Fired US govt workers, Uncle Xi wants you! – to apply for this fake consulting gig

(2025/05/17)


Chinese government snoops - hiding behind the guise of fake consulting companies - are actively trying to recruit the thousands upon thousands of US federal employees who have been fired since President Trump took office.

Cyber and information warfare experts at the Foundation for Defense of Democracies (FDD) uncovered five companies they say are part of a larger Chinese intelligence operation that posted ads on LinkedIn, Craigslist, and other smaller job boards and websites targeting former government employees on the hunt for new gigs.

One Craigslist ad pitched: "Job Opportunities for Recently Laid-Off US Government Employees."

It says: "We understand that career transitions can be challenging, and we are here to help make the process as smooth as possible. If you have recently been impacted by a government downsizing, we encourage you to reach out and see how your experience can contribute to our dynamic organization."

Washington DC-based FDD, which on Friday posted a [4]report about the Chinese campaign, doesn't know if the hiring scam worked. The report's author, senior analyst Max Lesser, declined to comment on any communications he had with former government workers who responded to the job listings.

He did note that the [5]mass layoffs since February have increased the risk that former federal employees could leak sensitive information, intentionally or not, leaving the US more exposed to foreign intelligence threats.

"Federal workers impacted by recent mass layoffs understandably are placed in extremely difficult situations, especially considering that federal positions historically have granted workers strong job security," Lesser told The Register.

"Even if a former federal employee does not intend to give sensitive information to the Chinese government, they may be deceived by the front companies - which variously pose as geopolitical risk consulting firms in the US, Singapore, and Japan — into thinking that they are simply working a consulting gig, rather than engaging with a hostile foreign actor."

The five companies purport to be either an internet services firm or consulting and headhunting outfits based in the US, Singapore, and Japan. They are said to be:

Smiao Intelligence — smiao[.]com[.]cn

Dustrategy — dustrategy[.]com

RiverMerge Strategies — rivermergestrategies[.]com

Tsubasa Insight — tsubasainsight[.]com

Wavemax Innov — wavemaxinnov[.]com

Smiao Intelligence appears to be a legit company based in China. However, Lesser notes in the report that "one or more individuals associated with Smiao created the other four companies in the network, which are not authentic businesses."

FDD began its investigation upon spotting RiverMerge Strategies on LinkedIn while searching for geopolitical risk consultant positions.

As of press time, both RiverMerge Strategies' LinkedIn page and website were offline. According to FDD, the firm had claimed to specialize in geopolitical risk consulting and listed offices in Colorado and Singapore. The biz's website, however, listed a phone number beginning with "400," a Chinese prefix, and the same number appeared on another website affiliated with Smiao.

"All of these factors suggest that RiverMerge Strategies' website was created and controlled by a Chinese entity — more specifically, Smiao," the report says.

How to spot a fake

Dustrategy's LinkedIn page has been removed, and the purported headhunting firm's very bare-bones website doesn't include a headquarters location. The only contact information is a 1-800 phone number. According to FDD, as of April 27, the source code for dustrategy[.]com included developer comments with simplified Chinese characters.

"The strongest indicator that Dustrategy is not an authentic business is that Dustrategy[.]com partially clones Kforce[.]com, which appears to be the website for a legitimate staffing company," according to the report.

Tsubasa Insight, which claims to be a policy consulting firm "helping you design success in both US and Japan!" also appears to clone a website belonging to a legit Japanese life sciences consulting firm. Meanwhile, its web hosting and email infrastructure show that it was likely created in China, FDD says.

And Wavemax Innov, which claims to be a Singapore-based nonprofit and "research organization that develops solutions to public policy challenges," also clones a real company's website — in this case, a New Jersey roofing company, roofexpertsnj[.]com. It also uses the same China-based hosting and niche email provider as the other likely inauthentic firms in the network.

Between December 7, 2024, and March 14, 2025, all five companies' domains were hosted by China's Tencent on the same server at IP address 43[.]134.121.240. Plus, four of the companies use a little-known Chinese email service provider, chengmail[.]com, which FDD says is rarely used - and especially unusual for firms claiming to operate outside of China while recruiting former US federal employees.

"Perhaps to mask their connections to China, rivermergestrategies[.]com and tsubasainsight[.]com switched their email provider to privateemail[.]com in June and September 2024, respectively," the report says.
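The pivot FDD describes, a shared hosting address plus a shared niche mail provider, combined with a mismatch between claimed and actual hosting location, can be checked mechanically when vetting an unfamiliar recruiter or consulting firm. The Python below is an added example, not code from FDD or The Register; the domains, addresses, provider names, the `COMMON_MAIL` allow-list and the `IP_COUNTRY` lookup are constructed placeholders rather than the real indicators.

```python
from collections import defaultdict

# Constructed passive-DNS style records: reserved .example domains, RFC 5737 addresses.
RECORDS = [
    {"domain": "alpha-risk.example", "claims": "US", "a": "203.0.113.10", "mx": "mx1.nichemail.example"},
    {"domain": "beta-insight.example", "claims": "JP", "a": "203.0.113.10", "mx": "mx2.nichemail.example"},
    {"domain": "gamma-policy.example", "claims": "SG", "a": "203.0.113.10", "mx": "mx.bigmail.example"},
    {"domain": "delta-talent.example", "claims": "US", "a": "198.51.100.7", "mx": "mx1.nichemail.example"},
    {"domain": "unrelated-shop.example", "claims": "US", "a": "192.0.2.55", "mx": "mx.bigmail.example"},
]
# Assumption: analyst-maintained set of mail providers too common to be a signal.
COMMON_MAIL = {"bigmail.example"}
# Assumption: constructed lookup standing in for a GeoIP/ASN data source.
IP_COUNTRY = {"203.0.113.10": "CN", "198.51.100.7": "CN", "192.0.2.55": "US"}

def provider(mx_host):
    """Reduce an MX hostname to its last two labels (simplification: no public-suffix list)."""
    return ".".join(mx_host.lower().rstrip(".").split(".")[-2:])

def pivots(rec):
    """Infrastructure attributes worth pivoting on: the A record and any uncommon mail provider."""
    keys = [("ip", rec["a"])]
    p = provider(rec["mx"])
    return keys if p in COMMON_MAIL else keys + [("mx", p)]

def clusters(records):
    """Group domains linked by any shared pivot, directly or transitively (union-find)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for rec in records:
        for key in pivots(rec):
            parent[find(("dom", rec["domain"]))] = find(key)
    groups = defaultdict(set)
    for rec in records:
        groups[find(("dom", rec["domain"]))].add(rec["domain"])
    return sorted((sorted(g) for g in groups.values() if len(g) > 1), key=len, reverse=True)

def location_mismatches(records):
    """Domains whose claimed country differs from the country their address maps to."""
    return sorted(r["domain"] for r in records
                  if IP_COUNTRY.get(r["a"]) not in (None, r["claims"]))

if __name__ == "__main__":
    print(clusters(RECORDS), location_mismatches(RECORDS))
```
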

None of the companies whose websites were still online responded to The Register's inquiries. ®

[4] https://www.fdd.org/analysis/2025/05/16/fdd-uncovers-likely-chinese-intelligence-operation-targeting-recently-laid-off-u-s-government-employees/

[5] https://www.theregister.com/2025/05/13/trump_government_layoffs_frozen/

veti

Chickens come home...

I sincerely hope the CCP learned enough to spearphish the entire current US cabinet, and by now have access to all their social media and email accounts. And Elon, of course.
