March 23, 2023

A spy wants to connect with you on LinkedIn.


There is nothing immediately suspicious about Camille Lons’ LinkedIn page. The politics and security researcher’s profile picture shows her giving a talk. She has a professional network of around 400 people, along with a detailed career history and biography. Lons has also shared a link to a recent podcast appearance — “always enjoying these conversations” — and liked posts from Middle East diplomats.

So when Lons contacted freelance journalist Anahita Semedanova last fall, her job offer seemed genuine. They exchanged messages on LinkedIn before Lons asked to share more details of a project via email. “I just shot an email to your inbox,” she wrote.

What Semedanova didn’t know at the time was that the person messaging her wasn’t Lons at all. Semedanova, who works for Iran International, a Persian-language news outlet that has been harassed and threatened by Iranian government officials, was being targeted by a state-backed actor. The account was an impostor that researchers have linked to the Iranian hacking group Charming Kitten. (The real Camille Lons is a politics and security researcher, and has had a LinkedIn profile with verified contact details since 2014. The real Lons did not respond to WIRED’s requests for comment.)

When the fake account emailed Semedanova, her suspicions were raised by a PDF that said the US State Department had provided $500,000 for a research project. “When I saw the budget, it was so surreal,” Semedanova says.

But the attackers persisted and asked the journalist to join a Zoom call to discuss the proposal further, as well as sending some links to review. Semedanova, now on high alert, says she told a member of Iran International’s IT staff about the approach and stopped responding. “It was very clear that they wanted to hack my computer,” she says. Amin Sabiti, founder of CertfaLab, a security organization that researches threats from Iran, analyzed the fake profile’s behavior and correspondence with Semedanova and said the incident was similar to Charming Kitten’s other LinkedIn approaches.

The Lons incident, which has not been previously reported, is at the most sophisticated end of LinkedIn’s problem with fake accounts. Advanced state-backed groups from Iran, North Korea, Russia and China regularly use LinkedIn to connect with targets in an attempt to steal information through phishing schemes or malware. The episode highlights LinkedIn’s ongoing battle against “inauthentic behavior,” which includes everything from annoying spam to suspicious spying.

Missing links

LinkedIn is an invaluable tool for researching, networking, and finding work. But the amount of personal information people share on LinkedIn — from work history and locations and languages spoken to professional connections — makes it ideal for state-sponsored espionage and strange marketing schemes. Fake accounts are often used to hawk cryptocurrency, lure people into redirect schemes, and steal identities.

Sabiti, who has been analyzing Charming Kitten profiles on LinkedIn since 2019, says the group has a clear strategy for the platform. “Before they start a conversation, they know who they’re contacting, they know the full details,” Sabiti says. In one example, the attackers hosted a Zoom call with someone they were targeting and used static images of the scientist they were impersonating.

The fake Lons LinkedIn profile, created in May 2022, listed the real Lons’ work and education dates and used the same photo as her real Twitter and LinkedIn accounts. Much of the biographical text on the fake page was also copied from the real Lons’ profiles. Sabiti says the group ultimately wants to gain access to people’s Gmail or Twitter accounts to collect private information. “They can gather intelligence,” Sabiti says. “And then they use it for other goals.”
