China-Linked Hackers Spearhead Phishing Campaigns Targeting Journalists and Activists Across 100 Malicious Domains
Freelance hackers associated with the Chinese government ran extensive phishing campaigns that used over 100 malicious domains to target journalists and opposition activists over a nine-month period. The campaigns, revealed through recent research, underscore the growing sophistication and reach of cyber operations aimed at silencing dissent and undermining civil society.
The investigation, which involved collaboration with the International Consortium of Investigative Journalists (ICIJ), identified dozens of journalists and numerous activists from the diaspora communities of Tibet, Taiwan, Hong Kong, and the Uyghur region as primary targets. The findings indicate that the primary goal of these campaigns was to steal credentials, potentially facilitating further operations aligned with the interests of the Chinese government.
Origins of the Investigation
The inquiry began in April 2025 when Uyghur Canadian activist Mehmet Tohti reported suspicious communications to the Citizen Lab, a digital forensic research institute. Tohti received a WhatsApp message that appeared to be from a well-known Uyghur filmmaker, requesting his personal email address to send a preview of a documentary. Upon clicking a link in a follow-up email, he was directed to a webpage asking for his Google credentials, which he wisely refrained from providing.
Subsequently, Tohti received an email that mimicked a Google security alert, written entirely in Chinese, notifying him of a suspicious login attempt. This prompted him to reach out to the Citizen Lab, leading to the discovery of two distinct phishing and digital impersonation campaigns likely orchestrated by state-linked hackers.
Campaigns Identified: GLITTER CARP and SEQUIN CARP
The Citizen Lab identified the first campaign, which targeted journalists and activists, as GLITTER CARP. The hackers behind it not only targeted members of the ICIJ but also impersonated them. The second campaign, named SEQUIN CARP, primarily focused on ICIJ journalist Scilla Alecci and other reporters covering topics of interest to the Chinese government.
The tactics employed in these campaigns highlight a disturbing trend in digital transnational repression. The use of independent contractors allows the Chinese government to conduct these operations at a fraction of the cost, while also providing a layer of plausible deniability. The report emphasizes the significant implications of this industrialized model for communities vulnerable to such repression, as it lowers the cost of targeting overseas diaspora populations.
Distinct Tactics and Operational Approaches
While both campaigns share similarities, they exhibit notable differences in their operational tactics. GLITTER CARP is characterized by relentless and broad phishing attacks, often targeting individuals with only peripheral connections to the intended groups. This approach reflects an actor with substantial resources that is seemingly unfazed by the risk of detection and prioritizes impact over concealment.
In contrast, SEQUIN CARP employs sophisticated social engineering techniques, often masquerading as real individuals to deceive journalists. However, this group has demonstrated a lack of operational finesse, struggling to adapt when initial phishing attempts encounter obstacles.
Evidence from cybersecurity firm Proofpoint corroborates the findings regarding GLITTER CARP, revealing that this group has also targeted the Taiwanese semiconductor industry, indicating a broader agenda beyond just political repression.
The Personal Impact on Activists
Tohti has been on Beijing’s radar for some time, frequently receiving threatening phone calls from authorities due to his role as executive director of the Uyghur Rights Advocacy Project. He has also reported instances of suspected physical surveillance to Canadian authorities. Despite his vigilance, Tohti admitted that he was initially deceived by the campaign’s sophisticated social engineering tactics.
Now, he conducts monthly checks on all his devices for signs of intrusion. The attack has not only forced him to replace his devices but has also instilled fear among other advocates, causing them to withdraw from collaborating with his organization. This atmosphere of fear undermines communication safety and erodes trust and credibility within the activist community.
Tohti articulated the broader implications of such cyber operations, stating, “Automatic censorship and automatic fear comes with it, and for that reason, it really undermines our communications safety and our trust and credibility as a person, individual and organization.”
Conclusion
The emergence of these phishing campaigns illustrates a concerning trend in the realm of cybersecurity, particularly regarding the targeting of journalists and activists. The tactics employed by China-linked hackers reflect a calculated approach to digital repression, leveraging low-cost independent contractors to achieve their objectives. As the landscape of cyber threats continues to evolve, the implications for civil society and the safety of those advocating for human rights remain profound.
Source: therecord.media


