Meet Paperwall, as Citizen Lab calls the sprawling Chinese influence operation it uncovered in its latest report. It can export narratives in a capillary and targeted manner by disseminating them through fake websites posing as local news outlets. There are at least 123 Paperwall websites in several languages, tied to locations in at least thirty countries across four continents. All differ (slightly) in contents and graphics, but all operate the same way – and, at times, engage in coordinated campaigns to push Chinese disinformation and discredit dissidents abroad.
It all started in Italy. Il Foglio first uncovered six Italian-language Paperwall websites in October 2023, tracing their origin to the Shenzhen building of Chinese tech titan Tencent (which the CIA has linked to China’s Ministry of State Security). A month later, the South Korean National Cyber Security Center identified eighteen Korean equivalents. That piqued the interest of Alberto Fittarelli, a senior researcher at Citizen Lab.
- Starting from the Italian websites’ IP addresses, the expert managed to uncover a wider network of 123 domains operating in parallel and employing the same modus operandi.
Hiding the trickle in the deluge… All Paperwall websites pose as local newspapers, with locally-inspired names like “Rome Journal,” “Eiffel Post,” “BritishFT,” “Cordova Press,” and “Incheon Focus”. They publish daily content in the target language, usually scraping it from legitimate news outlets (without attribution), as well as articles from Chinese State media such as CGTN and the Global Times (with attribution) and commercial press releases (much of it is related to crypto).
- Along with the Beijing-aligned content, Paperwall websites occasionally repost direct attacks on dissidents of the Chinese regime, as well as pure disinformation content and conspiracy theories, usually with an anti-United States slant.
… and adding the sting in the tail. “Unaware users see real news, copy-pasted from authentic sites, without a reported source. The seeds of disinformation are sown in between. Crucially, these remain in English on all Paperwall sites, regardless of the country,” explained Mr Fittarelli to Decode39. Examples include a conspiracy theory about the US government conducting human experiments on the Thai-Myanmar border, as well as ad hominem attacks of foreign-based critics of the Beijing regime.
- That happened with Chinese-born virologist Li Meng Yan, known for accusing the Chinese government of hiding the artificial origins of Covid-19. The international scientific community has disproved her theories, but this did not stop Paperwall sites from conducting a fake public pressure campaign to discredit her and prevent her from being awarded a position at the University of Pennsylvania.
- Other supposedly independent sites pick up these kinds of attacks, and the risk, as Mr Fittarelli explains, is that they end up in genuine newspapers. “The moment this happens, the case becomes relevant, and the goal is achieved.”
International – and growing. Citizen Lab identified Paperwall websites in most European Union countries, but the campaign is truly global. There are several fake outlets in Turkey (“Cappadocia Post,” “Anadolu Ha”), Brazil (“Financeiro Post,” “Brazil Industry”), South Korea (“Seoul PR,” “Daegu Journal”), Japan (“Nikko News,” “Fujiyama Times”) and even in Russia (“Find Moscow,” “Rostov Life”) as well as others in Mexico, Argentina, the United States and Ecuador.
Tracing the source. The Korean cybersecurity authority traced all the sites to a Chinese public relations company called Haimai (short for Shenzhen Haimaiyunxiang Media Co. Ltd., or 深圳市海卖云享传媒有限公司). This Shenzhen-based public relations company, established in 2019, advertises the sale of “promotional positioning services in different countries and languages.” The Citizen Lab team found several links between Haimai’s digital infrastructure and Paperwall sites, including the same advertising ID.
There’s precedent… Mr Fittarelli’s team also found connections to past influence operations. For instance, backlinks on 98 of the 123 Paperwall domains link directly to the Times Newswire site – ostensibly a Chinese news outlet, flagged in 2023 by Mandiant (a Google-owned cybersecurity company). Times Newswire was responsible for spreading content through a network of subdomains of legitimate US news websites, fuelling a campaign – dubbed HaiEnergy – which targeted, among others, former House Speaker Nancy Pelosi.
- Mandiant attributed the campaign to Haixun, another China-based public relations agency, but noted that it lacks the technical evidence to link it to Times Newswire conclusively.
- Similarly, Citizen Lab cannot confirm that the same actors behind Times Newswire operate Paperwall. However, digital traces link the two entities, and one leads back to the same Tencent Building from which the Paperwall sites originated.
- Some pieces of content are also similar: Times Newswire published, and then deleted, a series of ad hominem attacks against Li Hongzhi, founder and leader of the Falun Gong religious movement, banned by Chinese authorities in 1999 and subject to persecution ever since.
… and there are parables. Operation Paperwall does not signal a leap forward in the form and substance of Chinese propaganda, the researcher explained. However, it’s still cause for concern. One only needs to recall Secondary Infektion, a six-year-long Russian information operation exposed by Graphika and Meta in 2019. It was based on an immense network of low-profile social media accounts, which spread low-intensity propaganda (including electoral interference and attacks against Kremlin dissidents) in seven languages and 300 different platforms, with no particular success – until it amplified the dissemination of documents exfiltrated from the British government.
What makes Paperwall unique. The operation’s impact appears to be limited, and traffic towards those websites is “not huge,” noted Mr Fittarelli. Also, Citizen Lab was unable to identify instances of successful Paperwall ad hominem campaigns. “However, the operation keeps growing, adding new sites constantly, and each wave typically targets a different country. We had to stop at the end of December 2023 to write the report, but I can’t rule out that other websites have appeared in the meantime,” said the researcher.
- The novelty of Paperwall’s approach is registering several websites at a time and then maintaining them over time so that the fake websites can become increasingly authentic in the eyes of unsuspecting users.
- “This is not an escalation but a change in tactics: HaiEnergy was using an existing digital infrastructure, Paperwall is creating a new one,” as Mr Fittarelli points out.
The murky line between private and public. The Chinese government relying on private entities for its influence operations abroad (especially to identify and harass dissidents) is nothing new, as the US Global Engagement Center has demonstrated. Assuming that firms like Haimai really are private PR agencies, the researcher supposes they may provide specific know-how and techniques to disseminate content abroad in addition to plausible deniability.
- Haimai itself advertises access to the Paperwall network as a service; not explicitly, but by making vague references to the placement of content on “major media outlets” in target countries.
Disinformation-as-a-service? Similar to the world of ransomware attacks, there is a “mixture of intentions and purposes” between the political and the financial aspects of such an operation. This makes it hard to properly define such entities and react as appropriate, the expert points out. But the danger is undeniable, as highlighted in an earlier Citizen Lab report on a never-ending doxxing campaign that has been discrediting pro-democracy protesters in Hong Kong since 2019.
- That paper also explores possible solutions for decision-makers. “We must have this conversation. These firms’ plausible deniability mustn’t impair the study of countermeasures,” he told us.
- That’s one for politicians: since we cannot establish that the Chinese government is definitely behind Paperwall, should we just assume that such a format allows the sponsors of disinformation to walk away?
Image generated with DALL-E