China-Linked Hackers Orchestrate Phishing Campaigns Targeting Journalists and Activists Using Over 100 Malicious Domains
Freelance hackers connected to the Chinese government have executed extensive phishing campaigns, utilizing more than 100 malicious domains to target journalists and opposition activists over a nine-month span. This troubling trend, uncovered through recent research, highlights the increasing sophistication and reach of cyber operations aimed at suppressing dissent and undermining civil society.
The investigation, conducted in collaboration with the International Consortium of Investigative Journalists (ICIJ), identified numerous journalists and activists from the diaspora communities of Tibet, Taiwan, Hong Kong, and the Uyghur region as primary targets. The findings suggest that the main objective of these campaigns was to steal credentials, potentially enabling further operations aligned with the interests of the Chinese government.
Origins of the Investigation
The inquiry commenced in April 2025 when Uyghur Canadian activist Mehmet Tohti reported suspicious communications to the Citizen Lab, a digital forensic research institute. Tohti received a WhatsApp message that appeared to be from a prominent Uyghur filmmaker, requesting his personal email address to send a preview of a documentary. After clicking a link in a follow-up email, he was directed to a webpage soliciting his Google credentials, which he wisely chose not to provide.
Following this, Tohti received an email that mimicked a Google security alert, entirely written in Chinese, notifying him of a suspicious login attempt. This prompted him to contact the Citizen Lab, leading to the discovery of two distinct phishing and digital impersonation campaigns likely orchestrated by state-linked hackers.
Campaigns Identified: GLITTER CARP and SEQUIN CARP
The Citizen Lab identified the first campaign targeting journalists and activists as GLITTER CARP. This initiative involved hackers who not only targeted but also impersonated members of the ICIJ. The second campaign, named SEQUIN CARP, primarily focused on ICIJ journalist Scilla Alecci and other reporters covering topics of interest to the Chinese government.
The tactics employed in these campaigns reveal a disturbing trend in digital transnational repression. The use of independent contractors allows the Chinese government to conduct these operations at a significantly reduced cost while providing a layer of plausible deniability. The report emphasizes the substantial implications of this industrialized model for communities vulnerable to such repression, as it lowers the cost of targeting overseas diaspora populations.
Distinct Tactics and Operational Approaches
While both campaigns share similarities, they exhibit notable differences in their operational tactics. GLITTER CARP is characterized by relentless and broad phishing attacks, often targeting individuals with only peripheral connections to the intended groups. This approach reflects an actor with substantial resources, seemingly unfazed by the risks of detection, and prioritizing impact over concealment.
In contrast, SEQUIN CARP employs sophisticated social engineering techniques, often masquerading as real individuals to deceive journalists. However, this group has shown a lack of operational finesse, struggling to adapt when initial phishing attempts encounter obstacles.
Evidence from cybersecurity firm Proofpoint corroborates the findings regarding GLITTER CARP, revealing that this group has also targeted the Taiwanese semiconductor industry, indicating a broader agenda beyond mere political repression.
The Personal Impact on Activists
Tohti has been on Beijing’s radar for some time, frequently receiving threatening phone calls from authorities due to his role as executive director of the Uyghur Rights Advocacy Project. He has also reported instances of suspected physical surveillance to Canadian authorities. Despite his vigilance, Tohti acknowledged that he was initially deceived by the campaign’s sophisticated social engineering tactics.
Now, he conducts monthly checks on all his devices for signs of intrusion. The attack has not only compelled him to replace his devices but has also instilled fear among other advocates, causing them to withdraw from collaborating with his organization. This atmosphere of fear undermines communication safety and erodes trust and credibility within the activist community.
Tohti articulated the broader implications of such cyber operations, stating that automatic censorship and fear accompany these tactics, which severely undermine communication safety and trust within both individuals and organizations.
As reported by cyberwarriorsmiddleeast.com, the emergence of these phishing campaigns illustrates a concerning trend in the realm of cybersecurity, particularly regarding the targeting of journalists and activists. The tactics employed by China-linked hackers reflect a calculated approach to digital repression, leveraging low-cost independent contractors to achieve their objectives.
Explore the latest digital editions of FAME Delivered in the Magazine section: https://famedelivered.com/magazine/
Published on 2026-04-29 16:07:00 • By FAME Delivered News Desk
