PAPERWALL is a large network of anonymous Chinese websites that pose as local news outlets to push pro-Beijing content to audiences worldwide, leveraging Times Newswire as a seed source and embedding political material within largely benign-looking content. The operation is attributed to Shenzhen Haimaiyunxiang Media Co., Ltd. (Haimai) and shows how private firms are increasingly used to conduct digital influence campaigns. #PAPERWALL #Haimai
Keypoints
- A network of at least 123 websites, operating from within China, masquerades as local outlets in 30 countries to spread pro-Beijing content (PAPERWALL).
- PAPERWALL is distinct from HaiEnergy but shares content sourcing from Times Newswire, which it hides within large amounts of general content.
- A central feature is the ephemerality of aggressive political articles, which are routinely removed from the sites after publication.
- Attribution links PAPERWALL to Shenzhen Haimaiyunxiang Media Co., Ltd. (Haimai) based on digital infrastructure links between Haimai assets and the network.
- The campaign relies on private firms and paid editorial services, illustrating the growing role of disinformation-for-hire in Chinese influence operations.
- The network targets 30 countries with language-localized domains, using local-sounding names and WordPress/Tencent Cloud infrastructure to appear legitimate.
MITRE Techniques
- [T1583] Acquire Infrastructure – PAPERWALL domains and Times Newswire content were hosted on Tencent Cloud infrastructure; “the current hosting infrastructure for the six Italian-language domains linked back to Tencent… Tencent Cloud.”
- [T1070.004] File Deletion – Ephemeral content: “articles attacking Beijing’s critics are routinely removed from these websites.”
- [T1036] Masquerading – Websites masquerade as local news outlets; “to appear as legitimate local news outlets, PAPERWALL websites typically utilized local references as part of their names.”
- [T1566] Phishing for Information (influence/messaging) – Not explicitly, but the operation seeds targeted political narratives to shape public perception; “ad hominem attacks” and targeted campaigns function as manipulated messaging to influence audiences.
Indicators of Compromise
- [Domain] PAPERWALL-related domains – napolimoney.com, italiafinanziarie.com, romajournal.org, milanomodaweekly.com, veneziapost.com, updatenews.info, wdpp.org, and 68 more domains
- [Domain] Times Newswire-linked domains – timesnewswire.com and related sites used as seed content
- [IP] Tencent Cloud hosting IPs used by PAPERWALL domains – 162.62.225.65, 43.157.63.199, 43.163.221.160
- [IP] AWS hosting IP observed for initial domains – 3.12.149.243
- [IP] Times Newswire DNS resolution (for timesnewswire.com) – 43.153.106.236
- [AdSense ID] ca-pub-5378976189690174 found on updatenews.info and wdpp.org, linking to Haimai assets