A joint investigation has uncovered a Chinese state‑linked espionage operation that impersonated journalists to infiltrate Taiwan’s civil society, political offices and human rights networks. The scheme used fake identities, fraudulent interview requests and malware‑laden files to target media workers, think‑tank analysts, legislators’ offices and activists for nearly a year.
The operation began in May 2025, when a person posing as “Yi‑Shan Chen”, the real editor‑in‑chief of CommonWealth Magazine, contacted Taiwanese organisations using a Gmail account with a disposable‑style name. The impersonator sustained conversations for months and even offered a free Samsung phone to build trust.
A six‑month investigation by CommonWealth Magazine, the International Consortium of Investigative Journalists (ICIJ) and the University of Toronto’s Citizen Lab confirmed that the identity was fake and linked to Chinese intelligence infrastructure. The same IP network had been used in earlier attacks on Taiwan’s semiconductor companies.
Targets included civic media outlet Watchout, a Democratic Progressive Party city councillor, a legislative aide, a former National Security Council staffer and human rights groups in Taiwan and abroad. Similar impersonation attempts also targeted Uyghur, Tibetan and Hong Kong communities.
The attackers used social engineering, not system hacking. They built rapport through casual political questions before sending malware disguised as interview outlines or fake Google documents that harvested login credentials. Investigators found no evidence that any Taiwanese targets opened the malicious files, as most verified the requests with CommonWealth before responding.
Citizen Lab traced more than 100 related domain structures used in similar campaigns worldwide, all pointing to a single master domain and cloud infrastructure commonly used by Chinese threat actors. The pattern matched earlier phishing attacks on Taiwan’s semiconductor sector, including operations linked to a group tracked as “UNK_SparkyCarp”.
Analysts say the goal was network mapping — identifying relationships, contacts and influence pathways inside Taiwan’s civil society — rather than stealing sensitive documents. The operation relied on patience, with attackers maintaining conversations for weeks or months before introducing malware.
Evidence suggests the campaign may have been carried out by private Chinese cybersecurity contractors working for state agencies, reflecting China’s expanding public‑private intelligence ecosystem. Investigators noted the attackers kept office‑hour schedules and used methods resembling commercial opinion‑monitoring firms rather than elite intelligence officers.
Taiwan’s Bureau of Investigation is examining the impersonated accounts, but legal action is difficult because the perpetrators operate outside Taiwan’s jurisdiction. National security officials say similar long‑term contact patterns have appeared in other espionage cases.
The investigation concludes that China is widening its intelligence‑gathering reach by outsourcing operations and targeting journalists, activists and political networks. Analysts warn that such systems risk becoming inefficient and distorted, echoing historical examples of overextended surveillance states.