China-Linked Fake Consulting Sites Targeting US Clearance Holders Seized
US Federal authorities have seized 13 domains allegedly used in a Chinese intelligence-linked operation to recruit Americans with access to classified government information. The websites posed as legitimate consulting firms, offering vague consultancy and advisory roles to current and former US government employees, military personnel, and security clearance holders. The operation, which began in November 2023, used fake company websites, online job postings, and social media recruiting to approach potential targets. Recruiters offered paid consulting work, then pressured candidates to share confidential insider information. The campaign employed false personas, stolen identities, AI-generated profile photos, encrypted messaging, cryptocurrency, and fake contracts to appear legitimate. Job postings appeared on platforms including Upwork, Expertia AI, and Hubstaff Talent, covering topics aligned with Chinese government interests.
AI Analysis
Technical Summary
This campaign involves a China-linked espionage operation that employed fake consulting websites and social engineering tactics to recruit US clearance holders and government personnel. The adversaries created fake companies and job offers to pressure targets into disclosing confidential insider information. The operation used sophisticated methods including AI-generated profiles, stolen identities, encrypted communications, and cryptocurrency payments to appear legitimate and evade detection. The campaign was active since November 2023 and leveraged popular job platforms to reach potential victims. US authorities have seized 13 domains associated with this operation.
Potential Impact
The campaign targeted individuals with access to classified US government information, potentially leading to unauthorized disclosure of sensitive or classified data. The use of social engineering and fake consulting roles could result in insider threats and compromise of national security information. The operation's sophisticated tactics increased the likelihood of successful recruitment and information exfiltration.
Mitigation Recommendations
US Federal authorities have seized the domains used in this operation, disrupting the campaign infrastructure. Organizations and individuals with security clearances should remain vigilant against unsolicited job offers or consulting opportunities, especially those that pressure for confidential information. Verify the legitimacy of consulting firms and job postings, particularly on freelance platforms. No official patch or fix applies as this is a social engineering campaign. Continued awareness and reporting of suspicious recruitment attempts are recommended.
Affected Countries
United States
Indicators of Compromise
- domain: thetruthinfo.com
- domain: catalystglobalsolutions.com
- domain: centrikglobalconsulting.com
- domain: cydfconsulting.com
- domain: finnaclevesperconsulting.com
- domain: geoindopacific.com
- domain: gpf-ina.org
- domain: gulfpeace.org
- domain: pulsewaveglobal.com
- domain: rightinfoconsult.com
- domain: safesec-group.com
- domain: thehorizzen.com
- domain: vandercons.com
China-Linked Fake Consulting Sites Targeting US Clearance Holders Seized
Description
US Federal authorities have seized 13 domains allegedly used in a Chinese intelligence-linked operation to recruit Americans with access to classified government information. The websites posed as legitimate consulting firms, offering vague consultancy and advisory roles to current and former US government employees, military personnel, and security clearance holders. The operation, which began in November 2023, used fake company websites, online job postings, and social media recruiting to approach potential targets. Recruiters offered paid consulting work, then pressured candidates to share confidential insider information. The campaign employed false personas, stolen identities, AI-generated profile photos, encrypted messaging, cryptocurrency, and fake contracts to appear legitimate. Job postings appeared on platforms including Upwork, Expertia AI, and Hubstaff Talent, covering topics aligned with Chinese government interests.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involves a China-linked espionage operation that employed fake consulting websites and social engineering tactics to recruit US clearance holders and government personnel. The adversaries created fake companies and job offers to pressure targets into disclosing confidential insider information. The operation used sophisticated methods including AI-generated profiles, stolen identities, encrypted communications, and cryptocurrency payments to appear legitimate and evade detection. The campaign was active since November 2023 and leveraged popular job platforms to reach potential victims. US authorities have seized 13 domains associated with this operation.
Potential Impact
The campaign targeted individuals with access to classified US government information, potentially leading to unauthorized disclosure of sensitive or classified data. The use of social engineering and fake consulting roles could result in insider threats and compromise of national security information. The operation's sophisticated tactics increased the likelihood of successful recruitment and information exfiltration.
Mitigation Recommendations
US Federal authorities have seized the domains used in this operation, disrupting the campaign infrastructure. Organizations and individuals with security clearances should remain vigilant against unsolicited job offers or consulting opportunities, especially those that pressure for confidential information. Verify the legitimacy of consulting firms and job postings, particularly on freelance platforms. No official patch or fix applies as this is a social engineering campaign. Continued awareness and reporting of suspicious recruitment attempts are recommended.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://hackread.com/fbi-seizes-china-fake-consulting-sites-us-clearance/"]
- Adversary
- null
- Pulse Id
- 6a2a625931731a23250efb39
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainthetruthinfo.com | — | |
domaincatalystglobalsolutions.com | — | |
domaincentrikglobalconsulting.com | — | |
domaincydfconsulting.com | — | |
domainfinnaclevesperconsulting.com | — | |
domaingeoindopacific.com | — | |
domaingpf-ina.org | — | |
domaingulfpeace.org | — | |
domainpulsewaveglobal.com | — | |
domainrightinfoconsult.com | — | |
domainsafesec-group.com | — | |
domainthehorizzen.com | — | |
domainvandercons.com | — |
Threat ID: 6a2a66e09e049e7b7ed2bb11
Added to database: 6/11/2026, 7:42:24 AM
Last enriched: 6/11/2026, 7:57:14 AM
Last updated: 6/11/2026, 12:03:32 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.