Friday, October 29, 2021

From China With "Love" - Exposing the HKLeaks Propaganda Campaign - An OSINT Analysis

I recently came across a currently active information warfare propaganda campaign, courtesy of China, that somehow aims to identify protesters using a variety of "leak"-based Web sites.

In this analysis I'll provide actionable intelligence on the individuals behind these campaigns and offer an in-depth technical discussion of their online whereabouts.

Based on a variety of publicly accessible sources, including WhoisXML API's WHOIS database, I've managed to find the following domains, which are known to have been involved in the campaign, including one personally identifiable email address which could lead to possible cyber campaign attribution.


Sample domains known to have been involved in the HKLeaks information warfare propaganda campaign:


hxxp://hkleaks.pk

hxxp://hkleaks.ru

hxxp://hkleaks.tj

hxxp://hkleaks.ml - Email: spiker@elude.in

hxxp://hkleaks.af

hxxp://hkleaks.cc

hxxp://hkleaks.pw

hxxp://hkleaks.kz

hxxp://hkleaks.kg


Sample email address accounts known to have been involved in the campaign:


hkleaks@yandex.com

hongkongmob@163.com

Hongkongmob@protonmail.com

hongkongmob@yandex.com

Sample responding IPs known to have been involved in the campaign:


Sample related photos from the HKLeaks information warfare online propaganda campaign:




Stay tuned!
