22 April 2022
ISD has identified a small network of 33 Twitter accounts that appear to have been hijacked and used to spread pro-CCP (Chinese Communist Party) narratives. The network includes the verified account of the French MP Bernard Reynès and the account of Liliana Pérez Pazo, a local politician in Spain.
Our investigation found that this network, which has been parroting pro-CCP talking points about the United States, likely belongs to Spamouflage, a spam operation originally identified by Graphika in 2019.
Over the past 18 months, the network has remained focused on one consistent objective: attacking and spreading conspiracies about the United States government. This has included alleging that the US instigated the January 2022 protests in Kazakhstan and recently even blaming the US for Russia’s invasion of Ukraine. In line with our efforts to both understand the strategic evolution of pro-CCP information operations and to detect efforts to interfere in the French elections, ISD has analysed the content being shared from the network since the moment of the hijacking in October 2020.
➜ ISD has identified a network of 33 accounts that were seemingly hijacked at different times between October 2020 and October 2021 and have since been spreading pro-CCP content in French.
➜ Two of the accounts in the network belong to politicians: Bernard Reynès, a member of the National Assembly of France, and Liliana Pérez Pazo, a local politician in Madrid and spokesperson for the Spanish political party Ciudadanos until 2019.
➜ Reynès’ account, which currently has over 9,100 followers, has been retweeting pro-CCP content from the moment of it being hijacked in October 2020. It initially retweeted content from an account that has since been suspended, then shifted to retweeting content posted by Pazo’s account, which appeared to have been hijacked midway through 2021.
➜ Unlike the other accounts in the network, the Reynès account has also been retweeting other content from French media outlets and French politicians. These retweets include content from the right-wing news network CNEWS, attacks on Macron, support for the French far-right politician Eric Zemmour, and vaccine misinformation.
➜ Despite this being a seeming attempt to impersonate Reynès, the account has consistently been active on Twitter during the Beijing workday, which is overnight in France.
➜ An analysis of Reynès’ account also identified signs that its followership had been artificially manipulated around the time that it was hijacked.
French Language Pro-CCP Network
ISD identified a small network of seemingly hijacked accounts which have been spreading and amplifying pro-CCP content in French. The core account of this network (@lilianapazo) is that of Liliana Pérez Pazo, a local politician in Madrid and a spokesperson of the Spanish liberal political party Ciudadanos until 2019. After being hijacked, the account used a Chinese name and a stock profile picture. It appears to have been hijacked around 2 July 2021, posting two tweets on this day which celebrated the centenary of the CCP. These two tweets caught the attention of other Twitter users for being out of character, with two different accounts replying to suggest that @lilianpazo’s account must have been hacked by “Communists”.
Between July and December 2021, @lilianapazo tweeted pro-CCP English and Chinese-language video content with French written commentary. @lilianapazo’s tweets during this period were shared by two separate sets of accounts, all of which seem to have also been hijacked.
➜ Set 1: Between July to October 2021, there were 11 users that retweeted @lilianapazo more than once.
➜ Set 2: From late October to December 2021, a different set of 22 other users – including the account belonging to Bernard Reynès – were retweeting @lilianapazo in a seemingly coordinated way, often with retweets just a few seconds apart.
These 33 accounts appear to have previously been tweeting in a number of languages, including German, Russian, Danish, Italian, Polish, Spanish and Portuguese. The pre-existing tweets (which are seemingly consistent with the previous holders of the accounts) were not deleted and reveal that the accounts are likely to have been hijacked at different times. However, from the point they were compromised, each account exclusively tweeted pro-CCP content.
The network of accounts that were retweeting @lilianapazo appear to have been taken down recently; however, the accounts of Liliana Pérez Pazo and of Bernard Reynes are still active. In March 2022, both accounts of Liliana Pérez Pazo and the verified account of Bernard Reynès stopped tweeting altogether. The profile picture of Liliana Pérez Pazo’s account was removed, and the list of accounts followed by the two users was lost. A month later, in April 2022, the account of Bernard Reynès lost its blue verified badge on Twitter. However, at the time of writing, the pro-CCP content on their profiles is still live.
The verified Twitter account of Bernard Reynès, a member of the National Assembly of France, has been posting pro-CCP content on Twitter for over a year. Reynès is a member of the National Assembly of France, representing the Bouches-du-Rhône department, and is a member of Les Republicains party. He had not previously shown signs of supporting or propagating Chinese government narratives on social media.
In correspondence with ISD, Bernard Reynès’ team confirmed that they suspected his original Twitter account was hijacked in October 2020, and that since that time Twitter had failed to take action (for example by removing the account) despite repeated requests. A new account using Reynès’ name was created in November 2020 and has tweeted about the lack of reaction from Twitter on two occasions – first on 6 November 2020 and again on 18 November 2020.
Reynès’ team have confirmed to ISD that this second account does belong to the politician, and that it was created to inform his followers that his original account had been taken over. The team also stated that they approached Twitter once again in December 2021 to request that the original hijacked account be removed. However, the account is still active at the time of writing.
From the time the account was taken over, Reynès’ account has predominantly engaged with another Twitter account: @cigerlijea. This account had a Chinese name 野火 (wildfire) and it is currently suspended. However, an analysis of its activity on Twitter reveals that it was active from 6 January 2021 until 21 October 2021, and it received engagement from the same network that later amplified @lilianapazo. The replies to tweets from @cigerlijea that are still visible on Twitter are all in French and mostly echo CCP viewpoints, including support for a “return of Taiwan to China” and discussions on policing in Hong Kong.
All of the content posted by @lilianapazo and retweeted by Bernard Reynès since October 2021 are videos. These tend to correspond with the news cycle and adhere to the CCP line on current affairs. Although the text included in the tweet is always in French, the videos themselves are usually in Mandarin or in English with both English and Mandarin subtitles. These videos generally garner around 2.3k views.
The same videos with the same accompanying text translated into different languages were also found to be spread by other accounts on Twitter, Facebook, and YouTube and appear to belong to the Spamouflage network. The hallmark content of this pro-CCP operation has been videos with American English subtitles and an accented voiceover in English.
During the run up to and in the aftermath of Russia’s invasion of Ukraine on 24 February 2022, the videos posted by @lilianapazo and retweeted by Bernard Reynès predominantly focused on the escalation of the conflict, blaming the US and NATO for the increasing tensions. A video posted on 24 February 2022 states: “NATO led by the United States has once again exposed its ugly hegemonism, in order to achieve the purpose of eastward expansion it has repeatedly provoked the escalation of the situation in Russia and Ukraine by all means.”
In the immediate aftermath of the invasion, a new video offered its own interpretations of the events which echoed Russia’s wording, stating: “Recently the tense situation in Russia and Ukraine has suddenly changed. Russian president Vladimir Putin launched a special military operation after recognizing the two ‘republics’ established by civilian armed forces in eastern Ukraine.” The video goes on to blame “the US led NATO” for ignoring Russia’s core security demands and repeatedly violating the “agreement with Russia”.
The following videos criticised the US for having accused China of not having done enough to prevent the war and drew parallels between Taiwan and Ukraine. A video posted on 2 March accused the US of having “stoked the flames on the Russia-Ukraine issue causing today’s tension” and of extending “its black hand to Taiwan” by sending a delegation of former national security officials. The video states that, “it is already clear what America has in their mind. The conflict between Russia and Ukraine, the United States has taken advantage of Ukraine this time by ‘visit’ the main purpose is to curb the development of China.”
On 3 March, another video accused the US and Europe of having caused the war by pushing Russia into a corner, stating that the US will benefit from the conflict while the American, Russian and Ukrainian populations will pay the price for it.
Kazakhstan & “Colour Revolutions”
One of the recurrent narratives being pushed by these accounts throughout January 2022 concerned protests in Kazakhstan. Starting on the 10 January 2022, the Liliana Pazo account shared a series of videos accusing the US of being behind the riots in Kazakhstan. A video posted on the 10th, accompanied by the comment (in French) “the black hand promotes riots and turmoil, face the truth and reject it”, argues that the riots are “a long-time plan of color revolution” planned by Western forces.
Another three videos posted in the following days also follow this narrative, arguing that “the violence in Kazakhstan is American” and stating that there is “conclusive evidence that the United States instigated a color revolution”. Note that US spelling is used consistently throughout these tweets, which could be an indication of the target audience. Instigating these so-called “colour revolutions” – domestic dissent movements propped up by foreign adversaries – has been a popular allegation levelled at the US by both Russian and Chinese information operations over the past two years.
A few days later, and following the US Department of Justice’s announcement of a new unit to fight domestic terrorism, a video posted on 13 January accused the US of being a “real hypocrite” and of being responsible for terrorist actions abroad, specifically mentioning the protests in Kazakhstan as an example.
Aside from retweeting the videos posted by @lilianapazo, another retweet from Reynès features a Sputnik article stating “CSTO Chief Accuses ‘Well-Organised’ Terror Groups of Kazakhstan Unrest”. The tweet was originally posted by an account with the handle @MMA_DDMM and received 3 retweets and 22 likes. An analysis of this account reveals that it had been dormant since 28 October 2019 and all of its previous activity was in German.
Following the retweet of the Sputnik article with the comment in English, all the subsequent tweets by this account have been exclusively in Mandarin. The long silence and the discrepancy in the language of the tweet with the previous tweets suggests that this account could also have been hijacked. All the accounts that liked the post were found to have been created in batches between 14 and 17 January 2022 and have exclusively engaged in liking tweets. This activity suggests that the accounts belong to a unique entity such as a company or individual that is seemingly paid to create engagement on Twitter.
Attacking the United States
Numerous videos posted by these accounts attempt to undermine and attack the United States on the basis of domestic policy and community relations. A comment in French on an English language video posted on 9 January stated that “a year after the Capitol Hill riots American-style democracy is increasingly getting more sick”. The video argues that the divide between rich and poor people is getting deeper and that President Biden’s promise to become the President of “all Americans” has failed to materialise.
Other videos criticise the White House’s failure to contain the spread of the Omicron variant and control the COVID-19 pandemic; dismiss accusations of human rights abuses in Xinjiang; and accuse Europe and the US of “harbouring anti-China chaos in Hong Kong”. These narratives are consistent with pro-CCP information operations previously identified and documented by ISD and Graphika.
An analysis of the activity of the account of Reynès from 2010 to date reveals a stark contrast between its genuine activity from 2010 to 2020 and the activity from the moment of the hijacking in 2020 to date. Namely, from October 2020, the account has predominantly engaged in retweets rather than in posting original content.
Although the content currently retweeted by Reynès might initially seem in line with the politician’s previous content and topics of interest, a comparison of the most retweeted accounts by Reynès’ account from 2010 to September 2020 (prior to the hijacking) and from October 2020 to 8 March 2022 reveals a striking difference. In particular, the activity following the account takeover includes repeated engagement with the right-wing media outlet CNEWS, which was dubbed a “Fox-Style News Network” by the New York Times for giving a platform to far-right figures and controversial ideas. Reynès had never previously engaged with this account in a decade of Twitter activity from 2010 to 2020.
Retweets from Reynès from October 2020 include 51 mentions of the far-right politician Eric Zemmour. Most of the tweets feature videos of Zemmour and were originally published by CNEWS. This support for Zemmour is also in line with the rest of the pro-CCP content, given that the politician has expressed views favourable to China and has been critical of Europe and the United States for their ‘anti-China stances’. Other retweets, also mostly originating from CNEWS, cast doubts on the efficacy of COVID-19 vaccines and criticisms of “absurd restrictions” in France.
A comparison of the timestamps on posts from Reynès’ account from 2010 to date reveals that most of the activity from the account since October 2020 (on the left below) has taken place between midnight and 2am UK time, which corresponds to 1-3am in France and 8-10am Beijing time. Before this time, Reynès’ Twitter activity was distributed relatively evenly throughout the French workday.
ISD has also identified signs that the followership of the Bernard Reynès account has been artificially manipulated. Analysis reveals that the account has been both gaining and losing followers in batches at very specific periods in time. For example, he gained 2,843 followers between 19 and 26 October 2020 (the same week in which his activity on Twitter resumed and the account was likely hijacked) and lost 3,314 followers between 4 and 11 January 2021. Although this activity does not necessarily confirm inorganic activity, it is abnormal compared with follow/unfollow patterns for accounts belonging to public figures.
An analysis of the creation date of these followers, which is used to ascertain whether these new followers may be inauthentic, also revealed spikes in particular periods. The major spikes are all in 2021: 25 March, with 44 accounts created on this day; 19 January (41 accounts); and 8 November (32 accounts). Of the 117 accounts created during these three spikes, 89 of them have never tweeted, and 95 of them have less than five followers. This finding suggests that these accounts could have been intentionally created to act as an amplification network.
It is entirely possible that these accounts were swept up in a set that were purchased and/or repurposed rather than targeted for hijacking on account of their political influence. However, if intentional, the hijacking and impersonation of a verified profile would constitute a new and more sophisticated strategy for pro-CCP operations on Twitter. Although no definitive attribution can be made about the actors behind the account, and nor can we be sure of the motivations of its current activity, analysis reveals that the content posted from Reynès’s account corresponds with material spread by other accounts in the Spamouflage network.
Regardless of intent, the activity outlined here violates several of Twitter’s policies, including those designed to protect users, and in particular political candidates and other public figures, from impersonation and manipulation. With the French elections a few days away, Twitter’s failure to act in this situation raises urgent questions about the platform’s ability to prevent influence operations by foreign actors.