Salt Typhoon
Web3 / compliance
Salt Typhoon is a Chinese state-sponsored advanced persistent threat (APT) group — tracked under that name by Microsoft and also referred to in industry reporting as GhostEmperor, FamousSparrow, and Earth Estries — assessed by US and allied intelligence agencies to operate on behalf of the People's Republic of China, most likely in support of its civilian intelligence service. Where the related actor Volt Typhoon focuses on pre-positioning inside critical-infrastructure control systems for potential future disruption, Salt Typhoon's mission is espionage: the long-term, covert collection of communications intelligence. The group is best known for an exceptionally deep and sustained intrusion campaign against global telecommunications carriers, disclosed publicly in 2024, in which it compromised the networks of multiple major US and international telecom providers and reportedly accessed lawful-intercept systems — the infrastructure that carriers use to service court-authorised wiretap requests — giving the actor visibility into call metadata, geolocation, and in some cases the communications of high-value targets.
Salt Typhoon's tradecraft combines exploitation of unpatched edge and network devices (routers, switches, and VPN/firewall appliances) with living-off-the-land techniques and bespoke implants such as the GhostEmperor/Demodex rootkit, allowing it to persist at the network core where traffic from millions of subscribers transits. Like other top-tier Chinese clusters, it relies on relay infrastructure — including Operational Relay Box (ORB) networks — to proxy command-and-control and obscure attribution. The depth of the telecom compromise prompted the US Cybersecurity and Infrastructure Security Agency (CISA) and Five Eyes partners to issue hardening guidance for communications providers and elevated Salt Typhoon to a marquee example of strategic cyber-espionage against Western infrastructure.
Example
In the 2024 telecom campaign, Salt Typhoon's access to carrier lawful-intercept and call-detail systems meant the actor could potentially identify which individuals were under surveillance by US authorities and harvest the communications of senior officials — a counterintelligence breach severe enough that US agencies publicly recommended encrypted messaging for sensitive communications while remediation was under way.
Why It Matters
Salt Typhoon's compromise of the telecommunications layer is directly relevant to crypto threat modelling because so much of the sector's security still depends on it. SMS-based one-time passwords and SIM-bound recovery flows are trivially defeated by an actor with carrier-level access, and metadata collection enables precise targeting of high-net-worth holders, exchange staff, and custodians for follow-on social engineering — the same human-layer exploitation that North Korean groups such as BlueNoroff use to reach hot-wallet signing infrastructure. Salt Typhoon is therefore a structural argument for phishing-resistant hardware authentication, the elimination of SMS-based account recovery, and out-of-band verification across digital-asset operations.
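To make the threat-model point above concrete, here is an added example (not Cointegrity's code, and not tied to any real carrier or exchange) that models an observer with carrier-level visibility of the SMS path. It contrasts a six-digit SMS one-time password, which that observer can read and use, with an origin-bound challenge-response login of the kind a phishing-resistant hardware authenticator provides, where the credential never transits the carrier and a recorded response neither replays nor validates for a look-alike origin. The HMAC over a shared secret is an assumption standing in for the public-key signature a real FIDO2/WebAuthn device would produce; the user names, phone number and origins are constructed.

```python
import hashlib
import hmac
import secrets


class CarrierChannel:
    """Constructed stand-in for a telecom carrier's SMS path. As the page
    describes, an actor with carrier-level access can read what transits here."""

    def __init__(self):
        self.observed = []

    def deliver_sms(self, phone, text):
        self.observed.append((phone, text))


class SmsOtpLogin:
    """Second factor delivered as a six-digit code over SMS."""

    def __init__(self, channel):
        self.channel = channel
        self.pending = {}

    def start(self, user, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.channel.deliver_sms(phone, f"Your login code is {code}")

    def finish(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class HardwareKey:
    """Toy authenticator: the credential never leaves the device and every
    response is bound to the origin the user is actually talking to.
    Assumption: HMAC over a shared secret stands in for a FIDO2 signature."""

    def __init__(self):
        self._credential = secrets.token_bytes(32)

    def enrol(self):
        return self._credential  # a real device would export only a public key

    def respond(self, challenge, origin):
        return hmac.new(self._credential, challenge + origin.encode(), hashlib.sha256).digest()


class ChallengeLogin:
    """Server side: a fresh random challenge per attempt, verified against this
    service's own origin, so a response captured elsewhere is useless here."""

    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}
        self.pending = {}

    def register(self, user, credential):
        self.credentials[user] = credential

    def start(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def finish(self, user, response):
        challenge = self.pending.pop(user, None)
        if challenge is None or user not in self.credentials:
            return False
        expected = hmac.new(self.credentials[user], challenge + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def sms_otp_survives_carrier_observer():
    """Returns False: the code is readable on the carrier path, so whoever
    observes the channel holds a valid second factor."""
    channel = CarrierChannel()
    login = SmsOtpLogin(channel)
    login.start("treasury-ops", "+15550100")  # constructed user and number
    _, text = channel.observed[-1]
    code_seen_on_channel = text.split()[-1]
    return not login.finish("treasury-ops", code_seen_on_channel)


def challenge_response_survives_carrier_observer():
    """Returns True: a recorded response neither replays (challenge consumed)
    nor validates when produced for a look-alike origin (origin is bound in)."""
    key = HardwareKey()
    exchange = ChallengeLogin("https://exchange.example")  # constructed origin
    exchange.register("treasury-ops", key.enrol())

    # Legitimate login; assume the observer records challenge and response in transit.
    challenge = exchange.start("treasury-ops")
    response = key.respond(challenge, "https://exchange.example")
    assert exchange.finish("treasury-ops", response)

    # Replaying the recorded response against a new login attempt fails.
    exchange.start("treasury-ops")
    replayed = exchange.finish("treasury-ops", response)

    # A response the device produced for a look-alike origin is rejected by the real service.
    challenge2 = exchange.start("treasury-ops")
    misbound = exchange.finish("treasury-ops", key.respond(challenge2, "https://exchange-example.com"))

    return not replayed and not misbound
```

The two top-level functions are the check a reviewer would want: the SMS flow fails against the carrier-level observer while the challenge-response flow holds, which is the page's argument for phishing-resistant hardware authentication and the removal of SMS-based recovery in digital-asset operations.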
Definition maintained by Cointegrity. See our editorial policy for review standards on regulatory and compliance terms.