In a revelation from SpyCloud Labs, two confidential Chinese datasets—known as the VenusTech Data Leak and the Salt Typhoon Data Leak—surfaced for sale on DarkForums in late May. Though the leaks are smaller than high-profile breaches like TopSec and iSoon, their implications for China’s hack-for-hire ecosystem are profound.
“These two recent posts on DarkForums appear to contain nonpublic data sourced from tech companies within China’s robust hack-for-hire industry,” SpyCloud researchers wrote.
VenusTech, a publicly traded Chinese cybersecurity vendor known for working closely with government agencies, found itself at the center of the first leak. A DarkForums user named IronTooth posted a message offering access to stolen internal files:
“Selling sourced leaked documents dump of Chinese tech company. Includes papers, products sold to government, accesses, clients and more random shit…”

Among the leaked materials were spreadsheets documenting offensive cyber operations, including alleged targets across South Korea, Hong Kong, Taiwan, India, Croatia, and Thailand.
One spreadsheet entry even claimed:
“VenusTech has access to the Korean National Assembly’s email server and is contracted to deliver four updates of data per month… for 65,000 yuan (~$9,000 USD).”
This leak offers some of the most direct evidence yet of commercial offensive cyber services tied to Chinese government entities, and suggests an organized pricing model for digital espionage services.
The second leak centers on Salt Typhoon, a Chinese state-sponsored advanced persistent threat (APT) group previously linked to attacks on major U.S. telecommunications providers.
A new DarkForums user, “ChinaBob,” advertised leaked data including:
- Personal information (names, ID numbers, phone numbers) of Salt Typhoon employees
- Configuration files of 242 hacked routers, including login credentials
- Financial transactions revealing links between Salt Typhoon front companies and Chinese military units
One especially revealing document featured contracts between Beijing Huanyu Tiangiong and Tongfang Co., a high-tech defense contractor owned by the China National Nuclear Corporation.
“The first transaction in this sample lists PLA Unit 61419 as the buyer… affiliated with the ‘Tick’ threat activity group.”
This transaction data indicates a structured and monetized relationship between APT groups and Chinese military clients, with services sold for specific intelligence goals.
SpyCloud emphasizes that while these leaks are smaller in scope, they confirm a growing issue:
“China’s state-sanctioned data collection and intelligence apparatus is leaky… a vast ecosystem of corrupt insiders siphoning data and selling it on the black market.”
The incident also reflects a growing presence of Sinosphere cybercriminals in Western forums, with some actors cross-posting stolen data or repackaging leaks for resale across linguistic communities.
The VenusTech and Salt Typhoon leaks mark a continuation of China’s hybrid model of public-private cyber collaboration, where state interests blur into commercial threat services.
While U.S. authorities have previously sanctioned Sichuan Juxinhe Network Technology, the SpyCloud report identifies two additional front companies—Beijing Huanyu Tiangiong and Sichuan Zhixin Ruijie—possibly tied to Salt Typhoon operations.