China's increasingly effective spy tactics raise alarm in the West

From sophisticated AI-backed espionage operations to mundane tactics through professional recruitment sites, a new Five Eyes report warns that Beijing's spy capabilities are growing

Sara Padovan

A clandestine meeting, a briefcase full of documents, a direct cyber intrusion. This is what one typically thinks of when one hears the word "spy" or "espionage". But in reality, many intelligence operations are extremely mundane. They begin with an ordinary message on a professional platform: an attractive job offer, a proposal for paid consultancy, or an approach from a company that appears entirely legitimate. Behind that seemingly routine communication, however, an intelligence service may be searching for a path to obtain sensitive information.

A recent bulletin issued in early June by the Five Eyes—an Anglosphere intelligence-sharing alliance between the US, the UK, Canada, Australia, and New Zealand—said that Chinese intelligence services are using platforms such as LinkedIn, Indeed, Upwork, and others to target military and government officials, researchers, journalists, and holders of security clearances. The target, in other words, is no longer only the person carrying a classified document. It may be anyone who possesses knowledge, expertise, or relationships that bring them into close contact with sensitive files.

The targeting process often begins in a manner that appears entirely ordinary. An account on a professional platform or recruitment site presents itself as belonging to a consulting firm or a legitimate hiring agency, then sends the target a message offering a job opportunity or paid consultancy assignment. In many cases, these offers revolve around foreign policy, defence, technology, or international affairs.

As the exchange develops, virtual interviews may follow, or the target may be asked to prepare memoranda and short reports that, at first, seem general and give little cause for suspicion. These requests may include political analyses, assessments of particular trends, or research papers on international issues, before gradually shifting toward more sensitive and specialised information.

On 10 June, the US Federal Bureau of Investigation (FBI) disclosed that it had seized more than 12 internet domains allegedly used by Chinese intelligence services, through fictitious consulting companies, to lure military personnel, security clearance holders, and government employees into false job offers and bogus consultancy assignments designed to collect sensitive information. Roman Rozhavsky, assistant director of the FBI’s Counterintelligence Division, said these networks have increasingly relied on artificial intelligence, professional networking platforms, and electronic payment services for recruitment, deception, and intelligence targeting.

All this demonstrates how information-gathering tools are rapidly evolving. The information sought may include an unpublished assessment, knowledge of what is taking place inside an institution, the names of influential figures, or a political appraisal. Such information may appear insignificant at first, but it can be dangerous when used to put together a broader picture. Once the target's trust is secured, requests may shift from general, publicly available subjects to more specialised and sensitive questions.

AFP
A passerby near a LinkedIn office sign in San Francisco, on 26 July 2023.

Widening net

In 2023, MI5 Director General Ken McCallum said that around 20,000 people in the UK had been approached by Chinese-linked actors through LinkedIn and other professional platforms. The figure was striking because it revealed that the targeting was not limited to senior officials or former officers but encompassed a broad range of individuals whose expertise, relationships, or knowledge could be useful to a foreign intelligence service. Beijing was quick to deny the accusations, with the Chinese embassy in London describing them as "pure fabrication and malicious slander" and warning the UK against further undermining bilateral relations.

In the US, the case of Kevin Mallory stands out. The former Central Intelligence Agency officer was facing financial difficulties when, in 2017, he received a message through LinkedIn from a representative of a Chinese research institution—or so he thought. The relationship later developed into meetings and secret communications, before a US court convicted him of transmitting classified defence information to China. In 2019, he was sentenced to 20 years in prison, in a case that has been used to illustrate the dangers of such seemingly mundane approaches.

The Five Eyes warning concerns far more than fake accounts on the internet. It points to a broader transformation in the tools of information gathering.

The Hafnium attacks on Microsoft Exchange servers in 2021 also stand out. At the time, Microsoft said the group had exploited previously unknown vulnerabilities to target on-premises email servers. Washington later accused hackers linked to China's Ministry of State Security of exploiting those vulnerabilities. The significance of this kind of attack lies in the role of email within companies and governments. Beyond a means of communication, email serves as an archive of decisions, contracts, internal exchanges, and institutional relationships.

In another operation in 2024, at least nine American telecom companies were targeted, and their call data and communications records were compromised. The US accused China of being behind what later became known as the Salt Typhoon campaign. The operation heightened fears that the targeting of technical infrastructure was not just aimed at data theft but also at gaining access to the networks through which sensitive information and communications pass.

AFP
Surveillance cameras appear near a portrait of former leader Mao Zedong at the Tiananmen Gate leading to the Forbidden City in Beijing, on 15 May 2026.

In 2025, the US Cybersecurity and Infrastructure Security Agency and its partners issued a joint warning about cyber activities attributed to Chinese state-sponsored actors, stating they had targeted multiple sectors worldwide, including telecommunications, government entities, transportation, hotels, and military infrastructure.

Tech as target

More recently, artificial intelligence has emerged as another front in technological and intelligence competition. In January this year, the US Department of Justice announced the conviction of Linwei Ding, a former Google engineer, for stealing trade secrets related to the technical architecture of advanced data centres used to train and run AI models. Prosecutors said the case involved links to companies and projects in China, making it one of the most prominent espionage cases involving AI technologies and the computational infrastructure that supports them.

Espionage is no longer limited to obtaining government secrets. Amid a growing battle for tech dominance, it now targets firms developing advanced technologies.

In 2023, the US Department of Justice charged Weibao Wang, a former Apple engineer, with stealing trade secrets related to the company's autonomous driving project. According to the indictment, he took engineering files, software materials, and confidential documents. US authorities said he left for China after the FBI searched his home, and that he accepted a position with a Chinese company operating in the same field.

Together, these cases suggest that espionage is no longer limited to cyber intrusions or the acquisition of government secrets. It also extends to the expertise and proprietary knowledge held by companies developing advanced technologies. According to Western security assessments, such knowledge may be obtained through cyber operations, professional recruitment, consultancy arrangements, or direct access to information from within the institutions themselves.
