Chinese state-sponsored actors have launched a sophisticated cyber espionage campaign targeting the International Consortium of Investigative Journalists (ICIJ) and its global network of reporters and sources. The operation involves the use of impersonation and phishing tactics to steal private information from journalists and activists, particularly those documenting the Chinese government’s activities overseas.
An investigation by the ICIJ, conducted with cybersecurity analysts from the University of Toronto’s Citizen Lab, revealed that the campaign follows the April 2025 publication of China Targets, an exposé that detailed Beijing’s efforts to intimidate and coerce critics of the regime abroad.
The campaign has targeted individuals across Asia, Europe, and the United States, including members of the Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora communities, as well as reporters who cover these groups.
Impersonation Tactics and Target Identification
In May 2025, Kuochun Hung, the chief operating officer of the Taiwanese media outlet Watchout, was approached via email by an individual posing as Yi-Shan Chen, the editor-in-chief of CommonWealth magazine and a member of the ICIJ network. The imposter claimed to be working for the ICIJ and requested an interview regarding the Taiwanese government and pending impeachment proceedings against the president.
Hung, whose organization monitors information manipulation, identified several red flags in the communication. He noted that the questions were too entry-level for a senior journalist and observed that the sender used an English spelling of Chen’s name rather than the original Chinese. The email address did not use the official ICIJ domain.
The interaction continued on the messaging app LINE, where the imposter provided a link to a fraudulent website designed to look like an ICIJ landing page. The fake journalist also sent a link purportedly containing a list of questions, accompanied by a warning that information security is truly very important—a comment Hung found superfluous for a professional journalist.
Hung declined to click the links, later stating that he suspected the interlocutor was a Chinese spy. “They are spies with cyber capabilities,” Hung said. “Their goal is political.”
The real Yi-Shan Chen confirmed the impersonation and reported the attempt to Taiwanese authorities, noting the irony that actors were using the credibility of investigative reporters to gather intelligence.
Technical Findings and AI Automation
Citizen Lab analysts identified more than 100 domains used to target at least a dozen individuals. The primary goal of these domains was to steal credentials, which analysts believe enables further surveillance, device compromise, and coordinated harassment.
Rebekah Brown, who led the Citizen Lab investigation and previously served as a network warfare analyst for the U.S. Government, stated that the attacks suggest Chinese government-linked threat actors sought to identify who the ICIJ was communicating with following the China Targets report.
“We suspect that there was some sort of directive [saying] that it’s very important to know, especially after the China Targets report, who’s talking to you, what are you working on now? How can they intervene? How can they stop this narrative from growing?”
Rebekah Brown, Citizen Lab
The analysts found evidence that the attackers used artificial intelligence to automate the identification of targets and the generation of messages. Brown suggested that the limitations in the attacks indicate the perpetrators may be private contractors within China’s commercial hacking industry working for a government agency.
The tactics mirror spear phishing campaigns previously attributed to Chinese state-sponsored actors. According to the Citizen Lab report, such credential theft allows attackers to gain insight into topics of state interest or spread disinformation via compromised accounts.
Digital Transnational Repression
These activities are part of a broader trend described as digital transnational repression—the use of online technology for surveillance, threats, and targeted intimidation. A study by the European Parliament identified this as a common tool for autocratic regimes, including Russia and China.
In a separate instance, Jiang Shengda, a Paris-based activist and artist, reported an increase in cyberattacks against his email account after the ICIJ exposed intimidation tactics used by Chinese officials against his family in Beijing. Jiang reported receiving two to four phishing emails daily from accounts mimicking postal services or supermarket chains.
Emile Dirks, a researcher of Chinese surveillance, noted that even unsuccessful attacks create a chilling effect, signaling to diaspora communities and human rights organizations that they are being monitored by Beijing.
A spokesperson for the Chinese Embassy in Washington, D.C., denied the allegations, stating that China opposes all forms of cyberattacks and that the concept of transnational repression is a completely fabricated narrative maliciously concocted by certain countries and organizations in an attempt to smear China.
The ICIJ has advised that official staff email addresses use the domain icij.org. Individuals who believe they have been approached by an impersonator are urged not to engage and to notify the organization at contact@icij.org.