
CyberAGroup's recent analysis of sample data from the PRC contractor Knownsec has revealed new details about China's state-sponsored offensive cyber operations and has rekindled some of my interests from my former life. It has prompted me to look at what now appears to be a new phenomenon: the public leaking of data from inside China's offensive cyber programs.
Although the Knownsec leak is the most recent, it is only the latest in a short series of breaches involving contractors working for the Chinese state, a pattern that has no real precedent.
In May 2025, a user calling themselves "ChinaBob" offered data for sale on the dark web, advertising "first-hand data from hacking companies working for the central government." The firms in question reportedly operated as contractors supporting Salt Typhoon, a threat actor linked to Chinese state intelligence (the group is also tracked under names such as Earth Estries and GhostEmperor; it is a separate actor from APT27/Emissary Panda, with which it is sometimes confused). The breach included documents from VenusTech, a major IT security vendor serving government clients, state-owned enterprises, and military entities. Salt Typhoon is regarded as one of the most damaging and far-reaching espionage campaigns ever publicly confirmed, and it specifically targeted the Canadian telecommunications sector along with other high-value Canadian targets.
In February 2024, a large trove of internal documents from the Chinese cybersecurity firm i-Soon, also known as Anxun Information Technology, was leaked and anonymously uploaded to GitHub, where the files were publicly accessible for a brief period. The leaked material provided deep insight into i-Soon's cyber espionage work for Chinese state agencies. Notably, it included internal chats in which employees complained about pay and working conditions, prompting speculation that the source was a disgruntled insider.
As often happens online, details of the Knownsec and i-Soon incidents are now being conflated: many articles about the Knownsec leak repeat information that actually comes from the i-Soon breach. For an accurate account of the latest leak, see CyberAGroup's Knownsec report.
It has long been understood that the PRC draws on a multifaceted network of state, criminal, private-sector and academic partners to expand its offensive cyber operations, but the recent wave of leaks has materially changed the intelligence picture. Defenders now have actionable insight into how these contractors operate, and the leaks themselves expose a systemic weakness in China's privatized hacking infrastructure: the more of this work is outsourced to commercial firms with ordinary staff, ordinary grievances and ordinary data-handling practices, the more exposed it becomes.