The FBI and Department of Justice announced the seizure of 13 websites alleged to have been operated by Chinese intelligence services as recruitment infrastructure targeting current and former U.S. government and military employees holding security clearances. The seizure was a civil domain action coordinated with the Five Eyes intelligence alliance.
How Chinese Intelligence Used Fake Consulting Firms to Recruit U.S. Security Clearance Holders
The 13 seized websites posed as legitimate consulting companies advertising professional opportunities. Rather than targeting a broad public audience, the sites focused specifically on attracting applicants who held U.S. security clearances — a population that had already been vetted through federal background investigation processes and whose access to classified information made them high-value recruitment targets. The fake firms offered to compensate targeted individuals with cryptocurrency and online payment transfers in exchange for intelligence reports and sensitive information.
The investigation was initiated after some targets who recognized suspicious interactions reported those contacts to law enforcement. That detail implies that an unknown number of individuals who did not identify the approach as suspicious may have been approached through the same channels without triggering any report.
AI-Generated Photographs and LinkedIn Job Posts: The Chinese Intelligence Recruitment Playbook
To create the appearance of legitimate operations, the site operators used AI-generated photographs as profile images for fabricated employees, along with fraudulent identities and identities stolen from real individuals. AI-generated photographs present a verification problem that genuine photographs do not: a reverse image search returns no results because the face belongs to no actual person. The fake firms distributed their job postings through LinkedIn and similar hiring platforms, embedding the recruitment contacts within the same professional environment where candidates legitimately search for work. A job posting appearing in a trusted professional networking context, complete with employee photographs and a plausible consulting firm identity, presented fewer immediate warning signals than an unsolicited approach through other channels.
Five Eyes Coordination and the Absence of Criminal Charges Alongside the 13-Site Seizure
The seizure was executed as a civil domain action — not a criminal proceeding — coordinated with Five Eyes intelligence alliance partners: Australia, Canada, New Zealand, the United Kingdom, and the United States. The Five Eyes coordination reflects a shared assessment among all five major English-speaking intelligence partners that Chinese targeting of clearance holders through online recruitment infrastructure constitutes an active and significant threat. No criminal indictments accompanied the domain seizures. The Chinese government dismissed all allegations as “entirely fabricated” and “malicious slander,” a posture consistent with Beijing’s standard response to espionage attribution.
Concurrent Chinese Operations: Volt Typhoon Botnet Revival and AI Influence Campaigns
U.S. officials noted that the recruitment site seizure occurred within the same intelligence window as two additional observed Chinese operations: the revival of the Volt Typhoon botnet and AI-generated influence campaigns targeting U.S. AI infrastructure policy debates. Volt Typhoon has been previously documented as a Chinese threat actor focused on prepositioning access to U.S. critical infrastructure — utilities, communications networks, and transportation systems — specifically to enable disruptive operations during a potential future geopolitical crisis.
The overlap between the fake recruitment site network, the Volt Typhoon botnet revival, and AI-driven influence operations targeting a specific U.S. policy domain suggests these activities represent coordinated tracks of a broader intelligence effort rather than isolated incidents. Civil domain seizures disrupt infrastructure but do not eliminate the underlying operational capability, and the operators behind the 13 seized sites remain unindicted.
