
China-Linked Hackers Led Phishing Campaigns Targeting Journalists and Activists, Researchers Say
Why It Matters
The attacks demonstrate how China outsources cyber‑espionage to cheap freelancers, expanding its reach while preserving deniability, and they force media and civil‑society groups to reassess digital security practices.
Key Takeaways
- Freelance hackers used 100+ malicious domains in two phishing campaigns
- Campaigns GLITTER CARP and SEQUIN CARP targeted journalists, activists, and ICIJ members
- Operations illustrate China’s low‑cost, contractor‑based transnational repression model
- Victims reported credential theft attempts and increased self‑censorship
- Campaigns highlight need for heightened digital hygiene among diaspora groups
Pulse Analysis
Recent research by the Citizen Lab, in partnership with the ICIJ, uncovered two extensive phishing operations—codenamed GLITTER CARP and SEQUIN CARP—run by freelance hackers with ties to the Chinese government. Over a nine‑month window the actors registered more than 100 malicious domains, sending crafted emails to journalists, human‑rights advocates, and members of the Tibetan, Taiwanese, Hong Kong and Uyghur diaspora. The lures ranged from fake documentary previews to counterfeit Google security alerts, aiming to harvest login credentials that could enable further surveillance or sabotage. The operation also leveraged compromised social media accounts to amplify the phishing lure.
The campaigns reveal a growing industrial‑scale playbook where Beijing outsources cyber‑espionage to low‑cost independent contractors. By employing freelance actors, the Chinese state gains plausible deniability while dramatically lowering the price of targeting overseas communities. GLITTER CARP displayed broad, relentless phishing, even reaching peripheral contacts, suggesting ample resources and a willingness to accept detection risk. In contrast, SEQUIN CARP relied on sophisticated social‑engineering personas but faltered when faced with operational setbacks, underscoring the uneven maturity of these proxy groups. Such a model lowers entry barriers for other nation‑state actors seeking to replicate the approach.
For journalists and civil‑society actors, the findings signal an urgent need to harden digital defenses. Regular credential audits, multi‑factor authentication, and verification of unsolicited outreach can blunt many of the tactics observed. Governments and platform providers should also consider sharing threat intelligence on state‑linked phishing infrastructure to disrupt domain registration pipelines. As China continues to weaponize cheap cyber services, the broader security community must treat these proxy attacks as extensions of state policy rather than isolated criminal incidents. Organizations should conduct phishing simulations to keep staff alert to evolving deception techniques.