TAIPEI (Taiwan News) — Two alleged Taiwanese clients of a Chinese ransomware group behind attacks on the Mackay Memorial Hospital and other targets in Taiwan have been arrested and released on bail.
According to the Ministry of Justice Investigation Bureau, between February and March, the group CrazyHunter used ransomware to attack hospitals, publicly listed companies, and academic institutions, per CNA. Victims who refused to pay ransoms informed the bureau’s Taipei field office.
Investigators said the targets included the Mackay Memorial Hospital, Changhua Christian Hospital, and the listed firm Keding Enterprises, with at least four organizations filing complaints. Analysis of IP addresses and ransomware samples led to the discovery that CrazyHunter sold stolen information to data trafficking groups in China and Taiwan.
The hacker group included a Chinese man surnamed Lo (羅), who has been placed on the wanted list, and another man surnamed Hsu (徐). Data trafficking group members known to be involved include a Chinese man surnamed Chao (趙), as well as two Taiwanese men surnamed Liu (劉) and Cheng (鄭).
From May to August, the bureau conducted three search operations. Investigators questioned Cheng, while Liu, who fled overseas after the crimes, was arrested upon returning to Taiwan.
Computers seized from the suspects showed that Liu and Cheng had been trading personal data both domestically and abroad for a long time. Evidence included tens of thousands of personal records and records of cryptocurrency transactions with the CrazyHunter hacking group.
After questioning, prosecutors released Liu and Cheng on bail of NT$30,000 (US$915) each, imposing travel restrictions. Meanwhile, suspects Lo, Hsu, and Chao remain under investigation by prosecutors.
The bureau urged public and private institutions to strengthen cybersecurity training and establish joint defense systems. In the event of a cyberattack, it advised disconnecting networks, changing passwords, checking compromised devices, preserving digital evidence, and reporting the cyberattack.






