TAIPEI (Taiwan News) — The International Consortium of Investigative Journalists (ICIJ) and cybersecurity analysts at the University of Toronto’s Citizen Lab have uncovered a large-scale, China-backed digital campaign targeting individuals associated with the consortium.
The campaign emerged shortly after ICIJ published “China Targets,” which revealed how the Chinese government coerces and intimidates regime critics overseas, according to an ICIJ report. Targets of the new campaign include Taiwan officials, Uyghur, Tibetan, and Hong Kong diaspora activists, and journalists investigating these groups.
Citizen Lab researchers found more than 100 internet domains specifically made to steal sensitive credentials.
One prominent case involved Kuochun Hung (洪國鈞), chief operating officer of Taiwanese media outlet Watchout. Hung was contacted by an individual impersonating Yi-Shan Chen, editor-in-chief of Taiwan’s CommonWealth magazine.
The person claimed to be working for the ICIJ to secure an interview. Suspicious of the basic questions asked and an unofficial email domain, Hung continued to engage with the impersonator.
He later discovered that the person was trying to lure him into clicking a malicious link. "They are spies with cyber capabilities," Hung told the ICIJ. "Their goal is political."
The impersonators often use technical automation, ICIJ said. Researchers suggest that artificial intelligence may have been used to identify targets and generate convincing, customized messages.
Hung observed that the fake Chen appeared to be using ChatGPT to research topics, a tactic previously associated with Chinese law enforcement’s cyber special operations.
ICIJ reporters also received emails from purported whistleblowers offering secret documents related to Chinese anti-graft investigations. One email, supposedly from a former judicial assistant named Bai Bin, had AI-generated content, ICIJ said.
Analysts concluded that these messages were part of an "OAuth phishing" strategy. The strategy redirects victims to fake sign-in pages that grant attackers unauthorized access to emails, files, and contacts, per ICIJ.
Rebekah Brown, the lead Citizen Lab researcher on the investigation, said these attacks were likely orchestrated by private contractors working for Chinese government agencies.
"We suspect that there was some sort of directive saying that it's very important to know, especially after the China Targets report, who's talking to you, what are you working on now?" Brown said, per ICIJ.
While the investigation has not identified which government agency gave the orders, “we are highly confident that this is China,” Brown added.
The impact of this type of campaign extends beyond data theft. Such campaigns serve as a tool of transnational repression, ICIJ said.
Emile Dirks, a researcher of Chinese surveillance, noted that attempts to monitor and harass individuals signal to activists and reporters that they are constantly being watched.
The Chinese Embassy in Washington, DC, denied the allegations, calling them a "fabricated narrative" meant to smear China, according to ICIJ.
ICIJ and Citizen Lab continue to investigate the campaign, seeking to protect the consortium’s own network and provide relevant authorities with information to ensure accountability. Researchers also hope to find better ways to counter such campaigns and protect dissidents from being silenced or intimidated.




