direct corporate losses.
From his role as a logistics manager to a shell company architect, Wang helped build a shadow economy inside the legitimate global tech labor force, an economy designed to fund weapons development, evade sanctions, and penetrate sensitive digital infrastructure with ease.
Laptop Farms and Stolen Identities: Christina Chapman
Laptop farms function as remote access deception hubs, allowing foreign operatives to convincingly impersonate U.S.-based employees. In this scheme, the perpetrators acquire and configure laptops sent by U.S. companies to individuals they believe are legitimate remote hires. These devices are logged into and maintained from U.S. soil, typically through physical setups in homes or small offices, so that all network traffic and telemetry appear domestic. The key to this illusion is identity theft. Recently, the DOJ indicted Christina Chapman, a facilitator in Arizona, who ran “laptop farms”. Once the hiring process was complete, victim companies would ship work laptops and grant access to sensitive systems, unaware that the real end users were North Korean nationals abroad. Chapman’s role was not only to receive and activate these laptops but to maintain them for continuous remote access, ensuring that DPRK operatives could stay invisible behind American identities.
Christina Chapman, 12607 W Vista Paseo Dr, Litchfield Park, AZ 85340: DPRK laptop farm run by Chapman
Platform Penetration & Global Expansion
As enforcement tightened on global freelancing hubs such as Upwork, Fiverr, and Freelancer.com, North Korean IT operatives expanded their focus to less-regulated, regionally focused gig platforms, particularly in the Middle East and North Africa (MENA). While major global platforms like Upwork and Freelancer still see DPRK IT worker recruitment, intelligence gathered throughout 2024 and 2025 indicates a broader strategy to infiltrate various online platforms. These platforms became attractive to DPRK-aligned actors due to their comparatively lenient onboarding processes, minimal identity verification, and weak vetting practices, which allow the actors to bypass employment verification controls.
This expansion coincided with observed DPRK tactics documented by Microsoft Threat Intelligence and Google Cloud’s Mandiant division, which reported the use of KVM switch setups, stolen identity kits, and remote desktop software to simulate domestic employment in a given jurisdiction—even when the worker operated from DPRK or China. Newer tactics include the use of synthetic voices for video interviews, AI-generated profile images, and automated deployment of identity documents that pass lightweight vetting procedures common to less-regulated platforms.
Payment pipelines also evolved. Payments are often facilitated through virtual currency, as well as services like TransferWise and Payoneer, implying a preference for systems with limited oversight. In 2025, DPRK operatives received payment through disbursement services into crypto wallets or offshore accounts, routing earnings through UAE-based infrastructure. The available research does not directly corroborate specific incidents such as a “Ureed-based hire posing as a Syrian frontend engineer working for a UAE fintech company” or mobile application code delivered via “Nabbesh” by a user claiming to be Palestinian with telemetry traced to Vladivostok, Russia. However, the use of telemetry to detect Russian-linked infrastructure associated with DPRK activity is confirmed.
This redirection to under-monitored platforms reflects the regime’s operational flexibility. Instead of abandoning freelance infiltration altogether, Pyongyang expanded its reach into low-friction digital labor markets with lower regulatory visibility. This expansion not only preserved a steady stream of foreign currency for the regime, but it also increased DPRK’s reach into sectors and geographies beyond traditional U.S.-centric targets. It is not simply opportunistic—it is part of a deliberate, adaptive campaign of economic espionage masked as remote software development.
Shell Company Infrastructure
The DPRK IT labor operation was propped up by a web of shell companies that each played a distinct, carefully engineered role in laundering salaries, spoofing employment legitimacy, and obfuscating the true identities of North Korean operatives. At the core of this infrastructure was Kejia Wang, a New Jersey-based facilitator who established multiple legal entities across the U.S. to mask the flow of illicit wages. Hopana-Tech LLC served as a primary payroll conduit, accepting salary payments from victim companies under the guise of a legitimate staffing agency. Tony WKJ LLC was used to receive and deploy laptops to DPRK operatives, while also functioning as a salary masking layer. Independent Lab LLC provided the technical underpinnings, including blockchain API relays and crypto wallet infrastructure to route funds out of the U.S. financial system. Highland Park 215 Spa LLC, ostensibly operating under the cover of a massage parlor in New Jersey, likely acted as a cash-out point for laundering physical funds.
Wang also operated Northstar Leadership Inc., which produced fabricated resumes and managed identity paperwork, essential for onboarding DPRK operatives to hiring platforms. Through Capella Aviation LLC, Wang and co-registrant Liwen Huang routed wire transfers through Hong Kong and mainland China, creating a cross-border financial bridge. On the Russian front, Gayk Asatryan used Asatryan LLC and Fortuna LLC to legally host 80 DPRK workers, legitimizing their presence under 10-year employment contracts signed with North Korean trading firms.
These entities were not isolated; they were interconnected through shared addresses such as 65 Idlewild Road, overlapping registration details, and reused bank accounts and crypto wallets. Together, they formed a sophisticated scaffolding that gave the illusion of legitimate employment and enterprise, while operating as the foundation for one of the most complex sanctions-evasion schemes tied to DPRK’s Reconnaissance General Bureau.
Highland Park 215 Spa, 215 Raritan Avenue, Highland Park, NJ
DPRK Currency Transfers Via Banking
Kejia Wang, operating from New Jersey, functioned as the financial cornerstone of the DPRK’s U.S.-based laundering scheme. Through front companies like Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, he established business and money transfer accounts used to receive salary payments from U.S. companies unwittingly employing North Korean IT workers under false identities.
At Hopana Tech, Wang opened a U.S. bank account that took in over $464,000 from victim firms between January 2022 and April 2024. These funds were rerouted to overseas co-conspirators such as Jing Bin Huang and a network of Chinese shell entities (e.g., Shenyang Xiwang, Deep Tech, Aolien) via Bank of China and Standard Chartered (HK).
Simultaneously, Tony WKJ LLC received more than $1.6 million through a U.S. money transfer service (MTS-2), which Wang distributed to accounts linked to Enchia Liu, Food Yard Trading (Dubai), and Shenyang Sun-Lotus Tech. He personally siphoned $218,000 into his own U.S. checking account and another $412,000 to his personal MTS account. Between 2022 and 2023, he also received $237,000 in salary deposits into that same personal account, then forwarded $208,000 across 43 transfers to co-conspirators Huang and Tong Yuze.
Wang further disguised laptop handling and device access fees as routine payments labeled “CA laptops” and “NY laptops,” totaling over $55,000 sent to two U.S.-based facilitators.
Lastly, using MTS-3, Wang falsely registered Tony WKJ as a “VC-backed software firm” and received $352,949 from victim companies. When flagged by MTS staff, Wang lied about a DPRK worker under the alias “Wandee C.,” claiming he was a subcontracted developer.
In total, these financial maneuvers moved millions through U.S. infrastructure to overseas nodes, enabling DPRK operatives to mask their identities and launder salaries under the guise of legitimate tech consulting.
Crypto Payment Flows & Wallet Infrastructure
The laundering of salaries earned by North Korean IT operatives followed a structured, multi-phase pipeline designed to minimize traceability and regulatory exposure. In Phase 1: Salary Receipt, payments from unsuspecting U.S. and international companies were sent either to front companies, such as Hopana-Tech LLC and Independent Lab LLC, or directly to wallet addresses listed on the operatives’ GitHub profiles. These companies believed they were paying legitimate U.S.-based contractors, unaware that the workers were remote operatives in North Korea using stolen or forged identities.
Phase 2: Obfuscation began as soon as payments arrived. Smart contracts were employed to automatically split the incoming funds across clusters of Ethereum or TRON wallets. This fragmentation technique, similar to those used in ransomware operations, obscured the origin of the funds and made tracking the complete financial trail more difficult. Each tranche was redirected through different wallets, reducing the ability of investigators to correlate input/output flows with a single identity or origin point.
In Phase 3: Conversion, the obfuscated crypto was aggregated and funneled through over-the-counter (OTC) brokers based in Russia, the United Arab Emirates, and Hong Kong. These brokers specialize in converting large sums of stablecoins into fiat or alternative cryptocurrencies while avoiding compliance triggers. Eventually, the cleaned funds were consolidated into wallets under DPRK control, some of which have since been blocklisted by platforms like Tether for links to illicit activity and sanctions violations. This seamless pipeline allowed the DPRK to convert stolen or fraudulently earned wages into usable capital for the regime’s strategic programs, including its weapons development efforts.
DPRK IT Worker Cluster Wallet & Identity Mapping
Eight fake identities represent a sophisticated and evolving strategy by the DPRK’s IT worker apparatus to not only infiltrate U.S.-based companies but to systematically exfiltrate salary payments into laundering pipelines that support North Korea’s sanctioned economy. Each alias, crafted with care and strategic foresight, was tied to a complex infrastructure of forged documents, crypto wallets, and online developer personas, all designed to evade detection by employers, banks, and regulators.
These aliases were not random. Many were modeled on plausible names common in the U.S., Canada, or Southeast Asia, making them more likely to pass identity verification or “soft KYC” checks on freelancing platforms and internal HR systems. They were often accompanied by polished LinkedIn profiles, active GitHub repositories, and consistent communication habits, all of which contributed to the illusion of a legitimate remote developer.
Behind the scenes, each identity was directly linked to salary laundering flows. For instance, Andy Bell, Benjamin Nguyen, and Sandy Nguyen used ETH-based wallet addresses, including vanity ENS domains like bbshark[.]eth and gsofter[.]eth, to receive payments from U.S. firms under the guise of contract work. These addresses were often listed on their GitHub accounts as “payment preferred to…” links, allowing unsuspecting employers or payroll processors to initiate transfers.
In many cases, funds were first routed to these GitHub-linked wallets, then automatically or manually split using smart contracts across secondary addresses. From there, the payments were funneled to consolidation wallets controlled by DPRK facilitators or OTC brokers in Russia, China, or the UAE. For example, funds from wallets tied to Josh Thomas and Muhammad Abdullah were traced via ZachXBT and TRM Labs to known laundering hubs tied to sanctioned North Korean operators. (*ZachXBT is a self-taught, pseudonymous blockchain investigator who has gained global recognition for tracking fraudulent crypto transactions, hacks, rug pulls, and state-linked laundering schemes.)
The fake geographic locations assigned to these aliases were deliberately chosen to align with employment demand and reduce suspicion, such as Texas, California, Toronto, and Michigan, regions known for tech industry presence. These locations also matched VPN exit nodes and remote access IP ranges used to simulate U.S.-based developer activity during work hours.
In total, these eight identities were tied to at least 12 different U.S. and international projects. They helped siphon hundreds of thousands in salaries, while embedding DPRK-linked code contributors into the core of web3 startups, fintech platforms, and even infrastructure projects. Their exposure now offers critical insight into the DPRK’s strategy: weaponizing remote work, exploiting global labor gaps, and turning open-source ecosystems into vectors of economic subversion.
ZachXBT on X: wallet tweet and further wallet details
Associated Consolidation Wallets
ZachXBT reports that all above identities and payment addresses lead to two known consolidation wallets:
These wallets serve as hubs in laundering pathways, taking in payments from U.S. firms and redistributing to DPRK-controlled endpoints via OTC brokers and blacklisted channels. These are frequently referenced in TRM Labs and Treasury forfeiture filings.
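The three-phase flow described above (salary into a GitHub-listed alias wallet, split-contract fan-out, re-aggregation at consolidation wallets) can be checked with pro-rata taint tracing over the transfer graph. This is an added example, not ZachXBT's or TRM Labs' tooling; every address, wallet label and amount below is a constructed placeholder, and the transfer graph is assumed to be acyclic.

```python
"""Pro-rata taint tracing from alias wallets to consolidation wallets.

Constructed sample, not indicators from the report: employers pay the alias
wallet, a split contract fans the funds out, and the tranches re-merge at two
consolidation wallets. The tracer attributes each consolidation wallet's
inflow back to the fake identity it was earned under.
"""
from collections import defaultdict, deque

# (source, destination, amount) -- constructed transfers
TRANSFERS = [
    ("employer_1", "w_andy_bell", 10000),   # Phase 1: salary into alias wallet
    ("employer_2", "w_sandy_nguyen", 6000),
    ("w_andy_bell", "split_1", 4000),       # Phase 2: split-contract outputs
    ("w_andy_bell", "split_2", 6000),
    ("w_sandy_nguyen", "split_2", 2000),
    ("w_sandy_nguyen", "split_3", 4000),
    ("split_1", "consol_A", 4000),          # Phase 3: re-aggregation
    ("split_2", "consol_A", 3000),
    ("split_2", "consol_B", 5000),
    ("split_3", "consol_B", 4000),
]
# Wallets listed on the fake developers' GitHub profiles (constructed labels)
ALIAS_WALLETS = {"w_andy_bell": "Andy Bell", "w_sandy_nguyen": "Sandy Nguyen"}
# Known consolidation wallets (constructed labels)
CONSOLIDATION_WALLETS = {"consol_A", "consol_B"}


def trace_taint(transfers, alias_wallets, sinks):
    """Return {sink: {alias: amount}} using pro-rata mixing.

    A wallet forwards each alias's funds in the same proportion that alias
    contributed to the wallet's total inflow. Funds arriving at an alias wallet
    that carry no prior attribution (the employer's payment) are stamped with
    that alias. Outflows larger than inflows are not modelled; the graph must
    be a DAG (Kahn's algorithm is used for the topological order).
    """
    out_edges = defaultdict(list)
    in_degree = defaultdict(int)
    inflow = defaultdict(float)
    nodes = set()
    for src, dst, amt in transfers:
        out_edges[src].append((dst, amt))
        in_degree[dst] += 1
        inflow[dst] += amt
        nodes.update((src, dst))

    taint = defaultdict(lambda: defaultdict(float))
    queue = deque(sorted(n for n in nodes if in_degree[n] == 0))
    processed = 0
    while queue:
        node = queue.popleft()
        processed += 1
        if node in alias_wallets:
            untainted = inflow[node] - sum(taint[node].values())
            if untainted > 0:
                taint[node][alias_wallets[node]] += untainted
        total_in = inflow[node]
        for dst, amt in out_edges[node]:
            if total_in > 0:
                share = amt / total_in
                for alias, value in taint[node].items():
                    taint[dst][alias] += value * share
            in_degree[dst] -= 1
            if in_degree[dst] == 0:
                queue.append(dst)
    if processed != len(nodes):
        raise ValueError("cycle in transfer graph; pro-rata tracing needs a DAG")
    return {sink: dict(taint[sink]) for sink in sinks}


def exposure_report(trace):
    """Per sink, the percentage of attributed inflow from each alias."""
    report = {}
    for sink, by_alias in trace.items():
        total = sum(by_alias.values())
        report[sink] = (
            {alias: round(100 * value / total, 1) for alias, value in by_alias.items()}
            if total else {}
        )
    return report


if __name__ == "__main__":
    trace = trace_taint(TRANSFERS, ALIAS_WALLETS, CONSOLIDATION_WALLETS)
    for sink, shares in exposure_report(trace).items():
        print(sink, shares)
```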
Global Network of Enablers
The DPRK’s IT worker laundering network was supported by a multinational cast of facilitators operating across five regions, each providing critical functions that enabled the scheme to scale globally. In the United States, Kejia Wang and Zhenxing “Danny” Wang served as the domestic linchpins, establishing shell companies like Hopana-Tech LLC and Independent Lab LLC, receiving company-issued laptops, and enabling remote access for DPRK operatives via KVM switches. In China, actors such as Jing Bin Huang, Tong Yuze, and Zhenbang Zhou were responsible for setting up domain infrastructure, fabricating identity records, and acting as intermediaries in the salary flow chain. Operating from the United Arab Emirates, Yongzhe Xu and Ziyou Yuan handled the setup of financial accounts and cryptocurrency wallets that served as routing points for laundered funds. Meanwhile, in Taiwan, Mengting Liu and Enchia Liu were tasked with salary account management and crypto-to-cash withdrawal, helping to finalize the money laundering cycle. In Russia, Gayk Asatryan took on a more formal role, entering into 10-year labor agreements with DPRK trading entities and providing legal cover through his companies Asatryan LLC and Fortuna LLC for the long-term hosting of North Korean IT workers. Together, these individuals formed the logistical and financial scaffolding behind one of the DPRK’s most successful sanctions evasion operations to date.
While the physical infrastructure of DPRK’s cyber-labor operation is anchored in shell companies and banking channels, its digital front is built on a deceptively simple architecture: domain registrations and simple, one-layer-deep websites. Four key domains, hopanatech[.]com, tonywangtech[.]com, wkjllc[.]com, and inditechlab[.]com, emerged as critical components of the laundering and deception ecosystem.
All four were registered through Namecheap, a domain registrar frequently exploited by threat actors for its lenient Know-Your-Customer (KYC) policies. These domains aligned closely with the shell companies documented in the July 2025 indictment of Kejia Wang (aka Tony Wang).
hopanatech[.]com: Used as a façade for the employer-of-record shell “Hopana Tech LLC.” This site served as a point of contact and “employment verification” front, meant to convince firms that IT workers were U.S.-based.
tonywangtech[.]com and wkjllc[.]com: Variations on the Tony WKJ LLC shell, these domains were used to generate email aliases and submit resumes under false identities. They helped DPRK contractors pass due diligence by appearing affiliated with a legitimate tech firm.
inditechlab[.]com: Tied to Independent Lab LLC, a shell involved in crypto infrastructure. The domain may have also hosted webhooks and API interfaces used in TRON-based laundering flows.
Despite their differing branding, these domains shared clear indicators of clustering:
Similar registrar info and name servers
Absence of advanced metadata like Google Analytics or embedded tracking (indicating high OPSEC awareness)
WHOIS privacy enabled
Associated email accounts and DNS infrastructure linked to Wang or his co-conspirators
These domains were not just placeholders. They were operationally active, used in job applications, HR communications, resume verification, and even crypto billing. In short, they functioned as front-facing digital camouflage for a covert state-aligned economic espionage program.
DomainTools searches of the four domains created by Tony and Zhenxing Wang for their LLCs
By the first half of 2025, North Korea’s covert IT labor scheme had evolved into a robust revenue-generating apparatus capable of siphoning millions from the global economy with alarming precision. An estimated $17 million in salary payments was funneled through shell companies and direct crypto wallets tied to DPRK operatives posing as freelance developers. It is also cited that the total for the scheme globally netted between $250 to $600 million altogether. These payments came from hundreds of U.S. companies, including fintech startups, SaaS vendors, blockchain firms, and even defense contractors, who unknowingly onboarded North Korean nationals through falsified resumes and forged identity documents. In June 2025, U.S. authorities seized $7.7 million in cryptocurrency assets connected to the scheme, targeting wallets tied to aliases like “devmad119” and “Joshua Palmer.” Yet this represents just a fraction of the broader threat: over $1.6 billion in global cryptocurrency losses were attributed to DPRK-linked actors in the same time period, with 70% directly traced to operations blending employment fraud, social engineering, and codebase compromise. Far beyond financial theft, this scheme granted North Korean operatives persistent system access, enabling the injection of malicious logic, exfiltration of proprietary code, and creation of long-term backdoors across critical sectors.
Insider Threats: Espionage by Employment
North Korean IT operatives, posing as legitimate remote developers, evolved from mere economic infiltrators to full-fledged insider threats. Once embedded within U.S. and foreign tech firms, these operatives obtained privileged access to critical assets, including GitHub repositories, CI/CD pipelines (like Jenkins and GitLab), and cloud configuration files across AWS, Azure, and GCP. With this level of access, they would be able to insert stealthy “sleeper” functions, delayed or dormant code designed to activate later, as well as data exfiltration logic disguised within standard requests, such as base64-encoded POST or GET calls.
To date, no official disclosures from the government or private sector have confirmed that such actions have occurred. However, given that these nation-state adversaries were embedded as insider threats, it is reasonable to assess that once they gained access to sensitive networks and digital assets, they likely exploited opportunities that extended beyond financial fraud. The potential for strategic espionage, leveraging their privileged access for intelligence collection or cyber sabotage, must be considered a probable scenario.
Threat Assessment
The infiltration of DPRK IT workers into Western firms represents one of the most sophisticated and insidious insider threat campaigns in recent memory. Unlike external cyberattacks that can be blocked at the perimeter, these operatives gained trusted persistent access inside corporate networks by posing as vetted remote employees. Once hired, often via stolen, background-verified U.S. identities, they were embedded into critical roles such as backend development, cloud configuration, CI/CD pipeline maintenance, and DevOps infrastructure. This level of access granted them entry into source code repositories, production environments, encryption logic, and proprietary APIs, allowing for potential IP theft, backdoor insertion, credential harvesting, and pre-positioning for future attacks.
This threat was magnified by a widespread failure among companies to implement robust asset management, access logging, and behavioral anomaly detection. In many cases, organizations lacked visibility into who exactly was accessing which systems, when, and from where. The use of remote KVM switches, proxy VPNs, and U.S.-based cloud endpoints enabled DPRK operatives to blend in with legitimate employee traffic, bypassing geo-fencing or basic endpoint monitoring. Some firms failed to enforce multi-factor authentication, revoke GitHub deploy keys upon contractor termination, or monitor suspicious API activity from “internal” users. Additionally, lax onboarding processes and over-reliance on third-party background check platforms meant many identities went unverified or unchecked.
To counter these threats, companies must enforce zero-trust security models, where access is continuously evaluated based on device health, location, and behavioral norms. Automated asset inventories, real-time session monitoring, and privileged access management (PAM) should be standard practice. Every contractor should have narrowly scoped, time-limited access tied to individual credentials, with full audit trails and immediate revocation mechanisms. Organizations must also reevaluate how they vet remote talent, introducing biometric verification, live interviews, and cross-checks with employment databases to prevent identity fraud. Failure to do so risks granting hostile nation-state actors like the DPRK the keys to their most valuable digital assets, without ever breaching a firewall.
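Three of the control gaps named above (deploy keys left active after a contractor's termination, logins without MFA, and sessions from outside the contractor's claimed country or working hours) can be checked mechanically against access logs. This is an added example, not code from the report or from any vendor: the roster, the deploy-key ownership table and the audit events are constructed placeholders in a simplified, GitHub-audit-log-like shape.

```python
"""Contractor access audit over constructed audit-log events.

Flags the offboarding and access-policy failures described above. All data
below is constructed; the event shape is a simplification, not a vendor format.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed roster: claimed country, contract end date, and the UTC window
# in which a U.S.-based hire is expected to be active (13:00-23:00 UTC).
ROSTER = {
    "jpalmer": {"country": "US", "contract_end": "2025-03-31", "hours_utc": (13, 23)},
    "snguyen": {"country": "US", "contract_end": "2025-12-31", "hours_utc": (13, 23)},
}
# Deploy keys are repo-scoped rather than user-scoped, so the audit has to
# track which contractor each key was issued to (constructed mapping).
DEPLOY_KEYS = {"dk-17": "jpalmer", "dk-42": "snguyen"}

# Constructed audit events.
EVENTS = [
    {"ts": "2025-03-20T15:00:00Z", "actor": "jpalmer", "action": "session.login",
     "ip_country": "US", "mfa": True},
    {"ts": "2025-03-20T15:05:00Z", "action": "git.push", "auth": "deploy_key", "key_id": "dk-17"},
    {"ts": "2025-04-14T02:10:00Z", "action": "git.clone", "auth": "deploy_key", "key_id": "dk-17"},
    {"ts": "2025-05-02T03:30:00Z", "actor": "snguyen", "action": "session.login",
     "ip_country": "CN", "mfa": False},
    {"ts": "2025-05-02T16:00:00Z", "actor": "snguyen", "action": "session.login",
     "ip_country": "US", "mfa": True},
    {"ts": "2025-05-03T17:00:00Z", "action": "git.clone", "auth": "deploy_key", "key_id": "dk-99"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit(events, roster, deploy_keys):
    """Return a list of (rule, subject, timestamp) findings."""
    findings = []
    for ev in events:
        when = parse_ts(ev["ts"])
        if ev.get("auth") == "deploy_key":
            # Key-based actions carry no user session, so check the key itself.
            owner = deploy_keys.get(ev["key_id"])
            if owner is None:
                findings.append(("unowned_deploy_key", ev["key_id"], ev["ts"]))
                continue
            end = parse_ts(roster[owner]["contract_end"] + "T23:59:59Z")
            if when > end:
                findings.append(("deploy_key_after_termination", owner, ev["ts"]))
            continue
        actor = ev.get("actor")
        profile = roster.get(actor)
        if profile is None:
            findings.append(("unknown_actor", actor, ev["ts"]))
            continue
        if ev["action"] == "session.login":
            if not ev.get("mfa"):
                findings.append(("login_without_mfa", actor, ev["ts"]))
            if ev.get("ip_country") != profile["country"]:
                findings.append(("geo_mismatch", actor, ev["ts"]))
        start, stop = profile["hours_utc"]
        if not start <= when.hour < stop:
            findings.append(("off_hours_activity", actor, ev["ts"]))
    return findings


def summarize(findings):
    """Count findings per rule; each non-zero rule maps to a control to fix:
    key revocation at offboarding, MFA enforcement, geo/time access policy."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for finding in audit(EVENTS, ROSTER, DEPLOY_KEYS):
        print(finding)
```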
Conclusion
The breaking up of the DPRK IT worker operation is a wake-up call for corporations around the world. The infosec aphorism that “the insider threat is the biggest threat” rings true here with a clarion call. So far, the information that has come out (and continues to be researched) indicates that the U.S. was not the only target of DPRK activity. Corporations and organizations should take that aphorism to heart and do all they can to make such insider attacks much harder to carry out.
It is also important that, within the new paradigm of AI, interviews, vetting, and generally everything carried out during the hiring process be backstopped to ensure that authentic individuals are being hired, not assets of a foreign power or, for that matter, other criminal actors. This landscape will only get more complex, and as we move forward into this brave new world, expect other operations like these that could force your organization into emergency response.
Sign Up For DomainTools Investigations’ Newsletter for the Latest Research
This report details an ongoing campaign by an actor operating primarily during Chinese time zone working hours, targeting Chinese-speaking individuals and entities within and outside China. Since approximately June 2023, the actor has created more than 2,800 domains for malware delivery. The actor's methods and malware, largely unchanged since June 2023, primarily deliver Windows-specific malware through fake application download sites and fake update prompts in various spoofed login pages, marketing apps, business sales apps, and cryptocurrency related apps.
Following previous reports, the actor made notable operational changes including the addition of
Anti-automation and browser emulation code
Reduction in site tracker services
Increased server distribution for sparser domain resolutions per IP address
More discreet registration details
As of June 2025, 266 of the over 850 identified domains since December 2024 were actively distributing malware.
For comprehensive details, refer to the two prior reports linked below:
The `googeyxvot[.]top` domain uses anti-automation and browser emulation checks, and any input on its fake login page triggers a deceptive browser incompatibility error, prompting a malicious update download. Multiple JavaScript files are employed to obfuscate the download URL.
A malicious .zip file from `googeyxvot[.]top` delivers an .msi installer. This installer contains multiple .jpg named files and two executables, `svchost.13.exe` and `flashcenter_pl_xr_rb_165892.19.exe`. `svchost.13.exe` acts as a downloader, fetching a file from `https://ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt`. The downloaded file uses a shellcode decoder loop, decrypts its content with XOR key "0x25", and executes an embedded PE file.
googeyxvot[.]top/assets/download/buile/flashcenter_pl_xr_rb_165892.19.zip
SHA256 flashcenter_pl_xr_rb_165892.19.zip: 7705ac81e004546b7dacf47531b830e31d3113e217adeef1f8dd6ea6f4b8e59b
SHA256 flashcenter_pl_xr_rb_165892.19.msi: a48043b50cded60a1f2fa6b389e1983ce70d964d0669d47d86035aa045f4f556
The .msi file contains several .jpg named files and two executables:
SHA256 svchost.13.exe: zf1b6d793331ebd0d64978168118a4443c6f0ada673e954df02053362ee47917b
SHA256 flashcenter_pl_xr_rb_165892.19.exe: 1c957470b21bf90073c593b020140c8c798ad8bdb2ce5f5d344e9e9c53242556
svchost.13.exe acts as a downloader, retrieving a file from https[:]//ffsup-s42.oduuu[.]com/uploads%2F4398%2F2025%2F06%2F617.txt
SHA256 uploads%2F4398%2F2025%2F06%2F617.txt: e9ba441b81f2399e1db4b86e1fe301aaf2f11d3cf085735a55505873c71cbc6f
The downloaded file contains a shellcode decoder loop, decrypts the rest of the file with XOR key 0x25, and executes an embedded PE file.
SHA256 embedded PE: 28e6c4d71b700ac93c8278ef7968e3d8f9454eff2e8df5baf2fff6acbfdf6c39
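The report describes the downloaded stage as a plaintext decoder loop followed by a body XOR-encoded with key 0x25 that hides a PE. The analysis helper below is an added example (not code from the report or the actor) that locates that stub/body boundary by scanning for the offset where XOR-0x25 produces a valid PE header, then returns the carved PE for hashing; the stub length and the sample payload are constructed assumptions.

```python
"""Locate and decode an XOR-0x25 embedded PE inside a captured stage payload.

Added analysis helper, not code from the report or the actor: the report says
the downloaded 617.txt begins with a shellcode decoder loop and XORs the rest of
the file with key 0x25 before executing an embedded PE. The stub length is not
given, so this scans for the boundary at which XOR-0x25 yields a valid PE header
and returns the carved PE for hashing and detection work.
"""
import hashlib
import struct
from typing import Optional, Tuple

XOR_KEY = 0x25  # single-byte key named in the report


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Check the MZ magic, then follow e_lfanew to the PE\\0\\0 signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 4 > len(blob):
        return False
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_xor_pe(payload: bytes, key: int = XOR_KEY,
                 max_stub: int = 4096) -> Optional[Tuple[int, bytes]]:
    """Return (stub_length, decoded_pe), or None if no encoded PE is found.

    Every candidate boundary between the plaintext decoder stub and the
    encoded body is tried; the first offset whose decoded bytes pass the PE
    header check wins. A cheap two-byte pre-check avoids decoding the whole
    tail at every offset.
    """
    limit = min(max_stub, len(payload) - 0x40)
    for off in range(0, limit + 1):
        if payload[off] ^ key != 0x4D or payload[off + 1] ^ key != 0x5A:  # "MZ"
            continue
        decoded = xor_bytes(payload[off:], key)
        if looks_like_pe(decoded):
            return off, decoded
    return None


def embedded_pe_sha256(payload: bytes) -> Optional[str]:
    """SHA-256 of the carved PE, the value a defender would block or pivot on."""
    found = carve_xor_pe(payload)
    return hashlib.sha256(found[1]).hexdigest() if found else None


def build_sample_payload(stub_len: int = 97) -> bytes:
    """Constructed test input, not the real 617.txt: an opaque fake stub
    followed by a minimal PE header XOR-encoded with 0x25."""
    stub = bytes((0x90 + i) & 0xFF for i in range(stub_len))
    pe = bytearray(0x100)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew -> PE signature offset
    pe[0x80:0x84] = b"PE\x00\x00"
    return stub + xor_bytes(bytes(pe), XOR_KEY)


if __name__ == "__main__":
    sample = build_sample_payload()
    stub_len, pe = carve_xor_pe(sample)
    print(f"decoder stub is {stub_len} bytes; embedded PE is {len(pe)} bytes")
    print("embedded PE sha256:", embedded_pe_sha256(sample))
```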
Fake Alipay Checkout
The domain displays a fake popup stating it cannot operate currently due to the use of abnormal operation mode. The buttons Get Help Now and Cancel are displayed, which prompt a download of a malicious file.
yeepays[.]xyz
An imported JavaScript file defines the download path
“yeepays[.]xyz/assets/js/external_load.js”
The filename is defined in another imported JavaScript file
“yeepays[.]xyz/assets/download/filename.js”
The download URL for the malicious file then becomes:
Clicking most of the interactive buttons redirects to a fake sign-in page for a fake crypto exchange named “CoinBaw”, which likely attempts to impersonate Coinbase.
Registration Details
Mapping over 2,800 of the actor’s registered domains since June 2024, we observed similar trends in timing.
Domain Registrations Create Date
Domain Resolutions First Seen
Comparing the registration creation times for domains with their respective first-seen resolutions from DNS lookups, we can approximate possible human working times from commonalities in infrastructure acquisition and operationalization. Both events can be largely automated, and consequently the timing of either can be unreliable, but together they may offer some valuable insights, particularly with regard to potential prevalence in targeted regions.
We observed a common distribution of both domain acquisition and potential operationalization across times. Operationalization in this context is essentially the distinction between registering the domains and associated infrastructure and then making use of them in some operational way; in this case, to deliver malware via spoofed application download pages. The majority of both are seen to occur during normal Chinese working hours. Notably, the volume of first-seen resolutions of those domains also falls during normal Chinese working hours.
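The comparison described above can be reproduced as a small analysis script. The following is an added example, not the report's own tooling: it buckets WHOIS create times and first-seen passive DNS resolutions by local hour at an assumed UTC+8 offset, scores the share inside an assumed 09:00-18:00 window, and contrasts that with a competing time zone; the domains and timestamps are constructed sample data.

```python
"""Approximate an operator's working hours from infrastructure timestamps.

Added example, not the report's own tooling: the report compares domain
registration (create) times with first-seen passive DNS resolutions and finds
both clustering in Chinese working hours. Here both event streams are bucketed
by local hour at an assumed UTC offset (+8 for China Standard Time, which has no
DST) and scored by the share falling inside an assumed 09:00-18:00 window.
The records are constructed sample data, not domains from the report.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Sequence, Tuple

CHINA_OFFSET_HOURS = 8         # CST, UTC+8
WORK_START, WORK_END = 9, 18   # assumed local working window [09:00, 18:00)

# Constructed records: (domain, WHOIS create time, first pDNS resolution), UTC.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("dl-update-a[.]top", "2025-06-02T02:15:00Z", "2025-06-02T03:40:00Z"),
    ("dl-update-b[.]top", "2025-06-02T06:05:00Z", "2025-06-03T01:20:00Z"),
    ("dl-update-c[.]top", "2025-06-03T07:30:00Z", "2025-06-03T08:10:00Z"),
    ("dl-update-d[.]top", "2025-06-03T18:45:00Z", "2025-06-03T19:05:00Z"),  # 02:45 CST
    ("dl-update-e[.]top", "2025-06-04T01:00:00Z", "2025-06-05T09:30:00Z"),
    ("dl-update-f[.]top", "2025-06-04T04:20:00Z", "2025-06-04T05:00:00Z"),
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ending in Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_hour(ts: str, offset_hours: int = CHINA_OFFSET_HOURS) -> int:
    """Hour of day (0-23) in the candidate operator time zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return parse_utc(ts).astimezone(tz).hour


def hour_histogram(timestamps: Sequence[str], offset_hours: int = CHINA_OFFSET_HOURS) -> Counter:
    """Events per local hour: the report's per-hour charts as data."""
    return Counter(local_hour(ts, offset_hours) for ts in timestamps)


def working_hours_share(timestamps: Sequence[str], offset_hours: int = CHINA_OFFSET_HOURS) -> float:
    """Fraction of events inside the assumed working window."""
    hours = [local_hour(ts, offset_hours) for ts in timestamps]
    inside = sum(1 for h in hours if WORK_START <= h < WORK_END)
    return inside / len(hours) if hours else 0.0


def operationalization_lag_hours(events: Sequence[Tuple[str, str, str]]) -> List[float]:
    """Hours between registration and first resolution per domain, the gap the
    report calls operationalization."""
    return [(parse_utc(seen) - parse_utc(created)).total_seconds() / 3600
            for _, created, seen in events]


def summarize(events: Sequence[Tuple[str, str, str]], offset_hours: int = CHINA_OFFSET_HOURS) -> Dict:
    """Working-hour shares and histograms for both event streams plus median lag."""
    created = [c for _, c, _ in events]
    seen = [s for _, _, s in events]
    lags = sorted(operationalization_lag_hours(events))
    return {
        "create_working_share": working_hours_share(created, offset_hours),
        "first_seen_working_share": working_hours_share(seen, offset_hours),
        "create_hist": hour_histogram(created, offset_hours),
        "first_seen_hist": hour_histogram(seen, offset_hours),
        "median_lag_hours": lags[len(lags) // 2] if lags else 0.0,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    print(f"registrations in CST working hours:     {s['create_working_share']:.0%}")
    print(f"first resolutions in CST working hours: {s['first_seen_working_share']:.0%}")
    # A competing hypothesis should fit worse; here the same events scored in UTC.
    utc = summarize(SAMPLE_EVENTS, offset_hours=0)
    print(f"registrations in UTC working hours:     {utc['create_working_share']:.0%}")
    print(f"median registration-to-resolution lag:  {s['median_lag_hours']:.1f} h")
```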
Changes In Operations
The actor has implemented several changes in their operational tactics. This includes the addition of rudimentary anti-automation and browser emulation code, designed to hinder site scanners from effectively retrieving website content. Furthermore, there has been a reduction in the use of site tracker services such as Baidu, Gtag, and Facebook. The actor has also increased the number of servers used to spread domain resolution more widely, and adopted more discreet registration details to obscure uniquely identifiable information.
Conclusion
The "SilverFox" actor continues to demonstrate a high degree of persistence and scale in their malware delivery operations, primarily targeting Chinese-speaking individuals and entities globally with Windows-specific malware. Their campaign, ongoing since at least June 2023, leverages over 2,800 created domains, with 266 remaining active since December 2024, highlighting their sustained infrastructure and reliability improvements. The consistent operational timing across all hours, with high influxes during Chinese working hours, in addition to other factors suggests a combination of automated and likely human-driven approaches to their activities.
While the actor's ultimate motivations remain somewhat uncertain, their tactics strongly suggest financially motivated and opportunistic objectives. We suspect their primary goals include credential and financial theft, and potentially access brokering. Furthermore, the observed targeting of individuals engaged in sales and marketing, particularly those outside China but involved in business prospects within the region and possessing Chinese language skills, points to a potential secondary motivation to exploit specific professional networks for further gains.
Modern browsers like Chrome and Edge provide a critical, multi-layered defense against malware from fake download sites. They use integrated security systems—Google Safe Browsing and Microsoft Defender SmartScreen—to proactively block malicious websites before they can be accessed. At the point of download, these browsers analyze files for risk by checking their reputation and digital signatures, and provide clear, direct warnings to prevent users from accidentally running dangerous software.
While current detection rates of SilverFox payloads show limitations, it's crucial to recognize that browser security is a constantly evolving battleground. Browser developers are continually refining their defenses, integrating more advanced AI and machine learning models to identify and block novel threats in real-time. This ongoing technological advancement, however, highlights a fundamental truth: the most sophisticated digital warnings are ultimately supplementary to an aware user.
To counter the persistent threat posed by SilverFox, organizations and individuals should prioritize the following security measures:
Elevate User Awareness: Conduct phishing simulations and training, and emphasize secure software acquisition from official sources.
Strengthen Email and Web Gateway Security: Implement ATP, integrate threat intelligence feeds for URL filtering and domain reputation, and employ DNS filtering.
Enhance Endpoint Security and Response: Deploy NGAV/EDR across Windows endpoints and ensure automated patch management.
Implement Network Monitoring and Segmentation: Analyze network traffic for indicators of compromise and segment networks to limit lateral movement.
Prioritize Identity and Access Management: Enforce Multi-Factor Authentication (MFA) for all user accounts.
Where Everybody Knows Your Name: Observing Malice-Complicit Nameservers
🎵 Sometimes you wanna go Where everybody knows your name And they're always glad you came 🎵 ~Theme from Cheers
Everyone should have a place to go where they’re comfortable, can pull up a comfy infrastructure barstool, and just kick back and enjoy life.
Everyone except malicious actors.
At DomainTools Investigations we take a special interest in the comfort and caretaking of bad actors, wherever it may occur. Whether it’s a den of aspiring hackers stretching their wings, domain registrar business decisions welcoming in Russian disinformation peddlers, or even mapping out ransomware actor musical chairs, you could say we pay keen attention to the care and feeding of predatory ecosystems.
So it’s no surprise that we’re looking at DNS all the time, day, night and otherwise. Even during leap seconds.
Nameservers and Detecting Threats
They say “to reach people, meet them where they’re at” and in our corporate mission to reach more and more bad actors we’ve taken this to heart. By intensely monitoring nameservers where criminals feel comfortable, we’re able to understand the ebb and flow of whole campaigns as well as opportunistic one-offs as domains circulate between registrars, hosts, and transient infrastructure.
DDoS-Guard enablement of criminal activity, terrorism, and espionage is not exactly a secret.
Analyzing only a month’s worth of nameserver activity for DDoS-Guard provides an important glimpse into their current corner of the internet. Activity from 2025-05-13 through 2025-06-11 shows thousands of activities, from transfers in and out of the service (illuminating other sources and destinations) to domain creation and deletion. Analyzing this also allows better understanding of where DDoS-Guard sits in the nexus of services used for malicious interests, pointing at large spaces for possible future research.
In isolating domains transferred in and out of DDoS-Guard nameservers, we observed 269 domains transferred in from other services, 408 domains transferred out from DDoS-Guard to other services, 677 new domains created, and 199 domains deleted.
For the purposes of this post, we can sort observed domains into three separate buckets, in order of proportion seen: temporary gambling/betting domains, cryptocurrency-targeting domains, and indeterminate/other. The temporary domains were obvious thanks to repetitive, incremented numbers across many alike names as well as their short lifespans on the service: most were new, in non-English languages like Indonesian and Turkish, and deleted within two weeks of creation. A smaller subset was transferred out, mostly to my-ndns[.]com and cloudflare.
Registrar[.]eu appears in the “transfer out” section as an outlier due to a single cluster of 72 domains either targeting or spamming for the Russian gambling website Pokerdom. All examples include landing pages in Russian simulating Pokerdom terms of service or login paths, and all used the .top TLD. Historical data shows this cluster was spun up on DDoS-Guard one year earlier and transferred out to Registrar[.]eu instead of being renewed.
Observing nameservers, as noted, also allowed us to see where DDoS-Guard lies in relation to bad actors constantly shopping their domains from service to service to try and avoid detection or blocklisting. Several notable examples came up in research.
Bioservamerica[.]com sounds like a perfectly reasonable domain from afar. However, seeing it become newly active after three years of dormancy and then bouncing between DDoS-Guard and Cloudflare caused us to take a closer look. In fact, bioservamerica[.]com is the domain for an Indonesian gambling website utilizing the age of the domain to evade some risk metrics.
Bioservamerica[.]com screenshot as of 2016-06-09, showing the website of a contracted biotechnology manufacturing company.
Bioservamerica[.]com screen shot as of 2025-06-13 showing the front page of togel138, an Indonesian betting, slot, and lottery site.
An investigative rabbit hole deepened the more we dug. Bioservamerica[.]com redirected to capecodrestaurantweek[.]com; sharing that redirect was restaurantweekcapecod[.]com. A pivot on the registrant for the latter led to a dozen chef- or restaurant-themed websites that appear to serve as redirects for a massive network either supporting black-market gambling sites or attempting to phish those users. Passive DNS revealed suspiciously rapid and ongoing DNS changes suggestive of fast flux or a similar technique for capecodrestaurantweek[.]com. All told, this network appeared to be acquiring aged domains and utilizing sophisticated obfuscation and redirection techniques and is due for further research.
Another elementary finding while observing DDoS-Guard nameservers involves a campaign targeting holders of Vanilla gift cards, a Visa product. DDoS-Guard users are fans of “com” domains: apex domains that begin with “com”, so that targeted subdomains deceive victims about the actual site. In practice, the domain comtrackmycom[.]com uses subdomains like “www.vanillagift,” so the user sees www.vanillagift[.]comtrackmycom[.]com. In many situations, our perception blocks out everything after the first “com”, so the URL seems legitimate. This domain spun up on DDoS-Guard on 2025-06-02 and, while blocklisted, still appears to be active.
Digital Assets
A popular target for DDoS-Guard users is players of the popular first-person shooter game CounterStrike: GO. CounterStrike has a long history of strangeness around its weapon skin system, which allows users to apply custom decorative designs to their in-game weapons rated by the rarity in which they emerge from game loot boxes (“cases”). Game company Valve halted the entire system in 2019 for a redesign after discovering nearly all transactions were involved in money laundering. DDoS-Guard nameservers reveal a number of candidates for investigation:
Csmoney[.]to, created on DDoS-Guard on 2025-05-28 is likely impersonating the trading marketplace cs[.]money for phishing purposes.
The domain hellcase[.]com appears to be a legitimate site surrounding case-opening and exclusive skins. However, on DDoS-Guard we see at least one actor deeply comfortable with the service, spinning up over a dozen new domains targeting CS:GO and Hellcase users, as well as transferring domains in and out. Despite being less than a month old at the time of writing, the below domains all show as having already been added to third-party blocklists:
Highlighting the traffic flows in and out of DDoS-Guard nameservers, we can observe hlcases-events[.]com transferred out to Cloudflare, and cs2-hellcas[.]com transferred in from 1reg[.]buzz. The actor(s) targeting CS:GO and Hellcase users seemed mostly comfortable with DDoS-Guard during the month of observation, but this kind of activity raises a question for further research about fingerprinting risk by measuring nameserver transitions.
Cryptocurrency
Video game weapon skins aren’t the only digital asset being targeted from Russia. DDoS-Guard nameserver activity provided a wealth of information on scams and phishing targeting cryptocurrency users. In one month, domains were observed aimed at the following protocols and platforms: Atomic, Bluefish, Brex, Coinbase, Cortex, DefiSaver, Dragonswap, Felix, Hybridge, Hyperion, Hyperlend, Hyperswap, Ledger, Mercury, MetaMask, Nexus, Odos, SoSoValue, Trezor, Tron, UsualMoney, and YieldNest.
Pivots on those domains provided insight into additional apex-level domains or subdomains targeting DEXscreenr, MyEtherWallet, Phantom, Phala, Rabby, Rainbow, Rarible, Safepal, Sui, Trust, Uniswap, and more.
That’s quite the list for one month’s worth of watching, it feels like.
Patterns emerged in several cases of domains created on DDoS-Guard and either deleted within days or transferred out to another set of nameservers within a week.
Let’s discuss some example findings.
YieldNest[.]finance is a restaking token aiming to increase earnings through advancing liquidity in the Ethereum ecosystem. Yet someone’s also looking to restake a claim:
| Domain | Date Created | Date Deleted | Registrar |
|---|---|---|---|
| yicldnest[.]finance | 2025-05-30 | 2025-06-06 | OwnRegistrar |
| yielclnest[.]finance | 2025-06-03 | 2025-06-06 | OwnRegistrar |
| yieldnesf[.]finance | 2025-05-27 | 2025-06-01 | OwnRegistrar |
| yieldrest[.]financial | 2025-06-04 | 2025-06-06 | OwnRegistrar |
| yjeldnest[.]finance | 2025-06-03 | 2025-06-06 | OwnRegistrar |
Despite all of these domains being up for less than a week, they all showed a connection to infrastructure, passive DNS indicated resolutions in the wild, and they all substantially diverged from YieldNest’s primary domain profile. IP address, MX record, and tracker pivots on these five domains surfaced several more targeting YieldNest, as well as domains targeting Coinbase, the Oasis protocol, payment processor Coinwall, PLANET token, and more. While PDR and Reg[.]ru were observed, behavior indicated an overwhelming preference for DDoS-Guard, as well as a strong preference for the use of Cloudflare and Namecheap. Many of these domains show abnormal daily changes to either MX or NS records during their period of activity.
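Two lookalike patterns appear in this post: a brand placed in the subdomain of an unrelated apex (www.vanillagift[.]comtrackmycom[.]com) and single-edit or homoglyph typosquats of a protected apex (the YieldNest table above). The classifier below is an added example, not DomainTools tooling; its brand allowlist, its tiny public-suffix table and its homoglyph substitutions are assumptions standing in for a real allowlist and the Public Suffix List.

```python
"""Flag lookalike hostnames of the two kinds seen in the post.

Added example, not DomainTools tooling. It covers (1) brand names hidden in the
subdomain of an unrelated registrable domain, such as
www.vanillagift[.]comtrackmycom[.]com, and (2) one-edit or homoglyph typosquats
of a protected apex, such as yicldnest[.]finance or yielclnest[.]finance against
yieldnest[.]finance. The protected-brand list, the small public-suffix table and
the homoglyph table are assumptions, not data from the post.
"""
from typing import Dict, List, Optional, Set, Tuple

# Brands and their legitimate registrable domains (assumed allowlist).
PROTECTED: Dict[str, Set[str]] = {
    "vanillagift": {"vanillagift.com"},
    "yieldnest": {"yieldnest.finance"},
    "hellcase": {"hellcase.com"},
}

# Minimal stand-in for the Public Suffix List; real tooling would use the PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "to", "xyz", "top", "finance", "financial", "co.uk"}

# Character sequences attackers swap for visually similar ones (cl -> d, etc.).
HOMOGLYPH_EDITS = {"cl": "d", "rn": "m", "vv": "w", "j": "i", "1": "l", "0": "o"}


def defang(hostname: str) -> str:
    """Normalise defanged notation like example[.]com to example.com."""
    return hostname.lower().strip().replace("[.]", ".").rstrip(".")


def registrable_domain(hostname: str) -> Tuple[List[str], str]:
    """Split into (subdomain labels, registrable domain) using the suffix table."""
    labels = defang(hostname).split(".")
    for n in (2, 1):  # try two-label suffixes (co.uk) before one-label ones
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[:-(n + 1)], ".".join(labels[-(n + 1):])
    return labels[:-2], ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unglyph(label: str) -> str:
    """Collapse common homoglyph sequences so 'yielclnest' compares as 'yieldnest'."""
    for seq, rep in HOMOGLYPH_EDITS.items():
        label = label.replace(seq, rep)
    return label


def classify(hostname: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand) for one hostname."""
    subs, reg = registrable_domain(hostname)
    reg_label = reg.split(".")[0]
    for brand, legit in PROTECTED.items():
        if reg in legit:
            return "legitimate", brand
        # (1) Brand appears in a subdomain label while the apex is not the brand's.
        if any(brand in s for s in subs):
            return "brand-in-subdomain", brand
        # (2) Apex label is a near miss of the brand (typo or homoglyph swap).
        if reg_label != brand and (
            edit_distance(reg_label, brand) <= 1
            or edit_distance(unglyph(reg_label), brand) <= 1
        ):
            return "typosquat", brand
    return "unknown", None


def scan(hostnames: List[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Classify a batch of observed hostnames."""
    return {h: classify(h) for h in hostnames}


if __name__ == "__main__":
    observed = ["www.vanillagift[.]comtrackmycom[.]com", "yicldnest[.]finance",
                "yielclnest[.]finance", "yieldrest[.]financial", "yieldnest.finance"]
    for host, (verdict, brand) in scan(observed).items():
        print(f"{host:40} {verdict:20} {brand or '-'}")
```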
While more research is necessary over a longer term to validate it, monitoring problematic nameservers shows promise as a traffic supernode to establish behavior patterns that can support more complex and targeted observation and detection of malicious actors.
Another great example is several domains targeting the Ledger wallet and app. En-ledger[.]to was created on DDoS-Guard services on 2025-05-27 and provided an excellent IP address pivot to 70+ domains almost exclusively targeting cryptocurrency wallets like Atomic, MetaMask, MyEtherWallet, Trezor, and Trust (among others). Most are currently blocklisted with an astronomically high average third-party risk score.
Common infrastructure characteristics across the cluster:
| Domain infra datapoint | Common/outliers of datapoint in cluster | Most popular (in order) |
|---|---|---|
| NS domain | 1/4 | DDoS-Guard |
| Server type | 5/1 | Nginx, sffe, DDoS-Guard, Cloudflare |
| SSL Issuer Common Name | 5/3 | R10, R11 |
Another popular target in this brief glimpse into DDoS-Guard was cross-chain swap Hybridge. Cross-chain bridges and swaps allow users to exchange tokens from one chain with tokens from a different chain, and in practice they hold a sizable amount of cryptocurrency in hot storage for this purpose, making them a juicy prize.
App-hybridge[.]finance was created on DDoS-Guard on 2025-05-09, transferred to registrar[.]eu nameservers on 2025-05-30, and back to DDoS-Guard on 2025-05-31. A screenshot from urlscan[.]io of the landing page on 2025-05-26 shows an emulated login page.
It should be noted that no results either in the documentation of Hybridge nor on their social media indicate a domain of anything other than hybridge[.]xyz, so both hybridge[.]finance and app-hybridge[.]finance appear to be malicious; both connected to DDoS-Guard, with hybridge[.]finance transferring out to regery[.]net on 2025-05-27 and app-hybridge[.]finance transferring out and back in as noted above.
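The behaviours this post picks out of the nameserver feed, creation followed by deletion within a week, transfer out within a week, a bounce out to another provider and back, and MX records that change between daily snapshots, can be encoded as indicators over an NS/MX history. The script below is an added example and not the tooling behind the post; its records are constructed sample snapshots, not real observations.

```python
"""Surface short-lived and nameserver-hopping domains from an NS history feed.

Added example, not the tooling behind the post: it encodes the behaviours the
post calls out while watching DDoS-Guard nameservers, domains created and
deleted within a week, transferred out within a week, bounced out to another
provider and back (as app-hybridge[.]finance did), and MX records that change
between daily snapshots. The records below are constructed sample data in a
simple (domain, date, record_type, value) shape, not real observations.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Tuple

WATCHED_NS = "ddos-guard.net"  # the nameserver operator under observation
SHORT_LIFE_DAYS = 7            # the post's "within a week" threshold

# Constructed daily snapshots. record_type is "ns" or "mx"; value is the
# provider or host seen that day; an "ns" value of None means the domain no
# longer resolves (deleted).
SAMPLE_RECORDS: List[Tuple[str, str, str, Optional[str]]] = [
    ("typo-yield[.]finance", "2025-05-30", "ns", "ddos-guard.net"),
    ("typo-yield[.]finance", "2025-06-06", "ns", None),
    ("app-bridge-x[.]finance", "2025-05-09", "ns", "ddos-guard.net"),
    ("app-bridge-x[.]finance", "2025-05-30", "ns", "registrar.eu"),
    ("app-bridge-x[.]finance", "2025-05-31", "ns", "ddos-guard.net"),
    ("cs-skins-x[.]com", "2025-06-01", "ns", "ddos-guard.net"),
    ("cs-skins-x[.]com", "2025-06-05", "ns", "cloudflare.com"),
    ("wallet-x[.]to", "2025-05-27", "ns", "ddos-guard.net"),
    ("wallet-x[.]to", "2025-05-27", "mx", "mx1.mail-a.test"),
    ("wallet-x[.]to", "2025-05-28", "mx", "mx2.mail-b.test"),
    ("wallet-x[.]to", "2025-05-29", "mx", "mx3.mail-c.test"),
    ("stable-shop[.]com", "2025-05-13", "ns", "ddos-guard.net"),
    ("stable-shop[.]com", "2025-06-11", "ns", "ddos-guard.net"),
]

Timeline = Dict[str, List[Tuple[date, Optional[str]]]]


def timelines(records) -> Dict[str, Timeline]:
    """Group records per domain into date-ordered ns and mx timelines."""
    out: Dict[str, Timeline] = defaultdict(lambda: {"ns": [], "mx": []})
    for domain, d, kind, value in sorted(records, key=lambda r: (r[0], r[1])):
        out[domain][kind].append((date.fromisoformat(d), value))
    return out


def ns_transitions(ns_timeline) -> List[Tuple[date, Optional[str], Optional[str]]]:
    """(date, from_provider, to_provider) for every change of NS provider."""
    return [(d, prev, cur)
            for (_, prev), (d, cur) in zip(ns_timeline, ns_timeline[1:]) if cur != prev]


def assess(tl: Timeline, watched: str = WATCHED_NS, short: int = SHORT_LIFE_DAYS) -> List[str]:
    """Names of the indicators that fire for one domain born on the watched NS."""
    flags: List[str] = []
    ns = tl["ns"]
    if not ns or ns[0][1] != watched:
        return flags  # only domains first seen on the watched nameservers
    first_seen = ns[0][0]
    moves = ns_transitions(ns)
    for d, src, dst in moves:
        age = (d - first_seen).days
        if dst is None and age <= short:
            flags.append("deleted_within_week")
        elif src == watched and dst is not None and age <= short:
            flags.append("transferred_out_within_week")
    destinations = [dst for _, _, dst in moves]
    if watched in destinations and any(p not in (None, watched) for p in destinations):
        flags.append("bounced_out_and_back")
    mx = tl["mx"]
    mx_changes = sum(1 for (_, a), (_, b) in zip(mx, mx[1:]) if a != b)
    if mx_changes >= 2:  # a different MX target on each of three snapshots
        flags.append("mx_churn")
    return flags


def report(records) -> Dict[str, List[str]]:
    """Domain -> indicator list, for every domain in the feed."""
    return {dom: assess(tl) for dom, tl in timelines(records).items()}


if __name__ == "__main__":
    for dom, flags in report(SAMPLE_RECORDS).items():
        print(f"{dom:28} {', '.join(flags) or 'no indicators'}")
```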
Conclusion
Above we’ve discussed the results of observing nameservers for Russian bulletproof host DDoS-Guard for a single month, 2025-05-13 through 2025-06-11. Results showed a vast array of threats, but the most active targeted the cryptocurrency sphere in very specific ways, especially through emulating wallets, exchanges, and cross-chain swaps.
There is more work to do and more bad actors, like DDoS-Guard, that provide a haven for criminal activity. Utilizing DNS and domain intelligence, as well as nameserver surveillance over an extended period of time, gives us a feel for the traffic flows of domain services, watching likely or proven malicious domains spin up, get deleted, and transfer in and out.
Digital assets, cryptocurrency, and other decentralized finance services should ensure that they monitor not just new or newly active domains and subdomains but also identify those service providers that give comfort to scammers, phishers, and others. This allows those services a much more clear day-to-day understanding of the prolific and varied threat environment they face, informing both the ways they protect their infrastructure and how they can educate users to protect themselves.
Cryptocurrency and decentralized finance users can protect themselves by staying informed of the threats the sector faces and staying current on the news, as well as engaging with protective DNS solutions and other blocklists that not only use third-party data but allow the user to input domains, services, and other characteristics into their blocklist. The simple act of blocking any domain with ddos-guard[.]net nameservers may serve to cut dozens or hundreds of direct threats per month.
More research along these lines is forthcoming from DomainTools Investigations.
A Profile of Iran’s Covert Cyber Strike Unit and Its Psychological Warfare Extension
Executive Summary
Intelligence Group 13, embedded within the Shahid Kaveh Cyber Group, represents one of the most operationally aggressive and ideologically fortified units within the Islamic Revolutionary Guard Corps (IRGC) cyber arsenal. Positioned at the confluence of tactical cyber-espionage, industrial sabotage, and psychological warfare, the group is uniquely equipped to respond to geopolitical escalations, particularly in light of the recent U.S. airstrikes targeting Iranian nuclear facilities, which have significantly heightened the risk of asymmetric retaliation.
As Iran faces intensified pressure and public calls for reprisal, it is assessed that it is increasingly likely that IRGC cyber divisions will be leveraged for retaliatory digital operations. Intelligence Group 13, already known for its history of intrusions into critical infrastructure, including U.S. water systems and Israeli control networks, now finds itself in a strategic posture to deliver retributive action through cyberspace. Whether through direct disruption, pre-positioned malware activation, or narrative defacement and psychological intimidation, the group's capabilities make it a prime tool for hybrid response, combining deniable technical aggression with symbolic messaging designed to project defiance and psychological impact.
Functioning under the umbrella of the IRGC’s broader cyber command, which includes the Electronic Warfare and Cyber Defense Organization (EWCD), the Intelligence Organization (IO), and Quds Force forces like Unit 300, Intelligence Group 13 is not an isolated cell but part of a highly coordinated ecosystem. Its online presence is reinforced by propaganda fronts such as CyberAveng3rs, a media arm that issues threats, amplifies operational claims, and disseminates defacement content through platforms like Telegram and Instagram. Together, these assets form a multi-domain influence architecture that allows Iran to execute cyber retaliation while shaping the narrative battlefield.
This report maps the hierarchy of Intelligence Group 13 within the IRGC, profiles its leadership, outlines its tradecraft and ideological underpinnings, and assesses the increased likelihood of its deployment in near-term retaliatory cyber operations.
Intelligence Team (Group) 13 تیم اطلاعاتی ۱۳
The group, (pronounced: Team-e Ettela'ati-ye Sizdah), takes its name from Mohammad Kaveh, an IRGC commander who was martyred during the Iran-Iraq War in 1986 at the age of 25. He led elite IRGC operations in Kurdistan and Western Iran and was viewed as a revolutionary model for sacrifice, bravery, and obedience. In keeping with the IRGC’s broader ideological tradition, the title “Shahid” (شهید), meaning martyr, is commonly affixed to the names of operational units, serving both as an homage to fallen commanders and a deliberate invocation of religious-nationalist symbolism. This naming convention reinforces the ideological continuity between the IRGC’s early revolutionary battles and its modern digital warfare initiatives. By invoking martyrdom, such units portray their operations not merely as tactical missions but as sacred continuations of a historical and spiritual struggle. The Shahid Kaveh Group draws directly from this legacy to infuse its cyber operations with ideological legitimacy and emotional resonance. The archived site kaveh313[.]lxb[.]ir hosted tributes, biographical stories, and hagiographic imagery that inform the spiritual framework for the group’s name and mission, blending religious devotion, revolutionary ethos, and digital militarism into a unified operational identity.
http://kaveh313[.]lxb[.]ir/
IRGC Cyber Command Hierarchy
The Islamic Revolutionary Guard Corps (IRGC) oversees a complex and multi-tiered cyber command architecture designed to fulfill distinct yet interconnected missions across domestic security, intelligence collection, and global offensive operations. This structure is deliberately compartmentalized, allowing the IRGC to conduct covert campaigns while maintaining plausible deniability through the use of proxy units, contractors, and front companies. At the core of this system is the Shahid Kaveh Group, an elite offensive cyber unit that operates with both ideological fervor and technical precision. Intelligence Group 13, its most active tactical team, is fully embedded within this command, drawing operational directives from a triad of IRGC oversight bodies:
The Electronic Warfare and Cyber Defense Organization (EWCD), which coordinates cyber defense and internal sabotage capabilities,
The Intelligence Organization (IO), responsible for domestic surveillance and strategic targeting intelligence, and
The Quds Force (QF), which projects IRGC influence and cyber aggression abroad, particularly through specialized units like Unit 300 and Unit 600.
Together, these divisions provide the Shahid Kaveh Group, and by extension Intelligence Group 13, with the operational cover, intelligence feeds, and strategic alignment necessary to wage hybrid cyber warfare across physical and psychological domains.
Command Structure – Known Figures
The leadership behind Intelligence Group 13 reflects a blend of strategic IRGC command, operational direction, and industrial integration. At the top sits Hamidreza Lashgarian, a senior IRGC cyber official with confirmed affiliations to both the Electronic Warfare and Cyber Defense Organization (EWCD) and Quds Force Unit 300. Lashgarian is widely regarded as the supervisory figure behind the Shahid Kaveh Group, providing overarching guidance on both ideological framing and operational tempo. Beneath him, Reza Salarvand serves as the direct commander of Intelligence Group 13, identified in dissident leaks as the group’s tactical leader and field-level coordinator. Salarvand’s role includes managing target selection, overseeing cyber intrusion campaigns, and aligning Team 13’s actions with IRGC strategic objectives. Supporting these military units is Mohammad Bagher Shirinkar, a key figure embedded in EWCD-linked contractor firms. Shirinkar plays a critical role in bridging the IRGC’s internal operations with its broader technical ecosystem, facilitating tool development, subcontractor oversight, and deniable operational capabilities through civilian-facing fronts.
IRGC High-Level Hierarchy
Placement of Intelligence Group 13 Within IRGC Cyber Org
Intelligence Group 13 functions as the operational spearhead of the Shahid Kaveh Group, a hybrid entity positioned at the intersection of the IRGC’s cyber warfare and Quds Force portfolios. This structural alignment gives Team 13 a unique dual mandate: to execute precision cyber intrusions with military-grade sophistication while simultaneously engaging in psychological and ideological warfare. As a tactical APT (Advanced Persistent Threat) cell, the unit specializes in cyber reconnaissance, disruptive sabotage of critical infrastructure, and the deployment of malware designed to pre-position effects across adversarial networks. Its proximity to both IRGC Electronic Warfare and Cyber Defense (EWCD) and external-facing Quds Force units enables Intelligence Group 13 to operate with both deep access and strategic reach, making it a central instrument of Iran’s asymmetric cyber doctrine.
Internal Chain of Command
Technical Mission and Tactics
The strategic mandate of Intelligence Group 13 centers on disrupting critical infrastructure and shaping adversarial perceptions through covert digital operations. The unit has demonstrated a specific focus on targeting industrial control systems (ICS), including Unitronics PLCs, Israeli electrical grids, U.S. water treatment facilities, and fuel distribution systems, all selected for their high-impact potential and symbolic value. Their campaigns often involve pre-positioning malware, embedding implants within target environments well in advance of activation to enable dormant or timed sabotage. Complementing these efforts is an aggressive intelligence collection posture, relying on phishing, credential theft, and OSINT harvesting to support intrusion planning and post-access operations. Crucially, Team 13 integrates psychological warfare into its strategy, disseminating screenshots, leaks, and taunting messages through propaganda arms like CyberAveng3rs to generate fear, confusion, and reputational damage in tandem with technical effects.
Disinformation & Propaganda: The Role of CyberAveng3rs Patriotic Hacker Wing
CyberAveng3rs serves as the psychological warfare and influence operations extension of Intelligence Group 13, functioning not as an independent actor but as a deliberately constructed propaganda arm embedded within Iran’s cyber doctrine. Rather than remaining in the shadows like traditional APTs, Team 13 leverages CyberAveng3rs to publicize and amplify the psychological impact of its technical operations, turning covert intrusions into open spectacles of defiance. Through Telegram channels, Instagram accounts, and diaspora-linked echo networks, CyberAveng3rs publishes defacement screenshots, malware control panel captures, and operational taunts directed at Western and Israeli infrastructure targets. These narratives are often laced with religious-nationalist motifs, martyr quotes, and anti-Zionist rhetoric, reinforcing the IRGC’s ideological messaging. CyberAveng3rs is not merely reactive; it issues pre-attack warnings, brags post-operation, and threatens future campaigns, making it a key instrument for intimidation, distraction, and symbolic escalation. By fusing information operations with hacking campaigns, it enhances the IRGC’s ability to wage cognitive warfare alongside technical compromise.
Claimed the Aliquippa water system attack (PA, USA)
Leaked Unitronics control panel screenshots
Issued threats of “Operation IV” aimed at Israeli cybersecurity units
Branded style includes martyr quotes, Islamic slogans, and ICS interfaces
Contractor and Front Company Ecosystem
The IRGC’s cyber operations rely heavily on a dense and evolving ecosystem of affiliated companies, some covertly managed through military intermediaries, others openly registered as “cyber defense,” “AI research,” or “IT solutions” firms. This web serves multiple strategic purposes. First, it allows the IRGC to outsource technical labor and scale operations without overexposing its formal personnel. Second, it provides plausible deniability, as these front firms can operate under civilian-facing banners while conducting state-directed offensive cyber activities. Third, it enables a rotating model of corporate obfuscation, where companies like Emen Net Pasargad are dissolved or sanctioned only to reappear under new names like Ayandeh Sazan Sepehr Aria, often with overlapping staff and clients. These firms are frequently staffed by IRGC veterans or relatives of high-ranking cyber officials, further blurring the lines between state, contractor, and covert operator.
This model closely parallels revelations from the i-SOON (安洵) data leak, which exposed how China’s Ministry of Public Security (MPS) and provincial security bureaus have long contracted out cyber operations to nominally private firms. Like the IRGC’s cyber complex, Chinese firms such as i-SOON and Chengdu 404 maintain the veneer of legitimate enterprise while developing spyware, managing fake persona farms, and carrying out state-sponsored intrusions. In both Iran and China, this hybrid public-private structure allows state entities to mask state cyber activity behind corporate fronts, maintain flexibility, and engage in offensive campaigns without bearing the full diplomatic cost.
Moreover, just as Iran’s firms like Cyberban Institute and Kavosh Center double as ideological and technical platforms, Chinese contractors often support both domestic surveillance and global espionage, engaging in infrastructure targeting, data exfiltration, and information control under the guise of national innovation. This convergence of state-backed ideology, cyber warfare, and privatized labor reveals a shared authoritarian blueprint: One in which cyber capabilities are cultivated through semi-privatized ecosystems designed to insulate command structures while enabling scalable, deniable aggression in the global digital theater.
The IRGC’s cyber capabilities rely not solely on military or intelligence personnel but on an expansive and deliberately obscured ecosystem of contracting companies, technical institutes, and shell entities that function as both operational extensions and recruitment/talent pipelines. These firms play a crucial role in sustaining the IRGC’s cyber warfare doctrine, developing malware, testing exploits, maintaining infrastructure, and providing a legal or commercial façade for offensive operations.
What makes these companies particularly effective, and elusive, is the way they straddle the boundary between legitimacy and subversion. Many of them present as cybersecurity vendors, AI startups, or educational technology labs, marketing themselves to civilian, academic, and even international clients. Behind the scenes, however, they serve as contractors for the IRGC’s Electronic Warfare and Cyber Defense Organization (EWCD), Intelligence Organization (IO), and Quds Force, executing tasks that range from infrastructure reconnaissance and SIGINT analysis to psychological warfare and influence ops.
This system is both resilient and adaptive. Companies are frequently rebranded, dissolved, or split into subsidiaries following public exposure or sanctions. For instance, Net Peygard Samavat, once exposed for its involvement in Iranian state cyber operations, later became Emen Net Pasargad, which itself was reconstituted as Ayandeh Sazan Sepehr Aria. Despite their changing names and corporate registrations, these entities retain the same personnel, mission scope, and government sponsors, effectively outlasting sanction regimes and Western takedown efforts.
Moreover, the personnel who operate these firms often rotate between IRGC intelligence positions, academic research roles, and private-sector leadership, creating a feedback loop where state doctrine, technical innovation, and civilian infrastructure become interwoven. This also creates a recruitment channel: Young developers and engineers are often brought into these companies under the banner of patriotic service or career opportunity, then quietly integrated into national-level cyber missions.
In effect, these firms function as force multipliers for Iran’s cyber program. They provide scalability, deniability, and a legal buffer between the Iranian state and its digital aggression. As international scrutiny tightens, the IRGC is likely to continue leaning on these corporate proxies to advance technical capability while avoiding direct attribution, mirroring similar models seen in China (e.g., i-SOON) and Russia (e.g., contractors like NTC Vulkan).
Below is a detailed examination of these key companies and their connections.
Core Contractor Entities and Their Functions
Emen Net Pasargad (ایمننت پاسارگاد) – Once a flagship contractor for disinformation and foreign interference (e.g., impersonating the Proud Boys during the 2020 U.S. election). Dissolved in 2023. Sanctions Source
Ayandeh Sazan Sepehr Aria (آریا سپهر سازان آینده) – A successor to Emen Net, continuing operations in information operations and malware development. Founded by Mohammad Bagher Shirinkar. Recorded Future
Mahak Rayan Afraz (محک رایان افراز) – Specialized in AI and surveillance tooling, including:
DSPRI (موسسه سنجش داده پیشرفته) – Linked to IRGC Quds Force Unit 300, DSPRI handles signal interception and encrypted traffic decryption, including battlefield deployments in Syria, Lebanon, and Iraq. Recorded Future, p. 14
Sabrin Kish (شرکت صابرین کیش) – Developed sniffers and ICS tools sold to IRGC clients; also engaged in foreign contracts (e.g., deal with Iraq’s NSA head Faleh al-Fayyadh). Maintains financial and corporate overlap with IRGC Cooperative Foundation. Wikipedia
Soroush Saman Co. (شرکت توسعه الکترونیکی و مخابراتی سروش سامان) – Supplied surveillance and tracking systems to Hezbollah, and built AI-based phone surveillance for Unit 300. [IntelliTimes coverage via Lab Dookhtegan]
Afkar Systems (افکار سیستم) – Tied to Nemesis Kitten APT, allegedly led by Ahmad Khatibi Aghda. Operated through Center 2060 and Cyber Base 2000, both under EWCD’s umbrella. CISA Advisory
Parnian Telecommunication (شرکت الکترونیکی و مخابراتی پرنیان) – Facilitates cyber workforce recruitment for IRGC and MRA-linked projects. Job ads call for infosec and penetration testing expertise. Recorded Future, p. 19
Kavosh Center (مرکز کاوش) – Offensive R&D hub tied to the Shahid Kaveh Group. Led by IRGC affiliate “Shayan” (Malek Mohammadi Nejad). Possibly involved in TTP development and APT tool testing. Recorded Future
Cyberban Institute (موسسه سایبربان) – Run by Mehdi Lashgarian, nephew of IRGC cyber leader Hamidreza Lashgarian. This front publishes ideological content, disinfo narratives, and tech analysis favorable to IRGC doctrine. Recorded Future, p. 22
Observations on Structure and Strategy
The structure and behavior of IRGC-affiliated cyber firms reveal a deliberate and adaptive operational model. Many of these companies engage in strategic rebranding, dissolving or renaming themselves after being sanctioned or exposed: Net Peygard reemerged as Emen Net, which later became Ayandeh Sazan, while Dehkadeh Telecom transitioned into Mahak Rayan Afraz, with a new identity likely forthcoming. These transitions help avoid regulatory scrutiny while maintaining operational continuity. Furthermore, interlocking leadership is a hallmark of the ecosystem: Figures such as Mohammad Bagher Shirinkar, Hamidreza Lashgarian, and Esmail Rahimi appear across multiple entities, indicating a centralized and tightly coordinated management structure. The ecosystem also supports technology transfer abroad, with tools and capabilities exported to IRGC-aligned actors in Iraq, Syria, and Lebanon, particularly via Quds Force Unit 300. Notably, these firms are often the technical and logistical backends for known APT groups. For example, Afkar Systems underpins Nemesis Kitten, Mahak Rayan Afraz has links to Tortoiseshell (TA456), and clusters tied to the Shahid Kaveh Group appear to support Pioneer Kitten operations.
Operational Forecast and Strategic Implications
Intelligence Group 13 functions as the operational core of the IRGC’s cyber disruption strategy, a convergence point where technical sabotage, psychological warfare, and revolutionary ideology are seamlessly integrated. Operating under the umbrella of the Shahid Kaveh Group, Team 13 is not an independent or freelance actor but a disciplined tactical cell embedded in a broader, multi-layered command system overseen by IRGC EWCD, IO, and Quds Force divisions. Its mission is augmented through propaganda arms such as CyberAveng3rs, which act not only as amplifiers of defacement and intrusion campaigns but also as strategic influence assets projecting IRGC narratives into public and geopolitical consciousness.
The group’s tradecraft spans traditional APT techniques, such as credential harvesting, critical infrastructure penetration (e.g., Unitronics PLCs, fuel pump logic, and water treatment systems), and covert malware deployment (e.g., IOControl, Project Binder). Yet what sets Team 13 apart is its parallel investment in symbolic messaging, issuing threats via Telegram, leaking screenshots via Instagram handles like @mr.sul.ir, and invoking martyrdom and Islamic resistance to create a psychological echo chamber around each technical act.
This entire operation is scaffolded by a front company and contractor ecosystem designed to provide deniability, talent, infrastructure, and logistical support. These include Afkar Systems (linked to Nemesis Kitten), Mahak Rayan Afraz (associated with TA456), and Kavosh Center (supporting Pioneer Kitten), among others. These firms are part of a strategy of institutional layering and rebranding, allowing the IRGC to rotate through corporate identities while sustaining long-term capabilities. Rebranding paths such as Net Peygard → Emen Net → Ayandeh Sazan show how the IRGC evades sanctions without losing operational momentum.
Key Takeaways:
Intelligence Group 13 is a deeply embedded extension of the IRGC’s strategic cyber doctrine, not an isolated threat actor.
Psychological operations are prioritized on par with malware deployment, reflecting a dual mission of technical and perceptual warfare.
The martyrdom framework (e.g., naming conventions like “Shahid Kaveh”) plays a pivotal role in unifying cyber actions with ideological legitimacy.
The use of contractor ecosystems and front companies provides flexibility, plausible deniability, and continuity across sanctions and takedowns.
Risk Assessment:
Future campaigns by Intelligence Group 13 and its affiliates are likely to blend cyber-kinetic threats with narrative manipulation, targeting not just critical infrastructure but public perception and institutional trust. This includes:
Threatening or disrupting civilian infrastructure in the U.S., Israel, and Gulf States
Deploying psychological campaigns through channels like CyberAveng3rs, timed with physical intrusions
Leveraging rebranded contractors to deliver tooling and intelligence capabilities both domestically and to proxy forces abroad (e.g., Hezbollah, PMF in Iraq)
Defending against this threat requires not only technical hardening but cognitive resilience, recognizing that the IRGC’s cyber ambitions are as much about controlling the story as they are about breaching the network.