Beautiful Bauhinia: “HKLeaks” – The Use of Covert and Overt Online Harassment Tactics to Repress 2019 Hong Kong Protests – The Citizen Lab

HKLEAKS was a coordinated online harassment operation that doxxed Hong Kong protesters and allied figures, leveraging multiple platforms and a cross-asset network to intimidate targets while masking operators’ identities. The report argues HKLEAKS was an artificial, well-resourced campaign with probable links to mainland China, rather than a grassroots local initiative.

Key Points

  • HKLEAKS began in August 2019 as a campaign doxxing pro-democracy activists and journalists in Hong Kong, with signs of coordinated, professional operation rather than a spontaneous grassroots effort.
  • The operation used strong operational security, including privacy-protected domain registrations and hosting with services like DDoS-Guard to hide operator identities.

MITRE Techniques

  • [T1583] Acquire Infrastructure – Domains and hosting used by HKLEAKS to distribute doxxing content and survive takedown attempts. Quote: “A total of at least 25 web domains were used, all mirroring identical content.”
  • [T1090] Proxy – Anonymization and concealment of operators through privacy-protected registrations and foreign hosting. Quote: “the owners of the domain went to great lengths to hide their own identity and affiliations.”
  • [T1071.001] Web Protocols – Dissemination of content via multiple online channels (Twitter, Telegram, Weibo, WeChat, LIHKG). Quote: “doxxing… mainly occurred on the messaging app Telegram, on LIHKG… and via dedicated websites such as hkchronicles.”
  • [T1036] Masquerading – Campaign operators presented HKLEAKS as a grassroots movement to mask their true sponsorship and origins. Quote: “What remained consistent was the claim by their operators of being a grassroots organization.”
  • [T1090] Proxy (network infrastructure) – Use of a layered network (Blue Ribbon, HKLEAKS, and di ve networks) to obscure command and control and distribution paths. Quote: “HKLEAKS and the Blue Ribbon network consistently interacted with each other, suggesting a shared agenda.”

Indicators of Compromise

  • [Domain] HKLEAKS infrastructure – hkleaks.org, hkleaks.pk, hongkongmob.com, 803.hk, hkleaks.ru, and other HKLEAKS-related domains; context: used to host doxxing content and coordinate campaigns
  • [Email] Contact addresses – [email protected], [email protected], [email protected], [email protected]; context: listed as operator or contact information for domains
  • [Twitter] Handles linking to HKLEAKS or network – @FansClu80167330, @ilovehongkong2, @truthhkcom; context: accounts used to promote doxxing content or coordinate activity
  • [Telegram] Channels – HKLEAKS Telegram channels (24 identified) and coordination across Telegram groups; context: main dissemination and crowd-sourced content promotion
  • [Weibo/WeChat] Content dissemination – posts linked to Distress Letter and network promotion; context: cross-border mobilization of audiences
  • [Other] Major campaign assets – 803 Fund, HongKongMob links, and state-media promotion channels in mainland China; context: signs of broader coordination
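A defender receiving this indicator list would typically want to sweep DNS and proxy logs for the listed domains, including their subdomains, without producing false positives on look-alike names. The following is an added example written for this summary, not code from the Citizen Lab report: it takes the HKLEAKS domains named above, normalizes hostnames (case, trailing dot, port), matches on exact domain or proper subdomain only, and runs over a handful of constructed log lines (the timestamps, client IPs and log format are invented for the example).

```python
import re
from urllib.parse import urlsplit

# Domains listed on the page as HKLEAKS infrastructure.
HKLEAKS_DOMAINS = {"hkleaks.org", "hkleaks.pk", "hongkongmob.com", "803.hk", "hkleaks.ru"}

# Constructed sample log lines (not real traffic); mixed DNS-resolver and web-proxy format.
SAMPLE_LOGS = [
    "2019-09-01T10:00:01Z dns client=10.0.0.5 qname=www.hkleaks.org. qtype=A",
    "2019-09-01T10:00:02Z dns client=10.0.0.7 qname=example.com. qtype=A",
    "2019-09-01T10:00:03Z proxy client=10.0.0.9 url=https://hkleaks.ru/archive/index.html status=200",
    "2019-09-01T10:00:04Z proxy client=10.0.0.9 url=https://notreallyhkleaks.org/ status=200",
    "2019-09-01T10:00:05Z dns client=10.0.0.5 qname=cdn.803.hk. qtype=AAAA",
]


def normalize_host(host):
    """Lowercase the name, drop a trailing dot (FQDN form) and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    return host.split(":")[0]


def matches_ioc(host, iocs=HKLEAKS_DOMAINS):
    """Return the matching indicator domain, or None.

    A hit requires an exact match or a proper subdomain ("www.hkleaks.org");
    a plain substring test would wrongly flag "notreallyhkleaks.org".
    """
    host = normalize_host(host)
    for domain in iocs:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def extract_host(line):
    """Pull the queried or requested hostname out of one constructed log line."""
    m = re.search(r"\bqname=(\S+)", line)
    if m:
        return m.group(1)
    m = re.search(r"\burl=(\S+)", line)
    if m:
        return urlsplit(m.group(1)).hostname or ""
    return None


def scan(lines, iocs=HKLEAKS_DOMAINS):
    """Return one record per log line whose hostname matches an indicator."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if host is None:
            continue
        matched = matches_ioc(host, iocs)
        if matched:
            client = re.search(r"\bclient=(\S+)", line)
            hits.append({
                "client": client.group(1) if client else None,
                "host": normalize_host(host),
                "ioc": matched,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['client']} -> {hit['host']} (matches {hit['ioc']})")
```

Against the constructed lines the scan reports three hits (www.hkleaks.org, hkleaks.ru and cdn.803.hk) and ignores the look-alike notreallyhkleaks.org. Because the page notes that the operation used at least 25 mirrored domains, the indicator set here should be treated as a starting point and extended from the full report rather than as a complete block list.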

Read more: https://citizenlab.ca/2023/07/hkleaks-covert-and-overt-online-harassment-tactics-to-repress-the-2019-hong-kong-protests/