'Bulletproof' China-backed site attacks HK democracy activists

Esther Chan, Rachel BLUNDY
1 / 3

Hong Kong's pro-democracy protesters often wear masks on the streets, while a secretive website is seeking to reveal private details of leading activists and journalists

Hong Kong's pro-democracy protesters often wear masks on the streets, while a secretive website is seeking to reveal private details of leading activists and journalists (AFP Photo/Mohd RASFAN)

Using Russia-based servers and promoted by powerful groups linked to China's ruling Communist Party, a sophisticated anonymous website is targeting Hong Kong pro-democracy figures -- and there is almost no way to stop it.

From high-profile activists to journalists and lawmakers, about 200 people seen as supporting Hong Kong's protest movement have been "doxxed" -- had their personal details posted online -- by the site, HK Leaks, since it emerged in August.

"I received hundreds of threatening calls," a female reporter at Apple Daily, a pro-democracy newspaper, told AFP.

"They would call me a bitch, and a prostitute, and tell me to watch out or they would kill me."

Disclosing certain personal details, including phone numbers, without consent is illegal in Hong Kong.

Privacy Commissioner Stephen Wong said on September 17 he had ordered HK Leaks to take down all posts.

But the site remains online: on its front page, a photo of black-clad protesters with a Chinese-language banner saying: "We want to know who these people are and why they are messing up Hong Kong!"

Personal details -- names, home addresses, personal telephone numbers -- of hundreds of people are posted alongside details of their "misdeeds".

More than two million people follow Facebook pages that have shared HK Leaks posts, according to data from social media monitoring platform CrowdTangle.

And the site itself has received more than 175,000 unique page views, according to SiteWorthTraffic.

"I felt really helpless when I realised the site couldn't be blocked," said the reporter, who suspended her telephone number in a bid to escape the abuse.

Apple Daily obtained a court order in a bid to prevent further doxxing attacks, but her personal details remain on HK Leaks.

-- 'Bulletproof' site --

The problem, experts say, is that HK Leaks is a sophisticated operation specifically designed to evade prosecution.

It is registered anonymously on a Russian server, uses so-called bulletproof anonymous hosting -- also favoured by controversial white supremacist-linked sites such as 8chan -- and has shifted domain three times since August alone.

In early August, the site was live as hkleaks.org, before migrating to hkleaks.ru which became defunct late October, replaced by three other similar domain names, with the same content on each, according to an AFP investigation.

Its listed contact email is registered on Yandex, a Russian internet services company.

"This site seems to be really well set up to reveal as little as possible and it doesn't use lots of external services, like buttons, statistics trackers, various scripts that would leak information," said Maarten Schenk, co-founder of the fact-check site Lead Stories.

It would require a court order to get the domain registrar to hand over any details, Schenk said, warning that the people behind HK Leaks could have paid in bitcoin and be untraceable anyway.

"Whoever is running this site is good at what they do," he told AFP.

HK Leaks uses DDOS-Guard, a Russia-based hosting provider, and "the IP address that is shown for the website is not that of the website itself but of the DDOS-Guard company," cybersecurity expert Brian Honan told AFP.

The site is also registered under the name of a DDOS-Guard employee, which is "part of the device which enables owners of websites to hide their identity," he added.

- 'Hideous' people -

Some pro-democracy protesters have also doxxed Hong Kong's police, which last week obtained a court injunction giving them further protections against personal details being leaked.

Hong Kong's Privacy Commissioner for Personal Data has logged around 2,000 cases of doxxing -- roughly half affecting police -- since protests began in June, according to a spokesman for his office.

However the doxxing of police has been in a less co-ordinated fashion and without any specific or sophisticated website.

Meanwhile, HK Leaks has been promoted by groups linked to China's Communist Party.

These include the Chinese Communist Youth League, which has promoted the doxxing site on their official Weibo accounts.

"Netizens have produced a website called HK Leaks... These hideous people have been categorised according to surname. Let's remove their masks, take action!" a September 18 post on one of the league's account says.

The state-run broadcaster, CCTV, posted the same message on its official Weibo account, where it received more than 75,000 likes.

The nationalist Global Times newspaper, a Communist Party mouthpiece, posted a similar message on its Weibo account, and added a hashtag #listofunmaskedHongKongmob which has been viewed more than 230 million times.

HK Leaks has also been promoted by a network of Twitter bot accounts identified by AFP -- some created shortly before the website was set up in August 2019, others old, idle accounts that were revived around the same time.

Many of the tweets used emoji in their hashtags or were strategically edited to avoid being flagged -- behaviours also seen on accounts removed by Twitter this summer for involvement in a coordinated state-backed disinformation campaign.

Some doxxing victims have accused mainland Chinese authorities of involvement.

One pro-democracy protester told AFP he gave a "fake address I've never given to anyone" to Chinese police during a five-hour grilling at the border when returning to Hong Kong after a business trip in mainland China in August.

"The same fake address shows up on HK Leaks," he said.