Image Credits: NurPhoto / Getty Images

Facebook caught Chinese hackers using fake personas to target Uyghurs abroad

Facebook on Wednesday announced new actions to disrupt a network of China-based hackers leveraging the platform to compromise targets in the Uyghur community.

The group, known to security researchers as “Earth Empusa,” “Evil Eye” or “Poison Carp,” targeted around 500 people on Facebook, including individuals living abroad in the United States, Turkey, Syria, Australia and Canada. Through fake accounts on Facebook, the hackers posed as activists, journalists and other sympathetic figures in order to send their targets to compromised websites beyond Facebook.

Facebook’s security and cyberespionage teams began seeing the activity in 2020 and opted to disclose the threat publicly to maximize the impact on the hacking group, which has proven sensitive to public disclosures in the past.

Though Facebook says social engineering efforts on the platform are “a piece of the puzzle,” most of the hacking group’s efforts take place elsewhere online. They focus on attempts to gain access to targets’ devices with watering hole attacks and lookalike domains, including a fake Android app store offering prayer apps and Uyghur-themed keyboard downloads.

When downloaded, those fake apps infected devices using two strains of Android trojan malware, ActionSpy and PluginPhantom. On iOS devices, the hackers leveraged malware known as Insomnia.

While the hackers targeted a small number of users relative to what the company sees in disinformation operations, Facebook stressed that a small, well-chosen group of targets can result in huge impacts. “You can imagine surveillance, you can imagine a range of secondary consequences,” Facebook Head of Security Policy Nathaniel Gleicher said.

The Uyghurs are a predominantly Muslim ethnic minority in China that continues to face brutal repression from the Chinese government, including being forced into labor camps in the country’s Xinjiang province.

Facebook declined to link what it observed to the Chinese government, saying that it defers to the broader security community to make those determinations when it lacks the technical indicators to do so itself. Researchers believe that adjacent hacking campaigns are Beijing’s efforts to extend its surveillance of communities it already subjugates within China’s bounds.
