Suspected Chinese intelligence-linked actors used fake consulting websites, job platforms, artificial intelligence-generated photos, stolen identities, encrypted messaging, and overseas payments to target Americans with security clearances, according to a newly public FBI affidavit.
The redacted filing, identified by the U.S. Attorney’s Office for the District of Columbia as for case 26-sz-42, gives the most detailed public account so far of the alleged recruitment network behind the Justice Department’s June seizure of 13 internet domains.
The affidavit says the operators posted jobs on LinkedIn and other platforms, offering roles such as “Senior Analyst” and “International Affairs Consultant” on topics tied to the interests of the Chinese regime. The targets included current and former U.S. government employees, military personnel, and others with security clearances.
FBI Norfolk, which investigated the case jointly with the FBI Washington Field Office, told The Epoch Times that people should report suspicious consulting offers even if they did not provide classified information.
“The Chinese government continues to pursue U.S. innovation, research, and sensitive information through a variety of deceptive techniques, including fraudulent job postings and online recruitment efforts,” FBI Norfolk Special Agent in Charge Dominique Evans said in an emailed statement.
“By seizing these domains and exposing these tactics, we are working to protect national security, safeguard American ingenuity, and help the public recognize and defend against these threats. We urge anyone approached with suspicious job opportunities or recruitment efforts to remain vigilant, recognize the warning signs, and report suspicious activity to the FBI.”
The filing does not name the operators. It also does not say whether any U.S. target provided classified information.
How the Scheme Worked
The Justice Department announced on June 10 that federal authorities had disabled 13 domains that prosecutors said were backed by suspected Chinese agents. The public warrant and affidavit packet shows the seizure warrant was signed June 5 by U.S. Magistrate Judge G. Michael Harvey and authorized authorities to redirect the domains to FBI-controlled servers.
The affidavit says the alleged operators posted job listings and created websites that posed as consulting or nonprofit-style organizations, including Centrik Global Consulting, Rightinfo Consulting, Pulse Wave Global, GeoIndopacific, SafeSec Group, The TruthInfo, Vandercons, and Gulf Peace Foundation. The domains of these websites were registered from November 2023 through October 2025, according to the affidavit.
The websites were often linked or referenced in the job postings on LinkedIn and other job-search platforms, including Upwork, Expertia AI, Hubstaff Talent, Wellfound, and Post Job Free, the affidavit says.
The FBI said the alleged operators used aliases, fictitious personas, stolen identities, and AI-generated photographs. They also used Telegram and other encrypted apps to communicate with targets.
The affidavit says recruits were paid through online payment accounts held in the names of fictitious people and through cryptocurrency. Prosecutors said the payments helped conceal the operators’ identities and the true source of the money.
LinkedIn did not respond by publication time to a request for comment.
Clearance Holders Targeted
The affidavit says the fake consulting network targeted people with access to classified, open-source, proprietary, or sensitive information that “the PRC government can use for economic, political, or military decision-making or advantage.”
The filing describes China’s intelligence services as using human sources, online aliases, false identities, encrypted communications, and payments to collect information. It says the United States is a principal target of those operations.
The alleged scheme did not begin with an open request for classified information.
According to the affidavit, applicants were recruited to write reports and then pressed for “exclusive” or “insider” material. The operators asked recruits to share confidential information and reports from insider sources.
A separate Five Eyes advisory issued June 3 by U.S. and allied security agencies warned that Chinese military intelligence services use online job platforms to approach people with access to sensitive information.
The advisory said targets can include security-clearance holders, military personnel, academics, journalists, freelance writers, think-tank employees, and people linked to defense, security, policy, and economic sectors.
Warning Signs
FBI Norfolk referred The Epoch Times to FBI guidance for clearance holders targeted online.
The warning signs include job offers that appear too good to be true, remote or flexible work with disproportionately high pay, excessive praise of the target’s skills or background, and pressure to treat the opportunity as exclusive or limited.
Tune in to China Watch, a podcast on Chinese politics, technology, and business.
Other red flags include vague company information, a lack of verifiable online presence, pressure to move off a networking platform to another communication method, use of personal email addresses or encrypted messaging apps, and requests for written reports that later shift toward nonpublic or sensitive information.
The FBI guidance also warns of recruiters offering favors, including help with visas, travel, hotels, or meals.
FBI Norfolk said current or former clearance holders, military members, contractors, or federal employees who interacted with one of the seized domains or a related recruiter should report the interaction to the FBI at 1-800-CALL-FBI or tips.fbi.gov.
Earlier Online Recruitment Case
The FBI affidavit cites the earlier case of Jun Wei Yeo, also known as Dickson Yeo, a Singaporean man who pleaded guilty in 2020 in federal court to acting in the United States as an unregistered agent of the Chinese Communist Party (CCP).
According to Yeo’s statement of facts, cited in the affidavit, he used social media and other online sites to identify and assess U.S. persons with access to valuable nonpublic information.
Yeo recruited some of those people to write reports without telling them that the reports were intended for the CCP, according to the statement.
In one meeting, the affidavit says, Yeo was instructed by his handlers to obtain nonpublic information about the U.S. Department of Commerce, artificial intelligence, and the U.S.–China trade war.
Allied Agencies Warn of Job-Platform Targeting
The Five Eyes advisory described a recruitment process that begins with professional networking sites or freelance platforms and moves toward private communications, paid reports, and requests for more sensitive material.
The advisory said recruiters may ask for a trial report on topics such as China’s foreign relations, the Indo-Pacific, defense issues, or international trade. Payments can range from hundreds to thousands of dollars per report, according to the advisory.
“Even unclassified information on government policy, or on military strategy, capabilities and installations, can be collected and combined with more sensitive reporting to form a comprehensive operational picture,” the advisory states.
That warning matches one of the central concerns in the FBI affidavit: The target does not have to hand over classified material at the first contact for the approach to carry counterintelligence value.
The affidavit does not identify the overseas operators by name, say whether similar websites remain active, or state whether any job platform notified users who may have interacted with the postings or recruiter profiles.
