Fake jobs, real intelligence gathering.
Intelligence agencies across the Five Eyes alliance, including the FBI, MI5, and counterparts in Australia, Canada, and New Zealand, have issued a coordinated warning about what they describe as an “aggressive” online recruitment campaign linked to Chinese intelligence services.
According to the advisory, operatives are using professional networking platforms such as LinkedIn, Indeed, and Upwork to pose as recruiters, consultants, or human resources staff working for legitimate-looking firms.
The aim, officials say, is to draw in individuals who may have access to sensitive or strategically useful information.
How the recruitment scheme works
According to the Five Eyes bulletin, the operation often begins with online job advertisements seeking candidates for positions related to foreign policy, defense analysis or similar fields. Applicants’ resumes are then reviewed to determine whether they may have access to valuable information.
Interviews are typically conducted online, with recruiters concealing their true identities. During these conversations, candidates may be questioned about government contacts, military activities or professional expertise.
The recruitment process can then progress to trial assignments. Applicants may be asked to produce reports covering subjects such as China’s international relationships, defense matters, trade issues or developments in the Indo-Pacific region. As trust develops, recruiters seek increasingly sensitive information and often move conversations to encrypted messaging platforms.
The bulletin says recruits can receive payments ranging from a few hundred dollars to several thousand dollars per report, with larger sums offered for more sensitive information. Payment methods cited include PayPal, Wise, Payoneer, Skrill, Zelle, Western Union and cryptocurrency.
Who is being targeted?
The advisory identifies several groups that Chinese intelligence services are particularly interested in approaching.
These include security clearance holders, military personnel, government employees, and individuals working in defense, foreign affairs, intelligence, and security-related fields. Academics, journalists, freelance writers, and think tank researchers are also considered potential targets because they may possess useful information or professional networks.
“China’s military intelligence services ultimately seek to acquire privileged military, political and economic intelligence that can provide China with a strategic and tactical advantage over the Five Eyes,” the agencies warned.
Officials stressed that direct access to classified material is not always necessary for intelligence gathering. The Five Eyes notice states that “even unclassified information on government policy, or on military strategy, capabilities and installations, can be collected and combined with more sensitive reporting to form a comprehensive operational picture.”
Authorities warned that such information could affect national security, place military personnel at risk and contribute to foreign interference efforts. The bulletin also notes that people who disclose sensitive information without authorization may face criminal prosecution under national espionage laws.
Beijing rejects the allegations
The Chinese embassy in London rejected the allegations, describing them as “purely false” and “malicious slander,” the BBC reported. The embassy also accused Western intelligence services of engaging in espionage themselves.
Meanwhile, LinkedIn told TechCrunch that creating fake accounts or misrepresenting identity violates its policies, adding: “We remain focused on detecting state-sponsored abuse, and will continue to enforce our policies against fake accounts.”
The warning comes as online platforms face growing scrutiny over security risks, including a recently disclosed GitHub Dev vulnerability that exposed VS Code extension OAuth tokens and highlighted how trusted developer tools can become attractive targets for attackers.