The FBI said on Wednesday that it seized more than a dozen internet domains used by Chinese intelligence services to gain personal information in hopes of fooling, conscripting or blackmailing Americans with security clearances into divulging sensitive information.
“The fake consulting company domains seized by the FBI illustrate the lengths the Chinese government’s intelligence services will go to as they try to use AI-generated content to trick, recruit, or coerce current and former US security clearance holders into sharing sensitive information,” said Roman Rozhavsky, assistant director of the FBI’s Counterintelligence and Espionage Division, in a statement.
“The FBI and our partners have observed China’s intelligence services resort to using AI, professional networking sites, and online payment platforms to target Americans, and we have taken actions to defend the homeland and our national security.”
The seizures, announced on the same day that the US Treasury Department formally blacklisted China’s top hi-tech companies, underscore the uneasy nature of Washington-Beijing ties. Even as Chinese President Xi Jinping and US President Donald Trump touted bilateral ties after last month’s summit in Beijing, their respective government agencies have pursued policies that hamper, embarrass, or infuriate the other side.
“The allegation of so-called ‘Chinese espionage threat’ is entirely fabricated and constitutes malicious slander,” the Chinese embassy in Washington said. “We strongly condemn this.”
The Justice Department said on Wednesday that the 13 sites targeted Americans with claims of easy money, especially current and former officials holding security clearances to handle classified and sensitive US government information.
“Anyone approached online with offers of easy income for vague ‘consulting’ work should treat those overtures with extreme caution and remain vigilant for warning signs of malicious targeting,” said Assistant Attorney General for National Security John A. Eisenberg.
According to an affidavit filed to obtain warrants for the seizures, “conspirators” set up the sites beginning in November 2023 using the lure of generic consulting jobs suited to currently employed or ex-US government and military workers “to provide expertise to unspecified clients”.
Despite the FBI’s crowing, analysts said the seizures were “inconsequential”.
“These websites are AI-generated”, allowing China to generate tens of thousands of domains with little effort, said Nicholas Eftimiades, a former CIA officer and president of Shinobi Enterprises, a security consultancy. “The FBI will never be able to keep up with the MSS on this effort.”
Fake positions reportedly advertised on hiring platforms
The job ads were reportedly posted on various hiring platforms, such as Upwork, Expertia AI, Hubstaff Talent, Wellfound, and Post Job Free, using aliases, fake profiles, and the stolen identities of real people, often including AI-generated photographs.
Typical enticements and instructions reportedly included relatively large payments offered to write research reports on “topics of interest” to China; instructions to communicate using Telegram or other encrypted applications; pressure to provide “exclusive” or “insider” information; and funds, including cryptocurrency, transferred from overseas locations to US accounts.
The conspirators reportedly advertised such fake positions as “Senior Analyst” and “International Affairs Consultant”. The recruiters would then pressure candidates to share confidential information and reports from “insider” sources. Recruits were at times asked to sign confidentiality agreements to give the bogus consulting companies an “air of legitimacy”.
No conspirators were named, and given that many were presumably operating overseas, it was unclear whether they could be prosecuted.
On Wednesday, the 13 domains, which used names such as Rightinfo Consulting, GeoIndopacific, Global Peace Foundation, TruthInfo and Gulf Peace Foundation, either could not be accessed or displayed an FBI warning that the site had been seized as part of a coordinated law enforcement operation.
“For too long, the Chinese government has tried to exploit US government employees behind the cover of fake companies and phoney job postings,” said Daniel Wierzbicki, an FBI special agent with the agency’s Counterintelligence and Cyber Division. “Today, we shut them down ... The FBI will continue to use every tool available to protect Americans and our national security from this threat.”
Although China was seen as the pioneer, online recruiting is increasingly used by intelligence services worldwide, especially after the pandemic, because it is less expensive, enables the dissemination of tens of thousands of AI-generated attempts, and affords greater deniability than traditional face-to-face recruitment.
Western agencies, however, tend to do so more often in the open and under their own flag, in part because, at least inside China, the CIA is at a disadvantage relative to Beijing’s Ministry of State Security (MSS) operations in the US, analysts said.
“China has far greater control and surveillance of its internet,” said Eftimiades, author of Chinese Intelligence Operations. It’s “far easier to target overseas Chinese”.

The CIA, Britain’s MI6, and Israel’s Mossad all have verified, official corporate profiles on LinkedIn, Instagram, and X to attract linguists, analysts and technology officers, as well as public tutorials on how foreign citizens who want to defect or share secrets can safely reach out to them. This often includes instructions on using Telegram, the Dark Web, secure Tor browsers, and encrypted virtual private networks to make contact without their home governments finding out.
Beijing slammed the CIA’s “clumsy” effort riddled with “slanderous claims”.
A recent advisory released by the “Five Eyes” security services of the US, Britain, Australia, New Zealand, and Canada, titled Safeguarding our Secrets, detailed what it described as China’s “aggressive online” strategy to recruit spies.
As outlined, and in many ways echoing Wednesday’s FBI disclosure, Chinese military intelligence services will dangle attractive jobs claiming to be from countries other than China. Recruits who answer are reviewed, with those “that can provide China with a strategic and tactical advantage over the Five Eyes” selected, it said.
Chinese agents then allegedly cultivate long-term relationships, with a particular focus on those with top secret and other security clearances, military personnel, including those posted in the Indo-Pacific region, and those with “peripheral access” to government information, including academics, freelance writers and think tank employees.
Once identified, promising leads are reportedly turned over to recruiters, who conduct virtual interviews, mask their identities, and pose questions such as which unit, home base, or naval vessel a military candidate is attached to.
Candidates are then asked to write a trial report on topics such as China’s bilateral relations, an analysis of the Indo-Pacific region or international trade, before being told they will need to include more privileged information in the future.
“At some point in the recruitment process, intelligence officers typically move the conversation to a more ‘secure’ platform, such as encrypted messaging applications,” the advisory said. “Recruits receive anywhere from a few hundred to several thousand dollars per report, and may be offered more money in return for increasingly sensitive information.”
Payment is generally done through PayPal, Payoneer, Zelle, Skrill, Wise, Western Union, e-transfer or cryptocurrency, it added.
Eftimiades said a private US company was the first to get wind of China’s widespread use of job sites, and that Facebook and X have been taking down fake Chinese websites for years.
Beijing allegedly using fake domains for decade
Beijing has reportedly been using many of these tactics for close to a decade. In 2018, William Evanina, then director of the National Counterintelligence and Security Centre, claimed that Beijing had reached out to thousands of LinkedIn members in a bid to unearth US government and commercial secrets.
And in May 2019, former CIA officer Kevin Patrick Mallory was sentenced to 20 years in prison for conspiring to send national defence secrets to Chinese intelligence after responding two years earlier to a LinkedIn message from a Chinese operative posing as a think tank recruiter.
Even seemingly innocuous information, when combined with more sensitive intelligence, can help form a “comprehensive operational picture”, the Five Eyes alert said, warning that those who disclose classified information could lose their job, see their security clearance revoked or face prosecution for espionage.
A 2019 report in the Journal of Science Policy & Governance titled China’s Data Collection on US Citizens: Implications, Risks, and Solutions by researcher Ming Shin Chen suggested that the recruitment efforts were often more targeted than scattershot.
As outlined, Beijing collects information from breached online US government and US corporate employee databases, promising LinkedIn profiles, travel histories, medical records, and completed hacked SF-86 applications for secret and top secret clearance data.
This is then compiled into a master intelligence “jigsaw” database, a reference to pieces assembled into a fuller picture, to determine who might be desperate financially or otherwise, making them vulnerable to a recruitment pitch.
-- SOUTH CHINA MORNING POST
