September 11, 2025 | Memo

FDD Uncovers Likely Chinese Intelligence Operation That Began More Than 3 Years Ago

A firm calling itself Foresight and Strategy Consulting Ltd. posted an ad on May 15 looking for a remote analyst with “a minimum of 3 years of professional experience in policy research, preferably within international organizations [or] government agencies.”1 The firm and the job are bogus. They are likely part of a Chinese intelligence operation looking to recruit new assets.

The Foundation for Defense of Democracies (FDD) uncovered the operation while investigating a similar group of fake consulting firms we dubbed the Smiao Network.2 While the websites in the Smiao Network were registered in 2024, the sites in this newly detected network — which we call the Foresight Network — date back to 2021, indicating the operation has persisted for more than three years. There are multiple known cases of Chinese intelligence conducting virtual espionage campaigns.3 Often, these involve nonexistent companies that post job listings both on their own websites as well as on external recruiting sites and online platforms such as Craigslist.

The Foresight Network may have capitalized on the global shift to remote work during the COVID-19 pandemic. When the recent wave of federal layoffs and forced retirements created a fresh pool of targets, the years-old operation quickly posted new listings on Craigslist.4 While there is no way for FDD to discern from the posts themselves if the operation has been successful, the fact that it remains active indicates there has likely been some return on the investment made in running it.

Publicly available records of online activity demonstrate that the three main websites in the network share key infrastructure, including a dedicated email server. All three were registered in China in a 90-day period beginning in December 2021. The sites were built with the same design tools and use nearly identical language. One of the three main sites claims to represent a Taiwanese firm. The inauthentic nature of these websites is not difficult to spot. One of the firms has a supposed CEO named “John Doe.” There are no entries for these firms in major Asian corporate directories. And the language on these sites is stilted and full of grammatical mistakes.

The persistence of Chinese virtual espionage shows that the U.S. government needs to strengthen its counter-intelligence efforts and work more closely with social media platforms to identify hostile intelligence operations.

Shared Internet Infrastructure Reveals the Network

The operation spans a central network of three fake companies that share common infrastructure, behaviors, and web domain registration patterns. This trio of companies includes Foresight and Strategy, International Affairs Review (affairsreview[.]com), and the Institute of International Studies (iointernationalstudies[.]com). Two additional companies have websites that are no longer online — namely, Asia Pacific Political Review (appr[.]info) and Global Strategic Outlook (Globalstrategicoutlook[.]com) — but vestiges of their online presence suggest they are connected to the network.

DNS records — which essentially function as the internet’s phonebook by translating domain names into IP addresses so browsers can find websites — suggest that this operation has been active for at least three years. The records show that the websites of the three main companies in the network have multiple email-related subdomains that share the same dedicated server at IP address 146[.]19.213.219. According to threat intelligence platform Validin, this server exclusively hosts subdomains tied to these three companies’ websites. (See Figure 1.)

Subdomains essentially divide websites into specialized sections.5 For example, Google hosts its image search on images.google[.]com, whereas its root domain is google[.]com. One of the fake Chinese firms, International Affairs Review, has the subdomain mail.affairsreview[.]com under the root domain affairsreview[.]com.

The fact that the email subdomains for foresightandstrategy[.]com, affairsreview[.]com, and iointernationalstudies[.]com all share a dedicated email server strongly suggests that a single entity controls and manages them. A single person or a closely connected group typically operates dedicated servers.

Evidence of Websites’ Registration in China

Additionally, WHOIS records — which show who owns a domain and when it was registered — indicate that all three websites list China as the registrant’s country6 and that all three sites launched within a three-month timeframe. Affairsreview[.]com was first, on December 9, 2021; iointernationalstudies[.]com was second, on December 23, 2021; and foresightandstrategy[.]com was third, on February 8, 2022.

Figure 1: Screenshot from Validin showing subdomains associated with the email infrastructure of foresightandstrategy[.]com, affairsreview[.]com, and iointernationalstudies[.]com. These are specialized sections of each website dedicated to sending and receiving emails on behalf of the website. Note that all domains are hosted on the same dedicated server at 146[.]19.213.219, as seen at top left.
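The two signals described above, a mail server that hosts only a handful of root domains and registrations that fall inside a short window, can be checked mechanically. The following Python sketch is an added example, not FDD's or Validin's tooling; the passive-DNS rows are constructed (only mail.affairsreview.com, the three root domains, the IP address and the registration dates come from the memo), and the function names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS rows (hostname, IP). Hostnames other than
# mail.affairsreview.com are constructed for illustration, as is the
# 203.0.113.10 shared-hosting server and its site*.example tenants.
PDNS = [
    ("mail.affairsreview.com", "146.19.213.219"),
    ("smtp.affairsreview.com", "146.19.213.219"),
    ("mail.iointernationalstudies.com", "146.19.213.219"),
    ("mail.foresightandstrategy.com", "146.19.213.219"),
] + [(f"www.site{i}.example", "203.0.113.10") for i in range(8)]

# Registration dates as stated in the memo's WHOIS discussion.
WHOIS_CREATED = {
    "affairsreview.com": date(2021, 12, 9),
    "iointernationalstudies.com": date(2021, 12, 23),
    "foresightandstrategy.com": date(2022, 2, 8),
}

def root_domain(hostname):
    # Assumption: the last two labels form the root domain. A production
    # pipeline would consult the Public Suffix List instead.
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def dedicated_clusters(pdns, max_roots=5):
    """Return {ip: roots} for IPs serving between 2 and max_roots root domains."""
    roots_by_ip = defaultdict(set)
    for host, ip in pdns:
        roots_by_ip[ip].add(root_domain(host))
    return {ip: r for ip, r in roots_by_ip.items() if 2 <= len(r) <= max_roots}

def registration_span(roots, created):
    """Days between first and last registration; None if any date is unknown."""
    dates = [created.get(r) for r in roots]
    if not dates or None in dates:
        return None
    return (max(dates) - min(dates)).days

def linked_clusters(pdns, created, max_roots=5, window_days=90):
    """Clusters that share a near-dedicated IP and a tight registration window."""
    hits = []
    for ip, roots in dedicated_clusters(pdns, max_roots).items():
        span = registration_span(roots, created)
        if span is not None and span <= window_days:
            hits.append((ip, sorted(roots), span))
    return hits

if __name__ == "__main__":
    for ip, roots, span in linked_clusters(PDNS, WHOIS_CREATED):
        print(f"{ip}: {', '.join(roots)} registered within {span} days")
```

The shared-hosting server is excluded because it serves more root domains than `max_roots`, which is the distinction the memo draws between a dedicated server and ordinary co-tenancy.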

Appr[.]info — one of the two websites no longer active — reveals an additional technical feature demonstrating it was created in China. Although appr[.]info is now offline and appears to have no public archives, email records known as MX records show that a Chinese email provider, Yunyou, handled the site’s email traffic starting May 4, 2022.7 MX records tell email servers where to deliver messages for a website. FDD retrieved these MX records using the cyber threat intelligence platform Silent Push. Additionally, WHOIS records for appr[.]info list the registrant’s country as China starting in August 2023.8

Figure 2: Screenshot from Silent Push displaying MX records associated with appr[.]info. These records show that appr[.]info used the Chinese email provider Yunyou[.]top.

The three websites still online share additional traits: They were built with WordPress and use the Divi theme.9 The Institute of International Studies and Foresight and Strategy share identical “Recruit” sections, using the same text for job descriptions and qualifications.10 Additionally, all three sites display QR codes on their webpages that serve no functional purpose other than redirecting back to their homepage, a distinctive fingerprint that suggests a common web developer.

The three main sites in the network also share attributes with the two sites now offline. Nearly identical wording appears in job listings on the Foresight and Strategy website, which is still online, and in a May 2022 job listing from Asia Pacific Political Review.11 Additionally, both appr[.]info and Foresight and Strategy claim to be based in Taiwan and have nearly identical company descriptions, strengthening their apparent connection.12

Gobalstrategicoutlook[.]com, registered through a Chinese registrar on November 16, 2021, claimed to be based in Hong Kong.13 The website is now offline, with no apparent public archives, but associated job postings from Gobalstrategicoutlook[.]com from January 2022 share identical text with the Institute of International Studies and Foresight and Strategy’s recruitment efforts — including references to COVID-19 remote work conditions.14

Signs of Inauthenticity Across the Network

It is easy to tell the sites in the network are not what they claim to be. Iointernationalstudies[.]com, for example, uses headshots stolen from elsewhere online in the profiles of its three partners.15 The file names for these images begin with “law-firm” even though the company claims to be a geopolitical consultancy.16 Reverse image searches trace the photos back to multiple WordPress templates sold by a third-party vendor, suggesting they were lifted directly from template demos.17 The Institute of International Studies has a partner named “James Doe,” while Foresight and Strategy similarly lists its CEO as “John Doe.” Foresight and Strategy also contains numerous grammatical mistakes and stilted phrasing, indicating it was likely created by a non-native English speaker.

The claimed locations of several companies do not align with their actual domain registration data. Both appr[.]info and foresightandstrategy[.]com claim to be based in Taiwan, yet WHOIS records show both were registered in mainland China, as mentioned above. It would be unusual — though not unthinkable — for a legitimate Taiwanese company to register its domain through a Chinese registrar.

The companies claiming to operate in Taiwan or Hong Kong do not appear in corporate registries such as AsiaVerify or FindBiz. Searches conducted in English and both Simplified and Traditional Chinese return no results for Foresight and Strategy, Asia Pacific Political Review, or Global Strategic Outlook. (See Figure 3.) This strongly suggests that these entities never legally existed. While International Affairs Review and the Institute of International Studies appear in the OpenCorporates database, several indicators suggest that the records likely correspond to different entities with similar names and unrelated business activities.

Figure 3: Screenshot of search results for Foresight and Strategy on AsiaVerify.

All of the websites that are still online also contain plagiarized content. Iointernationalstudies[.]com copies its “About Us” section from the International Institute for Strategic Studies and lifts its services page and at least one image file from Dragonfly Intelligence.18 Foresightandstrategy[.]com similarly copies text from the legitimate company Foresight Consulting.19 Globalstrategicoutlook[.]com’s job listing and company description sections also contain plagiarized text from legitimate firms such as Newbridge Consulting LLC and MAM Corporate Solutions.20

Similar Recruiting Behaviors Exhibited by All Domains

All domains in the network share similar recruiting behaviors. Foresightandstrategy[.]com and iointernationalstudies[.]com, for example, share identical recruitment sections for policy analyst roles, emphasizing remote work. Foresightandstrategy[.]com, appr[.]info, and globalstrategicoutlook[.]com all post job listings on third-party platforms such as Craigslist, JobsThatAreLeft, Devex, and Wellfound.21 A recent job posting also suggests that one company — Foresight and Strategy — was actively recruiting as recently as June 2025.22

Figure 4: Screenshot of a February 2025 Craigslist job posting by Foresight and Strategy.

At least one firm appears to have used Guru, which is a platform for hiring freelance workers. A job listing for appr[.]info used the contact address hannah.s@appr[.]info, which is also tied to a Guru freelance profile, according to search results from OSINT Industries, an open-source intelligence platform.23 Other Chinese virtual espionage operations have also used freelancing platforms. For example, an operative working on behalf of Chinese intelligence used a freelancing platform to recruit a U.S. Army intelligence analyst, according to the Department of Justice.24 The use of a freelancing platform is one more shared behavior connecting the network described in this memo and previous Chinese virtual espionage campaigns.

Figure 5: Screenshot of OSINT Industries search results showing a Guru account associated with hannah.s@appr[.]info.

Similar Website With Unclear Connection to the Network

Another apparently fake firm, globalaffairsreview[.]com, shares many qualities with affairsreview[.]com, including nearly identical copy and menu items, but its connection to the Foresight Network is unclear.25 Both globalaffairsreview[.]com and affairsreview[.]com also share an identical image at the top of their homepages, with another image lower down that is nearly identical. Each lists the same seemingly fabricated executives in their “About Us” sections.26 Like other sites in the network, they share the quirky design feature of having a QR code at the bottom of the site that links back to each site’s respective homepage.

Globalaffairsreview[.]com’s source code reveals an author based in Beijing. FDD identified a web developer with that name associated with the Chinese company Beijing Dacheng Hengtong Network Technology Co., Ltd.27 Additionally, historical WHOIS records show that a man associated with a company named Beijing Dacheng Network registered a separate domain in 2016 with the same email listed in Globalaffairsreview[.]com’s source code.28

Figure 6: Screenshot of the source code for globalaffairsreview[.]com showing the author name and associated email, which FDD has redacted.

Figure 7: Historical WHOIS records showing a man with the same name seen in the source code of globalaffairsreview[.]com registered a domain with the company Beijing Dacheng Network and with the same email seen in the source code of globalaffairsreview[.]com.

Despite the similarities between the websites, it is important to note that Globalaffairsreview[.]com has a completely different technology stack from affairsreview[.]com. Affairsreview[.]com uses WordPress, while globalaffairsreview[.]com appears to be a custom-built site. This suggests that affairsreview[.]com is a manual reconstruction of globalaffairsreview[.]com, especially considering that Divi is a visual, no-code web building tool for WordPress. They also do not appear to share web hosting servers or other infrastructure.

While there is precedent for fake firms from China plagiarizing unrelated legitimate websites, the idea that an operative would plagiarize another apparently fake firm launched only three months earlier seems less plausible.29 This timeline, along with shared imagery and content, suggests the two sites may be part of a coordinated effort.

The U.S. Should Build Public-Private Partnerships To Counter Chinese Virtual Espionage

The deceptive presentation and Chinese infrastructure of the Foresight Network — along with behaviors that align with historical Chinese virtual espionage campaigns — all support FDD’s assessment that the network likely seeks to gather information on behalf of Beijing. FDD cannot assess, however, whether this operation successfully made contact with any former U.S. government employees, let alone whether it hired them or elicited sensitive information of use to Beijing.

The U.S. government should map the online platforms that adversaries continue to exploit for recruitment efforts, such as Craigslist, LinkedIn, Guru, Devex, and similar sites. Intelligence operations aim to maximize reach by posting across many platforms.30 The government should work with these platforms to identify suspicious behavior, block job listings associated with foreign intelligence operations, and build a shared understanding of common tactics, techniques, and procedures used in virtual espionage operations. If the law permits, the government might also consider scraping public data from these online platforms to automatically detect posts that exhibit suspicious behaviors, such as those outlined in this paper.

Today, many intelligence operations rely on digital platforms to recruit human sources. Chinese actors, in particular, have been targeting military personnel and high-value targets through social media since 2015.31 This trend shows why U.S. agencies should fuse cyberthreat investigations with counterintelligence efforts. Investigating technical systems that support websites — such as web-hosting servers, email servers, and domain registration records — can help the U.S. government identify virtual espionage campaigns.

Federal agencies should also establish intelligence-sharing exchanges with AI platforms to detect and counter the next generation of intelligence operations. While there is no indication that this particular operation used AI, a June report by OpenAI confirms that state-aligned actors are beginning to use generative AI tools to automate persona creation and increase the credibility of fake consulting firms and recruitment efforts.32 Proactive information sharing between the government and private AI companies will be crucial for detecting malicious behavior.

Chinese intelligence operations continue to exploit fake firms and professional platforms to conduct virtual espionage, posing a direct threat to U.S. national security. As AI increases the speed, scale, and quality of these operations, the U.S. government must take proactive measures to detect and disrupt virtual espionage operations during their early stages — not years after they have been launched.
