NEWS “Glitter Carp” went hunting. Why journalists are now being monitored under the guise of colleagues

pinkman

A simple request in the mail was the easiest way to open the safe.
Chinese activists in exile and journalists who write about Beijing’s pressure abroad have faced a new wave of targeted attacks. According to Citizen Lab, the attackers did not just send fake emails: they carefully impersonated real people, copied the pages of well-known organizations and chose stories that would interest a specific victim.

Citizen Lab, together with the International Consortium of Investigative Journalists (ICIJ), described two groups, which they named GLITTER CARP and SEQUIN CARP. The authors of the report believe that both acted in the interests of the PRC and attacked Uighur, Tibetan, Taiwanese and Hong Kong activists, as well as journalists working on topics sensitive to the Chinese authorities.

According to Citizen Lab, GLITTER CARP has been sending phishing emails and messages since April 2025, posing as familiar activists, ICIJ employees and security services. The goal was to take over email accounts. In one case, Uighur-Canadian activist Mehmet Tohti received a message, allegedly from a well-known Uighur director, asking him to watch an upcoming documentary. The link led not to the video but to a fake Google login page.

A similar scheme was used against the World Uighur Congress, the Uyghur Human Rights Project, Tibcenter, the Taiwanese media outlet Watchout and Hong Kong activist Carmen Lau. The emails contained hidden pixels to track when a message was opened, and some of the links led to pages that imitated Google, ICIJ or other trusted resources. Citizen Lab also found more than a hundred connected domains, some of which could be used in other attacks.

SEQUIN CARP acted differently. The group tried to gain access to Gmail through malicious OAuth requests, in which the victim herself grants a third-party application permission to read mail. Such a scheme is dangerous because it does not require a password and can retain access even after the password is changed, until the user manually revokes the permission.

The main target of SEQUIN CARP was ICIJ journalist Scilla Alecci, coordinator of the China Targets project. She received messages written in the name of Bai Bin, a former court official in Beijing whose story had previously appeared in Chinese media. The attackers used the image of a whistleblower and promised to hand over documents on corruption, but the link started an OAuth flow to obtain access to Gmail. Citizen Lab also recorded a similar attempt against a journalist writing about the Pentagon.

The authors of the report associate both campaigns with the practice of digital transnational repression. According to them, the attacks could have been carried out by private contractors working in the interests of the Chinese state. This version is supported by the wide range of targets, the reuse of infrastructure, technical errors and similarities with operations previously described by Proofpoint, Volexity and Trend Micro.

Citizen Lab believes that such cyber-espionage campaigns undermine trust within diasporas and newsrooms, force activists and journalists to constantly verify even familiar contacts, and give the authorities the opportunity to deny direct involvement. For protection, the authors advise checking senders' addresses, not entering passwords after following links from emails, using hardware security keys and regularly reviewing the applications that have been given access to the Google account.
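
The OAuth scheme attributed to SEQUIN CARP can be checked for before anyone clicks "Allow". The following is an added example, not part of the original post or the Citizen Lab report: a small triage function that tells a real Google consent request for mailbox access apart from an ordinary or look-alike link. The sample URLs, the client ID and the `.example` hosts are constructed, and the function assumes it is given the final URL after any redirects.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Google OAuth scopes that let a third-party app read mailbox content.
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

def triage_oauth_link(url):
    """Report whether a link is a Google OAuth consent request for mail access."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Genuine consent screens live on accounts.google.com under /o/oauth2/.
    if host != "accounts.google.com" or not parts.path.startswith("/o/oauth2/"):
        return {"verdict": "not-google-oauth", "host": host}
    q = parse_qs(parts.query)
    scopes = set(" ".join(q.get("scope", [])).split())
    mail = sorted(scopes & MAIL_SCOPES)
    return {
        "verdict": "mail-access-requested" if mail else "oauth-no-mail-scope",
        # The app asking for access; this is what shows up in the account's
        # list of third-party apps and what has to be revoked there.
        "client_id": q.get("client_id", [None])[0],
        # Where the authorization code is delivered after the user consents.
        "redirect_host": urlsplit(q.get("redirect_uri", [""])[0]).hostname,
        "mail_scopes": mail,
        # access_type=offline asks for a refresh token, i.e. access that
        # continues without the user being present.
        "offline_access": q.get("access_type", ["online"])[0] == "offline",
    }

# Constructed sample: a consent link of the kind described above.
SAMPLE_CONSENT = "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode({
    "client_id": "000000000000-example.apps.googleusercontent.com",
    "redirect_uri": "https://docs-share.example/callback",
    "response_type": "code",
    "access_type": "offline",
    "scope": "openid email https://www.googleapis.com/auth/gmail.readonly",
})
# Constructed sample: a look-alike login page, not an OAuth request at all.
SAMPLE_LOOKALIKE = "https://accounts-google.example/signin?continue=mail"

if __name__ == "__main__":
    for link in (SAMPLE_CONSENT, SAMPLE_LOOKALIKE):
        print(triage_oauth_link(link))
```

A "mail-access-requested" verdict on a genuine Google host is the case where checking the address bar does not help, because the page really is Google's; the decision has to be made on the requesting app and the scopes.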