Volt Typhoon
Volt Typhoon is a Chinese state-sponsored advanced persistent threat (APT) group — tracked under that name by Microsoft and also referred to in industry reporting as Vanguard Panda, BRONZE SILHOUETTE, and Voltzite — assessed by the US government and Five Eyes intelligence partners to be operating on behalf of the People's Republic of China. The group is distinguished from financially motivated actors by its mission: rather than stealing data or money for immediate gain, Volt Typhoon conducts strategic pre-positioning, quietly establishing and maintaining persistent access inside the networks of critical-infrastructure operators so that the access can be exploited for disruptive or destructive effect during a future crisis or conflict. US officials have publicly characterised this as positioning to disrupt communications, energy, water, and transportation systems, and the activity prompted unusually direct public attribution and a coordinated international advisory in 2023–2024.
Volt Typhoon's tradecraft is defined by two hallmarks. First, 'living off the land' (LOTL): the group avoids custom malware wherever possible, instead abusing legitimate built-in system tools (PowerShell, WMI, netsh, ntdsutil) and valid stolen credentials so that its activity blends into normal administrative traffic and evades signature-based detection. Second, the use of an Operational Relay Box (ORB) network for covert command-and-control: Volt Typhoon built the so-called 'KV Botnet' from hundreds of compromised end-of-life small-office/home-office routers and other edge devices (Cisco, NETGEAR, Fortinet) to proxy its traffic, routing operations through devices geographically close to the targets so that intrusions appeared to originate from benign, in-region IP space rather than from abroad. This combination — no malware to find, and traffic that looks domestic and ordinary — makes the group exceptionally difficult to detect through conventional indicators of compromise and pushes defenders toward behavioural analytics and edge-device hardening.
Volt Typhoon is frequently discussed alongside Salt Typhoon, a separate but related Chinese state-sponsored actor responsible for deep intrusions into telecommunications carriers, and the two are often paired in policy discussion as evidence of a broad PRC campaign against Western critical infrastructure. The US Department of Justice obtained court authorisation to remotely disrupt the KV Botnet in January 2024, removing the malware from compromised US routers; the actor subsequently rebuilt relay capacity, demonstrating the resilience characteristic of ORB-based operations and the limits of one-off infrastructure takedowns.
Example
In May 2023 Microsoft and the Five Eyes agencies jointly disclosed that Volt Typhoon had gained and maintained covert access to critical-infrastructure organisations in the United States — including in Guam, a strategically significant location for Indo-Pacific military logistics — using compromised SOHO routers as relays and living-off-the-land techniques to persist undetected, in some cases for years, without deploying conventional malware.
Why It Matters
While Volt Typhoon is not primarily a cryptocurrency-theft actor, it is the canonical public case study in ORB-based relay infrastructure and edge-device compromise — the same techniques that financially motivated state groups such as Lazarus Group adapt for crypto operations. For CASPs, exchanges, and custodians, Volt Typhoon's playbook is instructive on three fronts: it demonstrates why IP-reputation and geofencing controls are insufficient against actors who relay through in-region residential infrastructure; it underscores the criticality of patching and replacing end-of-life edge devices that adversaries weaponise as relays; and it exemplifies the living-off-the-land tradecraft that security teams must detect behaviourally rather than by signature. Understanding Volt Typhoon is therefore foundational to reasoning about advanced relay-based threats to digital-asset infrastructure.
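The living-off-the-land paragraph above and the closing point about detecting that tradecraft behaviourally rather than by signature both describe the same defensive problem: the binaries involved (PowerShell, WMI, netsh, ntdsutil) are legitimate, so a detection has to reason about who ran them, from where, and with which arguments. The following is an added example written for this entry, not Cointegrity's code or any vendor's rule set. It scores a handful of constructed process-creation events (shaped like Sysmon Event ID 1 or EDR telemetry) against a hypothetical baseline; the account names, expected parent processes, command-line fragments, weights and alert threshold are all assumptions chosen for illustration and would be tuned to a real environment.

```python
"""Behavioural scoring of living-off-the-land (LOTL) tool use.

Added example for the Volt Typhoon glossary entry; not the page's own code.
Event shape, baseline accounts, parent processes, weights and threshold are
assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str      # endpoint that raised the process-creation event
    user: str      # DOMAIN\account that launched the process
    image: str     # executable file name
    parent: str    # parent process file name
    cmdline: str   # full command line


# Built-in tools the entry names as abused by the actor.
LOTL_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe"}

# Hypothetical baseline for one environment: accounts expected to run these
# tools, and parents that indicate a human operator at a console.
ADMIN_ACCOUNTS = {"corp\\it_admin", "corp\\svc_backup"}
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "mmc.exe"}

# Command-line fragments that raise the score when seen with a given tool.
SUSPICIOUS_ARGS = {
    "ntdsutil.exe": ["ifm", "ac i ntds"],      # AD database export
    "netsh.exe": ["portproxy"],                # host-level traffic relaying
    "wmic.exe": ["process call create"],       # remote process execution
    "powershell.exe": ["-encodedcommand", "-enc"],
}

ALERT_THRESHOLD = 6   # assumption: per host+user score that raises an alert


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons) for one event; 0 means nothing of interest."""
    image = ev.image.lower()
    if image not in LOTL_TOOLS:
        return 0, []
    score, reasons = 0, []
    if ev.user.lower() not in ADMIN_ACCOUNTS:
        score += 2
        reasons.append(f"{image} run by non-admin account {ev.user}")
    if ev.parent.lower() not in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"{image} launched from unusual parent {ev.parent}")
    cmd = ev.cmdline.lower()
    for frag in SUSPICIOUS_ARGS.get(image, []):
        if frag in cmd:
            score += 3
            reasons.append(f"{image} command line contains '{frag}'")
            break
    return score, reasons


def detect(events):
    """Aggregate scores per (host, user) and return those over the threshold.

    A bonus is added when several distinct LOTL tools are chained by the same
    principal on one host, which is the pattern a single-tool rule misses.
    """
    totals = defaultdict(int)
    reasons = defaultdict(list)
    tools = defaultdict(set)
    for ev in events:
        score, why = score_event(ev)
        if score == 0:
            continue
        key = (ev.host, ev.user.lower())
        totals[key] += score
        reasons[key].extend(why)
        tools[key].add(ev.image.lower())
    alerts = {}
    for key, total in totals.items():
        if len(tools[key]) >= 2:
            total += 2
            reasons[key].append(f"{len(tools[key])} distinct LOTL tools chained")
        if total >= ALERT_THRESHOLD:
            alerts[key] = (total, reasons[key])
    return alerts


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcEvent("ws-01", "CORP\\it_admin", "powershell.exe", "explorer.exe",
              "powershell.exe Get-Service"),
    ProcEvent("dc-01", "CORP\\svc_backup", "ntdsutil.exe", "cmd.exe",
              'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\backup" q q'),
    ProcEvent("dc-01", "CORP\\jdoe", "ntdsutil.exe", "wmiprvse.exe",
              'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\x" q q'),
    ProcEvent("dc-01", "CORP\\jdoe", "netsh.exe", "wmiprvse.exe",
              "netsh.exe interface portproxy add v4tov4"),
    ProcEvent("ws-02", "CORP\\it_admin", "netsh.exe", "cmd.exe",
              "netsh advfirewall show allprofiles"),
]

if __name__ == "__main__":
    for (host, user), (total, why) in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {user} score={total}")
        for line in why:
            print("  -", line)
```

Note how the backup account's scheduled ntdsutil export scores but stays under the threshold, while the same command from an ordinary user account, launched by a WMI provider host and followed by a netsh portproxy change, accumulates enough context to alert. None of the individual strings is a signature of malware; the alert comes from the combination of principal, parent process, arguments and tool chaining, which is the kind of behavioural reasoning the entry says LOTL tradecraft forces on defenders.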
Definition maintained by Cointegrity.