What are some of the known China-linked hacking groups (e.g., APT41, APT10, Hafnium), and what are they accused of?

China is widely considered one of the most prolific sources of state-sponsored cyberattacks globally.
Numerous Advanced Persistent Threat (APT) groups are believed to operate under the direction or influence of the Chinese government, primarily for cyber espionage, intellectual property theft, and strategic disruption.
Here are some of the most well-known China-linked hacking groups and the accusations against them:
1. APT41 (Aliases: Barium, Winnti, Wicked Panda, Wicked Spider, Blackfly, Grayfly, Double Dragon, Suckfly, Silk Typhoon)
- Accusations: APT41 is unique in that it's accused of conducting both state-sponsored espionage and financially motivated cybercrime, potentially operating outside direct state control for the latter.
- Espionage: Stealing intellectual property, trade secrets, and sensitive information from a wide range of industries including high-tech, media, healthcare, manufacturing, defense, logistics, hospitality, finance, education, telecommunications, and government sectors. They have targeted organizations in the US, Taiwan, India, Thailand, China, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, and the UK.
- Financial Gain: Engaging in schemes like ransomware and "crypto-jacking" (unauthorized use of victim computers to mine cryptocurrency). They have also been accused of hacking video game companies to generate and sell in-game digital items for profit.
- Exploitation of Vulnerabilities: Known for aggressively exploiting newly disclosed vulnerabilities (like ProxyLogon) and using tools such as Cobalt Strike.
- Legal Action: In September 2020, the U.S. Department of Justice indicted five Chinese nationals and two Malaysian nationals connected to APT41 for various computer-related crimes against over 100 companies globally.
2. APT10 (Aliases: Menupass Team, Stone Panda, Red Apollo, Cicada, CVNX, HOGFISH, Cloud Hopper)
- Accusations: Primarily known for extensive cyber espionage campaigns targeting managed service providers (MSPs). By compromising MSPs, APT10 gained access to the networks of their clients, allowing them to steal vast amounts of intellectual property and confidential business and technological information from numerous global companies and government agencies.
- Targeted Industries: Aviation, space and satellite technology, manufacturing, pharmaceutical, oil and gas, telecommunications, consumer electronics, and computer processor technology.
- Government Targets: They also compromised data from U.S. government agencies, including the Department of the Navy, reportedly stealing personally identifiable information of over 100,000 Navy personnel.
- Legal Action: In December 2018, the U.S. Department of Justice indicted two Chinese nationals, Zhu Hua and Zhang Shilong, alleged members of the APT10 group, for their involvement in these global intrusion campaigns.
3. Hafnium (Aliases: Silk Typhoon, UNC5221)
- Accusations: Hafnium gained significant notoriety for its widespread exploitation of zero-day vulnerabilities in Microsoft Exchange Server in early 2021.
- Global Compromise: This campaign impacted tens of thousands of organizations worldwide, including government agencies, businesses, and universities.
- Espionage and Data Theft: They are accused of using these vulnerabilities to steal sensitive information, access email accounts, and establish persistent access to compromised networks.
- COVID-19 Research: Hafnium is also accused of targeting U.S.-based universities, immunologists, and virologists conducting research into COVID-19 vaccines, treatment, and testing, at the direction of the Chinese government.
- Legal Action: In July 2025, the U.S. Department of Justice unsealed an indictment against Xu Zewei and Zhang Yu, Chinese nationals allegedly connected to Hafnium, for conducting cyber intrusions related to COVID-19 research theft and the Microsoft Exchange Server exploitation. Xu Zewei was arrested in Milan, Italy.
Other Notable China-Linked Groups and Their Accusations:
- APT1 (Comment Crew / PLA Unit 61398): One of the earliest and most infamous Chinese APT groups, exposed in a 2013 Mandiant report. Accused of extensive cyber espionage against over 100 organizations, primarily in the U.S., focusing on intellectual property theft across diverse sectors.
- APT27 (Emissary Panda, Iron Tiger): Known for targeting governments, aerospace, manufacturing, and defense sectors, often exploiting remote access vulnerabilities.
- Volt Typhoon (also known as "Volcano"): This group has been particularly highlighted by Western intelligence agencies for its focus on pre-positioning in critical infrastructure networks (e.g., communications, energy, water) in the U.S. and potentially other countries. The concern is that this pre-positioning could enable disruptive or destructive cyberattacks in the event of a geopolitical crisis, particularly one concerning Taiwan. They are accused of maintaining long-term, covert access to networks, often blending in with legitimate network traffic ("living off the land").
- UNC3886: Recently identified as a sophisticated China-linked cyber espionage group, particularly highlighted by Singapore in July 2025. They are accused of targeting critical infrastructure by hacking routers and security devices, often using zero-day exploits. Their primary focus appears to be the defense, technology, and telecommunications sectors in the US and Asia, aiming for long-term persistence and evasion of detection.
- Salt Typhoon: Named by Microsoft, this group has been active since at least 2020 and is accused of breaching U.S. internet service provider networks and wiretap systems, including those of Lumen Technologies, Verizon, and AT&T.
It's important to note that attributing cyberattacks is complex, and many of these group names are assigned by cybersecurity researchers based on observed tactics, techniques, and procedures (TTPs), as well as overlaps in infrastructure. The Chinese government consistently denies any involvement in state-sponsored hacking.