Integrity Technology Group
Organisation · CN

Beijing cybersecurity firm sanctioned by OFAC; named as operator of Raptor Train botnet for Flax Typhoon.

Last refreshed: 30 April 2026 · Appears in 1 active topic

Key Question

How many other Beijing tech firms operate as covert state cyber proxies behind a commercial facade?

Timeline for Integrity Technology Group

#223 Apr

Operated Raptor Train 200,000-device botnet and KV Botnet used by Volt Typhoon

Cybersecurity: Threats and Defences: Sixteen agencies put IOC extinction in print
Common Questions
Why was Integrity Technology Group sanctioned by the US?
OFAC sanctioned Integrity Technology Group in December 2025 because the FBI assessed it as responsible for creating and operating the cyber infrastructure used by Flax Typhoon, a China-state espionage actor. The company managed the Raptor Train botnet, which compromised over 200,000 devices globally. The April 2026 16-agency advisory added that it also controlled the KV Botnet used by Volt Typhoon. Source: OFAC / NCSC 16-agency advisory
What did Integrity Technology Group actually do for Chinese intelligence?
It built and managed two large botnets used by PRC-linked threat actors: Raptor Train (200,000+ compromised SOHO routers, cameras, and NAS devices, used by Flax Typhoon) and KV Botnet (Cisco and Netgear routers, used by Volt Typhoon). These botnets served as covert relay networks that masked the origin of Chinese state intrusion operations targeting Western critical infrastructure. Source: FBI / 16-agency advisory
Is Integrity Technology Group a government company or private?
Integrity Technology Group is nominally a private Beijing-based cybersecurity company. However, the FBI assessed it as directly responsible for Flax Typhoon's intrusion activities, and the 16-agency advisory characterises it as the operational layer between PRC state direction and the botnet infrastructure. OFAC's sanctions treat it as effectively acting on behalf of the Chinese state. Source: FBI / NCSC

Background

Integrity Technology Group is a Beijing-based information security company formally identified by the FBI as the entity responsible for creating and operating the infrastructure used by Flax Typhoon to conduct its global cyber espionage campaigns. The company was sanctioned by the US Office of Foreign Assets Control (OFAC) in December 2025 under executive authorities targeting China-linked cyber actors. The December sanctions were based on its role managing covert cyber infrastructure; they did not publicly name Raptor Train at that stage.

The 16-agency joint advisory of 23 April 2026 went further, publicly naming Integrity Technology Group as the controller of the Raptor Train botnet, which infected 200,000+ devices in 2024, and connecting it to the KV Botnet used by Volt Typhoon. This made Integrity Technology Group the first Chinese company to be publicly named by a 16-nation coalition as both the corporate infrastructure provider and the operational manager of a state-directed botnet campaign. The advisory characterised the company as the organisational layer between PRC state direction and the technical botnet operation, effectively functioning as a contracted cyber-proxy.

For the private-sector cybersecurity industry, Integrity Technology Group is significant as a concrete example of how PRC-linked threat actors use nominally commercial companies to build and maintain covert infrastructure, creating plausible distance from direct state attribution. OFAC's sanctions mean Western firms and individuals are prohibited from transacting with the company, and financial institutions are required to block its assets.
