Skip to content
Chimera readability score 88 out of 100, Specialist reading level.

A unit of Taiwan’s Investigation Bureau has charged two executives of a company that allegedly helped China’s cyber spies target Taiwanese officials and scholars, impersonating reporters affiliated with the International Consortium of Investigative Journalists.
After searching the offices of local firm Abigail and other locations, the Taipei City Investigation Office issued deferred prosecution orders against Li Hualun and Chen Mengsen for violating the personal data protection act and other crimes, according to a statement released by the bureau today.
The two obtained accounts for the messaging app LINE and leased them to Xiamen Empress Information Technology Co. Ltd., a firm allegedly linked to China’s cyber army, for about $161 per account. This enabled Chinese government-backed hackers to launch “social engineering attacks” against Taiwanese officials, as well as scholars and NGO workers, by impersonating journalists, the investigators found.
The suspects “acted under the direction of the Chinese Communist Party’s cyber army unit,” the bureau said.
The Taiwanese authorities’ operation follows an investigation by ICIJ and cybersecurity analysts at Toronto University’s Citizen Lab, which investigates digital threats against civil society. It identified suspicious emails by ICIJ impersonators and phony Chinese whistleblowers sent to ICIJ reporters as part of a sophisticated offensive strategy aimed at stealing private information from entities of interest to the Chinese government. The targets included Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists from ICIJ and elsewhere who report on activities related to these groups.
The attacks against the ICIJ network followed the 2025 publication of China Targets, which exposed Beijing’s tactics to silence dissidents overseas.
Citizen Lab found several errors in the suspicious emails, suggesting that the attackers may have been involved in a “high volume” of attacks and used artificial intelligence to automate them, identify targets and generate messages without much oversight.
The Taiwanese authorities’ report confirmed ICIJ and Citizen Lab’s findings: “Using the pretext that international journalists routinely use encrypted communications to protect their messages, they send emails containing malicious encryption software to trick recipients into downloading and installing it, thus enabling hacking into devices and stealing data.”
ICIJ reporters also received LinkedIn messages and “cooperation invitation letters” from consulting firms offering to pay for articles on trade, defense and other topics of interest to the Chinese government. The U.S. and other Western intelligence agencies have linked such cover companies to China’s military intelligence services seeking to lure foreigners who have access to sensitive information.

Facts Only

* The Taipei City Investigation Office issued deferred prosecution orders against Li Hualun and Chen Mengsen.
* The violation involved the personal data protection act and other crimes.
* Li Hualun and Chen Mengsen obtained LINE messaging app accounts and leased them to Xiamen Empress Information Technology Co. Ltd. for about $161 per account.
* These actions allegedly enabled Chinese government-backed hackers to launch social engineering attacks against Taiwanese officials, scholars, and NGO workers by impersonating journalists.
* The suspects allegedly acted under the direction of the Chinese Communist Party’s cyber army unit.
* The operation followed an investigation by the ICIJ and cybersecurity analysts at Toronto University’s Citizen Lab.
* The attack strategy involved sending emails containing malicious encryption software to trick recipients into installing it for data theft.
* ICIJ reporters also received LinkedIn messages and cooperation invitation letters from consulting firms allegedly linked to Chinese military intelligence services offering payment for information.

Executive Summary

Taiwan’s Investigation Bureau issued deferred prosecution orders against Li Hualun and Chen Mengsen for violating personal data protection acts and other crimes following an operation. The investigation found that the two executives obtained LINE messaging app accounts and leased them to Xiamen Empress Information Technology Co. Ltd., which is allegedly linked to China’s cyber army, for approximately $161 per account. This action reportedly enabled Chinese government-backed hackers to conduct social engineering attacks against Taiwanese officials, scholars, and NGO workers by impersonating journalists. The investigation was prompted by an inquiry from the ICIJ and cybersecurity analysts at Toronto University’s Citizen Lab, which identified suspicious emails and phony whistleblowers targeting reporters for a strategy aimed at stealing private information related to diaspora activists and journalists. Furthermore, attackers utilized malicious encryption software, delivered via deceptive means, to facilitate hacking into devices. The investigation also noted that external entities linked to China's military intelligence services attempted to lure foreigners with promises of payment for sensitive information.

Full Take

The incident reveals a systemic flow where private digital assets are commodified and weaponized by state-aligned actors, leveraging the perceived necessity of secure communication as a vector for espionage. The mechanism described—impersonation via compromised journalists and social engineering tactics—demonstrates a strategic deployment of influence operations designed to bypass traditional security layers. The involvement of entities linked to China’s cyber army suggests that state objectives are directly integrated into digital operations targeting civil society figures, including diaspora activists and journalists. The findings from Citizen Lab regarding automated, AI-assisted attacks underscore a shift toward scalable, low-oversight digital manipulation, suggesting a maturation of offensive capabilities beyond simple manual infiltration. The pattern indicates a reliance on exploiting trust—both between individuals (impersonating colleagues) and institutional structures (using compromised media networks)—to achieve goals of information extraction. This dynamic implies that cognitive sovereignty is challenged not just by direct data theft, but by the erosion of epistemic safety through sophisticated digital deception designed to induce trust and compliance from international observers and dissidents.
Bridge questions: What are the long-term implications for international digital trust when state actors leverage commercial infrastructure? How can civil society build resilience against influence campaigns that exploit journalistic credibility and digital security protocols? What systemic changes are necessary to establish new norms of accountability for cross-border cyber operations targeting academic and activist communities?

Taiwanese authorities charge executives who helped China’s cyber spies target ICIJ network — Arc Codex