Taiwanese authorities charge executives who helped China’s cyber spies target ICIJ network

The Ministry of Justice Investigation Bureau probe corroborates ICIJ and Citizen Lab’s findings that attacks against journalists were part of a coordinated espionage campaign sponsored…

A unit of Taiwan’s Investigation Bureau has charged two executives of a company that allegedly helped China’s cyber spies target Taiwanese officials and scholars, impersonating reporters affiliated with the International Consortium of Investigative Journalists.

After searching the offices of local firm Abigail and other locations, the Taipei City Investigation Office issued deferred prosecution orders against Li Hualun and Chen Mengsen for violating the personal data protection act and other crimes, according to a statement released by the bureau today.

The two obtained accounts for the messaging app LINE and leased them to Xiamen Empress Information Technology Co. Ltd., a firm allegedly linked to China’s cyber army, for about $161 per account. This enabled Chinese government-backed hackers to launch “social engineering attacks” against Taiwanese officials, as well as scholars and NGO workers, by impersonating journalists, the investigators found

The suspects “acted under the direction of the Chinese Communist Party’s cyber army unit,” the bureau said. 

The Taiwanese authorities’ operation follows an investigation by ICIJ and cybersecurity analysts at Toronto University’s Citizen Lab, which investigates digital threats against civil society. It identified suspicious emails by ICIJ impersonators and phony Chinese whistleblowers sent to ICIJ reporters as part of a sophisticated offensive strategy aimed at stealing private information from entities of interest to the Chinese government. The targets included Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists from ICIJ and elsewhere who report on activities related to these groups.

The attacks against the ICIJ network followed the 2025 publication of China Targets, which exposed Beijing’s tactics to silence dissidents overseas. 

Citizen Lab found several errors in the suspicious emails, suggesting that the attackers may have been involved in a “high volume” of attacks and used artificial intelligence to automate them, identify targets and generate messages without much oversight.

The Taiwanese authorities’ report confirmed ICIJ and Citizen Lab’s findings: “Using the pretext that international journalists routinely use encrypted communications to protect their messages, they send emails containing malicious encryption software to trick recipients into downloading and installing it, thus enabling hacking into devices and stealing data.”

ICIJ reporters also received LinkedIn messages and “cooperation invitation letters” from consulting firms offering to pay for articles on trade, defense and other topics of interest to the Chinese government. The U.S. and other Western intelligence agencies have linked such cover companies to China’s military intelligence services seeking to lure foreigners who have access to sensitive information.