Intelligence agencies from five nations issued a joint advisory on June 5 warning that Chinese intelligence officers are running fake recruiter personas on LinkedIn, Indeed, and Upwork to collect sensitive information from individuals with government security clearances.
How the operation works
The operation proceeds in stages. An intelligence officer creates a recruiter profile on a professional networking platform and contacts the target with a plausible offer, typically framed as a defense analyst or policy research position. If the target responds, the conversation moves to Signal or WhatsApp. The operator then commissions written reports on policy or security topics, paying via PayPal or cryptocurrency. Each request escalates in sensitivity, testing whether the target will share protected information.
Who is being targeted
The advisory identifies primary targets as individuals who currently hold or recently held a government security clearance, have worked in defense, intelligence, or diplomatic roles, or have access to sensitive government, military, or contractor systems. Academic researchers with defense-relevant expertise are also identified as targets.
How to recognize the pattern
Several signals distinguish this operation from legitimate recruiting. The role description is vague or changes over time. Payment is offered via cryptocurrency or peer-to-peer services rather than standard payroll. The recruiter requests communication on an encrypted messaging app rather than a corporate platform. Written work requests escalate in sensitivity beyond what a legitimate research role would require. Any combination of these signals should prompt the target to disengage and report the contact.
What to do
Personnel with active or former security clearances should report unsolicited recruiter contacts showing these patterns to their designated security officer. Reporting to the FBI Internet Crime Complaint Center at ic3.gov is also recommended. Organizations holding classified contracts should brief cleared personnel on this advisory and incorporate professional-network social engineering scenarios into annual security awareness training.
Gigia Tsiklauri is a security architect and AI security practitioner. Follow more analysis at infosec.ge.