
In late May, we observed two confidential Chinese datasets, known as the VenusTech Data Leak and the Salt Typhoon Data Leak.
The leaks were about two Chinese cybersecurity organizations:
These leaks came from the accounts “IronTooth” and “ChinaBob”, which were newly created in May 2025. The leaked information gives us unusual and valuable insight into China’s hidden world of hackers who are paid to execute cyberattacks. It also shows that this hacking isn’t just random or independent; it’s linked to the Chinese government.
Venustech started in 1996 and is headquartered in Beijing. It is one of the top cybersecurity companies in China. They make security products and help more than 30,000 customers, like big banks, government and phone companies. They have a talented research team with many inventions, including China’s first intrusion detection device and fast security technology. Venustech has been number one in China for many years for security tools like IDS, UTM, and SIEM. They also helped keep the 2008 Beijing Olympics safe. People around the world know them well because they have been listed as leaders by important companies like Gartner and Frost & Sullivan for things like firewalls and industrial security.
Salt Typhoon is a hacking group that began in 2020 and is believed to work for China’s Ministry of State Security (MSS). They commonly target the United States, spying on the government and stealing important business information, although they have hacked many countries worldwide. In late 2024, U.S. officials said Salt Typhoon broke into the computer systems of nine major U.S. phone companies, like Verizon and AT&T, focusing on key parts of the internet, including Cisco routers that manage a lot of traffic. In October 2024, it was also revealed they accessed systems used by internet providers that help U.S. law enforcement listen to phone calls legally. The hackers saw details from over a million users’ calls and texts, such as date/times, phone numbers, and IP addresses, mostly affecting people near Washington D.C.
On May 17, 2025, a user identified as “IronTooth” posted a leak claiming to offer stolen data from a Chinese technology company, VenusTech. The actor stated the leak included internal documents, information on products sold to government agencies, access credentials, client details, and miscellaneous files. The post noted the data would be sold to the highest bidder after 48 hours and was being shared across multiple platforms.

Based on the open-source translation, the screenshot contains information about various organizations and how their power usage is categorized. The list includes entities such as schools, government offices, municipalities, and private companies. These groups consume electricity for specific operational needs, including the Foreign Ministry, Police Bureau, Parliament, airline companies, telecommunications operators, foreign guest accommodations, server rooms, and immigration services. Certain categories—like the Foreign Ministry and server rooms—appear multiple times, suggesting widespread or high-frequency usage.
Power consumption varies by function: some tasks, such as managing confidential files, require significant energy (e.g., 300W+, 600W+, 4500W+, 7100W+), while others consume minimal power (e.g., 10W+, 17W+, 22W+). The energy distribution is also tailored by user role—allocated per person (10W per user) and per domain (1.7W+ per domain user)—indicating a customized power plan for each operational group.

Based on the open-source translation, the screenshot contains information on tracking power usage across different groups, including government entities, utility companies, and other organizations.
We observed a conversation in the comments where multiple users discussed the availability of the stolen information. One user confirmed that there was “no visible link,” but assured others it would still work. Following this, both users “jack0001” and “qfjlihdvf” expressed interest in purchasing the data and indicated they were ready to pay.


On May 18, 2025, a user named “ChinaBob” posted a data leak allegedly sourced from hacking companies contracted by the government. The actor claimed the leak contained employee records, financial data, bank details, hacked router configurations with passwords, and communications between staff and government officials under investigation. The data was made available in multiple formats, including CSV, XLSX, TXT, and PDF.


In the screenshot above, the threat actor references the first URL listed under the News Article section, which redirects to a Telegram channel. The link points to a February 2025 Wall Street Journal article titled “Salt Typhoon Hackers Used Old Cisco Bug, Stolen Credentials to Hop on Routers,” as shown in the screenshot below. Additionally, the leaked samples included employee data such as names, ID numbers, phone numbers, and email addresses. A second sample reveals compromised router usernames and passwords.

Translation:

The actor also mentioned a second URL under the Government Customers sample. This URL leads to an image of an XLS sheet containing bank account numbers, buyer names, seller names, and seller bank account numbers.

On 20th May 2025, user “OscarT” asked about the price to purchase this data, and after 21st May 2025 the hacker confirmed it was “Sold out”.
The VenusTech and Salt Typhoon data leaks underscore the persistent and evolving risks posed by both targeted cyberattacks and poor security hygiene within organizations handling sensitive data.
Conversely, the Salt Typhoon data leak highlights a critical internal misconfiguration—an exposed cloud storage bucket containing employee PII, strategic documents, and system logs.
Together, these incidents reflect a broader trend: cyber adversaries are increasingly capitalizing on both technical vulnerabilities and operational oversights. We recommend that organizations proactively monitor underground spaces, audit their infrastructure regularly, and prioritize data protection measures.
(By Rudra Pratap, Siva Prasad Boddu & Abhishek Samdole)