We Only Have to be Lucky Once: The Threat of “Contactless Recruitment”
Fred Hoffman, D.Sc.
Department Chair and Associate Professor of Intelligence Studies @ Mercyhurst University | D.Sc
According to a 1 March 2025 CNN article, foreign intelligence services (FIS) in Russia and China are attempting to “recruit disgruntled federal employees.” The threat of current or former intelligence community insiders accepting recruitment to clandestinely work for foreign intelligence services represents a concerning problem.
The scope of the counterintelligence problem
While there are 195 countries in the world, only one of them accounts for fully 50% of the Federal Bureau of Investigation’s (FBI) counterintelligence investigations – the People’s Republic of China. In 2022, then-FBI Director Christopher Wray said that two new counterintelligence cases on China are opened every day.
Risk versus gain
Thanks to the internet and social media, FIS have the unprecedented ability to spot, approach, assess, develop, and recruit persons of interest. And why not? There are a variety of advantages to this approach, and minimal risks to FIS officers, who in most cases never have to set foot outside their country to conduct these online operations. In other words, leveraging the internet and social media to recruit sources is a “high gain/low risk” activity.
Adapting a commercial methodology for nefarious purposes
In the business world, the phrase contactless recruitment refers to the process of identifying, screening, interviewing, and hiring candidates without having a single in-person meeting. The process includes examination of an applicant’s social media profiles, video interviews, AI-driven assessments, and digital onboarding. This process saves time and money for both the prospective employer and the prospective employee. In the intelligence world, contactless recruitment involves similar methodology but adds nefarious intent. In the case of China, contactless recruitment of targeted individuals takes advantage of Big Data that China has acquired over the years from a succession of high-profile network intrusions. Over the past decade, a number of Advanced Persistent Threats (APT) associated with China’s “Specialized Military Network Warfare Forces” (军队专业网络战力量) have hacked into a variety of U.S. databases. By aggregating and analyzing their stolen information, Chinese intelligence is able to identify potentially recruitable individuals, approach them online using a pseudonym and notional, non-threatening commercial cover company (such as a “think tank”), and then develop them to the point where they can be recruited.
How a succession of database hacks enabled this methodology
In 2015, China hacked into the Office of Personnel Management (OPM), breaching the records of an estimated 21 million people. OPM was the government entity responsible for holding security clearance records of people holding Department of Defense-related security clearances. “Those exposed included 19.7 million who applied for the clearances - current, former, and prospective federal employees and contractors - plus 1.8 million non-applicants, mostly spouses or co-habitants of applicants, the agency said.”
In 2017, four members of the PLA were charged with hacking into Equifax, one of the largest cybercrimes in history – exposing names, birth dates, physical addresses, social security, and credit card numbers for around 200,000 individuals. In August of 2023, there were reports that Chinese hackers had hacked into LinkedIn accounts as part of a “widespread hijacking campaign.”
Chinese hackers have also gained access to databases at medical insurance companies, Facebook, and other corporate entities. While each network penetration is alarming on an individual level, let’s consider the potential consequences of having access to all that aggregated information. Let’s say, for argument’s sake, that all this purloined data gets parsed and examined for the purpose of identifying former government officials who have (or had) security clearances and access to classified information. Using artificial intelligence and Big Data, information can be cross-referenced to present profiles of vulnerable individuals who not only have the desired knowledge and access to information and people, but also the perceived motivation to cooperate with a foreign intelligence service (FIS).
A good way to start identifying potential recruitment prospects would be a search on LinkedIn, to identify individuals who claim on their profile to hold a security clearance, to work (or once worked) for an intelligence organization, or who provide other information that a FIS would find enticing. “A 2023 report by the Defense Counterintelligence and Security Agency reveals that social networking ranks among the most common contact methods for adversary intelligence services, particularly those originating from East Asia and the Pacific,” said Caleb Lisenbee II, the author of an article on how FIS uses LinkedIn to target individuals working for the Department of Defense.
Leveraging AI and Big Data to create a composite picture
AI and Big Data enable savvy FIS users to cross-reference purloined database information and create a composite picture of a prospective target. Once possessing a name of interest, FIS can check the purloined OPM data to verify whether that individual holds, or held, a security clearance. By searching for that person on Facebook, FIS can get a feel for that person from a social perspective: Who are their friends? What are their hobbies and interests? What is their political orientation? If FIS has Equifax data on that person, they can assess that individual’s financial status. Is the target financially secure, or do they show signs of having financial difficulty? Combining all this information creates a highly useful profile of a prospective recruit – before FIS ever makes online contact with the person.
A few case studies
Rather than attempt the risky and time-consuming approach of staging an initial face-to-face contact, FIS can simply create a fake (but convincing) online profile and initiate contact using innocuous, non-threatening language and an offer that is carefully crafted to exploit the target’s identified vulnerabilities and motivations. Sometimes it takes a bit of time and cultivation to develop a target; sometimes it doesn’t. Former CIA officer Kevin Mallory was approached by Chinese intelligence on LinkedIn. As a 2019 CBS News article explained, “Mallory was a prime target for recruitment. He was out of work, three months behind on his mortgage, and thousands of dollars in debt.” Like Mallory, former Defense Intelligence Agency officer Ron Rockwell Hansen, a fluent speaker of both Russian and Mandarin Chinese who held a Top Secret security clearance, also had financial difficulties, “with debts of several hundred thousand dollars.” Hansen was approached and recruited by Chinese intelligence in 2014. He was arrested on 2 June 2018 as he prepared to board a flight to China “while in possession of SECRET military information.” In another case, the Department of Justice reported that Chinese intelligence had engaged in a five-year-long correspondence with Dickson Yeo, a Singaporean arrested in 2020.
How great is the threat?
CIA Director John Ratcliffe is said to be unconcerned by the possibility that intelligence community officers released under DOGE (Department of Government Efficiency) could become spies. The problem, though, is that countries like China and Russia already have a low-cost, low-risk methodology for identifying and approaching those individuals. Even if FIS only manage to recruit one spy for every 1,000 individuals, or even 10,000 individuals, they identify and contact, that’s still incredibly significant. As an IRA terrorist captured after the failed 1984 attempt to kill Margaret Thatcher told a British policeman, “You have to be lucky every time. We only have to be lucky once.”
DIRECTOR, RESEARCH INSTITUTE FOR EUROPEAN AND AMERICAN STUDIES (RIEAS)
4 days ago: Thanks for sharing
at HSM Training and Consultancy
6 days ago: Social media presents many different opportunities for the recruitment of assets. How to guard against such attacks should be taught to every intelligence officer. How to utilise it should be taught to those whose role is to cultivate assets (informants / human sources).
Author of "Cyberlaw" and "Policies and Procedures for Your Organization". Cybersecurity, privacy, cybercrime prevention, compliance. Lawyer, consultant, author, speaker.
6 days ago: Plus the fact that foreign influence operations target every inhabitant and voter in this country. Digital advertising and marketing is effective, and nation-states do it for their own purposes too. One study says ten percent of the population believes the Earth is flat. Imagine the susceptibility of a greater segment to more sophisticated persuasion and manipulation.