Shanghai IT firm suspected of internal document leak, involved in surveillance of public institutions, universities and telcos in H.K., Taiwan and U.K.


22nd February 2024 – (Shanghai) Shanghai’s I-Soon Information Co., is currently under intense scrutiny following an unexpected release of internal documents online. These documents allegedly illustrate that the company has been providing intelligence gathering services to various central government agencies in China, including departments in mainland China’s state security sector, and have targeted entities in Hong Kong, Taiwan, and the United Kingdom amongst others.

The leaked cache, which surfaced over the weekend on the software development platform GitHub, comprises an extensive array of the company’s confidential data. Included within this trove are sales presentations, contracts, quotations, surveillance targets, sales leads, payroll sheets for employees, and even private conversations from the messaging app WeChat. The documents intimate that I-Soon has offered spyware and tools to Chinese security, public safety, and military institutions, enabling them to extract sensitive information from targeted subjects. Such information includes hard drive contents, satellite positions, contact lists, media files, emails, and phone numbers.

According to the documents, I-Soon’s developed espionage software has previously infiltrated or assaulted various institutions, including the Indian Defence Ministry, NATO, and the UK’s National Crime Agency, to purloin sensitive legal information. In Hong Kong, the Examination Authority, Food and Environmental Hygiene Department, the Chinese University, and the Confederation of Trade Unions have been among those targeted.

American media, citing two employees from I-Soon, report that the company, in conjunction with Chinese Public Security, is investigating the breach. Despite the ongoing inquiry, a company meeting on Wednesday suggested that the leak would not significantly disrupt operations, and business would continue as usual.

The revelation of these documents has caused a stir given their detailed exposition of the Chinese authorities’ methods for surveilling dissidents abroad, hacking into networks in various regions, and managing pro-Beijing narratives on social media. The tools provided by I-Soon have been reportedly used by Chinese state operatives to uncover the identities of social media users on platforms outside China, breach email security, and mask the online undertakings of overseas agents. Additionally, the leak includes descriptions of devices masquerading as everyday items that can compromise Wi-Fi networks.

The dump’s origin remains unidentified, and China’s Foreign Ministry has yet to respond to requests for comment.

The leaked documents have been labelled by cyber security experts as one of the most significant breaches linked to a company suspected of providing cyber espionage and intrusion services to the Chinese security apparatus. The materials suggest that I-Soon’s client base spans across governmental, telecommunication, and online gambling sectors within and beyond China.

Prior to the leak, I-Soon’s website listed an impressive array of clientele, including the Ministry of Public Security and several provincial and municipal public security departments. The site also boasted advanced persistent threat (APT) capabilities, a term in the cybersecurity industry used to describe the most sophisticated hacking groups.

I-Soon, established in Shanghai in 2010, has multiple subsidiaries spread across China, with the Chengdu branch focusing on hacking, research, and development. Despite the website going offline and the company’s refusal to comment, day-to-day operations at the Chengdu subsidiary seemed unaffected, with employees maintaining their regular routines.