Transnational repression
Chinese spies are posing as recruiters to target officials and journalists
The U.S. and its Five Eyes partners warned that Chinese military intelligence services were behind “cover companies” using job platforms to pry sensitive information from foreigners.
The U.S. and its key intelligence partners say that China’s military intelligence services are using online job platforms and networking sites to lure foreigners who have access to sensitive information.
In a bulletin released this week, the so-called Five Eyes alliance warned that Chinese intelligence officers were posing as recruiters on LinkedIn and other sites to target government and military personnel as well as journalists and academics who could have access to classified or privileged information. The Five Eyes include domestic security agencies from the U.S., the U.K., Canada, Australia and New Zealand
The officers build relationships with job candidates and may offer targets money in exchange for reports on topics of interest to the Chinese government, including defense and trade, according to the bulletin. Their goal is to “ultimately seek to acquire privileged military, political and economic intelligence that can provide China with a strategic and tactical advantage over the Five Eyes,” the bulletin said.
The warning echoes the experience of reporters with the International Consortium of Investigative Journalists, who were recently approached by these purported recruiters. After ICIJ published China Targets, an investigation into China’s transnational repression, the targets began receiving suspicious emails and messages on LinkedIn.
Two separate consultancy agencies contacted reporters with offers to collaborate.
One “cooperation invitation letter” came from a Singapore-based firm claiming to offer risk assessment services to clients. The sender said his name was William Harrison and offered to pay $300 for “professional analytical and commentary articles,” plus “unlimited bonuses based on article quality and feedback from our clients.” Harrison did not specify the topic. When he later moved the conversation to WhatsApp, Harrison’s contact information displayed a Hong Kong phone number and a different, Chinese name.
ICIJ also received an email from a firm purportedly based in New York, interested in consulting about China’s repression campaign against the Uyghur minority in Xinjiang. “This is to support professionals in their research on China’s next-phase policies,” wrote a person who introduced himself as Gregory Thompson. In a subsequent WhatsApp message, Thompson said his company was “conducting an in-depth analysis for a client regarding Chinese transnational repression.”
Thompson later sent a link to a document on which the firm wanted “professional insights” to “flesh out some key areas.” The document was titled “The Extended Shadow: Inside Beijing’s Global Network of Transnational Repression.”
The link appeared to be similar to others previously sent by Chinese state-backed actors impersonating ICIJ journalists to activists and Taiwanese officials to steal sensitive information and access private files.
These cyber attacks were identified by ICIJ and Citizen Lab as part of a Chinese government-sponsored campaign targeting reporters who exposed Beijing’s repression tactics against dissidents overseas.
Citizen Lab, which specializes in investigating digital threats, analyzed suspicious emails sent to ICIJ reporters and other messages sent by ICIJ impersonators to targets in Asia, Europe and the United States. The attacks against the ICIJ network were part of “a wide-ranging campaign” to gather information from entities of interest to the Chinese government, according to Citizen Lab’s findings. Those targets included Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists from ICIJ and elsewhere who report on activities related to these groups.
A spokesperson for the Chinese Embassy in Washington, D.C., told ICIJ at the time that “China has always opposed and cracked down on any form of cyber attacks.”
‘The threat is real’
The recent bulletin by the five Western intelligence services titled “Safeguarding our Secrets” linked the “cover companies” to Chinese military intelligence services, describing them as a “threat.”
“Applicants beware!” the FBI posted on its social media page. “The threat is real.”
The companies, the bulletin said, pose as consulting firms and think tanks, have legitimate-looking websites and claim to be based in countries outside China. Fake recruiters then approach targets, request interviews, and ask candidates to write reports on a variety of topics, before moving the conversations to platforms they claim are more secure. In some cases, they will offer to pay hundreds or even thousands of dollars through third-party payment platforms or in cryptocurrency.
🚨 Applicants beware! China and other foreign governments are using professional networking and social media sites to target people with U.S government clearances.
The threat is real. Verify before you trust and learn more at https://t.co/l9M8TKbwI2. pic.twitter.com/EwElnAfZA5
— FBI (@FBI) June 3, 2026
Last year, an investigation by the Foundation for Defense of Democracies, a national security think tank in Washington, identified dozens of domains linked to consultancy firms like those described by the foreign intelligence services.
The agencies said targets may be coaxed into revealing compromising personal information or intelligence that could endanger people’s lives.
“Certain types of data can place the lives of frontline military or other personnel at risk, can weaken our economic prosperity, and enable interference in our democratic processes.”