In 2022, an anonymous seller using the handle “ChinaDan” posted an extraordinary offer on Breach Forums: roughly 23 terabytes of data allegedly stolen from the Shanghai National Police, available to anyone willing to pay 10 bitcoin. Reporters at the New York Times contacted individuals whose personal records appeared in sample files and confirmed their identities, lending real weight to the claim. Beijing has never publicly acknowledged the breach. Now, nearly three years later, the case has taken on new significance as U.S. federal prosecutors have laid bare a hacking ecosystem in which contractors tied to the People’s Republic of China blur the line between government espionage and personal profit, often demanding cryptocurrency as the price of silence.
The Shanghai database and the demand for bitcoin
The sheer scale of the alleged Shanghai trove made it one of the largest known data exposures linked to a government agency anywhere in the world. The seller claimed the dataset contained names, addresses, phone numbers, national ID numbers, and criminal case records covering a vast number of Chinese citizens. While the Times was able to verify sample records through direct outreach, no government body or independent forensic authority has confirmed the size or completeness of the full archive. The gap between “these sample records are real” and “this is a complete police database” remains significant.
What made the offer especially striking was its bluntness. The asking price of 10 bitcoin, worth roughly $200,000 at the time, signaled a straightforward commercial transaction rather than a politically motivated leak. No hacktivist manifesto accompanied the post. No whistleblower justification was offered. The data was simply for sale to the highest bidder, a model that cybersecurity researchers say has become increasingly common among actors operating in or around China’s state-linked hacking apparatus.
U.S. indictments expose a dual-purpose hacking machine
The profit motive visible in the Shanghai case is not an outlier. In March 2025, the U.S. Department of Justice charged Chinese nationals with ties to the PRC government and the threat group known as APT27 in a hacking campaign targeting U.S. companies, institutions, and municipalities. Court filings described intrusions designed to steal sensitive business information and personal data, followed by deliberate efforts to monetize that access. The defendants, prosecutors alleged, were not just spies. They were entrepreneurs.
A separate DOJ action the same month targeted 12 Chinese contract hackers and law enforcement officers connected to global intrusion campaigns. The charging documents named the private firm i-Soon, also known as Anxun Information Technology, as a key node in a contractor network allegedly used by PRC security services to outsource hacking operations. Prosecutors described an arrangement in which i-Soon employees carried out state-directed tasks while simultaneously pursuing freelance schemes for personal enrichment. Seized internal communications, referenced in court filings, showed employees discussing how to sell stolen data and exploit compromised systems beyond their official assignments.
The picture that emerges from these cases is not a monolithic cyber army under centralized command. It is closer to a marketplace: state agencies issue contracts, private firms compete for the work, and individual hackers pocket what they can on the side. That structure makes attribution difficult and accountability rare.
The Treasury breach and the reach of PRC-linked actors
The threat extends well beyond stolen police records. In December 2024, the U.S. Treasury Department disclosed to lawmakers that Chinese hackers had remotely accessed employee workstations and unclassified documents by exploiting a vulnerability in software provided by the vendor BeyondTrust, according to the Associated Press. Treasury called it a “major cybersecurity incident.” The breach demonstrated that even heavily fortified federal networks remain vulnerable to intrusion campaigns originating from PRC-linked actors.
The specific group behind the Treasury intrusion has not been definitively tied to the same networks involved in the Shanghai database sale or the APT27 campaigns. Attribution in cyber operations is notoriously difficult, often resting on overlapping infrastructure or malware signatures that can be copied or deliberately spoofed. Still, the incident reinforced a pattern that U.S. officials have been warning about with increasing urgency: PRC-affiliated hackers are probing government and private-sector targets across multiple countries, and their motivations range from strategic intelligence collection to outright theft.
What remains unknown
For all the detail in the DOJ indictments, major gaps persist. No one has publicly identified the person or group behind the Shanghai database post. No direct link between “ChinaDan” and any indicted defendant has appeared in court filings or credible reporting. The sellers could be insiders repurposing data originally collected for state use, independent criminals who found an unsecured server, or something else entirely. As of May 2026, there is no public record of whether anyone paid the 10-bitcoin asking price, how the data may have been redistributed, or whether it has been used for identity theft, targeted scams, or surveillance.
China’s silence compounds the uncertainty. No Chinese government agency has disclosed how many people were affected, what categories of information were compromised, or whether any internal investigation took place. Without that transparency, individuals whose records appeared in the dataset have no clear path to protection or recourse. China’s Personal Information Protection Law, enacted in 2021, theoretically gives citizens data rights, but enforcement against a breach allegedly involving the police themselves would be without precedent.
The financial motivations documented in U.S. indictments are also more nuanced than a simple extortion model. Some operations described in court filings appear primarily focused on intellectual property theft and strategic intelligence, with monetization emerging as an opportunistic side channel rather than the main objective. In other cases, the profit motive is front and center. Treating every PRC-attributed intrusion as part of a single coordinated campaign risks overstating the coherence of what may be a fragmented and opportunistic ecosystem.
How to weigh the evidence
Readers following this story should distinguish between three tiers of evidence. The strongest consists of U.S. federal court documents: sworn allegations backed by seizure warrants, named defendants, and described methods. The DOJ indictments are not anonymous forum posts; they are formal charges that carry legal consequences and reflect months or years of investigation.
The second tier is direct journalistic verification, such as the Times reporters who confirmed sample records by contacting real people. That work strongly suggests the sample data was genuine, but it does not validate the full dataset’s scope or origin.
The third tier includes official government disclosures like Treasury’s acknowledgment of its breach: confirmed and serious, but accompanied by limited technical detail due to ongoing investigations and national security concerns.
What ties these threads together is not a single mastermind or a unified campaign. It is a structural reality: China’s state-linked hacking ecosystem has grown large enough and decentralized enough that stolen data circulates among government agencies, contractors, and criminal actors with overlapping but distinct agendas. The Shanghai database sale, the i-Soon indictments, and the Treasury breach each illuminate a different corner of that ecosystem. Until more attribution findings become public, the responsible approach is to take the documented facts seriously while resisting the temptation to connect every dot into a single, tidy narrative.
This article was researched with the help of AI, with human editors creating the final content.