Chinese phishing targets investigating journalists, ICIJ reports
One year after its "China Targets" report on Beijing's repression of dissidents abroad, the international consortium behind major probes like the Panama Papers is reporting suspicious attempts to access emails and sensitive data. According to researchers at the University of Toronto's Citizen Lab, private contractors are behind the operations of China's growing government-sponsored commercial hacking industry.
Milan (AsiaNews/Agencies) – In May 2025, Kuochun Hung, editor-in-chief of Taiwanese media outlet Watchout, received a suspicious email from a person claiming to be Yi-Shan Chen, a respected local journalist.
The message suggested a link to the International Consortium of Investigative Journalists (ICIJ), an independent global network of journalists who have worked on high-profile investigations in recent years, such as the Panama Papers.
Hung immediately noticed inconsistencies: the interview questions on Taiwanese politics were too superficial for a seasoned journalist, the name was in English rather than Chinese, and the email address wasn't in the official ICIJ domain.
Suspicious, Hung began interacting with the alleged journalist via LINE, a messaging app.
The person used Chen's name and photo and claimed that an American journalist would be conducting the interview in Taipei, even providing a link to a website imitating the ICIJ's.
Hung recognised it as a fake. When sent a further link with questions and cybersecurity recommendations, he chose not to click on it, and the contact eventually stopped responding. The real Yi-Shan Chen confirmed his fears and reported the case to Taiwanese authorities.
The ICIJ recently published an article revealing that, with the support of the University of Toronto's Citizen Lab, it discovered that this was not an isolated incident, but rather part of a broader and more sophisticated campaign against the organisation and its collaborators, launched immediately after the publication of the China Targets investigation.
Released just a few weeks ago, that investigation shed light on Beijing's strategies to intimidate and control the voices of dissidents abroad. The investigation was based on more than a hundred interviews with anonymous participants in 23 different countries.
According to the Citizen Lab report, attacks like the one against Hung are part of a vast operation aimed at obtaining sensitive information from individuals and groups deemed relevant to the Chinese government, including Uyghur, Tibetan, Taiwanese, and Hong Kong activists, as well as journalists.
Analysts identified over 100 fraudulent domains used to steal credentials and facilitate surveillance and harassment. While it's impossible to definitively attribute the orders to a specific agency, experts believe the involvement of Chinese authorities is highly likely.
The attacks included impersonating ICIJ journalists to contact officials and activists, as well as sending emails from fake informants. In one case, a supposed former Chinese judicial assistant offered documents on a corruption case, but the message had suspicious features, such as an artificial style and a likely malicious link. The goal was to trick the victim into providing login credentials through phishing techniques.
Experts believe the attackers used automated tools, likely AI-based, to create credible identities and send messages on a large scale, though they also made mistakes that betrayed their origin. Some evidence also suggests the use of services like ChatGPT to gather information on targets.
Researchers believe these operations may be conducted by private contractors in China's growing commercial hacking industry, acting on behalf of the government. The techniques used, such as “OAuth phishing”, allow attackers to gain access to emails and sensitive data.
These campaigns are part of a broader phenomenon called “digital transnational repression”, the use of online technologies to intimidate, monitor, and control dissidents abroad.
Studies indicate that authoritarian regimes, including China and Russia, make extensive use of these tools. Interviews conducted by the ICIJ show that approximately half of those targeted have suffered cyberattacks or smear campaigns.
One example is that of Paris-based activist Jiang Shengda, who reported the pressure his family faced in China and experienced a significant increase in phishing attempts. He now receives fraudulent emails daily and helps other dissidents protect themselves.
Even when the attacks are unsuccessful, they produce a “chilling effect”, discouraging activism and investigative journalism. However, researchers are continuing to gather evidence to better understand these operations and strengthen defences, with the goal of informing the public and holding the governments involved accountable.
