Three Chinese nationals who entered Singapore on fraudulent work permits have been sentenced to jail after being found operating a sophisticated hacking operation from a rented bungalow. Investigations revealed that the trio possessed sensitive data from foreign governments and were part of a larger cybercrime network funded through cryptocurrency.
A Fake Job Offer Turned Cybercrime Base
The convicts — Yan Peijian (39), Huang Qin Zheng (36) and Liu Yuqi (33) — hailed from China’s Henan province. They were lured to Singapore under the guise of employment by Xu Liangbiao, a Ni-Vanuatu citizen who arranged fake work permits through shell companies.
Yan was listed as a “sales representative,” while Huang and Liu were registered as “construction workers.”
Once in Singapore, they were housed in a bungalow in the Mount Sinai area, which became the command center for Xu’s illegal hacking operations. The trio never performed legitimate work for the companies that supposedly employed them.
Cyber Operations and a $3 Million Payout
Xu directed the men to hack into gambling websites and a Chinese SMS service provider, Yi Mei, which serviced two major gambling platforms. The aim was to steal personal data, bypass two-factor authentication systems, and redirect users to Xu’s own betting websites.
For their work, the hackers were reportedly paid US$3 million (S$3.9 million) in cryptocurrency — an amount later found transferred to Liu and divided among the group.
Police Raid Uncovers Malware Linked to Global Hacker Groups
On September 9, 2024, Singapore police raided the Mount Sinai residence. They discovered remote access trojans (RATs) and malware linked to PlugX and Shadow Brokers, a notorious hacker collective that had previously leaked cyber tools stolen from the U.S. National Security Agency (NSA).
The PlugX malware has been tied to state-sponsored advanced persistent threat (APT) groups. One of the exploits leaked by Shadow Brokers was later connected to the WannaCry ransomware attacks of 2017.
Investigators also found a confidential email between Kazakhstan’s Ministry of Foreign Affairs and its Ministry of Industry, along with discussions on vulnerabilities in Australian, Argentine, and Vietnamese government domains.
Court Sentences and Prosecutor’s Remarks
The court sentenced Yan and Huang to 28 months and one week, and Liu to 28 months and four weeks in prison.
Prosecutors argued that although Singapore was not their direct target, the reputational harm to the country was significant, as it became the base for their cyber operations.
Deputy Public Prosecutor Hon Yi told the court:
“Even if these individuals were merely foot soldiers, they possessed the technical expertise that powered Xu’s network. Their activities, conducted from Singapore, have tainted the nation’s image as a secure and trusted hub.”
He noted the well-funded nature of the operation — the hackers lived rent-free in luxury, received steady salaries, and were provided all necessary resources to carry out their attacks.
Defense: “Epic Failures at Hacking”
Defense lawyers contended that the men were not skilled hackers and that their attempts largely failed.
Attorney Lee Teck Leng argued:
“They were essentially amateurs — the three main hackers who couldn’t hack. Their efforts resulted in no tangible data breaches.”
However, the presiding judge disagreed, noting that the act of attempting to breach systems constitutes a cybercrime, regardless of success.
“Hacking,” she said, “is not defined by success but by the unlawful attempt itself.”
Xu’s Whereabouts Unknown
Police confirmed that Xu Liangbiao, the mastermind, fled Singapore in August 2023, just before the arrest of ten people in the country’s billion-dollar money laundering case. His current location remains unknown.
Authorities seized multiple devices, servers, and cryptocurrency wallets linked to the trio. The investigation also revealed their interaction with other hackers, including one known as Sun Jiao, who was allegedly developing custom hacking software for them.
A Warning for Singapore’s Cybersecurity Landscape
While the group avoided targeting local or government websites in Singapore, their actions underscore the transnational nature of modern cybercrime.
The case highlights how global hacking networks exploit digital infrastructure across borders — turning even high-security nations into unwitting bases for cyberattacks.