OTTAWA – In April 2025, Mehmet Tohti received what appeared to be a routine message on WhatsApp. The sender claimed to be a well-known Uyghur film director and ethnomusicologist — someone Tohti, a leading Uyghur-Canadian rights advocate based in Ottawa, had every reason to trust. The director wanted to send him something official by email. Could Tohti share his address?

Tohti knew better than most what it meant to be a target of Beijing.

For years he had received threatening phone calls from China alleging that his family members were dead. In January 2023, a Chinese police officer confirmed it was true. He had also reported to Canada’s Security Intelligence Service that he believed he was being physically surveilled. He had learned to be vigilant. But the WhatsApp message seemed genuine. He shared his email address.

The email that followed wasn’t from the director at all. It came from an unfamiliar address, and it invited Tohti to preview a forthcoming documentary film. The link appeared to lead to a legitimate independent film distributor — Tohti checked, and the company was real. He clicked.

Instead of a film, he was taken to a webpage asking for his Google login credentials. Suspicious, he closed the page immediately. Then a second email arrived, mimicking a Google security alert warning him of a suspicious login attempt. The alert was written in Traditional Chinese — a language Tohti neither reads nor uses.

He contacted the Citizen Lab, the University of Toronto-based digital security research group that has spent two decades tracking state-sponsored cyber espionage.

What the Citizen Lab found confirmed his fears on a sweeping scale.

Their investigation uncovered more than 100 malicious domains targeting dozens of diaspora leaders worldwide and the journalists who report on Beijing’s increasingly invasive campaigns to silence critics abroad — a methodical campaign of digital harassment, credential theft, and surveillance attributed with high confidence to actors operating in the interests of the Chinese government, consistent with operations run by the Ministry of State Security and affiliated intelligence services under Xi Jinping’s doctrine of “comprehensive national security.”

Reflecting on what researchers uncovered, Tohti told The Bureau the attacks represented something larger than any single intrusion — their consequences extending far beyond the activists and community leaders who have chosen to speak out against Beijing’s projection of its security state into democratic societies. These technical operations, he argued, strike at something more fundamental: the freedom of communication and social trust that give open democracies their essential advantage over authoritarian systems.

“Their ultimate objective is not only to steal personal data and sensitive information, but to undermine the very foundations of individuals and organizations — causing disruption, dysfunction, and, in some cases, physical and property damage,” Tohti said. “Beyond the immediate harm, these attacks are eroding trust in our daily communications. They foster an environment of suspicion, where even routine interactions are questioned. This growing mistrust carries long-term societal consequences that extend far beyond the digital realm.”

A Campaign With Two Names — and One Purpose

The Citizen Lab’s report identifies two overlapping clusters of hacking activity, codenamed GLITTER CARP and SEQUIN CARP. Though distinct in their specific targets and methods, both serve the same strategic purpose: to monitor, intimidate, and ultimately silence overseas critics of Xi’s government.