Chinese Cyber Mercenaries Sentenced in Singapore: $3 Million Cryptocurrency Operation Uncovered with PlugX Malware and Government Data

Breached Company

14 Nov 2025 — 24 min read

SINGAPORE — In a significant cybercrime prosecution, three Chinese nationals have been sentenced to more than 28 months in prison after Singapore police uncovered a sophisticated hacking-for-hire operation based in a luxury Mount Sinai bungalow. The September 9, 2024 raids revealed remote access trojans (RATs) linked to state-sponsored malware, including PlugX and Shadow Brokers tools, along with confidential data from multiple foreign governments.

The case exposes the shadowy world of cyber mercenaries—skilled hackers hired by criminal enterprises to conduct targeted intrusions for profit. Unlike traditional state-sponsored cyber espionage, this operation demonstrates how independent actors weaponize nation-state-grade malware for commercial gain, blurring the lines between cybercrime and cyber warfare.

Yan Peijian (39), Huang Qin Zheng (36), and Liu Yuqi (33) were paid US$3 million in cryptocurrency to hack gambling websites, infiltrate a Chinese SMS service provider, and conduct cyber reconnaissance that inadvertently captured sensitive government communications from Australia, Argentina, Vietnam, and Kazakhstan.

On November 5, 2025, Singapore's courts handed down sentences of 28 months and one week for Yan and Huang, and 28 months and four weeks for Liu—a clear signal that Singapore will not tolerate being used as a base for international cybercrime operations.

Context: China's Expanding Cyber Threat Landscape

While this Singapore case involves criminal cyber mercenaries rather than direct state-sponsored operations, it exists within the broader ecosystem of Chinese cyber threats that have dominated the global cybersecurity landscape.

Unlike the state-sponsored campaigns Breached has extensively documented—including Volt Typhoon's targeting of U.S. critical infrastructure, Salt Typhoon's infiltration of telecommunications networks, and Silk Typhoon's IT supply chain attacks—this operation was financially motivated, hired by a criminal enterprise.

However, the discovery of PlugX malware (signature tool of Chinese APT groups like Mustang Panda, APT41, and APT22) and Shadow Brokers exploits demonstrates the dangerous proliferation of state-grade cyber weapons into criminal hands. This blurring of lines between state-sponsored espionage and profit-driven cybercrime represents a critical evolution in the threat landscape.

As Breached documented in The Silent Revolution: How China's Ministry of State Security Became the World's Most Formidable Cyber Power, China's cyber operations span a spectrum from direct intelligence agency control to loosely affiliated criminal actors—this Singapore case falls into the latter category, but uses tools from the former.

For comprehensive analysis of China's state-sponsored cyber campaigns, see: China's Cyber Campaigns: A Deep Dive into Salt & Volt Typhoon and Other Threat Actors.

The Operation: How Singapore Became a Hub for Chinese Cyber Mercenaries

The Recruitment and Deception

The story begins in 2022, during China's economic downturn amid COVID-19 restrictions. Three men with technical skills but limited job prospects—Yan Peijian (an IT professional who previously ran a web design business), Liu Yuqi (self-taught web designer), and Huang Qin Zheng—knew each other and shared connections with a 38-year-old Ni-Vanuatu citizen named Xu Liangbiao.

Xu made them an offer: come to Singapore to work for him. What seemed like legitimate overseas employment would become a sophisticated criminal operation.

The fraudulent entry scheme:

Xu arranged for false work permit applications through companies the trio had never heard of
Yan was listed as a sales representative
Huang and Liu were registered as construction workers
The men entered Singapore believing their documentation was legitimate, trusting Xu to handle administrative requirements

Upon arrival in September 2022, they were taken to the premises of their supposed employers and briefed on cover stories they could use if questioned about their employment. They never actually worked at these companies.

The Waiting Period: Nine Months of Inactivity

Between September 2022 and May 2023, the trio lived in Singapore accommodation at Xu's expense, doing no actual work. They returned to China for Chinese New Year 2023, then came back to Singapore in May 2023.

Only then did Xu reveal the real purpose of their presence in Singapore: hacking for hire.

The Mount Sinai Bungalow: A Criminal Headquarters

Xu tasked his subordinate Chen Yiren with setting up operational infrastructure:

Logistics of the operation:

Rented a bungalow in the upscale Mount Sinai area
Rental payments of S$33,000 in cash (approximately US$24,000)
Moonlighting foreign workers hired as cooks and cleaners to maintain the household
Day-to-day expense money: Xu provided approximately S$52,000 to Yan (seized during arrest)
Monthly salary payments of about S$2,000 per person from early 2024 to maintain the false employment front

The bungalow became the operational hub for what prosecutors would describe as an organized crime group conducting cyber espionage from Singapore soil.

The Targets: Gambling Sites, SMS Hijacking, and Accidental Government Espionage

Primary Objective: Gambling Website Exploitation

Xu's initial interest was obtaining unfair advantages on gambling websites and operating his own gambling sites. His strategy required:

Personal data from existing users of gambling sites to advertise his own platforms
System vulnerabilities that could be exploited for financial gain
User databases containing names, emails, phone numbers, IP addresses, and credentials

Secondary Objective: Two-Factor Authentication Hijacking

Xu later developed an interest in hijacking two-factor authentication systems by gaining illicit access to SMS service companies. His target: Yi Mei, a Chinese SMS service provider serving two major gambling site operators.

By compromising Yi Mei's systems, Xu could potentially:

Intercept authentication codes sent to users
Bypass security measures on gambling and financial platforms
Gain unauthorized access to user accounts
Steal funds or manipulate gambling outcomes

The Operational Methodology

Xu tasked the trio with a sophisticated cyber reconnaissance and exploitation campaign:

Phase 1: Reconnaissance

Gather information on domain and sub-domain names associated with target organizations
Use open-source tools to scan for vulnerabilities
Categorize vulnerabilities by severity, ease of exploitation, and usefulness

Phase 2: Exploitation

Deploy exploits for direct data extraction
Install remote access trojans (RATs) for persistent access
Download compromised data including user information and credentials

Phase 3: Advanced Tactics

Source zero-day vulnerabilities from other hackers
Obtain malware from underground forums
Consult with independent hacker Sun Jiao (also operating in Singapore)
Commission custom web-based software for centralized operations management

Division of Labor: Specialized Hacking Roles

The trio divided responsibilities based on technical expertise:

Yan Peijian: Linux-based systems
Huang Qin Zheng: Web systems and applications
Liu Yuqi: Windows systems

This specialization allowed them to efficiently target a wide range of platforms and operating systems.

Unintended Consequences: Foreign Government Data

While the hackers claimed they attempted to avoid targeting government websites, the evidence told a different story:

Government data discovered:

On Yan's laptop:

Messages discussing vulnerable domains including:
- Five Australian government domains
- Argentine government domains
- Vietnamese government domains

On Liu's laptop:

Confidential email correspondence between officers of Kazakhstan's Ministry of Foreign Affairs and Ministry of Industry and Infrastructure Development

On Huang's computer:

Document containing names, addresses, phone numbers, and billing information from a Philippine regional power company

The trio's explanation: they tried to refrain from targeting government sites "to avoid attracting undue attention," but clearly their reconnaissance activities swept up government infrastructure in the process.

Geographical targeting principles:

Avoided Singaporean websites because they felt it "not right" to target their host country
Had no objections to targeting overseas websites or illegal gambling sites
Attempted to avoid government sites but captured government data nonetheless

This demonstrates the inherent difficulty in conducting targeted cyber operations—reconnaissance activities inevitably encounter collateral systems and data.

The Malware Arsenal: PlugX, Shadow Brokers, and State-Grade Tools

What Police Discovered

The September 9, 2024 raids on the Mount Sinai bungalow and other locations revealed a sophisticated malware toolkit that would typically be associated with state-sponsored advanced persistent threat (APT) groups rather than freelance cybercriminals.

Seized evidence included:

Malware-related files:

Source codes for remote access trojans (RATs)
Open-source RATs: Metasploit, Spark, and Silver
IP addresses with credentials linked to servers containing PlugX malware
Various hacking tools and exploitation frameworks

Hardware:

Multiple laptops containing operational data
Phones with encrypted communications
Storage devices with stolen data

Financial evidence:

Cash seized from Yan: Approximately S$52,000
Evidence of cryptocurrency transactions totaling US$3 million

PlugX: The Signature of Chinese APT Groups

The discovery of PlugX malware on the hackers' devices is perhaps the most significant technical finding, as it connects this criminal operation to the broader ecosystem of Chinese state-sponsored cyber espionage.

What is PlugX?

PlugX is a sophisticated remote access trojan (RAT) that has been in use since 2008 and is primarily associated with Chinese advanced persistent threat (APT) groups. It's not malware that amateur hackers typically encounter or use—it's a professional-grade espionage tool.

PlugX capabilities:

Remote system control: Execute arbitrary commands on compromised systems
Data exfiltration: Upload and download files
Surveillance: Capture screenshots and keystrokes
Persistence: Maintain long-term access to compromised networks
Reconnaissance: Retrieve system information and enumerate network resources
Process management: Manage system processes and services

Chinese APT Groups Using PlugX

PlugX is the signature malware of numerous Chinese state-sponsored hacking groups:

Primary users:

Mustang Panda (also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus)
APT22 (also known as Stone Panda)
APT26 (also known as Turla)
APT41 (also known as Barium, Winnti)
Naikon APT (also known as Lotus Panda)

Recent PlugX Campaigns (2024-2025)

The presence of PlugX on the Singapore hackers' devices connects them to an active global campaign:

October 2025: Asian telecom and ASEAN networks targeted with PlugX variants

September 2025: UNC6384 (linked to Mustang Panda) exploited CVE-2025-9491 targeting European diplomats, delivering PlugX RAT via spear-phishing

July 2023-December 2024: RedDelta threat actor targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia with customized PlugX

February 2025: Unusual attack deploying PlugX alongside RA World ransomware targeting Southeast Asian governments

How Did Criminal Hackers Obtain PlugX?

The trio's possession of PlugX raises critical questions:

Possible acquisition methods:

Underground forums: State-sponsored malware occasionally leaks to cybercrime forums
Hacker-to-hacker sharing: Connection with other hackers (like Sun Jiao) who had access
State-sponsored connections: Possible indirect links to Chinese intelligence services
Leaked tools: Previous breaches of Chinese APT infrastructure

The prosecutors noted that "while PlugX, which is associated with state-sponsored hacker groups, was found on their devices, the trio disclaimed knowledge of or association with such groups."

This disclaimer is significant—the men were not charged with espionage or state-sponsored activity, but the presence of state-grade tools in a criminal operation highlights the porous boundaries between nation-state cyber capabilities and cybercrime.

Shadow Brokers: NSA Tools in Criminal Hands

Perhaps even more alarming than PlugX was the discovery of tools and zero-day vulnerabilities associated with the Shadow Brokers—the mysterious hacking group that leaked the NSA's most sophisticated cyber weapons in 2016-2017.

Who Are the Shadow Brokers?

The Shadow Brokers emerged in summer 2016, publishing leaks containing hacking tools and zero-day exploits stolen from the "Equation Group"—widely assessed to be the NSA's elite hacking division.

What they leaked:

EternalBlue: A worm-enabling vulnerability in Windows SMB protocol
DoublePulsar: A backdoor implant
Zero-day exploits: Previously unknown vulnerabilities in widely-used software
Exploitation frameworks: Complete toolkits for penetrating networks

The EternalBlue Legacy: WannaCry Ransomware

The Shadow Brokers' most consequential leak was EternalBlue, released on April 14, 2017. One month later, criminals weaponized it to create the WannaCry ransomware attack on May 12, 2017:

WannaCry impact:

200,000+ computers infected in over 150 countries
UK National Health Service: Hospitals forced to cancel surgeries and turn away patients
FedEx, Honda, Nissan: Major corporations crippled
Estimated $4 billion in damages globally

The fact that tools derived from Shadow Brokers leaks were found on the Singapore hackers' devices demonstrates how nation-state cyber weapons proliferate to criminal actors, creating global security risks far beyond their original intended targets.

Attribution Questions

Edward Snowden stated that "circumstantial evidence and conventional wisdom indicates Russian responsibility" for the Shadow Brokers leak, though some evidence points to North Korea's Lazarus Group.

Regardless of who stole the tools, the Singapore case demonstrates that once nation-state cyber weapons are leaked, they become available to any sufficiently skilled criminal group.

The Hacker Network: Sun Jiao and Custom Tools

The trio didn't operate in isolation. They maintained connections with:

Sun Jiao: An independent hacker "also in Singapore" who operated separately from Xu, conducting his own hacking and data broking operations. The trio regularly consulted Sun on technical matters and shared zero-day vulnerabilities.

Unknown developer: Commissioned to create custom, centralized web-based software for managing their operations. The software wasn't completed before their arrest, but its development shows the sophistication and scale of their intended expansion.

This network demonstrates that Singapore had become host to multiple independent cybercrime operators, some working for hire (the trio) and others as independent brokers (Sun Jiao).

The Raid and Arrest: September 9, 2024

Police Operation

In early September 2024, Singapore Police Force intelligence indicated suspicious activities centered around the Mount Sinai bungalow. On September 9, 2024, police launched coordinated raids:

The operation:

160 law enforcement officials mobilized
Multiple locations raided simultaneously
Six individuals arrested total (the three Chinese hackers plus three others)
Comprehensive digital forensics conducted on seized devices

What Triggered Detection

While specific intelligence sources haven't been publicly disclosed, Singapore's enhanced cybersecurity monitoring likely detected:

Unusual network traffic patterns from the bungalow
International coordination with foreign law enforcement
Financial intelligence regarding cryptocurrency transactions
Tips from victims of the hacking operations

Before the raid, sometime prior to September 5, 2024, the trio asked Xu when they would be paid for their work. Xu transferred US$3 million worth of cryptocurrency to Liu.

The distribution plan:

The trio agreed to split the bulk among themselves
Sun Jiao would receive an equal fourth share

This payment structure reveals:

The significant profitability of hacking-for-hire operations
Use of cryptocurrency to obscure financial trails
Compensation levels comparable to legitimate high-skilled employment

At the time of arrest, only four days after receiving payment, the hackers had not yet distributed the funds, providing police with evidence of the financial dimensions of their operation.

Xu's Disappearance: The Mastermind Escapes

The mastermind behind the operation, Xu Liangbiao, left Singapore in August 2023—shortly before police arrested 10 people involved in the billion-dollar money laundering case on August 15, 2023.

Xu's current whereabouts are unknown.

His departure just before a major law enforcement operation suggests:

Possible intelligence about the money laundering investigation
Connections to broader criminal networks
Careful monitoring of Singapore's law enforcement environment
Preparation for exit before detection of hacking operations

The fact that Xu remains at large means the mastermind of the operation faces no consequences while his hired hackers serve prison time in Singapore.

The Legal Proceedings: "Epic Failures" or Sophisticated Criminals?

The Charges and Sentencing

On November 5, 2025, more than 14 months after their arrest, the three Chinese nationals were sentenced:

Yan Peijian and Huang Qin Zheng: 28 months and one week in prison Liu Yuqi: 28 months and four weeks in prison

(Singapore courts spell out sentences in months plus weeks when four or more weeks are added, as months vary in length.)

Additional charges: The men committed further offenses after their initial arrest by lying to the Ministry of Manpower about their false employment, claiming they had actually worked at their purported jobs.

Prosecution's Position: Reputational Damage to Singapore

Deputy Public Prosecutor Hon Yi argued for sentences of 30 to 38 months plus additional weeks, emphasizing the reputational damage to Singapore:

"This is not just amongst the general global public, but also on a government-to-government basis, given the foreign government-related data found on Yan and Liu's devices. This is despite the fact that the accused persons allegedly tried to avoid targeting government websites."

Key prosecution arguments:

1. Singapore as a criminal hub: While the organized crime group didn't directly target Singapore, using Singapore as a base for international hacking operations damages the country's reputation as a secure business and financial hub.

2. Essential skilled operatives: Though characterized as "foot soldiers" working for Xu, the three possessed critical technical skills and were the "main engine of Xu's illicit cyber operations."

3. Well-funded sophistication: The operation was well-funded and well-maintained, with specific targets and careful avoidance of high-risk targets that might attract attention.

4. Significance of government data: The presence of foreign government data on their devices is significant regardless of whether governments were deliberately targeted.

5. Effort matters, not just success: DPP Hon used an analogy: "A burglar going down the street trying doors. Just because he can't open doors, doesn't mean he was completely unsuccessful. He now knows which doors he can't open with his level of skill."

Defense's Position: "Epic Failures" Who Couldn't Actually Hack

The defense attorneys presented a dramatically different narrative:

Mr. Lee Teck Leng (representing Huang and Liu) and Mr. Kelvin Ong (representing Yan) argued:

1. No criminal intent upon initial entry: The men didn't come to Singapore in 2022 with any intention to commit crimes. (The judge noted she was "more concerned" with their second entry in May 2023.)

2. Limited technical expertise: While Yan had some IT background, Liu and Huang were "really not techies in that sense."

3. Failed to achieve objectives: They "did not manage to achieve any of their objectives."

4. Couldn't actually hack: Mr. Lee stated: "The three main hackers in this organized criminal group basically can't hack."

5. Attempting vs. succeeding: Using the prosecution's door analogy, Mr. Lee argued that trying to penetrate without succeeding "is not really hacking. To me, hacking is when you knock on the door, manage to go in and see what's inside."

6. "Epic failures": Mr. Ong concurred, saying the three men were "basically epic failures" who did not meet their key performance indicators.

The Judge's Response: Attempting Is the Crime

The presiding judge challenged the defense's logic by asking whether "the very act of hacking was not the very act of probing the sites."

She questioned whether any success in obtaining data would instead be an aggravating factor rather than a required element of the crime.

This exchange cuts to the heart of cybercrime law: Is unauthorized access itself the crime, or must hackers successfully steal data?

Under Singapore's Computer Misuse Act and most international cybercrime laws, unauthorized access is the offense—success in stealing data is an aggravating factor that increases penalties, but isn't required for conviction.

Sentencing Rationale: Deterrence and Reputation

The judge's sentences of 28+ months reflect several considerations:

Aggravating factors:

Organized crime group structure
Sophisticated tools and techniques (PlugX, Shadow Brokers tools)
Foreign government data discovered
Use of Singapore as operational base
False documentation and employment
Large financial rewards (US$3 million)
Lying to authorities after arrest

Mitigating factors:

The men were hired operatives, not masterminds
No direct harm to Singapore entities
Incomplete nature of some planned operations
Cooperation during some phases of investigation

Deterrent message: The prosecution emphasized that "The Police will not tolerate the use of Singapore as a base for cybercriminal activities."

The sentences send a clear signal to international cybercrime groups: Singapore will prosecute hackers even if their targets are elsewhere.

Singapore's Cybersecurity Posture: A Regional Hub Under Threat

Why Singapore Attracts Cybercriminals

Singapore's position as a target and base for cybercrime stems from several factors:

1. Advanced infrastructure: World-class internet connectivity and telecommunications infrastructure ideal for cyber operations

2. Financial hub: Major international financial center with connections to global banking systems

3. Business-friendly environment: Relatively easy to establish presence and obtain work permits (legitimately or fraudulently)

4. Geographic location: Central position in Southeast Asia provides access to regional targets

5. International connectivity: Major hub for data traffic between Asia, Australia, and the West

6. Wealth concentration: High concentration of wealthy individuals and organizations makes Singapore attractive for financially-motivated cybercrime

Singapore's Legislative Response

Singapore has aggressively strengthened its cybersecurity laws in response to rising threats:

Cybersecurity (Amendment) Act 2024

Passed by Parliament on May 7, 2024, and came into force on October 31, 2025, the amended Cybersecurity Act introduces significant new criminal offenses:

New offenses:

1. Handling stolen data from cybercrime:

Making it an offense to obtain, retain, supply, transmit, or make available personal information if the offender knows the information was obtained through cybercrime
Creates liability for the entire data supply chain, not just initial hackers

2. Tools for hacking:

New offense of obtaining or making "tools for hacking"
Only applies if tools are obtained with "intent" to commit a cybercrime
Directly addresses the PlugX and Shadow Brokers tools issue in this case

3. Enhanced regulatory powers:

Expanded scope to regulate four new classes of persons
Enhanced powers for the Commissioner of Cybersecurity
Mandatory reporting requirements for cybersecurity incidents

September 2024 Arrests: Part of a Pattern

The September 9, 2024 raids that netted the three Chinese hackers were part of a larger operation:

Total arrests: Six individuals

Five Chinese nationals
One Singaporean

Scale of operation: Approximately 160 law enforcement officials mobilized, indicating a major investigation.

One suspect was found with "a laptop containing credentials to access web servers used by known hacker groups," suggesting connections to the broader international cybercrime ecosystem.

Singapore Police characterized the suspects as being "linked to a global syndicate that conducts malicious cyber activities."

Regional Context: ASEAN Under Cyber Siege

The Singapore arrests occur against the backdrop of intensifying cyber operations targeting Southeast Asia:

Recent campaigns:

October 2025: PlugX variants targeting Asian telecom and ASEAN networks
2024: RedDelta targeting Myanmar, Vietnam, and Cambodia with custom PlugX
2025: Earth Preta hitting Asia with DOPLUGS malware, a new PlugX variant

Singapore's aggressive prosecution sends a message to regional partners that it will not become a safe haven for cyber mercenaries targeting the ASEAN region.

The Geopolitical Dimensions: Chinese Cyber Operations and Cyber Mercenaries

State-Sponsored vs. Criminal: A Blurred Line

This case exemplifies the increasingly blurred boundaries between state-sponsored cyber espionage and profit-motivated cybercrime:

Traditional state-sponsored cyber operations:

Directly controlled by intelligence agencies
Targeting government and military networks
Motivated by strategic intelligence gathering
Using custom-developed malware
Long-term persistent access objectives

This case:

Hired by private criminal enterprise (Xu Liangbiao)
Targeting commercial gambling and SMS services
Motivated by profit (US$3 million payment)
Using leaked state-sponsored malware (PlugX, Shadow Brokers)
Accidentally capturing government data

The convergence: When criminal hackers use state-grade tools and accidentally compromise government systems, the distinction becomes meaningless from a victim's perspective.

China's Cyber Ecosystem: State Sponsorship and Criminal Enterprise

China's approach to cyber operations has long involved a complex relationship between state intelligence agencies and nominally independent actors. As detailed in Breached's analysis of China's Ministry of State Security, the country has built the world's most formidable cyber power through a sophisticated ecosystem spanning direct state operations to criminal proxies.

Known patterns in China's cyber operations:

1. Direct state-sponsored campaigns: Groups like Volt Typhoon targeting U.S. critical infrastructure for pre-positioning and Salt Typhoon infiltrating telecommunications to compromise wiretapping systems—both operating under direct intelligence agency control.

2. Patriotic hackers: Skilled hackers who operate independently but receive tacit support or direction from state agencies, often targeting foreign entities that conflict with Chinese interests.

3. Front companies: Private enterprises that conduct cyber operations on behalf of intelligence agencies, as seen in Silk Typhoon's IT supply chain attacks.

4. Moonlighting intelligence officers: Active or former intelligence personnel conducting private operations—potentially the category these Singapore hackers' tools came from.

5. Tool sharing: State-developed malware like PlugX "leaking" to criminal actors, creating plausible deniability while expanding China's cyber capabilities through criminal proxies.

6. Commercial espionage: Private companies stealing intellectual property that ultimately benefits Chinese state-owned enterprises, as documented in massive Chinese espionage campaigns targeting global network infrastructure.

The Singapore case represents the criminal mercenary end of this spectrum—financially motivated actors using state-grade tools—but the tools themselves (PlugX, Shadow Brokers exploits) originated from or were used by state-sponsored groups, demonstrating the interconnected nature of China's cyber ecosystem.

The Ni-Vanuatu Connection: Flags of Convenience

Xu Liangbiao's status as a Ni-Vanuatu citizen raises additional questions about citizenship-for-investment schemes and their abuse by criminal networks.

Vanuatu's citizenship by investment:

Vanuatu offers economic citizenship programs where foreign nationals can obtain passports through investment
Chinese nationals are among the largest users of such programs
Provides visa-free travel to over 130 countries
Creates challenges for international law enforcement in tracking criminals

Why criminals seek second passports:

Complicates extradition procedures
Provides travel flexibility
Obscures connections to country of origin
May provide banking and financial advantages

Xu's use of Ni-Vanuatu citizenship to recruit Chinese nationals for operations in Singapore demonstrates how citizenship-for-investment schemes can facilitate international organized crime.

China's Response to Arrests

China's government has not issued public statements about the Singapore arrests, which is typical when Chinese nationals are arrested abroad for non-political crimes.

Likely considerations:

1. Diplomatic complexity: Any defense of the hackers would imply Chinese state involvement

2. Plausible deniability: Maintaining distance suggests purely criminal rather than state-sponsored activity

3. Domestic narrative: Chinese media likely won't report on the case to avoid discussion of Chinese citizens engaged in international cybercrime

4. Bilateral relations: Singapore and China maintain strong economic and diplomatic ties that both prefer to preserve

The Technical Ecosystem: How Modern Cyber Mercenaries Operate

The Business Model of Hacking-for-Hire

This case reveals the economics of professional cybercrime:

Revenue structure:

US$3 million payment for approximately 5-6 months of operations (May-September 2024)
Four-way split: Each participant receiving approximately US$750,000

Operating costs:

Accommodation: S$33,000/month (~US$24,000) for luxury bungalow
Personnel: Monthly salaries of S$2,000 (~US$1,500) per hacker for cover employment
Support staff: Cooks and cleaners
Operational expenses: S$52,000+ in cash for day-to-day costs

Profitability: Even with substantial operating costs, the criminal enterprise was highly profitable, explaining its attractiveness to technically skilled individuals facing limited legitimate employment opportunities.

Zero-Day Vulnerability Markets

The trio's interaction with Sun Jiao and unknown developers highlights the underground markets for cyber capabilities:

What's traded:

Zero-day vulnerabilities: Previously unknown software flaws
Exploits: Code that takes advantage of vulnerabilities
Malware: Including state-grade tools like PlugX
Credentials: Stolen usernames and passwords for target systems
Data: Stolen information sold to interested parties

Market participants:

Researchers: Finding and selling vulnerabilities
Brokers: Connecting buyers and sellers (like Sun Jiao)
Developers: Creating custom tools for hire
Operators: Conducting intrusions (like the trio)

Pricing: Zero-day exploits for popular systems can sell for $100,000 to $1 million+ depending on the target and sophistication.

Tools of the Trade: Open Source and Underground

The malware arsenal discovered in the raids reflects the democratization of hacking capabilities:

Open-source frameworks:

Metasploit: Legitimate penetration testing framework widely used by security professionals and hackers alike
Spark RAT: Open-source remote access tool
Silver: Command and control framework

Underground tools:

PlugX: Obtained through criminal forums or connections
Shadow Brokers exploits: Available on underground forums since 2017 leaks
Custom malware: Commissioned from developers

This combination allows criminals to operate with capabilities that previously required state-sponsored resources.

Operational Security Failures

Despite their sophistication, the hackers made critical operational security mistakes:

1. Geographic concentration: Operating from a single physical location (the bungalow) created a single point of failure

2. Financial traces: Large cash payments and cryptocurrency transactions created evidence trails

3. Data retention: Keeping stolen government data on personal devices rather than secure remote servers

4. Network patterns: Conducting operations from Singapore IP addresses linked to their accommodation

5. Local connections: Using local support staff (cooks, cleaners) who could provide evidence

6. Extended operations: Running the operation for months from the same location increased detection probability

Professional state-sponsored operators typically employ much stronger operational security, suggesting these criminals, despite sophisticated tools, lacked the tradecraft of true intelligence professionals.

Implications and Future Trends

The Proliferation of State-Grade Malware

This case demonstrates a critical cybersecurity challenge: once nation-state malware is leaked or stolen, it becomes permanently available to criminal actors.

The proliferation cycle:

State agencies develop sophisticated malware (PlugX by Chinese intelligence, EternalBlue by NSA)
Leaks occur through insider threats, breaches, or deliberate leaks (Shadow Brokers)
Cybercrime forums host and distribute the tools
Criminal actors obtain and weaponize nation-state capabilities
Further proliferation as criminals share tools among themselves

Consequences:

Every organization faces threats using state-grade capabilities
The "APT gap" between nation-states and criminals narrows
Attribution becomes increasingly difficult
Defensive costs increase for all organizations

The Cyber Mercenary Industry

The hacking-for-hire model employed by Xu Liangbiao represents a growing industry of cyber mercenaries:

Growth factors:

High profitability attracts skilled talent
Technical skill barriers lowering due to available tools
International law enforcement challenges
Growing demand from criminal enterprises

Known cyber mercenary types:

1. Ransomware-as-a-Service: Developers lease ransomware to affiliates who conduct attacks

2. Access brokers: Hackers who breach networks and sell access to other criminals

3. Data brokers: Specialists in stealing and monetizing sensitive information

4. DDoS-for-hire: Services that attack targets on demand

5. Custom hacking operations: Like this case, bespoke operations for specific clients

Singapore's Role in Regional Cybersecurity

Singapore's aggressive prosecution serves multiple strategic purposes:

1. Deterrent effect: Signals to international criminals that Singapore won't be a safe haven

2. Regional leadership: Demonstrates enforcement capability to ASEAN partners

3. Intelligence value: Investigation yields insights into criminal networks and TTPs

4. Bilateral cooperation: Strengthens partnerships with countries whose data was compromised

5. Reputation protection: Preserves Singapore's image as secure business and financial hub

Legislative and Policy Recommendations

This case highlights several areas where international cooperation and domestic legislation must evolve:

1. Citizenship by investment reforms:

Enhanced due diligence for economic citizenship programs
Information sharing about criminal use of second passports
Revocation procedures for passports obtained by criminals

2. Cryptocurrency tracing:

Enhanced international cooperation on cryptocurrency forensics
Mandatory know-your-customer procedures for crypto exchanges
Real-time monitoring of large crypto transfers

3. Work permit verification:

Improved verification of employment for work permit holders
Periodic audits to ensure permit holders actually work at stated employers
Enhanced penalties for companies facilitating fraudulent permits

4. Malware proliferation:

International agreements on non-proliferation of cyber weapons
Criminal penalties for spreading state-grade malware
Cooperation in taking down malware distribution forums

5. Cross-border cyber investigations:

Enhanced mutual legal assistance treaties for cybercrime
Rapid information sharing protocols
Joint investigation teams for transnational cybercrime

Conclusion: A Warning to Cyber Mercenaries

The sentencing of Yan Peijian, Huang Qin Zheng, and Liu Yuqi marks a significant moment in Singapore's cybersecurity enforcement. These were not amateur hackers—they possessed sophisticated tools associated with state-sponsored APT groups, operated for months from a well-funded base, and successfully compromised multiple targets.

Yet despite their capabilities, they now face 28+ months in Singapore prisons while their mastermind remains at large.

Key Lessons

For cybercriminals: Singapore's prosecution demonstrates that:

Small, wealthy nations take cybercrime seriously even when targets are elsewhere
Advanced persistent threat tools won't protect you from law enforcement
Cryptocurrency payments don't ensure anonymity
Physical presence in a jurisdiction creates arrest vulnerability
"Foot soldiers" serve time even if masterminds escape

For organizations: This case shows that:

State-grade malware is in criminals' hands
Hacking-for-hire services offer APT-level capabilities
Even "non-political" targets can be collateral victims
Attackers may inadvertently compromise your systems while targeting others
Defense must assume adversaries have nation-state tools

For governments: The Singapore case highlights:

Cross-border cybercrime requires international cooperation
Work permit and immigration systems can be abused by criminal networks
Economic citizenship programs create law enforcement challenges
Aggressive prosecution deters use of territory as criminal base
Public disclosure educates industry and demonstrates capability

The Bigger Picture

This case is not isolated—it's part of a broader trend of cyber mercenaries using state-grade tools for profit. As nation-state malware continues to proliferate through leaks and the underground economy, the distinction between "APT" and "cybercriminal" becomes increasingly meaningless.

Organizations must defend against the assumption that any sufficiently motivated adversary can deploy nation-state capabilities. The era when only government agencies faced advanced persistent threats is over.

Unanswered Questions

Several critical questions remain:

1. Where is Xu Liangbiao? The mastermind's current location and whether he faces charges elsewhere

2. What about Sun Jiao? The independent hacker collaborating with the trio—was he arrested or is he still operating?

3. Were targets notified? Did the organizations compromised by the trio receive notification and assistance?

4. What was actually stolen? Specific data exfiltrated and its potential use by criminal networks

5. State connections? Any indirect links between the operation and Chinese intelligence services

6. How many victims? The full scope of compromised systems beyond the examples mentioned

The Final Word

On November 5, 2025, a Singapore judge sent a clear message: using our territory as a base for international cybercrime will be prosecuted to the fullest extent of the law.

For three Chinese hackers, what began as a lucrative job offer from a Ni-Vanuatu citizen ended with 28 months in prison, forfeiture of their US$3 million payment, and permanent criminal records.

They possessed tools used by elite Chinese APT groups. They had access to Shadow Brokers exploits that crippled hospitals worldwide. They operated from a luxury bungalow with professional support staff. They were paid in cryptocurrency to evade detection.

None of it mattered when Singapore Police came knocking on September 9, 2024.

The defense called them "epic failures" who couldn't really hack. The prosecution called them the "main engine" of organized cybercrime. The judge called them criminals and sentenced them accordingly.

The rest of the cyber mercenary industry should take note: Singapore is not a safe harbor.

Key Takeaways

✅ Three Chinese hackers sentenced to 28+ months in Singapore (Yan Peijian, Huang Qin Zheng, Liu Yuqi)
✅ US$3 million in cryptocurrency payment for hacking gambling sites and SMS service providers
✅ PlugX malware discovered - sophisticated RAT associated with Chinese APT groups (Mustang Panda, APT22, APT26, APT41)
✅ Shadow Brokers tools found - NSA exploits that enabled WannaCry ransomware attack
✅ Foreign government data seized from Australia, Argentina, Vietnam, Kazakhstan, Philippines
✅ Mount Sinai bungalow served as operational base with S$33,000/month rent paid in cash
✅ September 9, 2024 raids involved 160 law enforcement officials
✅ Fraudulent work permits used to enter Singapore (listed as sales rep and construction workers)
✅ Mastermind Xu Liangbiao (Ni-Vanuatu citizen) escaped Singapore in August 2023, whereabouts unknown
✅ Target: Yi Mei SMS service to hijack two-factor authentication for gambling sites
✅ Collaborative hacking network including independent operator Sun Jiao also in Singapore
✅ State-grade tools in criminal hands demonstrates proliferation of nation-state cyber weapons
✅ October 31, 2025: Singapore's enhanced Cybersecurity Act makes possessing hacking tools criminal offense
✅ Defense argued "epic failures" who couldn't really hack; prosecution argued sophisticated organized crime
✅ Reputational damage to Singapore as foreign governments' data found on hackers' devices

Singapore's message to international cybercrime networks: We will not tolerate being used as a hub for global hacking operations, regardless of whether targets are local or foreign.

Related Reading:

Chinese Cyber Threat Landscape:

Recent Law Enforcement Actions:

This case demonstrates the dangerous proliferation of state-sponsored malware into criminal hands. When nation-state cyber weapons leak, every organization becomes a potential target for sophisticated attacks previously limited to APT groups.

Source: Channel News Asia, Singapore Police Force, Singapore Statutes Online, various cybersecurity research