China and Iran Were Using the Same Server and Didn’t Know It — FBI and Treasury Found Both.

In a dramatic and unforeseen twist, the FBI and U.S. Treasury Department uncovered that two of the world’s most powerful adversaries, China and Iran, were inadvertently sharing a critical piece of infrastructure for their separate cyber operations. This revelation came after a year-long investigation that linked a seemingly innocuous hosting facility in Singapore to multiple cyber intrusions. What they uncovered not only exposed the coordination gaps between these two state actors but also revealed a complex web of sanctions evasion, espionage, and technical infrastructure manipulation.

The investigation began when a defense contractor, responsible for a classified avionics program, flagged an unusual data breach. For weeks, a skilled and methodical intruder had been accessing highly sensitive files related to guidance integration, signal processing architecture, and interference suppression methodology. The breach was traced through an intricate path that began within the contractor’s network and stretched across various compromised commercial servers in the U.S. and Europe. Ultimately, the data was funneled through an unexpected relay hub—a cluster of servers in Singapore.

This wasn’t an ordinary hack. The breach was sophisticated and showed signs of being backed by a state-sponsored entity with knowledge of the contractor’s infrastructure. After weeks of technical analysis, it became evident that the servers in Singapore had been deliberately configured for this operation. What was initially suspected to be a singular Chinese operation soon revealed a darker, more complex story—one involving Iranian sanctions evasion.

As the FBI cyber division dug deeper into the infrastructure, they discovered that the servers being used for data exfiltration were also involved in an ongoing Iranian sanctions evasion operation. The Treasury Department’s Office of Foreign Assets Control (OFAC) had been tracking a financial network that funneled Iranian-origin funds through multiple international jurisdictions, ultimately paying for this same technical infrastructure.

The discovery of these two parallel operations using the same servers—one linked to Chinese cyber espionage, the other to Iranian financial transactions—was the breakthrough moment. Both operations had been unknowingly dependent on the same Singapore-based infrastructure, which was funded through two separate payment channels: one from Iranian-origin funds, and the other from Chinese state-linked financial networks.