December 7, 2023

A post from Hainan Xiandun stood out. The ad, which appeared on a Sichuan University computer science staff committee in 2018, boasted that Xiandun had “received a significant number of government secrecy-related deals.”

Based in Hainan’s capital, Haikou, the company paid monthly salaries of $ 1,200 to $ 3,000 – solid middle-class wages for Chinese technicians fresh out of college – with bonuses of up to $ 15,000. Xiandun’s ads included an email address used by other companies searching for cybersecurity experts and linguists, suggesting they were part of a network.

Chinese hacker groups “are increasingly sharing malware, exploits and coordinating their efforts,” write the operators of “Intrusion Truth” in an email. The operators have not disclosed their identity as they cite the sensitivity of their work.

Xiandun’s registered address was Hainan University Library. His phone number matched that of a computer science professor and veteran of the People’s Liberation Army who ran a website that offered payments to students with novel ideas for cracking passwords. The professor was not charged.

Other records and phone numbers led the blog authors to an email address and frequent flyer account belonging to Ding Xiaoyang, one of the company’s managers.

The indictment alleged that Mr. Ding was a state security officer who ran the Hainan Xiandun hackers. It contained details the blog couldn’t find, such as an award Mr. Ding received from the Ministry of State Security for young leaders in the organization.

Mr. Ding and others named in the indictment could not be reached.

Although currently understandable, China’s state security apparatus could learn to hide its footprints better, said Matthew Brazil, a former China specialist with the Department of Commerce’s Office of Export Enforcement who co-wrote a study on Chinese espionage.

“The capabilities of the Chinese services are uneven,” he said. “Your game is getting better and in five or ten years it will be a different story.”

Nicole Perlroth contributed the reporting.