US moves to seize 13 websites tied to alleged Chinese scheme paying American insiders for intelligence
Article is based on federal domain-name seizure warrant — filed in Washington, D.C.
WASHINGTON, June 11, A federal judge has authorized the FBI to seize 13 internet domains that investigators say were used by operatives working on behalf of China's government to run fake consulting firms that recruited Americans, including current and former security clearance holders, and paid them for sensitive and potentially classified information.
U.S. Magistrate Judge G. Michael Harvey signed the warrant in the District of Columbia on June 5, ordering it executed by June 18 "at any time in the day or night," after finding probable cause that the sites were used in a conspiracy involving bribery of public officials, theft of government property, identity fraud and international money laundering, according to a redacted copy of the warrant and supporting FBI affidavit in case 26-sz-42.
"The United States is investigating unlawful activity conducted by actors believed to be working, wittingly and unwittingly, on behalf of the government of the People's Republic of China," an FBI special agent, whose name is redacted, wrote in the affidavit.
The filing describes, in effect, a paid informant network: front companies that used job advertisements to spot Americans with access to government secrets, then placed them on retainer-style arrangements in which compensation rose with the sensitivity of what they delivered.
The domains, centrikglobalconsulting.com, rightinfoconsult.com, finnaclevesperconsulting.com, cydfconsulting.com, pulsewaveglobal.com, catalystglobalsolutions.com, thehorizzen.com, geoindopacific.com, gpf-ina.org, safesec-group.com, thetruthinfo.com, vandercons.com and gulfpeace.org, are to be redirected to FBI name servers and display a seizure notice describing a joint operation by the U.S. Attorney's Office for the District of Columbia, the Justice Department's National Security Division counterintelligence section, and the FBI's Washington and Norfolk field offices. (Source: https://www.justice.gov/usao-dc/media/1445291/dl?inline). Registrars of the domains are distributed across German 1API (rightinfoconsult, finnacle, cydf), NameCheap/NameSilo in Phoenix, Wix, GoDaddy, UK-based PDR.
CASH FOR 'EXCLUSIVE' INFORMATION
Starting around November 2023, the conspirators created at least 13 sham consulting websites using stolen identities, AI-generated photos and boilerplate text, then advertised vague analyst and consultant jobs on LinkedIn, Upwork, Hubstaff Talent, Wellfound and other platforms, the affidavit says. Postings sought candidates with U.S. government, military or NATO experience; one Centrik Global Consulting listing appeared in a LinkedIn group for Defense Department careers requiring security clearances, and another sought a "Global Risk Specialist (US Government)" who had served in the CIA or Congress.
Recruits were offered $500 "paid assessment tests," contracts of $1,000 or more per report, and $700 referral fees for bringing in others, according to the filing. A national political reporter offered up to $2,500 per article told the FBI the money was suspiciously high for freelance work and suspected the approach was Russian or Chinese "agitprop."
Handlers, who moved conversations to Telegram, repeatedly pressed for non-public material. One recruiter persona said the firm was "not looking for secret information, only insight that our internal team cannot obtain," citing a client question about NATO's assessment of Ukraine's strikes on Russian territory, then urged the recruit to "[m]aximize the granularity of information," promising higher pay.
After a U.S. government contractor employee with a Secret clearance was asked to assess Iran's internal deliberations and any "private communication with Hezbollah" following Israel's killing of Hassan Nasrallah, and objected that revealing government information would be illegal, the handler replied: "I don't ask you to break the laws," adding, "I will make the payment done first." The affidavit says at least one active-duty U.S. military member holding a Top Secret/SCI clearance sent a front company a resume, payment details and a strategy report.
Tasking tracked Beijing's priorities, the agent wrote, including the South China Sea, U.S.-China trade policy, the Trump administration's China deliberations, and the U.N. human rights office's scrutiny of Xinjiang.
STOLEN IDENTITIES, AI-GENERATED FACES
Two real U.S. citizens' identities were used without their knowledge to register domains and operate recruiter personas, including a fake "HR Director," the affidavit says; one victim's U.S. passport had been posted for sale on a cyber-criminal marketplace. Site imagery included stock and AI-generated "executives," and one site carried client testimonials from "Ron Burgundy" and other characters from the film "Anchorman." Another front impersonated a legitimate Indonesia-affiliated nonprofit, which publicly warned of a "job scam" and stamped "FAKE" across the bogus postings.
MONEY TRAIL THROUGH CHINESE BANKS
Payments to recruits flowed from overseas into U.S. accounts via PayPal profiles registered to fictitious names and linked to cards issued by Chinese banks including Bank of China, Agricultural Bank of China, Ping An Bank, Shanghai Pudong Development Bank and Bank of Communications, the affidavit says. Domain and hosting bills were paid with cryptocurrency and cards from banks in China, Pakistan, India, the UAE, Thailand and France. Account logins resolved to China, Hong Kong and Macau, and devices tied to the operation were set to Shanghai time on Chinese mobile networks.
The affidavit identifies no defendants by name, referring instead to "SUBJECT A," who allegedly operated Centrik from South Africa and recruited at least seven current and former U.S. government employees in late 2024, and "SUBJECT B," a Caribbean national believed to have lived in China. "No offender is known to have, or have had, residence within any United States district," the agent wrote.
The case echoes that of Jun Wei "Dickson" Yeo, a Singaporean who admitted in 2020 to acting in the United States as an unregistered agent of Chinese intelligence after using LinkedIn and a fake consultancy to recruit Americans. LinkedIn wound down its China operations in 2023.
NEW DELHI FLAGS SIMILAR TACTICS
India has warned of a near-identical playbook. In a January 22 circular to all universities and colleges, the University Grants Commission, the country's higher-education regulator, said the Education Ministry had flagged "vested foreign entities" collecting information on India's national security, defence establishment and critical infrastructure, recruiting people with journalism and defense experience through job portals such as LinkedIn and Naukri.com, commissioning "source-based articles" on troop deployments, weapon systems, defense procurement and military exercises, and paying through Indian bank accounts, at times using proceeds of cyber fraud. The advisory, which did not name any country, said the recruiters typically pose as consulting firms operating abroad and have collected applicants' PAN and Aadhaar identity documents through Indian intermediaries, and asked institutions to caution students and faculty.
TECHNICALITIES OF DOMAIN SEIZURE
The judge orders the registries, not the website owners, to act:
- VeriSign, Inc. (for all the .com names) and Public Interest Registry (for the two .org names) must:
- Redirect the domains to FBI-controlled name servers: ns1.fbi.seized.gov and ns2.fbi.seized.gov
- Lock the domains so they cannot be transferred, sold, or edited
- Push the changes through DNS "as quickly as practicable"
- Provide "reasonable assistance" and not frustrate the order
Once redirected, anyone visiting the sites will see the standard FBI seizure banner:
"This domain has been seized by the Federal Bureau of Investigation in accordance with a seizure warrant issued pursuant to 18 U.S.C. § 981(a)(1)(A), 18 U.S.C. § 982(a)(1), and 21 U.S.C. § 853, issued by the U.S. District Court for the District of Columbia as part of a joint law enforcement operation and action by: The United States Attorney's Office for the District of Columbia; National Security Division, Counterintelligence and Export Control Section; and FBI Washington Field Office and FBI Norfolk Field Office."
Several of the targeted sites were already offline by April 2026, but investigators sought the seizures to prevent their reuse. Beijing has consistently rejected U.S. accusations of state-directed espionage; the recruiters themselves, the affidavit notes, "denied any involvement by any foreign government."