A think tank in Washington DC has uncovered a covert network of digital front companies linked to Chinese intelligence, targeting recently laid-off US government workers.
Since Donald Trump took office, thousands in the government have lost their jobs, particularly in cybersecurity and intelligence roles. The layoffs, attributed to budget cuts by the Department of Government Efficiency led by Elon Musk, have significantly disrupted government operations. Some agencies, like the FDA, have even started to reverse these cuts.
The Federation for the Defence of Democracies (FDD), which investigates national security issues, claims Beijing is looking to exploit these job losses for intelligence-gathering. Max Lesser, a senior analyst at FDD, pointed out that these fake companies are masquerading as risk consultancies and headhunting firms, claiming to be based in countries like Japan and Singapore.
Lesser noted that the techniques used by this network are similar to past operations targeting US officials and high-value individuals. Despite appearing as separate entities, clues suggest a single organization is behind them. The FDD identified firms such as Smiao Intelligence and Dustrategy. While Smiao seems legitimate, the others appear to be little more than digital disguises, with cloned websites and AI-generated content.
It seems that the people linked to Smiao may be behind this operation. They all use the same China-based Tencent server and most have relied on a Chinese email service, chengmail. Interestingly, four of the five companies share the same SSL certificate.
The FDD traced Smiao to an older domain—eight years old—and linked it to a parent company in Beijing that handles trademark registrations.
One company, RiverMerge, falsely claimed to have offices in Colorado and Singapore; these details vanished from its site before March 26, 2025. However, US records show a related entity registered in Beijing.
The Chinese government has a history of using recruitment tactics to gather intelligence, dating back nearly a decade. In 2020, a Singapore national was sentenced for collecting resumes from over 400 US military and government figures. European targets have faced similar assaults, with significant data breaches reported in Germany and the UK.
This latest operation comes at a precarious moment for the US, as many former federal employees look for new jobs. Lesser warned that if both public and private sectors don’t act swiftly, adversaries like China will continue to exploit vulnerable workers who may not recognize the threat.
He urged the US government to raise awareness about this cyber threat, advocate for more scrutiny of job sites, and enhance monitoring of suspicious job postings aimed at ex-employees. Lesser also called for greater oversight from Congress and suggested that the US might use fake accounts to draw out Chinese intelligence operatives.