Where is i-SOON Now?
i-SOON’s business struggles after the leak reflect the cruel reality of China’s hacker-for-hire industry
One hour before we were going to publish this post, the US Department of Justice unsealed an indictment charging eight i-SOON employees and highlighting the importance of companies like i-SOON in China's cyberthreat landscape.
Cyber threats from China have never stopped evolving; analysts grapple with who Silver Fox is and why they targeted Chinese speakers, or who was using ShadowPad malware and deploying ransomware and what their motivations were. To understand these new developments, we need to keep in mind the dynamics and constraints that Chinese cyberthreat actors face. For this, the i-SOON leaks remain crucial.
After over a year, the Natto Team continues to discover that the i-SOON leaks – product marketing white papers, compromised data samples, chat logs among employees and clients, screenshots and images of business operations from the Chinese information security company i-SOON – are a gift that keeps on giving. For example, the recent Natto Thoughts post from Eugenio Benincasa dug into the i-SOON leaks to explore China’s elite vulnerability research giant, the Pangu Team, and the relationship between elite vulnerability researchers and government-contracted hackers. Meanwhile, many curious minds like us have been wondering:
“Where is i-SOON now?”
“Is i-SOON still in operation?”
“Have we seen any new cyber campaigns from i-SOON after the leak?”
“Have we seen any consequences for i-SOON after the leak?”
……
We believe finding answers for these questions will not just satisfy our curiosity, which is absolutely necessary, but also shed light on how China organizes its cyber operations.
i-SOON is Still in Operation …
In January, Substack writer NETASKARI published a post about his/her/their on-the-ground research project of visiting US-sanctioned cyber security companies in China, including i-SOON, Chengdu 404, and Sichuan Silence. NETASKARI reflected, “The cybersecurity landscape (in China) is something you can watch from afar but rarely get firsthand voices.” The Natto Team assesses that obstacles at two levels hinder us from hearing firsthand commentaries by Chinese people about the local cybersecurity landscape. First, those voices might be censored or self-censored, and second, they themselves might be unaware of realities on the ground because of state censorship, blockage or deletion of information. Therefore, even for people who are brave enough to have their voice heard, they may not get any firsthand information. The i-SOON leak is a good example. As we searched “i-SOON leak” (安洵信息泄露) across several Chinese search engines, we didn’t get any results related to the leak. It looks like i-SOON leaks are not known to the public in China at all. This indicates how tightly information is controlled by the Great Firewall of China – the country’s online system for monitoring and censorship.
Although information about the leaks cannot be found within China, information about the company’s activities and fortunes remains publicly available. The Natto Team cross-checked several Chinese business registration databases and discovered that, as of March 4, 2025, Shanghai i-SOON and its three related companies – Sichuan i-SOON, Sichuan Daitabosi, and Taizhou i-SOON – are still registered as being in business operation. The current total number of employees from the four i-SOON companies is 104 (see chart below), which is close to a 33 percent decrease from the 160 employees recorded in 2022.
In March 2024 the Natto Team reported, based on information from the i-SOON leaks, that Shanghai-headquartered i-SOON had around 160 employees across its six locations in China as of October 2022. Sichuan i-SOON was the largest component, with close to 100 employees. According to the company’s website, Shanghai i-SOON was established in 2010. In 2015, Shanghai i-SOON established its subsidiary, Sichuan i-SOON, and followed with i-SOON branch offices in Yunnan province in 2017, Jiangsu province in 2020, and Zhejiang province in 2021. In addition, i-SOON founder and CEO Wu Haibo wholly owns a company named Sichuan Daitabosi Information Technology Limited (四川戴塔柏斯信息技术有限公司) (Sichuan Daitabosi), established in 2017. According to business registration information and the i-SOON leaked documents, Sichuan Daitabosi shared the same management team with Sichuan i-SOON and hosted two attack and defense research labs. One is Xingshi Attack and Defense Lab (行什攻防实验室), previously known as penetration testing team 2; the other is Kuishao Lab (魁杓实验室), which was formerly penetration test team 3. The two research labs were renamed in May 2022. Lastly, in March 2022, Shanghai i-SOON established another subsidiary, Taizhou i-SOON.
However, while conducting this research in 2025, the Natto Team discovered that i-SOON’s operation is now on a much smaller scale than in 2022. As of this writing, i-SOON companies in operation include Shanghai i-SOON and its three wholly owned subsidiaries: Sichuan i-SOON, Sichuan Daitabosi, and Taizhou i-SOON.
We also learned that both Shanghai i-SOON and Sichuan i-SOON moved to new locations after the leak. Right after the i-SOON leaks came to light in February 2024, Associated Press reporter Dake Kang visited the i-SOON office in Chengdu and verified with two employees that the company had acknowledged the leak and that i-SOON and the Chinese police were investigating how it occurred. Later, likely in the summer of 2024, reporters from NHK (Japan Broadcasting Corporation) visited i-SOON offices in Chengdu and Shanghai, and found both offices empty and abandoned. A person who was likely from the building management of i-SOON’s Shanghai office told the NHK reporters that “something happened, people from this office were taken by the police.” In January 2025, reporters from ITV News, a British news television channel, visited the same i-SOON office in Chengdu that NHK reporters had visited and saw the same scene: abandoned office desks and cabinets inside the office, with the word “i-SOON” still visible on the outside wall where company signs had been taken down.

However, Sichuan i-SOON’s new office location looks like a much nicer office building than its previous location (see picture below.) The leasing office for the building advertised it as “a rare Grade A office building” and “a business landmark building” in the west of Chengdu. “It has attracted hundreds of outstanding enterprises.” i-SOON’s choice of this building seemingly reflects its aspiration to be such an “outstanding enterprise.”
But Struggling in Business
Despite moving to a much nicer location, i-SOON’s business seems to have been struggling since the exposure of the leak. Shanghai i-SOON and Sichuan i-SOON together have debts of over a million US dollars as of February 2025, according to court orders. The local courts have designated the two companies as “judgment debtors” (被执行人) or “entities subject to enforcement” a total of 30 times. The courts have also ordered “high consumption/spending restrictions” (限制高消费) on i-SOON’s founder and CEO Wu Haibo. Lastly, i-SOON has had 30 court cases since July 2024.
In detail, Shanghai i-SOON has been designated as a judgment debtor five times since November 2024 with a total debt amount of 4.472 million yuan (US$616,989) while Sichuan i-SOON has been labeled a judgment debtor 25 times since July 2024 with a total debt amount of 3.8332 million yuan (US$528,800). The CEO Wu Haibo was on high consumption restrictions three times related to Shanghai i-SOON and 20 times related to Sichuan i-SOON since November 2024.
As to i-SOON’s 30 court cases since July 2024, 24 cases are related to labor disputes, four cases are contractual disputes with four Chinese information technology companies, two cases are financial loan contract disputes with financial service institutes, and one case is a service contract dispute with the Institute of Information Engineering of the Chinese Academy of Sciences.
In addition, in July 2024, both Sichuan i-SOON and Sichuan Daitabosi failed to meet the deadline for publicizing the company’s annual report, which is required by the Company Law. Several business information platforms labeled both companies as having a record of “abnormal operation.”
Lastly, the Natto Team has not seen any hiring ads from Shanghai i-SOON, Sichuan i-SOON, Sichuan Daitabosi or Taizhou i-SOON since the leak in February 2024. There are no approvals of proprietary software or patents issued after October 2022 for Shanghai i-SOON and after October 2023 for Sichuan i-SOON.
Overall, i-SOON companies have apparently been struggling to survive after the leak in February 2024. They seemed unable to deliver some of their contracted obligations, loan payments or employee salaries and ended up with debts worth over a million US dollars and many lawsuits to deal with.
How About i-SOON’s Cyber Operation and Targeting?
While watching China’s cyber targeting from afar, it seems we have not seen much i-SOON-linked threat activity since the leak in mid-February 2024. One exception is that in late March 2024, US-based cybersecurity company Recorded Future reported that their Insikt Group researchers had identified “newly observed domain and infrastructure developments from i-SOON-linked groups RedAlpha and RedHotel” after the leak. The two examples in the report were as follows: RedAlpha registered a phishing domain on February 27, 2024, and an additional domain on March 1, 2024, and known RedHotel subdomains resolved to a new IP address on March 2, 2024. The Natto Team gauges that these activities by i-SOON-linked groups were an effort to quickly cover up right after the leak. Although the Insikt Group stated that it “anticipates that i-SOON-linked threat activity groups will continue to remain active and largely operate unabated in the future,” subsequent Natto Team research found almost no i-SOON-linked threat activities or operations from March 2024 to February 2025. Maybe China-related “Typhoons” blew others away? Let us know if you have seen it differently.
It makes sense to us that i-SOON companies’ business was crippled after the leak. Contracts from China’s Ministry of Public Security, Ministry of State Security and Ministry of Defense – formerly providing a major part of i-SOON’s revenue – likely dried up.
Where is the Support for i-SOON?
Now some of us may have wondered what happened to i-SOON’s state backing. Where is the support for the company when it needs help?
For years many reports on Chinese state-sponsored threat groups, like other advanced persistent threat (APT) groups, have had the notion that these groups are sophisticated and have ample resources because they are backed by the state. However, in i-SOON’s case, as the Natto Team’s previous analysis pointed out, i-SOON is far from a “significant superpower.” It appears APT operations directed by Chinese government agencies rely on a variety of companies like i-SOON for tools and services. In reality, these companies are often walking on thin ice in their relationships with the state agencies. For example, the i-SOON leaks suggested that i-SOON’s executives and employees seemed to exist constantly on the edge, forever looking for new contracts and saving existing contracts from failing, because each business deal had so much uncertainty and so many moving parts. To Chinese state agencies, a company like i-SOON is disposable.
When i-SOON suffered a seemingly unexpected leak that exposed details of China’s cyber operations, this seems to have hurt the company’s business significantly. Furthermore, i-SOON as a company has disappeared from the Chinese media after the leak. We believe this is an intentional move by the Chinese government to limit the attention to i-SOON and the state’s cyber operations. Although still in operation, i-SOON companies likely have had even more trouble securing contracts and making profits than before. This is likely because, amidst fierce competition among Chinese information security companies, the leak has damaged i-SOON’s reputation. Last year, when addressing the question “what are the possible consequences for i-SOON after the leak?” the Natto Team predicted few negative consequences for i-SOON. We speculated that, if the Chinese government were scrupulous, i-SOON’s failure to secure its own documents, which led to the leaks, could have violated “the Qualification Standard for Class II Secrecy for Weapons and Equipment Research and Production Company.” If i-SOON’s Class II Secrecy certificate were suspended, that could hurt its business revenue. This year, we discovered i-SOON’s Class II Secrecy certificate has not been listed among the company’s credentials in several business information databases. Although we are not able to confirm if the certificate was suspended, we do see i-SOON’s business has been struggling.
Similarly, as the Natto Team has shown, fellow Chinese government contractor Sichuan Silence suffered financial hardships, lawsuits and management upheavals after revelations in 2020 about their offensive operations for the Chinese government. Both i-SOON and Sichuan Silence seem to remain vulnerable and to receive little protection after performing risky services for the state.
Well, for the Chinese state cyber operations, i-SOON is down, but thousands of other entities like i-SOON will be up to compete for state contracts. So, the Chinese cyber operations continue.