Recently, a massive number of prolific Chinese human rights defenders, grassroots groups, and organizations have found themselves targets of “spear-phishing” on X (formerly Twitter). Spear-phishing refers to targeted attacks designed to trick people into handing out private information, such as account passwords. The successful attacks then allowed hackers to tweet from compromised accounts and access private direct messages. Hundreds, if not thousands of accounts, mostly within the Chinese dissident community, have been targeted, in one of the largest known attacks amongst the Chinese community on X.
Xiang Li, a well-known US-based human rights activist who was one of the targets during the 709 Crackdown in 2015, recounted her experience with the hackers (translated to English below by HRIC):
“At around 7 a.m. on August 17, 2024, an X account named Help X @TouchXAnswers that I was not following sent a private message to my X account @xiangli001, saying that my tweet was under review for possible copyright violations and that it needed to be appealed within 24 hours, or the account would be suspended. A web link was attached. Because it was morning and my head wasn’t too clear, I clicked on the link and probably filled in some information. Then, my account was hacked.
Image 1: Example of a direct message received for alleged copyright violations.
I realized that my account had been stolen when I received an email that said my X account “successfully changed the email address of X account login.” At this point, I was no longer able to change my email address back to my own email address. Although my X account on my iPhone was still logged in, I couldn’t modify any information or get my email login information back.
Images 2 & 3: Once logged in, it will lead the user to a phishing website that uses a fake X interface to make victims log in. After that, they will steal passwords and then control the accounts.
So, I immediately asked my friends how to appeal and get my X account back. I appealed the hacked account through X support, and then sent more supporting information via email once they replied. Because my X account was also linked to a mobile phone account, the appeal was quickly accepted. At the same time, I posted a post on my X account at around 8 o'clock, saying that my account was stolen, so that users on X would be alerted to this scam.
Perhaps the hacker knew that I had discovered that my number was stolen, and my X account name had been changed to Help X @BreachFaqX. The hacker began to send private messages to my friends on my X account, again saying that their tweets contained copyright violations and that they needed to appeal within 24 hours, otherwise their accounts would be frozen, with a link attached. I realized that the hacker wanted to steal other people's accounts as well.
So, I asked my friend IceJade #StandWithUkraine@bingyuicejade (her account has 176,000 followers) to post information about my X account being stolen, and to warn other users not to be fooled. At around 9 o'clock, she posted about how my account was stolen, and attached a screenshot of the private message sent by the hacker when stealing the account, reminding other X users to be wary of such private messages and not to click on the link.
At this time, I discovered that many other similar X accounts had been stolen using the same method as mine, and they had posted about it on X as well.”
Image 4: Example of an independent journalism outlet, Mighty Voice Media, which fell prey to the spear-phishing attack.
Xiang Li’s warning to her followers, amplified by user “@bingyuicejade,” quickly drew attention to the spear-phishing attacks and helped other community members avoid falling prey to the hackers.
According to HRIC Executive Director Fengsuo Zhou, “X is the main platform for freedom loving Chinese communities to share information, away from the censorship of CCP regime. Therefore, it has also become a primary target of the CCP’s surveillance and hacking efforts. The quick action of Xiang Li and the X team prevented a more disastrous outcome this time. We urge X to remain alert and pay special attention to the hacking efforts by the Chinese authorities. We also urge X users to pay close attention to their accounts and not to fall prey to the same spear-phishing attack.”
HRIC stands with the Chinese human rights defenders, grassroots groups, and organizations that have had their X accounts stolen or compromised through the recent spear-phishing attacks. These attacks are not random or accidental. Targeting these prolific human rights defenders and groups prevents them from exercising their freedom of expression online, on a platform that thousands of Chinese users use as a medium of free expression and a time-sensitive news site. X also has a responsibility to all users to prevent such extensive attacks, so that all users can safely access the platform without repercussions.
