Two major Chinese datasets appeared for sale on DarkForums, a well-known English-language data breach marketplace that has gained popularity after BreachForums shut down in April, in late May.
The datasets, now known as the VenusTech Data Leak and the Salt Typhoon Data Leak, originated from newly created accounts seemingly set up solely for these sales.
Both posts claimed access to sensitive content from major players in China’s hack-for-hire ecosystem, offering a revealing glimpse into the state-sponsored cyber operations that underpin a substantial segment of the country’s cybersecurity industry.
VenusTech Data Leak Details
VenusTech, a leading Chinese IT security vendor traded on the Shenzhen Stock Exchange, is already recognized for its government ties and previous connections to the hack-for-hire sector.
The leak, posted by the user “IronTooth,” comprised 16 images, largely screenshots of confidential spreadsheets, contracts, and internal documents.
Notably, several spreadsheets outlined details suggesting VenusTech’s involvement in offensive cyber services for the Chinese government, including listings of presumed intelligence targets and contract terms for the exfiltration and delivery of sensitive information.
One spreadsheet referenced a supposed contract to supply monthly updates from the Korean National Assembly’s email server, at a price of 65,000 yuan.
Other documents appeared to identify Chinese government agencies as VenusTech clients, offering further evidence of the company’s operational scope in state-affiliated cyber activity, with targets stretching across Hong Kong, India, Taiwan, South Korea, Croatia, and Thailand.
Salt Typhoon Data Leak Exposes
The Salt Typhoon leak, posted by “ChinaBob,” focused on a Chinese advanced persistent threat (APT) group linked to the Ministry of State Security (MSS).
Salt Typhoon had previously been associated with high-profile intrusions against US telecommunications infrastructure.
The leaked dataset included employee personal information, financial data, router configurations from compromised networks, as well as internal communications.
Verification efforts indicated that the provided employee identifiers matched known breached datasets, lending credibility to the leak.
The leak also included detailed information on 242 allegedly hacked routers and demonstrated overlap between identified usernames and known Chinese ISPs.
Financial transaction records within the leak mapped the relationships between threat actors and established Chinese cybersecurity vendors, such as Qi’anxin and VenusTech, as well as direct service provision to government and military entities, including the People’s Liberation Army.
Notably, two companies newly identified as part of Salt Typhoon’s structure Beijing Huanyu Tiangiong Information Technology Company and Sichuan Zhixin Ruijie Network Technology Company were highlighted alongside an already-sanctioned entity, Sichuan Juxinhe Network Technology.
Public business records linked individuals from the employee list directly to these companies, solidifying the evidence base for their involvement in state-sponsored cyber operations.
Although neither dataset matches the scale of previous leaks such as those from iSoon or TopSec, the detailed samples illuminate key operational aspects and organizational structures within China’s offensive cybersecurity contractor industry.
The incidents underscore a persistent fragility in China’s state-directed data protection, with endemic insider threats leading to an ongoing leakage of sensitive information.
The appearance of such data on English-language forums also exemplifies the increased presence of Chinese cybercriminal actors in Western digital spaces, driven by both profit motives and the growing sophistication of cross-border cybercrime.
Collectively, these leaks not only reveal specific operational details of Chinese hack-for-hire groups but also point to evolving dynamics in the global cyber threat landscape, as state-sponsored and criminal actors increasingly intermingle across international cybercrime communities.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
