China-linked hackers led phishing campaigns targeting journalists and activists, researchers say
Freelance hackers linked to the Chinese government spearheaded two sprawling phishing campaigns that relied on more than 100 malicious domains to target journalists and opposition activists over a nine-month period, new research shows.
Dozens of journalists were targeted along with a large number of activists and other civil society members of the diaspora community from Tibet, Taiwan, Hong Kong and the Uyghur region of China, according to a report released Monday by the digital forensic research institute the Citizen Lab.
The investigation, conducted in partnership with the International Consortium of Investigative Journalists (ICIJ), found that the aim of the campaigns was to steal credentials and likely enable “follow-on operations in the interest of the Chinese government,” the report said.
The probe kicked off in April 2025, after Uyghur Canadian activist Mehmet Tohti reported suspicious outreach to the Citizen Lab.
Tohti received a WhatsApp message purporting to be from a prominent Uyghur filmmaker who asked if he would share his personal email address so that he could be sent a preview of a documentary film.
The activist clicked a link in the email and was taken to a webpage requesting his Google credentials. He did not supply them.
Later, he received an email impersonating a Google security alert telling him of a suspicious login. The email was written entirely in Chinese. At that point, Tohti contacted the Citizen Lab, whose researchers uncovered two separate phishing and digital impersonation campaigns that they said were likely led by hackers linked to the Chinese government.
Citizen Lab dubbed the first of two distinct campaigns targeting journalists and activists GLITTER CARP. The campaign involved hackers who both targeted and impersonated members of ICIJ.
The other campaign, SEQUIN CARP, primarily targeted the ICIJ journalist Scilla Alecci and other reporters who cover stories of interest to the Chinese government, the report said.
Low-cost targeting
The targeting of ICIJ members and activists by the freelance hackers is just the latest example of how China commissions independent contractors to lead digital transnational repression campaigns at a very low cost, according to the report.
“The implications of this industrialized model for communities vulnerable to digital transnational repression are significant,” the report said. “When offensive cyber capabilities can be procured at such low price points, the cost of targeting overseas diaspora communities drops substantially.”
The use of independent contractors also gives China a “layer of plausible deniability,” the report said.
Despite their many similarities, the two campaigns' tactics differ in significant ways.
GLITTER CARP conducts phishing attacks that are “relentless and broad in scope, sometimes selecting individuals with only peripheral ties to targeted groups,” the report said.
“This modus operandi reflects an actor with substantial resources, seemingly unconstrained by the fear of discovery or consequences, and with a clear prioritization of impact over concealment.”
Proofpoint has separately found evidence that the group behind GLITTER CARP has targeted the Taiwanese semiconductor industry.
SEQUIN CARP also uses phishing attacks, but primarily targets journalists using sophisticated personas pretending to be real people. The group behind SEQUIN CARP spends a great deal of time on social engineering, but uses shoddy operational tactics and showed an “inability to pivot to different attack vectors when initial attempts faced complications,” the report said.
Tohti has long been on Beijing’s radar, he said, and has regularly received threatening phone calls from police there as a result of his work as executive director of the Uyghur Rights Advocacy Project. He also has reported instances of suspected physical surveillance to Canadian authorities.
Despite his guarded posture, Tohti said in an interview that he was initially tricked by the campaign because the social engineering tactics deployed were so sophisticated.
He now has all of his devices checked for signs of intrusion once a month, he said.
In addition to having to replace his devices, Tohti said the attack has caused other advocates to pull back from working with his organization out of fear that they could be targeted, too.
“Automatic censorship and automatic fear comes with it, and for that reason, it really undermines our communications safety and our trust and credibility as a person, individual and organization,” he said.
Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.



