cross-posted from: https://scribe.disroot.org/post/8624156
Shortly after the International Consortium of Investigative Journalists (ICIJ) published ‘China Targets’, a series of articles illustrating how the Chinese Communist Party abuses international institutions to terrorize its critics and extend its repressive tactics worldwide, a slew of fake ICIJ reporters approached journalists, Taiwanese officials, and human rights advocates seeking sensitive data.
Together with Canada’s Citizen Lab, ICIJ investigated Beijing’s move in detail.
There are two separate actors aligned with the People’s Republic of China:
In Part I, the report discusses the operators tracked as GLITTER CARP, who both targeted and impersonated various ICIJ members.
In Part II, it discusses the operators tracked as SEQUIN CARP, whose primary observed target was ICIJ journalist Scilla Alecci and other international journalists writing about topics of critical interest to the Chinese government.
The dual targeting of the ICIJ—with distinct approaches and tactics—gives insight into the Chinese government’s practice of digital transnational repression (DTR) and its shift to a Military-Civil Fusion system of state-sponsored attacks carried out by private contractors.
Key findings:
GLITTER CARP
- Since April 2025, we have observed a wide-ranging campaign of phishing emails and digital impersonation targeting Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists reporting on issues related to these groups.
- The actor employs well-thought-out digital impersonation schemes in phishing emails, including impersonation of known individuals and tech company security alerts.
- Although the targeted groups vary, this activity employs the same infrastructure and tactics across all cases, frequently reusing the same domains and same impersonated individuals across multiple targets.
- This infrastructure and activity have also been documented by the cybersecurity company Proofpoint, which observed targeting of other entities aligned with the interests of the Chinese government.
- We assess that the group behind this activity likely focuses exclusively on initial access to email-based accounts. This tactic may indicate a specific contract within China’s Military-Civil Fusion system that leverages civilian contractors, with other groups perpetuating DTR such as targeted surveillance, device compromise, and coordinated harassment campaigns.
SEQUIN CARP
- Since June 2025, we have observed a phishing campaign targeting journalists who report on the transnational repression practices of the Chinese Communist Party (CCP), particularly those involved in ICIJ’s “China Targets” investigation.
- This phishing campaign leverages co-opted narratives and well-developed personas designed to capture the interest of journalists working on China-related topics; however, the actors frequently make operational mistakes.
- The attackers attempt to gain persistent access to email accounts by socially engineering the target into granting access to a third-party OAuth token, abusing legitimate system functionality for malicious purposes.
- This campaign is consistent with a broader, systematic effort by the Chinese government to surveil and intimidate overseas diaspora communities and journalists who seek to raise awareness of and bring transparency to the Chinese state’s repressive practices.
…


