May 16, 2025 | Memo

FDD Uncovers Likely Chinese Intelligence Operation Targeting Recently Laid-Off U.S. Government Employees

Chinese intelligence moved quickly to take advantage of the mass layoffs of federal workers that began right after the Trump administration took office. On Craigslist.org, a post advertising “Job Opportunities for Recently Laid-Off U.S. Government Employees” appeared on February 6 on the website’s Washington, DC, jobs board.1 The post links to the website of what is supposedly a consulting services company located in Singapore.2 Yet peering beneath the surface reveals that this company is part of a broader network of websites, LinkedIn pages, and job advertisements that appear to be a Chinese intelligence operation.

The tactics employed by this network closely resemble previous Chinese intelligence operations targeting U.S. government officials and other high-value targets across the United States, Europe, and beyond. Despite the network’s efforts to create the illusion that several separate firms outside of China are seeking to recruit laid-off federal employees, the network’s technical features point both to its Chinese origins and to the role of a single entity in creating all of its components.

The network consists of five companies that rely on the same dedicated, Chinese-owned server to host their websites, and all but one of the five used (or still use) the niche Chinese email provider chengmail[.]com. In addition, four of the five sites share a single SSL certificate, a digital identity card for a website that enables secure, encrypted communication with visitors. Yet only one of the five companies in the network, Smiao Intelligence, appears real. The others are little more than digital facades, a conclusion apparent from their use of cloned websites, fake customers, AI-generated text, and other signs of artificiality. Common internet infrastructure and other shared features between the website of Smiao Intelligence and the four seemingly inauthentic firms indicate that one or more individuals associated with Smiao likely created the network for intelligence purposes.

After documenting this network, this report recommends several mitigation measures that the public and private sectors can employ to proactively detect and respond to these types of operations. While federal employees who were recently laid off should exercise heightened vigilance, the U.S. government should work to increase Beijing’s costs and deny it the benefits of conducting online targeting operations. Most importantly, the government should work with job recruiting websites and social media platforms to monitor suspicious activity more aggressively, while Congress should conduct oversight to ensure this effort is effective.

History of Chinese Intelligence Operations Leveraging Job Recruiting Websites

For the better part of a decade, the Chinese Communist Party (CCP) has leveraged job recruiting websites to gather intelligence against the United States. In 2018, Singaporean national Jun Wei Yeo created a fake consulting company and posted job advertisements on LinkedIn and other social networking sites to recruit Americans with access to sensitive government information.3 Two years later, the U.S. government sentenced Yeo to prison after he succeeded in obtaining more than 400 resumes — more than 90 percent of which came from military and government officials with security clearances — that Yeo then passed to Chinese intelligence operatives.4 In another high-profile case, a Chinese national posing as a headhunter reached out via LinkedIn to former American intelligence officer Kevin Mallory in 2017 and recruited him to commit espionage for Beijing.5

These episodes reflect a much larger problem plaguing the United States and Europe. German intelligence reported in 2017 that Beijing used LinkedIn to target at least 10,000 Germans as potential intelligence sources.6 In 2019, French intelligence stated that Chinese operatives attempted to contact more than 4,000 French citizens using LinkedIn and other social networks.7 In 2023, British intelligence estimated that Chinese state actors on LinkedIn had approached more than 20,000 Britons.8 LinkedIn provides “the ultimate playground for collection,” according to William Evanina, former director of the U.S. National Counterintelligence and Security Center.9 Evanina explained that “instead of dispatching spies to the U.S. to recruit a single target, it’s more efficient to sit behind a computer in China and send out friend requests to thousands of targets using fake profiles.”10

Former officials who have just left government positions and government employees seeking new opportunities are particularly vulnerable to Chinese recruiting campaigns.11 Additionally, Chinese intelligence officials have historically sought to recruit academics and high-value targets from the private sector for the purposes of economic espionage, especially in critical technology sectors such as artificial intelligence (AI).12 Many of these Chinese operations employ common tactics, such as creating fake consulting and headhunting companies supposedly based in Singapore or Hong Kong.13 Since both cities have majority ethnic Chinese populations, a CCP operation could blend in more easily, and it may even be easier for Chinese operatives to entice a target to visit Singapore and Hong Kong as opposed to mainland China.

The Network Discovered by FDD

FDD discovered a network spanning five companies. One company appears to be an internet services company, and the other four companies variously describe themselves as consulting or headhunting firms based in the United States, Singapore, and Japan:

  • Smiao Intelligence — smiao.com[.]cn14
  • Dustrategy — dustrategy[.]com15
  • RiverMerge Strategies — rivermergestrategies[.]com16
  • Tsubasa Insight — tsubasainsight[.]com17
  • Wavemax Innov — wavemaxinnov[.]com18

Evidence indicates that Smiao Intelligence is an actual company based in China and that one or more individuals associated with Smiao created the other four companies in the network, which are not authentic businesses. Additionally, Smiao’s website became unavailable at some point between March 11 and March 25 while Reuters was reviewing the research findings presented in this paper, on which it later reported.19 However, FDD was able to archive Smiao’s website in February before it went offline.20

Smiao stands out from the other four firms in the network because its domain name ended with .cn, a Chinese top-level domain. The company offered an array of professional services, ranging from web development and digital marketing to trademark registration.21 For a web developer like Smiao, building sites for other firms, real or fake, would not be difficult.

Smiao’s website, smiao.com[.]cn, also had the oldest domain in the network, registered on February 7, 2017.22 The next oldest belongs to dustrategy[.]com, registered on March 25, 2024.23 The Smiao homepage also listed what appears to be its parent company, Beijing Simiao Intelligent Information Technology Co., Ltd. (北京思妙智能信息科技有限公司), whose roots go back further.24 Its name matches that of a company registered in China in 2012, according to AsiaVerify, a due diligence platform focused on Asia. Another indication of the parent company’s authenticity is that a Chinese government website refers to it as a trademark application agency officially recognized by the State Intellectual Property Office.25

Additionally, a database error that appeared on Dustrategy[.]com on March 19, 2024, revealed backend configuration details that implicate Smiao. Specifically, Dustrategy[.]com attempted to retrieve content from a table named “tp_smiao” in a database named “dustrategy_com” but failed, thus revealing the name of the table in an error message.26 This suggests that whoever created the website configured it to rely on this database.

There are several telltale signs that a single entity created and controls all five companies’ websites. Between December 7, 2024, and March 14, 2025, the domains for all five sites were hosted on the same server at IP address 43[.]134.121.240.27 That server is owned by the Chinese multinational company Tencent, and it hosts only domains associated with the five firms in the network, suggesting it is a dedicated hosting environment. In contrast to shared hosting environments, where multiple unrelated entities can rent space on the same server, websites on dedicated hosting environments are typically operated by a single entity.28

Figure 1: Domains hosted on web hosting server at IP address 43[.]134.121.240, according to Validin

To discover this dedicated web hosting server associated with Smiao and the four other business websites, FDD used a technique called passive DNS. Passive DNS allows investigators to see historical connections between websites and the servers that hosted them, using the IP addresses that linked them, even if the websites have been taken down or changed. Various open-source and commercial tools aggregate passive DNS data, and FDD chose to use Silent Push and Validin because both platforms offer comprehensive coverage with minimal gaps in historical records. Figure 1 presents data from Validin showing that a single server hosted all five websites at the same time.

Another indicator of the four sites’ common origin in China is that their SPF and MX records list the same Chinese email service provider, chengmail[.]cn.29 SPF records specify which servers are authorized to send emails on behalf of a domain, and MX records specify servers responsible for receiving incoming email for a domain.30 SPF and MX records are publicly accessible, and FDD identified these records using Silent Push. Chengmail[.]cn is a relatively niche provider, receiving a fraction of the traffic seen by major Chinese enterprise email services such as Tencent Exmail. (See Appendix B.) The use of chengmail[.]com across the Smiao network supports the assessment that a single entity created and controls the four sites. Using the niche provider chengmail[.]com is not only uncommon in China but also highly unusual for an authentic firm located outside of China. Perhaps to mask their connections to China, rivermergestrategies[.]com and tsubasainsight[.]com switched their email provider to privateemail[.]com in June and September 2024, respectively.31

Figure 2: MX records for rivermergestrategies[.]com as of April 21, 2025, showing a shift from Chinese email provider chengmail[.]cn to privateemail[.]com, according to Silent Push
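The pivots described in this section (co-hosting on one IP address seen through passive DNS, a server that hosts nothing outside the cluster, and a common mail provider in MX and SPF records) can be expressed as a short script. This is an added example, not FDD's tooling and not output from Silent Push or Validin; every domain, IP address and date below is constructed, and the function names are hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS rows: (domain, rrtype, value, first_seen, last_seen).
# All names use the reserved .example TLD and documentation IP ranges.
ROWS = [
    ("firm-a.example", "A", "203.0.113.10", date(2024, 12, 7), date(2025, 3, 14)),
    ("firm-b.example", "A", "203.0.113.10", date(2024, 11, 1), date(2025, 3, 14)),
    ("firm-c.example", "A", "203.0.113.10", date(2024, 12, 7), date(2025, 4, 1)),
    ("shop.example", "A", "198.51.100.7", date(2023, 1, 1), date(2025, 3, 14)),
    ("firm-a.example", "A", "198.51.100.7", date(2024, 5, 8), date(2024, 12, 6)),
    ("firm-a.example", "MX", "mx.nichemail.example", date(2024, 5, 8), date(2024, 6, 20)),
    ("firm-a.example", "MX", "mx1.bigmail.example", date(2024, 6, 21), date(2025, 4, 21)),
    ("firm-b.example", "MX", "mx.nichemail.example", date(2024, 3, 25), date(2025, 4, 21)),
    ("firm-c.example", "TXT", "v=spf1 include:spf.nichemail.example -all",
     date(2024, 9, 1), date(2025, 4, 21)),
    ("shop.example", "MX", "mx1.bigmail.example", date(2023, 1, 1), date(2025, 4, 21)),
]
SUSPECTS = {"firm-a.example", "firm-b.example", "firm-c.example"}


def provider_of(rrtype, value):
    """Reduce an MX host or SPF include to a provider domain.

    Assumption: the last two labels identify the provider. Real data needs a
    public-suffix list (for example to handle names under com.cn).
    """
    hosts = []
    if rrtype == "MX":
        hosts = [value]
    elif rrtype == "TXT" and value.lower().startswith("v=spf1"):
        hosts = [t.split(":", 1)[1] for t in value.split()
                 if t.lower().startswith("include:")]
    return {".".join(h.rstrip(".").lower().split(".")[-2:]) for h in hosts}


def cohosting_window(rows, ip):
    """Return (domains, start, end): who resolved to `ip`, and the window in
    which all of them did so simultaneously (None, None if they never overlap).
    Simplification: one interval per domain per IP."""
    seen = [(d, fs, ls) for d, t, v, fs, ls in rows if t == "A" and v == ip]
    domains = {d for d, _, _ in seen}
    if not seen:
        return domains, None, None
    start = max(fs for _, fs, _ in seen)
    end = min(ls for _, _, ls in seen)
    return (domains, start, end) if start <= end else (domains, None, None)


def dedicated_hosts(rows, suspects):
    """IPs that host at least two suspect domains and no domain outside the set."""
    tenants = defaultdict(set)
    for d, t, v, _, _ in rows:
        if t == "A":
            tenants[v].add(d)
    return {ip: ds for ip, ds in tenants.items() if len(ds) >= 2 and ds <= suspects}


def shared_providers(rows):
    """Mail providers (from MX and SPF) used by two or more domains."""
    users = defaultdict(set)
    for d, t, v, _, _ in rows:
        for p in provider_of(t, v):
            users[p].add(d)
    return {p: ds for p, ds in users.items() if len(ds) >= 2}


def mail_history(rows, domain):
    """Chronological (first_seen, provider) list, which exposes provider switches."""
    hist = []
    for d, t, v, fs, _ in rows:
        if d == domain:
            hist += [(fs, p) for p in provider_of(t, v)]
    return sorted(hist)


if __name__ == "__main__":
    print(dedicated_hosts(ROWS, SUSPECTS))
    print(cohosting_window(ROWS, "203.0.113.10"))
    print(shared_providers(ROWS))
    print(mail_history(ROWS, "firm-a.example"))
```

A provider that many unrelated domains use (the constructed `bigmail.example`) is weak evidence on its own; the signal comes from a rarely used provider combined with an exclusive hosting IP and an overlapping time window.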

Other Shared Attributes of the Websites

In addition to shared web hosting and email infrastructure, several overlapping traits of the websites in the Smiao network suggest they were created by the same entity. (See Appendix C.)

The first involves a misconfiguration in which a visitor sees different versions of the same website depending on whether they load the HTTP or the HTTPS version.32 HTTP is the fundamental protocol used to transfer content from servers, such as web hosting servers, to clients, like web browsers. HTTPS is the secure version of HTTP, which encrypts communication to prevent malicious actors from intercepting, altering, or spoofing exchanged data. Today, HTTPS serves as the default protocol for over 87 percent of websites.33

In the Smiao network, the HTTP versions of wavemaxinnov[.]com and tsubasainsight[.]com are distinct as of May 4.34 However, the HTTPS versions of wavemaxinnov[.]com and tsubasainsight[.]com display content that is identical to that of dustrategy[.]com.35 Notably, the HTTP version of Smiao.com[.]cn was also distinct from dustrategy[.]com before it went offline, but the HTTPS version of the website previously displayed content identical to dustrategy[.]com.36 As of March 11, 2025, the HTTPS versions of these same four sites also shared the same SSL certificate. (See Appendix D.)37

In addition, three of the four seemingly inauthentic websites — dustrategy[.]com, tsubasainsight[.]com, and wavemaxinnov[.]com — partially clone legitimate business websites from outside the network. (See Appendix E.) This common behavior strengthens the assessment that a single entity created them, likely having cloned legitimate websites as a shortcut to avoid building a new website from scratch.

Signs of Inauthenticity for RiverMerge Strategies, Wavemax Innov, Dustrategy, and Tsubasa Insight

RiverMerge Strategies served as the initial lead in FDD’s investigation. FDD first discovered the company when searching on LinkedIn for geopolitical risk consultant positions. The company purports to be a consulting business specializing in geopolitical risk and offers services ranging from political risk assessments to business intelligence.38 RiverMerge Strategies previously purported to be based in Colorado and Singapore; however, the company removed the Colorado address from its website prior to March 26.39 Starting at least as early as January 2025, RiverMerge Strategies posted job listings on LinkedIn seeking professionals with government experience and talent recruiters with strong networks in DC. (See Appendix F.)40 RiverMerge Strategies also posted listings for an investigative journalist and a research analyst focused on “monitoring, documenting, and reporting Human Rights’ abuses.” (See Appendix F.)

Corporate registries show that a company titled “RiverMerge Strategies LLC” is in fact registered in Colorado, listing its head office at the same location that RiverMerge Strategies once listed on its LinkedIn page and website.41 The company was formed on June 3, 2024, roughly one month after the web domain for RiverMerge Strategies was registered on May 7, 2024.42 According to data from WHOIS, which provides registration information about domain names and IP addresses, the domain for RiverMerge Strategies was registered in Beijing.43 The website also includes a phone number that begins with the digits 400, a Chinese prefix.44 Notably, RiverMerge Strategies previously shared a phone number with siss.org[.]cn, a website affiliated with Smiao, according to corporate records, and which also shared overlapping internet infrastructure with Smiao.45 All of these factors suggest that RiverMerge Strategies’ website was created and controlled by a Chinese entity — more specifically, Smiao.

The apparent inauthenticity of RiverMerge is also suggested by its website’s inclusion of fake clients with sample concept logo designs and company names pulled from social media sites such as Pinterest. (See Appendix G.)46 The website also includes a section entitled “insights” with short-form analyses of various geopolitical events. The AI-detection tool ZeroGPT rates the text of these “insights” as highly likely to be AI-generated. (See Appendix H.)

Dustrategy

Dustrategy’s website, which presents the company as a headhunting firm, has multiple features that suggest it was likely created in China. WHOIS data does not make the identity or location of the registrant public.47 However, as of April 27, the source code for dustrategy[.]com notably includes developer comments with simplified Chinese characters.48 Clicking on a button at the bottom of the webpage that says “submit your resume” also leads to an error page written in Chinese.49 As noted above, the website uses Chinese hosting and email infrastructure. The Dustrategy site also has features that overlap with other companies in the network. For example, an orphaned webpage on dustrategy[.]com describes the company as Singaporean.50 A company with the name Dustrategy LLC was registered in Denver, Colorado, where RiverMerge Strategies was also registered.51

Dustrategy previously listed “case studies” on its website for a “networking specialist” focused on building professional networks, a geopolitical risk analyst, and an AI researcher, suggesting that Dustrategy likely sought to recruit professionals with experience aligned with these roles.52 By March 18, 2025, however, these case studies no longer appeared on the website.53

The strongest indicator that Dustrategy is not an authentic business is that Dustrategy[.]com partially clones Kforce[.]com, which appears to be the website for a legitimate staffing company. (See Appendix E.)

Figure 3: Example of Chinese characters in the source code of Dustrategy[.]com. Red oval added for emphasis.

Tsubasa Insight

Tsubasa Insight’s website, tsubasainsight[.]com, describes the company as a “boutique policy consulting firm based in Japan, dedicated to helping businesses and organizations navigate the complexities of the regulatory and policy environment.”54 Tsubasainsight[.]com’s Chinese web hosting and email infrastructure show that it was likely created in China.55

Like Dustrategy, Tsubasa Insight’s website partially clones an apparently legitimate website, indicating a lack of authenticity. Specifically, it partially clones the website of a Japanese consulting firm in the life sciences sector. (See Appendix E.) In addition, no records appear in the AsiaVerify database for a company called Tsubasa Insight in Japan despite the website providing a street address. (See Appendix I.)

A job listing for Tsubasa Insight seeking a candidate with experience in government, politics, or policy to conduct geopolitical risk analysis appeared on the professional networking site Teal HQ.56 Google search results show that job advertisements for a “policy analyst” at Tsubasa Insight also appeared on the job recruiting site ZipRecruiter and professional networking site beBee. (See Appendix J.) These listings show that Tsubasa Insight targeted the same types of professionals as RiverMerge Strategies and Dustrategy did.

Wavemax Innov

Wavemax Innov’s website, wavemaxinnov[.]com, describes the company as a Singapore-based “research organization that develops solutions to public policy challenges” and a “nonprofit institution.”57 The registrant information is not publicly visible in the WHOIS record.58 At the same time, the company uses the same China-based web hosting and email service as other firms in the network, suggesting a Chinese entity created it.

There are several indications that the company is not authentic. WaveMax Innov’s website, wavemaxinnov[.]com, appears to clone the website of a New Jersey roofing company, roofexpertsnj[.]com. (See Appendix E.) AsiaVerify does not identify any companies registered in Singapore with the names “Wavemax” or “Wavemax Innov.” (See Appendix I.) The website includes a broken button with the LinkedIn logo, suggesting the site was created poorly and in haste. WaveMax Innov also pulled text from the website of RAND, an American think tank and research institute, describing WaveMax as “widely respected for operating independent of political and commercial pressures.”59

Wavemax Innov stands out for explicitly targeting former government officials affected by mass layoffs. (See Figure 4.)60

Figure 4: Craigslist post associated with wavemaxinnov[.]com

Policy Recommendations

Washington can take four steps to address the heightened risk of recruitment by Chinese intelligence amid a sharp increase in the number of federal employees looking for new jobs.

First, the government should continue to raise awareness of the threat. For example, the FBI has a webpage focused on the risk of China and other foreign intelligence services using social media to target clearance holders specifically.61 On April 9, 2025, multiple U.S. counterintelligence agencies put out a joint statement warning of China’s online targeting of current and former U.S. government employees, suggesting several mitigation measures for employees and employers.62 While this recent notice is helpful, this is not likely to have a major impact on its own unless the U.S. government takes more active measures, such as regularly briefing private industry and current and former federal employees on the issue. U.S. government representatives can also join podcasts and mainstream news channels to discuss the issue.

Second, Washington should create inauthentic accounts, commonly known as “sock puppets,” that fit the profiles of former government officials or clearance holders. Posted on a range of social media sites, these sock puppets can help U.S. counterintelligence bait foreign intelligence operatives into coming out of the shadows to make contact. When creating sock puppets, the government should proactively notify the relevant social media platforms so that they do not inadvertently interfere by taking down these accounts. Former FBI agent Timothy Pappa has previously advocated a similar technique to lure cybercriminals.63

Air Force officer Caleb S. Lisenbee II made a related proposal that the government should allow the targets of recruitment by foreign intelligence services “to receive and retain the money offered by adversaries” in exchange for passing along false information that would mislead the adversary.64

Third, the United States should urge LinkedIn and other professional networking sites to monitor suspicious activity indicative of foreign intelligence operations more aggressively. Companies could apply particular scrutiny to job postings that seek former government employees and clearance holders. LinkedIn should also implement know-your-customer (KYC) practices that require people creating company pages to provide basic information verifying the company’s legitimacy. If LinkedIn does not enhance its KYC practices across the board for businesses, it should at least implement stronger KYC practices for businesses seeking to recruit clearance holders or former government employees.

As FDD’s research shows, however, the problem extends far beyond LinkedIn, to other, smaller professional networking sites — such as ZipRecruiter, beBee, and Teal HQ — and even the job boards of sites that are not explicitly professional networking sites, such as Craigslist. The U.S. government should comprehensively map out the different online platforms that adversaries have historically leveraged or may leverage in the future for targeting operations to guide their engagement.

Lastly, Congress should provide oversight to ensure that the U.S. government and the private sector are dealing with the issue effectively. For example, the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence can hold hearings. Congress can also mandate in the Intelligence Authorization Act a public reporting requirement for the intelligence community to detail attempts by foreign adversaries to use professional networking sites and other online platforms to target U.S. personnel.

Conclusion

Chinese intelligence operatives have long leveraged the internet and the openness of American society to recruit individuals with both government and industry backgrounds. This threat is heightened at a time when thousands of former and current federal workers are seeking new employment. If the public and private sectors do not act quickly to address these vulnerabilities, China and other U.S. adversaries will continue preying on former public servants who may not be aware of the threat and face pressure to find new jobs quickly.

Table of Contents for Appendix

  • Appendix A: Table of Indicators
  • Appendix B: Chengmail vs. Tencent Exmail
  • Appendix C: Visualization of Shared Technical Signatures and Behavioral Patterns
  • Appendix D: Shared SSL Certificates
  • Appendix E: Evidence of Website Cloning
  • Appendix F: RiverMerge Strategies LinkedIn Job Postings
  • Appendix G: RiverMerge Strategies Company Logo and ‘Client’ Logos
  • Appendix H: ZeroGPT Analysis of RiverMerge Strategies Insights
  • Appendix I: AsiaVerify Search Results for Tsubasa Insight and WaveMax Innov
  • Appendix J: Google Search Results for Tsubasa Insight Showing Historical Job Listings
  • Appendix K: Network of Related Domains
  • Appendix L: Archives of Domains in Related Network

Appendix A: Table of Indicators

| Type | Indicator | Associated Companies in Network |
| --- | --- | --- |
| IP Address | 43[.]134.121.240 | RiverMerge Strategies, Dustrategy, Tsubasa Insight, Wavemax Innov, Smiao Intelligence |
| Domain | rivermergestrategies[.]com | RiverMerge Strategies |
| LinkedIn Profile | linkedin[.]com/company/rivermerge-strategies | RiverMerge Strategies |
| X Profile | x[.]com/rivermergegroup | RiverMerge Strategies |
| Phone Number | (+1) 202-247-8003 | RiverMerge Strategies |
| Phone Number | 400-885-8983 | RiverMerge Strategies, SIXUN (same parent company as Smiao Intelligence) |
| Email Address | contact@rivermergestrategies[.]com | RiverMerge Strategies |
| Physical Address | 1942 Broadway St, Boulder, CO 80302 | RiverMerge Strategies |
| Physical Address | 503 Stirling Rd, Singapore 148959 | RiverMerge Strategies |
| IP Address | 47[.]250.155.134 | RiverMerge Strategies |
| Domain | Dustrategy[.]com | Dustrategy |
| Phone Number | 1-802-266-1501 | Dustrategy |
| Email Address | [email protected] | Dustrategy |
| LinkedIn Profile | linkedin[.]com/company/dustrategy-llc/ | Dustrategy |
| Domain (HTTPS Version) | https://tsubasainsight[.]com/ | Tsubasa Insight |
| Domain (HTTP Version) | http://www.tsubasainsight[.]com/ | Tsubasa Insight |
| Physical Address | 5-15-1 Shibuya, Shibuya-ku, Tokyo, Japan 150-000 | Tsubasa Insight |
| Email Address | job@tsubasainsight[.]com | Tsubasa Insight |
| Domain (HTTPS Version) | https://wavemaxinnov[.]com/ | Wavemax Innov |
| Domain (HTTP Version) | http://wavemaxinnov[.]com/ | Wavemax Innov |
| Physical Address | 6 Marina Green (S) 019799, Singapore | Wavemax Innov |
| Email Address | hr.kim@wavemaxinnov[.]com | Wavemax Innov |
| Domain (HTTPS Version) | https://smiao.com[.]cn/ | Smiao Intelligence |
| Domain (HTTP Version) | http://smiao.com[.]cn/ | Smiao Intelligence |
| Phone Number | 010-57155315 | Smiao Intelligence |
| Phone Number | 400-899-8587 | Smiao Intelligence |
| Email Address | office@smiao[.]cc | Smiao Intelligence |
| Domain | Siss.org[.]cn | SIXUN (same parent company as Smiao Intelligence) |

Appendix B: Chengmail vs. Tencent Exmail

Chengmail appears to be a niche enterprise email service provider in China. To demonstrate this, FDD used SimilarWeb, a leading web traffic analysis tool, to compare the daily and monthly average for visits to the webmail interfaces of Chengmail and Tencent Exmail, a major Chinese enterprise email service.

Figure 5: Monthly average visits for Chengmail and Exmail’s webmail interfaces, as of April 20, 2025

Figure 6: Daily average visits for Chengmail and Exmail’s webmail interfaces, as of April 20, 2025

Appendix C: Visualization of Shared Technical Signatures and Behavioral Patterns

The graphic below represents shared technical signatures and behavioral patterns among the five websites in the network identified by FDD. These shared features strongly suggest that a single entity created and controlled the websites in the network.

Figure 7: Shared technical signatures and behavioral patterns of websites in network identified by FDD

Appendix D: Shared SSL Certificates

Four domains in the network share SSL certificates. The SSL certificate for dustrategy[.]com has historically been on the HTTPS versions of wavemaxinnov[.]com, tsubasainsight[.]com, and smiao.com[.]cn. FDD confirmed this manually and took the screenshots seen below on March 11, 2025. Smiao.com[.]cn is no longer online as of March 25, but the HTTPS versions of wavemaxinnov[.]com and tsubasainsight[.]com still share the same SSL certificate with dustrategy[.]com as of April 22.

 

Figure 8: SSL certificate for www.dustrategy[.]com

Figure 9: Error message for wavemaxinnov[.]com showing it shares an SSL certificate with www.dustrategy[.]com

Figure 10: Error message for tsubasainsight[.]com showing it shares an SSL certificate with www.dustrategy[.]com

Figure 11: Error message for smiao.com[.]cn showing it shares an SSL certificate with www.dustrategy[.]com

Appendix E: Evidence of Website Cloning

Three of the suspect consulting websites in the network discovered by FDD partially clone the websites for legitimate companies. Specifically, Dustrategy’s website (dustrategy[.]com) partially clones Kforce’s (kforce[.]com); Tsubasa Insight’s website (tsubasainsight[.]com) partially clones Amenichi Consulting’s (amenichi[.]com); and WaveMax Innov’s website (wavemaxinnov[.]com) partially clones RoofExpertsNJ’s (roofexpertsnj[.]com).

Visually comparing webpages across these websites provides the most immediate evidence of cloning. The suspect websites and the legitimate websites they clone have nearly identical layout and design features and often have overlapping text and images. See, for example, archived versions of the homepages and “about” pages for Tsubasa Insight and Amenichi Consulting.65

To quantify the similarity of the websites, FDD ran a script on April 24, 2025, that counts what fraction of one webpage’s code can be found in the same sequence inside another webpage. This script demonstrates that the creators of the suspect websites copied and pasted the source code from the legitimate websites.

While Dustrategy’s site consists of only three functional webpages, Kforce’s includes over 500. Despite this disparity, about 90 percent of the source code for Dustrategy’s homepage appears in the source code for Kforce’s homepage. Similarly, about 90 percent of the source code for Dustrategy’s “submit resume” page appears in Kforce’s corresponding page. This demonstrates that the creators of Dustrategy copied and pasted significant portions of the source code from associated pages on Kforce’s website. However, despite having similar design and layout, the “about” pages of both websites display little similarity in their source code. Dustrategy[.]com also uses several of Kforce[.]com’s assets, such as a branded video taken directly from the Kforce[.]com website.66 Dustrategy[.]com also has a Google Analytics tracking ID and Salesforce Pardot tag, both of which were previously associated with Kforce[.]com.67

The websites for Tsubasa Insight and Amenichi Consulting both have five webpages with similarly named URL paths (e.g., “about-us” and “contact-us”). Fifty-nine to 86 percent of the source code from each of Tsubasa Insight’s webpages appears verbatim in Amenichi Consulting’s. In addition, Tsubasa Insight’s source code includes numerous direct references to Amenichi Consulting’s entity name and website, providing further evidence of a hasty copy-and-paste job.

WaveMax Innov copied and pasted significant portions of the source code from the website of RoofExpertsNJ. WaveMax Innov only has four functional webpages, compared with the 23 webpages on RoofExpertsNJ. However, 51 to 75 percent of the source code from WaveMax Innov’s four functional webpages appears in the associated webpages from RoofExpertsNJ’s website. Despite WaveMax Innov describing itself as a consulting company, WaveMax Innov’s source code contains numerous internal references to roofing that are not visible in the version of the webpage that appears in the browser. The homepage, however, does include one reference to “Damage Roofing Repair” in the “About Us” section.
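An added example (not FDD's script, which this page does not reproduce) of one way to compute a directional source-code overlap and to count references that survive in the markup but not in the text a visitor sees. It assumes tokenization into tags and text runs and in-order matching with Python's difflib; both pages and all function names are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser

# Constructed pages: ORIGINAL stands in for a legitimate site, SUSPECT for a
# partial clone that changed the visible wording but kept the markup.
ORIGINAL = """<html><head><title>Northside Roofing</title>
<meta name="description" content="Northside Roofing repairs">
<link rel="stylesheet" href="/css/site.css"></head>
<body>
<div class="hero"><h1>Roof repair you can trust</h1></div>
<div class="services"><ul><li>Inspection</li><li>Repair</li></ul></div>
<div class="reviews"><p>Great service</p></div>
<!-- footer: Northside Roofing -->
<div class="footer"><p>Call us today</p></div>
</body></html>"""

SUSPECT = """<html><head><title>Harbor Policy Group</title>
<meta name="description" content="Northside Roofing repairs">
<link rel="stylesheet" href="/css/site.css"></head>
<body>
<div class="hero"><h1>Policy research you can trust</h1></div>
<div class="services"><ul><li>Analysis</li><li>Briefings</li></ul></div>
<!-- footer: Northside Roofing -->
<div class="footer"><p>Contact us today</p></div>
</body></html>"""


def tokens(html):
    """Split markup into tags, comments and text runs; normalize case and spacing."""
    parts = re.findall(r"<[^>]+>|[^<]+", html)
    return [" ".join(p.split()).lower() for p in parts if p.strip()]


def containment(suspect_html, original_html):
    """Fraction of the suspect page's tokens that also occur, in the same
    order, in the original page. Directional: swapping the arguments changes
    the denominator and therefore the result."""
    a, b = tokens(suspect_html), tokens(original_html)
    if not a:
        return 0.0
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    matched = sum(block.size for block in matcher.get_matching_blocks())
    return matched / len(a)


class _VisibleText(HTMLParser):
    """Collect text outside <head>, <title>, <script> and <style>; comments
    and attribute values are never collected."""
    HIDDEN = {"head", "title", "script", "style"}

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in self.HIDDEN:
            self.depth += 1

    def handle_endtag(self, tag):
        if tag in self.HIDDEN and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if not self.depth:
            self.chunks.append(data)


def leftover_references(html, term):
    """Count mentions of `term` in the raw source and in the visible text.
    A term present only in the source points to copied markup."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    visible = " ".join(parser.chunks).lower()
    return {"source": html.lower().count(term.lower()),
            "visible": visible.count(term.lower())}


if __name__ == "__main__":
    print(f"suspect in original: {containment(SUSPECT, ORIGINAL):.0%}")
    print(f"original in suspect: {containment(ORIGINAL, SUSPECT):.0%}")
    print(leftover_references(SUSPECT, "roofing"))
```

Shared frameworks and templates raise the score between unrelated sites, so a high value is a lead to confirm by hand, for instance through the leftover entity names and tracking identifiers described above.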

Appendix F: RiverMerge Strategies LinkedIn Job Postings

FDD was unable to successfully archive the LinkedIn job advertisements for RiverMerge Strategies using the Internet Archive, but below are the screenshots of the advertisements, accessed on February 13, 2025. This section also provides the screenshot of a Google search result showing an additional LinkedIn job listing for RiverMerge Strategies that FDD accessed on April 23, 2025.

 

Figures 12-15: Job listing for RiverMerge Strategies Seeking Geopolitical Consulting Advisor

Figures 16-17: Job listing for RiverMerge Strategies seeking human resources specialist

Figure 18: LinkedIn post showing RiverMerge Strategies previously sought an investigative reporter

 

Figure 19: LinkedIn post showing RiverMerge Strategies previously sought an investigative research analyst for human rights

Appendix G: RiverMerge Strategies Company Logo and ‘Client’ Logos

RiverMerge Strategies’ website lists logos as examples of alleged “clients” that appear to be concept logos pulled from the work of online graphic designers and not the trademark of real companies.68 Additionally, RiverMerge Strategies’ own logo appears to be a generic graphic used by dozens of companies online.69

 

Figure 20: Clients listed on rivermergestrategies[.]com

Figure 21: Logo for ‘Aurora’ on Pinterest

Figure 22: Logo for ‘Oriale’ on Pinterest

 

Figure 23: Logo for ‘Synergy’ on Dribbble

 

Figures 24-26: RiverMerge Strategies logo compared to the logos of LegUp Ventures and Jongerius & Partner

Appendix H: ZeroGPT Analysis of RiverMerge Strategies Insights

FDD used ZeroGPT, an AI-generated text detection tool, to demonstrate that several of the geopolitical “insights” posted on rivermergestrategies[.]com are highly likely to be AI-generated.70 One example is provided below.

Figure 27: ZeroGPT analysis of RiverMerge Strategies insight titled ‘Recent Developments in Arms Sales’

Appendix I: AsiaVerify Search Results for Tsubasa Insight and WaveMax Innov

Searches on AsiaVerify for Tsubasa Insight and WaveMax Innov yield no results, suggesting that companies with these names are not registered in either Japan, where Tsubasa Insight’s website claims it is located, or Singapore, where WaveMax Innov’s website says it is located.

 

Figure 28: No record found for ‘Tsubasa Insight’ in Singapore on AsiaVerify

Figure 29: No record found for ‘Wavemax Innov’ in Singapore on AsiaVerify

Appendix J: Google Search Results for Tsubasa Insight Showing Historical Job Listings

Below are the Google search results showing that job advertisements for a “policy analyst” at Tsubasa Insight appeared on the websites ZipRecruiter and beBee.

Figure 30: Google search result preview showing job listing for Policy Analyst at Tsubasa Insight on ZipRecruiter

Figure 31: Google search result preview showing job listing for Policy Analyst at Tsubasa Insight on ZipRecruiter

Appendix K: Network of Related Domains

FDD discovered a network of additional domains related to the network outlined in this paper. The initial investigative lead was an orphaned plaintext webpage on dustrategy[.]com.71 The top of this webpage references the domain jobjunctionelite[.]com. Two dedicated hosting environments have historically served jobjunctionelite[.]com, one at 43.133.192[.]130 and the other at 43.134.187[.]105.

43.133.192[.]130 has historically hosted 28 domains, including two subdomains of smiao.com[.]cn, which is the domain associated with Smiao Intelligence. These subdomains are dati.smiao.com[.]cn and zt.smiao.com[.]cn. This suggests that the other domains historically served by 43.133.192[.]130 were likely created by Smiao Intelligence. 43.134.187[.]105 hosts nine domains, seven of which also appear on 43.133.192[.]130. The other two domains render to the default welcome page for Windows IIS servers,72 which is likely the result of a misconfiguration.73
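The pivot described above, from one domain to the servers that host it and on to the other domains on those servers, can be expressed as a walk over domain-to-IP records. This is an added example, not FDD's method or tooling: the function names, the `max_per_ip` threshold, and the rows marked as constructed are assumptions, while the first five records restate hosting relationships given in this memo.

```python
from collections import defaultdict, deque

def refang(indicator):
    """Undo report-style defanging: 'smiao.com[.]cn' -> 'smiao.com.cn'."""
    return indicator.replace("[.]", ".").strip().lower()

def cohosted_cluster(records, seed, max_per_ip=50):
    """Follow domain <-> IP links outward from `seed`.

    IPs serving more than `max_per_ip` domains are skipped: shared hosting and
    CDN addresses link unrelated sites, so only dedicated servers are evidence.
    """
    by_ip, by_domain = defaultdict(set), defaultdict(set)
    for domain, ip in records:
        by_ip[refang(ip)].add(refang(domain))
        by_domain[refang(domain)].add(refang(ip))
    start = refang(seed)
    domains, ips, queue = {start}, set(), deque([start])
    while queue:
        for ip in by_domain.get(queue.popleft(), ()):
            if ip in ips or len(by_ip[ip]) > max_per_ip:
                continue
            ips.add(ip)
            new = by_ip[ip] - domains
            domains |= new
            queue.extend(new)
    return domains, ips

def under(domains, parent):
    """Cluster members that are the parent domain or one of its subdomains."""
    parent = refang(parent)
    return sorted(d for d in domains if d == parent or d.endswith("." + parent))

# Hosting relationships stated in the memo (kept defanged here).
RECORDS = [
    ("jobjunctionelite[.]com", "43.133.192[.]130"),
    ("jobjunctionelite[.]com", "43.134.187[.]105"),
    ("dati.smiao.com[.]cn", "43.133.192[.]130"),
    ("zt.smiao.com[.]cn", "43.133.192[.]130"),
    ("mail.yiqijia[.]vip", "43.133.192[.]130"),
]
# Constructed rows: a placeholder domain that also sits on a busy shared-hosting IP.
RECORDS += [("placeholder-a.example", "43.134.187[.]105"), ("placeholder-a.example", "192.0.2.10")]
RECORDS += [(f"site{n}.example", "192.0.2.10") for n in range(60)]
```

Calling `cohosted_cluster(RECORDS, "jobjunctionelite[.]com")` returns both dedicated servers and the domains they share, and `under(domains, "smiao.com[.]cn")` then picks out the subdomains that tie the cluster to a known operator. Raising `max_per_ip` far enough pulls in every unrelated site on the shared-hosting address, which is why the memo's emphasis on dedicated hosting matters.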

Within this network of 30 unique domains across the two servers, 19 describe themselves as consulting or headhunting firms based in Singapore, Hong Kong, or Beijing. These 19 websites include four websites that are still online as of March 7, namely, viewsphere[.]net, eliteintellectsnetwork[.]com, bonanzainfinity[.]com, and icconsulting[.]net.74 The remaining 15 consulting and headhunting firm websites all appear to be nearly identical copies of viewsphere[.]net, eliteintellectsnetwork[.]com, or bonanzainfinity[.]com. These 15 websites are no longer online, but FDD found several of them on the Internet Archive and accessed the homepage text of the others using the Yandex cache. (See Appendix J.)

All four primary consulting and headhunting websites seek to recruit consultants. Three of these websites do not appear to seek consultants with a specific professional focus.75 One of these websites, however, icconsulting[.]net, specifically seeks to recruit former government officials.76 The website explicitly states that it is located in Beijing — unlike RiverMerge Strategies, Dustrategy, Wavemax Innov, and Tsubasa Insight, which attempt to obfuscate their connection with China. Icconsulting[.]net also seeks a “Part-time HR Assistant” who is “familiar with the operating process of main recruitment websites of the United States and European countries” to “post recruitment information on major recruitment websites or media outlets in the United States.”77

Other websites in this network do not describe themselves as consulting or headhunting firms. For example, one website, youme[.]ink, is a cloned version of the website of a British video game company, Trailmix Games, and another website, yeegoo[.]global, advertises an “employment management platform” specifically geared toward hiring overseas employees.78 Another website in the network, grandview-strategies[.]com, is no longer online, and FDD could not access an archived version or a saved copy in the Yandex cache.

Notably, one of the domains that appears on 43.133.192[.]130, mail.yiqijia[.]vip, is a subdomain of the website yiqijia[.]vip,79 which advertises business services ranging from patent registration and bookkeeping to information security. Yiqijia[.]vip lists the same phone number as rivermergestrategies[.]com (i.e., 400-885-8983).80 This is also the same phone number as the one listed on siss.org[.]cn, the website that appears in the corporate registration from AsiaVerify for Beijing Simiao Intelligent Information Technology Co., Ltd. (北京思妙智能信息科技有限公司), which is the parent company listed on Smiao Intelligence’s website.81

Another connection between the primary network discussed in this report and the additional network detailed in this section involves the historical use of the same favicon, a small image associated with a website that typically appears in a website’s browser tab, as well as search engine results and bookmarks associated with the website.82 Rivermergestrategies[.]com and dustrategy[.]com, two domains from the primary network discussed in this report, had two identical favicons. One of these favicons was historically shared across nine websites in the additional network discussed in this section, as per Silent Push.83

Figures 32-33: Favicon impersonation results for rivermergestrategies[.]com from Silent Push.

Appendix L: Archives of Domains in Related Network

The table below includes archived copies of websites related to Smiao Intelligence by common hosting infrastructure, shared favicons, and other features. (See Appendix K.) FDD was unable to archive all the websites before they went offline. For websites that are offline, however, FDD was generally able to access a saved copy of the text of the website’s homepage using Yandex’s cache.


 
