Three Chinese men with false work permits jailed for cybercrime run from a rented bungalow in Singapore
Three Chinese men were jailed in Singapore for carrying out hacking operations from a Mount Sinai bungalow under a Ni-Vanuatu citizen’s direction. They targeted gambling and SMS service websites, earning US$3 million in cryptocurrency before being caught in a police raid.

- Three Chinese men were jailed in Singapore for carrying out hacking operations from a rented Mount Sinai bungalow, earning US$3 million in cryptocurrency.
- The group targeted gambling websites and a Chinese SMS service firm using malware such as PlugX, with evidence linking them to data from foreign government domains.
- Prosecutors said the operation caused “reputational damage” to Singapore, while defence lawyers described the trio as “epic failures” who failed to achieve their hacking goals.

SINGAPORE: Three men from Henan, China, were sentenced to prison after carrying out hacking operations from a rented bungalow in Singapore’s Mount Sinai area.
The trio were paid US$3 million (S$3.9 million) in cryptocurrency for their work, which involved infiltrating gambling websites and obtaining illicit access to a Chinese SMS service company.
Yan Peijian, 39, and Huang Qin Zheng, 36, were sentenced to 28 months and one week in jail, while Liu Yuqi, 33, received 28 months and four weeks on Wednesday (5 Nov).
They were among seven men originally charged in 2024 for suspected involvement in malicious cyber activities.
Hacking from a Mount Sinai Bungalow
A police raid on the Mount Sinai bungalow uncovered malware-related files, including remote access trojans (RATs) such as PlugX—a tool associated with advanced persistent threat and state-sponsored hacker groups—and files linked to the infamous Shadow Brokers.
The Shadow Brokers were known for leaking tools and zero-day vulnerabilities stolen from the United States’ National Security Agency (NSA), one of which enabled the widespread WannaCry ransomware attacks in 2017.
While the hackers tried to avoid targeting government systems, investigators found messages discussing vulnerabilities in five Australian, Argentine, and Vietnamese government domains, as well as a confidential email between Kazakhstan’s Ministry of Foreign Affairs and Ministry of Industry and Infrastructure Development.
The Job Offer and False Work Permits
The trio were recruited by a 38-year-old Ni-Vanuatu citizen, Xu Liangbiao, who offered them lucrative work opportunities in Singapore.
In 2022, amid poor economic conditions in China due to the COVID-19 pandemic, Yan, Huang, and Liu agreed to work for Xu.
He arranged false applications for their work permits—Yan as a sales representative, and the other two as construction workers—through companies unknown to them.
After arriving in Singapore in September 2022, they were taken to their supposed workplaces and briefed to maintain a cover story, though they never performed any actual duties.
They returned to China for Chinese New Year in 2023, before returning to Singapore in May 2023, when Xu finally set them to work.
The Mount Sinai Operation
Xu’s subordinate, Chen Yiren, rented a Mount Sinai bungalow for S$33,000 in cash to house the trio.
Chen handled all logistics, including hiring moonlighting foreign workers to cook and clean.
Xu also provided day-to-day funds, with about S$52,000 later seized from Yan during his arrest.
The men were also given S$2,000 monthly salaries to maintain their cover as legitimate employees.
Initially, Xu sought unfair advantages in online gambling operations by obtaining personal data from users of rival gambling sites.
Later, his focus shifted to infiltrating SMS service companies, particularly Chinese firm Yi Mei, which serviced major gambling operators.
Xu aimed to hijack two-factor authentication systems and gain control of user data.
Roles and Methods
The trio divided their work according to their areas of expertise. Yan focused on Linux-based systems, while Huang was responsible for web systems.
Liu, on the other hand, specialised in targeting Windows-based systems.
They gathered information on domain names, scanned for vulnerabilities using open-source tools, and categorised weaknesses by severity and usefulness.
Exploitation involved direct data extraction or the deployment of RATs.
In one case, a file on Huang’s computer contained names, addresses, and billing information from a Philippine regional power company.
The trio also retrieved traffic data from Yi Mei, revealing the volume of SMS messages it transmitted.
They sourced malware online and communicated with other hackers to acquire zero-day vulnerabilities—unknown flaws exploitable before software vendors could issue fixes.
The men also worked with another hacker known as Sun Jiao, who was operating independently in Singapore, and an unnamed developer who was building custom web-based software for their operations.
The project was incomplete at the time of their arrest.
Arrest and Seizures
Singapore police raided the Mount Sinai bungalow on 9 September 2024, arresting all three men.
Xu, however, had left Singapore in August 2023, shortly before the billion-dollar money laundering arrests on 15 August that year. His whereabouts remain unknown.
During the raid, authorities seized RAT source codes, open-source tools such as Metasploit and Silver, server credentials containing PlugX malware, and other hacking utilities.
Despite the presence of PlugX, the men denied links to any state-sponsored groups. Prosecutors confirmed that none were legitimate cybersecurity researchers.
They also lied to the Ministry of Manpower about their supposed employment, falsely claiming they had worked in their declared roles.
Prosecutors: Reputational Damage to Singapore
Deputy Public Prosecutor Hon Yi sought sentences of up to 38 months, noting that even though the group did not target Singapore, their actions caused “reputational damage” to the country.
“This is not just among the general global public, but also on a government-to-government basis,” said Hon, citing the discovery of foreign government data on their devices.
He added that the trio were “foot soldiers” but also the “main engine” of Xu’s cybercrime operation, noting the sophistication and funding behind their work.
Even if they were unsuccessful in achieving their objectives, what they did was neither simple nor something a layperson could do, said Hon.
He explained that hacking is an activity where a lack of success does not equate to a lack of effort, and where even a negative result remains a result.
Defence: “Epic Failures”
Defence lawyer Lee Teck Leng argued that his clients, Huang and Liu, did not enter Singapore intending to commit crimes.
While Yan had some IT background, the others were “not techies in that sense”, he said.
He described the trio as “epic failures” who failed to achieve their objectives, insisting they only attempted to hack without success.
The judge and prosecutors questioned whether attempting to probe sites already constituted hacking.
Lee replied, “To me, hacking is when you knock on the door, manage to go in, and see what’s inside.”
Yan’s lawyer, Kelvin Ong, agreed, saying, “They were basically epic failures who did not meet their key performance indicators.”