Anchorman: The Legend of Lǎng Bógěndì
Welcome to Memetic Warfare.
When it rains, it pours. This emergency post is going to review, in-depth, the latest FBI affidavit exposing 13 Chinese virtual espionage domains.
OpenAI also released a report on Chinese IO targeting data centers, which we will review in a later post.
Let’s dive right in. The FBI and DOJ announced a takedown of 13 Chinese virtual espionage domains, with the announcement and affidavit available here.
The affidavit is lengthy so we’ll focus on the key points.
The summary is straightforward:
By virtue of this being an FBI affidavit, we get some information we don't usually get from open sources alone, such as the operators' use of identity theft and details of the correspondence between the handlers and those they targeted:
LinkedIn, as well as multiple freelancing platforms, are mentioned as key hubs of activity:
Paypal and crypto are the main methods of payment:
The domains seized are listed:
The domains are interesting in that they’re more dispersed geographically than we usually see, with companies based in Europe and the Middle East - not just Taiwan, Hong Kong and Singapore:
Some of these are a bit older and frankly unimpressive:
We’ll skip ahead to their analysis of the domains. While there’s still much to be desired, the affidavit actually provides indicators and basic analysis of the domains. I’d call this a big step forward for FBI affidavits.
We see that the FBI relies on a few overly basic indicators, such as domains sharing a host server (and its affiliated IP address), without including more advanced domain analysis techniques. Hopefully we'll see more of that soon. That aside, the FBI leans heavily on other heuristics we're used to relying on here: job text similarity, vagueness, stock photos and so on. Only in a few cases are other indicators, such as impersonation or the use of stolen identities, brought up, and only three of the domains were the result of reports to the FBI.
We're also lucky enough to get analysis of each domain. We won't cover every single one, but there are some points to review. Firstly, the reliance on stolen identities is interesting, with the operators using exposed credentials and personal information of US citizens to set up the infrastructure:
They use stock images - of course:
The operators have a sense of humor, which I appreciate greatly. Make espionage funny again.
Many of the domains go back at least 2 and sometimes 3 years. As we’ve shown on Memetic Warfare, Chinese espionage has also expanded to covering the Middle East and other “international hotspot” issues:
Many such cases of this:
Unique text is always a good pivot point too:
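Two of the pivots the affidavit leans on, a shared hosting IP and near-duplicate job-posting text (the "unique text" pivot above), are easy to reproduce against your own collection of suspect domains. The following is an added example, not code from this post or from the FBI's analysis; the domains, IPs and posting text in it are constructed for illustration and do not correspond to the seized domains. It links records that share an IP or whose postings share most of their word 3-grams (Jaccard similarity), then groups the linked domains into clusters with the evidence for each link.

```python
import re
from itertools import combinations

# Constructed sample records (hypothetical domains, IPs and posting text; not
# the domains from the affidavit). Each record is a front-company domain, the
# IP its site resolved to, and the text of the "consultant wanted" posting it ran.
RECORDS = [
    {"domain": "alpha-consulting.example", "ip": "198.51.100.10",
     "text": "We are seeking experienced consultants with government or military "
             "background to write reports on international affairs. "
             "Flexible hours, paid per report."},
    {"domain": "beta-research.example", "ip": "198.51.100.10",
     "text": "Our firm provides market research to clients worldwide. "
             "Join our team of analysts."},
    {"domain": "gamma-insights.example", "ip": "203.0.113.5",
     "text": "We are seeking experienced consultants with government or military "
             "background to write reports on international affairs. "
             "Flexible schedule, paid per report."},
    {"domain": "delta-bakery.example", "ip": "192.0.2.77",
     "text": "Fresh sourdough every morning. Visit our downtown store "
             "for pastries and coffee."},
]

WORD = re.compile(r"[a-z0-9]+")


def shingles(text, n=3):
    """Word n-grams of a lowercased posting; copy-pasted text shares most of them,
    so light rewording ("hours" -> "schedule") still leaves a strong overlap."""
    words = WORD.findall(text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def jaccard(a, b):
    """Jaccard similarity of two shingle sets, 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def link_domains(records, min_sim=0.5, ignore_ips=frozenset()):
    """Return (edges, clusters).

    An edge is (domain1, domain2, reason, score). Two domains are linked when
    they resolve to the same IP (unless that IP is in ignore_ips, which is how
    you keep a CDN or shared-hosting address that serves thousands of unrelated
    sites from gluing everything together) or when their posting text has
    shingle Jaccard similarity >= min_sim. Clusters are the connected components
    of those links, found with a small union-find."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    sh = {r["domain"]: shingles(r["text"]) for r in records}
    edges = []
    for r1, r2 in combinations(records, 2):
        d1, d2 = r1["domain"], r2["domain"]
        if r1["ip"] == r2["ip"] and r1["ip"] not in ignore_ips:
            edges.append((d1, d2, "shared_ip", 1.0))
            union(d1, d2)
        sim = jaccard(sh[d1], sh[d2])
        if sim >= min_sim:
            edges.append((d1, d2, "text_similarity", round(sim, 3)))
            union(d1, d2)

    groups = {}
    for d in parent:
        groups.setdefault(find(d), []).append(d)
    clusters = sorted(sorted(g) for g in groups.values())
    return edges, clusters


if __name__ == "__main__":
    edges, clusters = link_domains(RECORDS)
    for d1, d2, reason, score in edges:
        print(f"{d1} <-> {d2}: {reason} ({score})")
    for i, cluster in enumerate(clusters, 1):
        print(f"cluster {i}: {', '.join(cluster)}")
```

On the constructed data the first three domains land in one cluster (alpha and beta share an IP, alpha and gamma share a posting) and the bakery stands alone. Pass the IP of any shared host or CDN you recognize in `ignore_ips`; a shared IP on its own is the weakest of these links, which is exactly the criticism of the affidavit above, so treat it as a lead to confirm with text, registration and image pivots rather than as proof by itself.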
Some of those recruited were a bit wary, understandably:
Some domains were not hiding their intentions:
While most of the entities in these networks are on LinkedIn, some are active on Facebook and even Bluesky:
Stolen credentials and PII of US citizens were used to set up the domains:
In one case, the FBI identified passports sold online as being used in the operation:
The FBI can acquire data from platforms with warrants, which it did for one Gmail address. That address, used in the operation to set up infrastructure, had been accessed from China, Hong Kong and Macau several times and had also received copies of the operators' crypto transaction records:
Astoundingly, some of the domains were successful. One illuminating case covers the recruitment of a member of the US military:
Other cases also show what China was interested in, unsurprisingly, at that point in time:
We also get a look at some of the recruiting emails sent:
We also see Twitter used, which is a first as far as I remember:
The centrality of Israel and the various ongoing wars in the region astound me:
They of course push them to go for “exclusive” sources:
They can't seem to get the writing right, and proofreading with ChatGPT or even a local model seems to be a problem for them, especially when their recruits push back:
The Centrik domain operated a LinkedIn group as well:
This line of effort came off as a little more professional:
It was also more successful, recruiting at least seven targets:
The correspondence is also more convincing:
Some of their content is also similar to Chinese IO efforts, using the “share your thoughts” line to try to garner interaction and engagement:
There’s quite a bit more, but we’ll stop here for now. There are a few conclusions I’d draw from this and other reports on the topic:
Chinese operations are pervasive and long-term, with some going back to 2023. We can safely assume that they won’t stop.
The operations are successful and clearly worth it for China. We know this because they keep running them, and now we have confirmation that people with clearances can be successfully recruited.
Multiple actors in China (presumably different teams in the MSS, though the MPS may also run some) run these. Differing levels of quality and investment are the main indicator here, as well as certain clusters being distinct from others.
China is interested mainly in the US, but also interested increasingly in other flashpoints and seemingly lacks its own human intelligence assets there.
That’s it for this week, thanks for reading.