What looked like cushy side gigs for national security insiders turned out to be something else entirely. Federal prosecutors and the FBI on Wednesday pulled the plug on 13 internet domains they say were run by fake consulting firms that tried to recruit current and former U.S. government and military employees for sensitive information. The sites dangled high‑paying “consulting” roles, then leaned on applicants with security clearances to hand over confidential reports and insider data. The sweep lands as national agencies ramp up warnings about this exact style of online recruitment.
According to the U.S. Department of Justice, the domains were tied to sham consulting companies that posted generic analyst and consultant jobs and paid for research reports while hiding behind aliases and AI‑generated profile photos. “Anyone approached online with offers of easy income for vague ‘consulting’ work should treat those overtures with extreme caution,” the department warned, noting that these listings frequently push candidates to shift conversations onto encrypted apps and to provide “exclusive” information.
A rare joint bulletin from the Five Eyes intelligence partnership signaled just how seriously officials are taking this playbook. The alert warned that Chinese military intelligence has been using LinkedIn, Indeed and freelance platforms to identify and cultivate sources with access to privileged information, according to MI5. The advisory, titled “Safeguarding Our Secrets,” says recruiters post seemingly legitimate roles, screen applicants for access to sensitive knowledge, and then push the discussions onto encrypted messaging apps.
How the scheme worked
Court filings say the conspirators, operating since at least November 2023, created at least 13 fake consulting websites and seeded job postings on platforms including Upwork, Expertia AI, Hubstaff Talent, Wellfound and Post Job Free, according to the Department of Justice. The documents allege the groups used stolen identities, AI‑generated photographs, contracts and confidentiality agreements to pressure recruits into delivering reports and “insider” information, while shifting payments and communications offshore and into encrypted channels.
The FBI has placed takeover pages on the seized domains to render them inoperable and to warn anyone who might have been lured in mid‑recruitment.
Legal status and what’s next
The Justice Department says the seizures were executed under seizure warrants supported by an affidavit, and that the court filings describe alleged bribery, identity theft and international money‑laundering. Reporting on the wider trend suggests this action follows a string of similar operations and public advisories aimed at freelance and consulting markets, which security analysts say foreign actors use for intelligence collection, according to The Record. Prosecutors in the District of Columbia handled the operation and urged anyone with information to contact the FBI tipline.
What this means for cleared workers
Authorities caution that even seemingly harmless requests for reports or policy analysis can help build a detailed operational picture. They urge anyone with security clearances to stay skeptical of unsolicited offers that ask for nonpublic materials or direct contacts. For practical guidance, see the Five Eyes/NPSA advice on vetting job adverts and contracts and, if you believe you were targeted, report details to the FBI at 1‑800‑CALL‑FBI or [email protected], or consult the guidance published by MI5.
