ICIJ Network Under Attack: Phony Whistleblowers, Fake Journalists, and Cyber Spies Exposed


Key Takeaways

  • In May 2025, a person posing as journalist Yi‑Shan Chen contacted Kuochun Hung of Watchout via email and LINE, using a forged ICIJ interview request to gather information.
  • Hung recognized irregularities—such as the use of English‑spelled Chinese names, non‑ICIJ domains, and overly basic questions—and avoided clicking on suspicious links.
  • Citizen Lab’s analysis linked the incident to a wider Chinese‑state‑sponsored campaign targeting ICIJ, its partners, and diaspora activists after the publication of the China Targets exposé.
  • The attackers employed high‑volume, AI‑assisted tactics, including ChatGPT‑generated research, OAuth phishing kits, and fake websites mimicking ICIJ pages.
  • The lures also included offers of free smartphones and fabricated whistleblower tips (e.g., the “Bai Bin” persona), all designed to harvest login credentials or install malware.
  • The operation reflects a broader pattern of digital transnational repression aimed at surveilling, intimidating, and disrupting critics of the Chinese government overseas.
  • Taiwanese authorities and civil society groups have logged multiple similar approaches, prompting ongoing investigations by the Ministry of Justice Investigation Bureau.
  • Citizen Lab and ICIJ continue to document these intrusions to improve detection, inform policymakers, and hold perpetrators accountable.

Initial Suspicious Contact
In May 2025, Kuochun Hung, chief operating officer of the Taiwanese media outlet Watchout, received an email that appeared to come from Yi‑Shan Chen, a respected reporter and ICIJ collaborator. The message claimed Chen was working for the International Consortium of Investigative Journalists and requested an interview on topics ranging from Taiwan’s impeachment proceedings to Watchout’s civil‑society events. Hung found the request odd: the questions were overly rudimentary for a senior journalist, the sender used an English spelling of the Chinese name, and the email address lacked the official icij.org domain. Suspicious but curious, Hung moved the conversation to LINE, a popular messaging app in Taiwan, to learn more.

Discovery of Impersonation
On LINE, the interlocutor continued to use Chen’s name and profile picture, promising that an American ICIJ journalist would meet Hung in Taipei and sharing a link to what resembled an ICIJ landing page. Hung noticed that the URL was not an ICIJ address and that a second link, purportedly containing the interview questions, came with a vague warning about information security. Recognizing the hallmarks of phishing, he refrained from clicking and pretended to be unaware of the request. The purported “Chen” soon ceased contact after realizing Hung would not engage with the links. Hung later concluded that the actor was likely a Chinese spy impersonating the real Yi‑Shan Chen, aiming to collect intelligence under the guise of journalistic outreach.

Citizen Lab Investigation Findings
Following Hung’s report, ICIJ enlisted the Citizen Lab at the University of Toronto to investigate the episode. Analysts examined dozens of suspicious emails sent to ICIJ reporters and their contacts across Asia, Europe, and the United States. Their report, released one year after the publication of China Targets, concluded that the attacks formed part of a “wide‑ranging campaign” orchestrated by threat actors linked to the Chinese government. The campaign’s objectives included harvesting credentials, enabling surveillance, and facilitating harassment of individuals deemed of interest to Beijing—such as Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists covering these communities.

Use of AI and Automation
Citizen Lab’s technical analysis revealed that the attackers likely employed artificial intelligence to scale their operations. Several messages displayed hallmarks of AI‑generated text, including formulaic phrasing and the frequent use of em dashes. Moreover, a link sent to Hung that purportedly led to a China‑based correspondent’s bio page ended with “source=chatgpt.com,” a referrer parameter indicating the imposter had copied the link from a ChatGPT answer while gathering background information on targets. Citizen Lab researcher Rebekah Brown noted that the high volume of attacks, combined with minimal oversight in message generation, pointed to an automated, “high‑volume” approach rather than a finely tuned, manual operation.
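The red flags described in the sections above (a sender address outside the @icij.org domain, links whose host is not an ICIJ address, and a ChatGPT referrer parameter left in a URL) are mechanical enough to check automatically. The following is an added example, not code from the article, from ICIJ or from Citizen Lab: a small triage helper that runs those checks over an inbound message. The sender address, the links and the message body are constructed for illustration; only the icij.org domain comes from the article.

```python
"""Triage an inbound "journalist outreach" message for the phishing red flags
described in the article. Added example; not ICIJ or Citizen Lab code."""
import re
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# The article notes that genuine ICIJ staff use the @icij.org domain.
TRUSTED_DOMAINS = {"icij.org"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
EM_DASH = "\u2014"  # frequent em dashes were flagged by Citizen Lab as a weak AI-text signal


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header, or '' if absent."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted_domain(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host is a trusted domain or a subdomain of one.
    Exact match or '.<domain>' suffix, so 'icij.org.example.com' is rejected."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def extract_urls(text: str) -> list:
    return URL_RE.findall(text)


def url_findings(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Flag links not hosted under a trusted domain and links carrying a
    ChatGPT referrer in their query string (the 'source=chatgpt.com' tell)."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not is_trusted_domain(host, trusted):
        findings.append(f"link host {host!r} is not under a trusted domain: {url}")
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            if "chatgpt.com" in value.lower():
                findings.append(f"query parameter {key}={value} shows the link was copied from ChatGPT")
    return findings


def triage(from_header: str, body: str, claimed_domain: str = "icij.org") -> dict:
    """Check a message that claims to come from claimed_domain.
    Returns the sender domain, a list of findings and a coarse verdict."""
    trusted = {claimed_domain.lower()}
    findings = []
    dom = sender_domain(from_header)
    if not is_trusted_domain(dom, trusted):
        findings.append(f"sender domain {dom!r} does not match the claimed organisation {claimed_domain!r}")
    for url in extract_urls(body):
        findings.extend(url_findings(url, trusted))
    if body.count(EM_DASH) >= 2:
        findings.append("multiple em dashes in body (weak signal of AI-generated text)")
    return {
        "sender_domain": dom,
        "findings": findings,
        "verdict": "suspicious" if findings else "no red flags",
    }


# Constructed sample modelled on the approach described in the article.
# The address and links are placeholders (example.net / example.com), not real infrastructure.
SAMPLE_FROM = "Yi-Shan Chen <yishan.chen@example.net>"
SAMPLE_BODY = (
    "Hello, I am working with ICIJ on a story about Taiwan. "
    "Our landing page is here: https://example.com/icij/interview?source=chatgpt.com "
    "and the questions are at https://example.com/questions (please mind information security)."
)

if __name__ == "__main__":
    result = triage(SAMPLE_FROM, SAMPLE_BODY)
    print(result["verdict"], result["sender_domain"])
    for f in result["findings"]:
        print(" -", f)
```

Treat the verdict as a prompt to verify out of band, not as proof: a message that passes these checks can still be a spoof, and the article's own advice (do not engage; report the impostor to ICIJ) applies regardless of what a script says. The domain check is deliberately strict about suffixes so that a look-alike such as a trusted name embedded in a longer hostname is not accepted.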

Smartphone Offer and Failed Delivery
A few weeks after the initial contact, the fake Chen re‑approached Hung, this time asking about Taiwanese religious organizations and the latest U.S. White House national‑security strategy. The messages arrived during office hours in Taiwan or China, consistent with an operator working scheduled shifts in that time zone rather than a journalist chasing a story. During one exchange, the imposter offered Hung a brand‑new Samsung smartphone, claiming it would be delivered to a convenience store in central Taipei. Hung accepted, intending to test whether the device had been tampered with, but the delivery never materialized: the store refused private parcels, and subsequent address changes yielded no phone. Similar offers were made to at least five other individuals in Taiwan, including a city councilor and a legislative assistant, none of whom received the promised devices.

Fake Whistleblower Attempt
While the Chen impersonation focused on Taiwanese targets, a separate phishing thread emerged in June 2025 targeting an ICIJ reporter. An email from someone identifying as “Bai Bin,” a purported former judicial assistant from Beijing, claimed to possess documentary evidence of a $10 million embezzlement scheme within China’s top anti‑graft agency. The message contained AI‑like phrasing and em dashes, and its sender address was linked to a former U.S. diplomat rather than to anyone named Bai Bin. The email included a link supposedly leading to an archive of confidential records. ICIJ deemed the link malicious and the whistleblower a fabrication designed to harvest login credentials via an OAuth phishing kit. After about a dozen emails, the fake Bai grew frustrated and ceased contact, while attempts to locate a real Bai Bin proved unsuccessful.

Broader Patterns of Digital Repression
The Citizen Lab report situates these incidents within a larger trend of digital transnational repression employed by authoritarian regimes, notably China and Russia. A European Parliament study cited in the article highlights how online tools are used for intimidation, threats, and surveillance against dissidents abroad. In China, a growing market of hackers‑for‑hire supplies services ranging from monitoring negative social media posts to selling spyware and phishing kits. ICIJ’s own interviews with over 100 targets of Beijing’s repression revealed that roughly half had experienced online smear campaigns, hacking attempts, or phishing efforts aimed at stealing information. Activist Jiang Shengda, a Paris‑based artist whose family in Beijing faces regular interrogations, reported receiving two to four phishing emails daily from accounts mimicking supermarkets or postal services, underscoring the persistent, low‑level harassment faced by critics of the Chinese state.

Implications and Ongoing Work
Rebekah Brown and her team at Citizen Lab emphasize that exposing these coordinated attacks is vital for both prevention and accountability. By demonstrating that the incidents are not isolated but part of a systematic campaign, researchers can help journalists, activists, and policymakers recognize patterns, improve detection mechanisms, and advocate for stronger protective measures. Brown hopes that increased public awareness will enable authorities to trace the infrastructure behind such operations and impose consequences on those responsible. The note appended to the article reminds readers that genuine ICIJ staff use the @icij.org domain and advises anyone encountering an impostor to refrain from engagement and report the incident to [email protected]. Through vigilance and continued documentation, ICIJ and its partners aim to blunt the effectiveness of digital transnational repression and safeguard the flow of information critical to democratic societies.
