TL;DR: Internal documents, credentials, client records, router passwords, and employee data exposed in the VenusTech and Salt Typhoon leaks point to Chinese cyber mercenary activity and MSS-linked operations, according to Gurucul’s analysis of the datasets. The security lesson is that exposed operational data and compromised NHI secrets turn attribution, access control, and containment into one problem.
NHIMG editorial — based on content published by Gurucul: Unveiling China’s hidden cyber mercenary networks through VenusTech and Salt Typhoon breaches
By the numbers:
- Salt Typhoon broke into the computer systems of nine major U.S. phone companies in late 2024.
- The leaks from the newly created accounts “IronTooth” and “ChinaBob” were created in May 2025.
Questions worth separating out
Q: What should organisations do when router passwords or access credentials appear in leaked data?
A: Treat the leaked material as an active compromise path, not a publication event.
Q: Why do exposed infrastructure files create more risk than a simple data leak?
A: Because infrastructure files often contain both the secret and the scope of the access behind it.
Q: What do security teams get wrong about third-party access after a relationship ends?
A: They often remove the named user but leave behind inherited entitlements, shared secrets, or support pathways that still work.
Practitioner guidance
- Revoke exposed secrets immediately Search for router passwords, API keys, and internal credentials appearing in leaked datasets, then rotate or revoke them before validating whether they still work.
- Unify network and IAM inventories Bring router configurations, privileged accounts, and support access under the same inventory and review process used for other non-human identities.
- Review third-party offboarding paths Check whether vendor, contractor, and partner access still exists after business relationships change.
What's in the full article
Gurucul's full blog post covers the operational detail this post intentionally leaves for the source:
- Open-source translation detail from the VenusTech leak screenshots and account names
- The leaked sample structure, including CSV, XLSX, TXT, and PDF formats from the Salt Typhoon dataset
- Comment-thread activity showing how buyers discussed availability and pricing of the leaked material
- The specific references to router credentials, employee records, bank details, and internal communications
👉 Read Gurucul’s analysis of the VenusTech and Salt Typhoon data leaks →
VenusTech and Salt Typhoon leaks: what they reveal about cyber mercenaries?
Explore further
Leaked NHI material becomes an access primitive, not just evidence. Router passwords, internal credentials, and configuration files are operational secrets because they can be replayed against live systems. Once that material leaves the intended trust boundary, the question is no longer whether a breach occurred, but which identities still authenticate successfully. Practitioners should treat exposed credentials as active control failures, not archival disclosures.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37%.
A question worth separating out:
Q: How can teams reduce the impact of leaked NHI credentials?
A: Build a single review process for privileged access across routers, cloud services, and application credentials, then pair it with rapid revocation and leak monitoring. The goal is to make exposed secrets short-lived, visible, and tied to accountable owners before they can be replayed elsewhere.
👉 Read our full editorial: VenusTech and Salt Typhoon leaks expose hidden mercenary cyber networks