A recent report reveals that since April 2025, researchers have identified a large-scale phishing and digital impersonation campaign targeting overseas Uyghur, Tibetan, Taiwanese, and Hong Kong activists, as well as journalists covering related issues. Two primary threat groups were identified: GLITTER CARP, which conducts broad and persistent phishing operations—even targeting individuals loosely connected to its main targets—and SEQUIN CARP, which focuses specifically on journalists reporting on China’s transnational repression, including those involved in the International Consortium of Investigative Journalists (ICIJ) project “China Targets.”
The attackers’ primary objective is to steal login credentials—particularly for Google and Microsoft 365 accounts—by redirecting victims to highly convincing fake login pages via links sent through email or messaging apps such as Signal and Line. Researchers also found evidence of coordinated operations using multiple phishing toolkits, suggesting collaboration among groups with varying technical capabilities. The campaign includes impersonation of legitimate media domains, such as fake versions of The Epoch Times, and relies on a large infrastructure of IP addresses and domains, indicating broader—and potentially ongoing—operations beyond those identified.
The report argues that these activities form part of a long-standing pattern of China-linked digital transnational repression, targeting overseas dissidents through hacking, spyware, and online intimidation. It highlights the growing role of private Chinese companies in this ecosystem, describing a “public-private” model in which contractors develop and sell cyber tools—such as spyware and phishing kits—to state agencies. Leaked documents from a sanctioned firm suggest the emergence of a commercialized market for cyber operations, with relatively low costs for data theft and system access.
The report further warns that the outsourcing and industrialization of such activities reduce operational costs, expand their scale, and complicate attribution and accountability. Beyond their technical impact, these campaigns generate a broader “chilling effect,” fostering fear, self-censorship, and distrust among targeted communities.
For example, following the publication of the ICIJ’s “China Targets” investigation in April 2025, journalists involved in the project were themselves targeted by phishing and impersonation campaigns—highlighting how scrutiny and reporting on these issues can trigger retaliatory cyber operations.
Source: Epoch Times, April 29, 2026
https://www.epochtimes.com/gb/26/4/29/n14752403.htm