Chinese dissident bloggers on X say they received phishing links disguised as news tips
What they described resembles almost exactly what was revealed about Chinese hacking activities on X in the leaked I-Soon documents back in February.
At least two Chinese dissident accounts on X said that they received phishing links from other users disguised as news tips.
The practice resembles what was previously revealed in a batch of leaked documents that described how one Chinese IT company helped Beijing hack dissidents on X and obtain their information.
One of the bloggers who received suspicious links was Teacher Li, one of the most influential Chinese self-media accounts on X with 1.4 million followers. On Friday he said that a user had sent him a link, saying it contained information about crowds mourning the former Premier Li Keqiang in Hefei Province.
The user had previously sent Li news tips containing the same information. But Li said he was informed that the user had since been interrogated by Chinese police and had lost access to their X account. Li suspects that the link was an attempt by police to find out his IP address.
“This is the first time that a news tip provider’s account has been compromised by police,” Li, who lives in Italy, wrote on X.
Li revealed that he had also received two other suspicious links in emails disguised as news tips. One looked like a URL for the Chinese video site Bilibili, the other like one for the social media app Telegraph. But both had spelling errors.
A blogger by the name “Program also think”, after testing and analyzing the two links, wrote that they were created to look like authentic URLs with the goal of deception. The links were actually designed to obtain victims’ IP addresses and other information, including data from their Weibo accounts.
Li gained recognition for his nonstop coverage of the anti-Covid lockdown protests in China in 2022 on what was then Twitter. He has built a trusting relationship with his followers, who keep sending him news tips about events in China that have not been covered by local media, which Li then posts on his account for millions of others to see.
Li has also been under constant cyberattack on X. His account has been impersonated many times. Bots have been spreading rumors about his personal life. In February, Li said that Chinese police had been examining his followers in order to identify them.
But Li is not the only one being targeted by phishing links this time. Another dissident account on X with far fewer followers said they recently received a suspicious link, too.
Silent Defiance (隐秘抵抗记录者) was created in March and has just over 300 followers. The account posts photos of anti-Beijing and anti-Xi posters found in China. Last week, they received a link purportedly to a project about the two-year anniversary of the Shanghai Covid lockdown. They posted it without much hesitation.
But after reading comments from users who said they couldn’t open the link, Daniel, one of the account operators, took a closer look at the account that sent him the link. He discovered that the account had previously posted the same URL that Li had received.
Daniel quickly took down the link he shared on Silent Defiance. He said so far he’s not aware of any followers getting into trouble with Chinese police after clicking on it. But he is worried that his account, although nascent, is already on the authorities' hit list.
“Personally, I feel like these accounts are so good at disguising themselves. They would even share articles critical of the authorities to gain trust,” he told me. “Looking at the resources and technologies involved in this organized activity, I don’t think this is the work of just regular hackers.”
The account that sent Daniel the suspicious link used a photo of American filmmaker Rashaad Ernesto Green as its profile picture. A photo it posted on its page was taken from Taiwanese social media site MOOD. The account’s location tag reads “Montana, USA”. The account did not respond to me.
It’s still not clear who is behind this round of phishing attacks. But what Li and Daniel described is almost exactly what was revealed in the I-Soon documents, which were leaked in February and provided a rare window into China’s hacking activities from behind the scenes.
Several documents from the leak show that the Chinese IT company I-Soon, which had contracts with governments and police across China, had developed a system to target dissidents on X with phishing links.
By getting the "targets" to click on the links, the system would gain access to their IP addresses and chat history. Similar systems were developed by I-Soon for emails as well.
Phishing is “not hard to do and is quite common”, Dakota Cary, a China-focused consultant at cybersecurity firm SentinelOne, told me.
The way it works is that “if a unique link is only sent to one person, then the sender can know that the IP address from that unique page belongs to the only person they sent it to open,” he said.
Unfortunately, there is no way to pre-determine if a link is safe or not, Cary added. “If a link goes to a website or blog you haven't heard of, and is sent to you by someone you don't know personally--preferably, in person, then the risk of the link being untrustworthy is higher and the user should use discretion.”
I tried to ask X to comment on what has happened to Li and Daniel, only to receive an auto-reply that says “Busy now, please check back later”.