In a development sending ripples through the cybersecurity world, two new datasets have surfaced for sale on DarkForums, an English-language data breach forum, revealing fresh insights into China’s shadowy hack-for-hire industry.
The leaks, named the “VenusTech Data Leak” and the “Salt Typhoon Data Leak,” showcase how Chinese cyber operations are blending state and private interests in unprecedented ways.
VenusTech Data Leak – Government Ties and Offensive Operations
VenusTech, a publicly traded IT security vendor with a focus on Chinese government clients, has been thrust into the spotlight after an anonymous seller, dubbed “IronTooth,” allegedly posted leaked documents on DarkForums.

The data, presented in 16 screenshots, includes evidence of sensitive contracts, client lists, product details, and, most critically, spreadsheets revealing the company’s involvement in offensive cyber services.
The most alarming disclosure is the repeated documentation of VenusTech seemingly providing access to hacked foreign organizations, including the Korean National Assembly’s email server.
Detailed spreadsheets list intelligence targets spanning Hong Kong, India, Taiwan, South Korea, Croatia, and Thailand, with monthly data delivery quotas and associated prices ranging from 30,000 to 85,000 yuan (approx. $4,100 to $12,000 USD).
These records suggest an established commercial relationship between VenusTech and Chinese government clients, with possible links to wider state-sponsored hacking networks.
Salt Typhoon Leak – Employee Data, Router Breaches, and Transaction Trails
A day after the VenusTech leak, a user named “ChinaBob” posted a new dataset attributed to Salt Typhoon, an advanced persistent threat (APT) group believed to work under China’s Ministry of State Security.
The material on offer spans employee PII (names, national ID numbers, phone numbers), financial data, hacked router credentials, and chat logs purportedly extracted from internal communications.
Technical details include samples of compromised Cisco routers, an attack vector previously associated with Salt Typhoon, and an expansive list of 242 allegedly hacked devices.
Transaction records link three obscure Chinese shell companies, one already sanctioned by the U.S., and two newly identified entities to sales of hacking services to both commercial cybersecurity vendors and state military units, such as the PLA’s Unit 61419.
Public records confirm that several individuals named in the leak are company directors, deepening suspicions about direct state and commercial collaboration in cyber espionage.
Key Takeaways – A Leaky but Lucrative Digital Underworld
While the origins of the leaks are unclear, this event underscores two significant trends: China’s intelligence apparatus is vulnerable to insider-driven breaches, and Chinese cybercriminals are increasingly active in Western crime forums.
As these leaks reverberate, they offer a rare glimpse into the mechanics of China’s hybrid state-private cyber operations and the global reach of its digital espionage industry.





