By Jin Yan, Vision Times
On April 30, the International Consortium of Investigative Journalists (ICIJ) released a new report detailing a sweeping digital retaliation campaign believed to be linked to Beijing. The operation, uncovered one year after ICIJ’s China Targets investigation, involved cyber actors impersonating journalists and whistleblowers to infiltrate networks, steal sensitive data, and intimidate critics abroad.
The campaign targeted ICIJ-affiliated reporters, Taiwanese political figures, and diaspora communities including Muslim Uyghurs, Tibetans, and Hong Kong activists. Researchers say the effort represents a significant evolution in China’s use of digital tools for transnational repression.
RELATED: US State Department Report Warns Hong Kong Freedoms Are Being Systematically Eroded
A slew of attacks
The attacks appear to be a direct response to ICIJ’s 2025 China Targets investigation, which was conducted in collaboration with 42 media outlets. That report exposed how Chinese authorities pressure dissenters overseas through tactics such as Interpol red notices, harassment of family members, and cyberattacks. Shortly after publication, ICIJ itself became a target.
Success
You are now signed up for our newsletter
Success
Check your email to complete sign up
A joint investigation by ICIJ and Citizen Lab found that attackers impersonated journalists using email, LINE messaging, and cloned websites. Victims received professional-looking interview requests containing malicious links designed to harvest credentials or install surveillance tools.
Citizen Lab researchers described the operation as a “broad campaign” aimed at extracting private information from individuals and organizations of interest to the Chinese government.
Taiwan as a key target
Taiwan emerged as a primary focus of the operation, with multiple incidents involving journalists, politicians, and civil society groups. In one case, attackers impersonated Yi-Shan Chen, editor-in-chief of Taiwan’s CommonWealth Magazine,” the ICIJ reported. Kuochun Hung, COO of Watchout, a Taiwanese civic media outlet, received messages from someone claiming to be Chen, requesting interviews on sensitive political topics.
RELATED: Canadian Parliament Hearing Spotlights Beijing’s Transnational Repression Tactics
The impersonator sent links to fake ICIJ webpages and even warned Hung to “pay attention to information security.” Hung declined to click the links. The attacker later asked about Taiwanese religious organizations and U.S. national security strategy.
In a particularly unusual attempt, the impersonator offered to send a “brand-new Samsung smartphone,” arranging pickup at a Taipei convenience store. The delivery never materialized due to store policy restrictions. “They are spies with cyber capabilities,” Hung told ICIJ.
Investigators noted that messages were sent during typical working hours in China or Taiwan, suggesting the operators’ likely location. At least five Taiwanese individuals, including a city councilor and a legislative aide, reported similar contact attempts. Chen later reported the impersonation to authorities, warning that attackers were exploiting the credibility of investigative journalists to gather intelligence.
Fake whistleblowers
Beyond impersonating reporters, attackers also posed as insiders. In June 2025, an ICIJ journalist received emails from a supposed whistleblower named “Bai Bin,” who claimed to be a former judicial assistant in Beijing. He alleged possession of documents detailing a $10 million corruption case involving China’s top anti-graft body.
The message was written in polished English and referenced previous ICIJ reporting to enhance credibility. Notably, the email originated from the account of a former U.S. diplomat specializing in China and Taiwan affairs. The journalist did not click the attachment but exchanged multiple emails with the sender, who eventually showed signs of frustration.
Citizen Lab identified this tactic as OAuth phishing: Tricking victims into granting access to malicious apps via legitimate-looking Microsoft or Google login pages. Once access is granted, attackers can read emails, send messages, and potentially take control of accounts.
Researchers found over 100 domains used in credential-harvesting campaigns targeting at least a dozen individuals. Some messages included traces such as “source=chatgpt.com,” suggesting the possible use of AI tools to scale operations.
Persistent harassment of dissidents
The campaign extended beyond journalists to target overseas dissidents. Paris-based artist and activist Jiang Shengda reported receiving two to four phishing emails daily after ICIJ revealed threats against his family in China. The messages, which were disguised as supermarket or postal service notifications, aimed to compromise his accounts or deliver malware. Jiang has since worked with European authorities and helped other activists improve their cybersecurity defenses.
Researchers say attackers also impersonated filmmakers and European Parliament members, sending fake security alerts to lure victims into phishing traps.
Experts believe the campaign is likely state-directed but carried out by private contractors within China’s commercial hacking ecosystem. These groups specialize in “stolen narratives,” leveraging real identities and events to quickly build trust. Common tactics include:
- Cloned ICIJ login pages
- Personalized phishing via email and messaging apps
- OAuth-based credential theft
- Physical lures such as device delivery
- AI-assisted content generation
Citizen Lab noted similarities between this campaign and previous cyberattacks targeting Taiwan’s semiconductor sector, suggesting an increasingly systematized approach to digital espionage.
A warning for press freedom
Scilla Alecci, who leads ICIJ’s China Targets project, said the timing of the attacks strongly suggests retaliation for the 2025 investigation. The incident highlights growing risks for investigative journalists reporting on authoritarian regimes—not only from legal or physical threats, but from sophisticated digital infiltration.
Fake journalists, experts warn, erode trust and may deter potential sources from coming forward. For Taiwan, the implications are particularly serious, posing risks to democratic institutions and civil society. Authorities have increased monitoring and defensive measures in response.
To protect themselves, Citizen Lab recommends that journalists and activists adopt multi-factor authentication, avoid suspicious links, use encrypted communication tools, and remain cautious of unsolicited “gifts” or exclusive tips. The operation marks a continuation, and escalation, of China’s global efforts to suppress dissent. While earlier tactics focused on physical intimidation and surveillance, the shift toward digital methods reflects a more covert and scalable strategy.
Experts warn that AI-assisted campaigns could further reduce costs and expand reach, making such operations a standard tool for authoritarian regimes. Despite the risks, ICIJ says it will continue its investigations and share defensive strategies with partners worldwide. “The responsibility to expose the truth outweighs intimidation,” the organization stated.
