-
ASEC BLOG
-
Ransom & Dark Web Issues Week 1, May 2026
ASEC Blog publishes Ransom & Dark Web Issues Week 1, May 2026: Guatemalan Government Agency Data Sold on DarkForums; BlackWater Ransomware Attack Targets Chinese Auto Parts Manufacturer; Japanese Fintech Firm Suffers Unauthorized GitHub Access.
-
Cybersecurity News
-
The New Wall: How the FCC’s Ban on Chinese Testing Labs will Inflate Flagship Phone Prices and Delay Launches
The post The New Wall: How the FCC’s Ban on Chinese Testing Labs will Inflate Flagship Phone Prices and Delay Launches appeared first on Daily CyberSecurity.
Related posts: FCC to Vote on Banning Chinese Tech in US Undersea Cables Amid National Security Concerns; RAMageddon: Why Your Next Smartphone Will Cost 7% More with Worse Specs in 2026; The RAM Crunch: Why Your Next Smartphone Will Cost More in 2026.
-
Security Affairs
-
Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe’s digital defenses
April 2026 breach at Sistemi Informativi (IBM Italy) raises concerns over Chinese-linked cyber ops in Europe, including Salt Typhoon.
In late April 2026, the Italian cybersecurity landscape was shaken by a significant breach targeting Sistemi Informativi, a company wholly owned by IBM Italy that provides IT infrastructure management for key public and private institutions. The incident, first reported by La Repubblica, has raised fresh concerns about the growing reach of Chinese-linked cyber operations in Europe.
Sistemi Informativi is central to Italy’s digital infrastructure, managing systems for public agencies and key industries. Its outage quickly raised alarms among cybersecurity authorities and critical infrastructure operators.
IBM confirmed the security breach through an official statement, acknowledging that it had “identified and contained a cybersecurity incident” and had activated incident response protocols involving both in-house and external specialists. The company said systems are now stable and services restored, but gave no details on the breach’s scope. Its website stayed offline for hours during containment.
While forensic investigations are still ongoing, multiple intelligence sources cited by La Repubblica point to the China-linked cyber espionage group Salt Typhoon. If confirmed, this would mark one of the most ambitious cyberattacks on the backbone of Italy’s public infrastructure in recent years.
Salt Typhoon has been active since at least 2019, but its operations have escalated sharply over the past two years. The group has built a reputation as one of the most capable APTs associated with Chinese state interests, showing advanced operational discipline, a modular toolkit of custom malware, and a strategic focus on telecommunications, defense logistics, and critical infrastructure.
Salt Typhoon’s hallmark is its technical precision. Rather than relying on social engineering or mass phishing, it infiltrates networks through supply-chain vulnerabilities and zero-day exploits. In recent operations documented by researchers, the group leveraged flaws in Citrix and Cisco systems to infiltrate European telecom providers, compromising backbone networks and data relays.
Salt Typhoon has breached multiple organizations since early 2025, including Viasat, Canadian telecom firms, the U.S. Army National Guard, and Dutch government networks. Across all these incidents runs a consistent pattern: prolonged data exfiltration, silent observation, and compromise of infrastructure with the potential for command execution at scale.
If Salt Typhoon targeted Sistemi Informativi, the impact could be serious. As a key IT provider for Italian institutions, its systems could expose sensitive data and connections, allowing attackers to map critical parts of the country’s digital infrastructure.
The attack highlights a key weakness: reliance on third-party providers for national systems. Compromising one integrator can open access to many government databases, a tactic often linked to Salt Typhoon.
The Sistemi Informativi breach shows that IT providers are now critical infrastructure and prime targets. Cyber conflict now plays out across networks, through exploits and AI-driven attacks. To stay resilient, Italy and Europe need not only stronger defenses but also better coordination between governments, industry, and intelligence services.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Salt Typhoon)
-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
45,000 Attacks, 5,300+ Backdoors Tied to China-Linked Cybercrime Operation
SOCRadar researchers have uncovered a massive Chinese cybercrime operation using the OpenClaw and Paperclip systems to automate global attacks.
-
The Record from Recorded Future News

-
Zambia cancels global digital freedoms conference days before start
On Tuesday, Zambia’s Minister of Technology and Science offered the first hint that the conference would be cancelled, telling a Zambian news outlet that participants’ security clearances were incomplete and that the government has concerns about the conference’s “dialogue.”

-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Misconfigured Server Run by Hackers Leaks 345,000 Stolen Credit Cards
A misconfigured server linked to the carding marketplace Jerry’s Store exposed 345,000 stolen credit cards after an AI coding error caused a major security flaw.
-
Graham Cluley
-
Alleged Silk Typhoon hacker extradited to the United States to face charges
A man accused of working as a hacker for China's Ministry of State Security has been extradited to the USA from Italy, and faces - if found guilty - the prospect of decades behind bars. Read more in my article on the Hot for Security blog.
-
Cybersecurity News
-
Tall Tales: China’s Private Contractors and the Global Hunt for Dissent
The post Tall Tales: China’s Private Contractors and the Global Hunt for Dissent appeared first on Daily CyberSecurity.
Related posts: Weaponized Uyghur Language Software: Citizen Lab Uncovers Targeted Malware Campaign; BitMEX Turns Tables on Lazarus Group: Infiltrates Hacker Infrastructure; China-Aligned Hive0154 APT Strikes Tibetan Community: Pubload Backdoor Delivered via Phishing Lures.
-
The Record from Recorded Future News

-
China-linked hackers led phishing campaigns targeting journalists and activists, researchers say
The aim of the campaigns was to steal credentials and likely enable “follow-on operations in the interest of the Chinese government,” the report said.

-
Cybersecurity News
-
China Blocks Meta’s $2B Acquisition of Manus AI in Landmark Security Move
The post China Blocks Meta’s $2B Acquisition of Manus AI in Landmark Security Move appeared first on Daily CyberSecurity.
Related posts: The $2 Billion Bet: Why Meta Just Bought the World’s Fastest-Growing AI Startup; Geopolitical Gridlock: Why China is Putting Meta’s $2 Billion Manus AI Deal Under the Microscope; The Private Powerhouse: How Meta’s $135B NVIDIA Bet is Bringing Stealth AI to WhatsApp.
-
Cybersecurity News
-
From Shanghai to Houston: The HAFNIUM Hacker Who Stole Vaccine Secrets Faces Justice
The post From Shanghai to Houston: The HAFNIUM Hacker Who Stole Vaccine Secrets Faces Justice appeared first on Daily CyberSecurity.
Related posts: Chinese State-Sponsored Hacker Xu Zewei Arrested in Italy for COVID-19 Research & Exchange Server Hacks; DOJ Cracks Down on Anyproxy & 5socks Botnets, Four Charged; Global Crackdown: DoJ Seizes Crypting Services in Major Cybercrime Bust.
-
Security Affairs
-
Italy moves to extradite Chinese national to the U.S. over hacking charges
Italy plans to extradite Xu Zewei to the U.S. over alleged hacks on COVID-19 research tied to state-backed operations.
Italy is moving to extradite Xu Zewei, the Chinese national arrested in 2025 at the request of U.S. authorities on cyber-espionage charges, Bloomberg reported.
The case stands out because it ties a single suspect, Xu, to cyber operations targeting sensitive research and major systems beyond the U.S. Authorities say he targeted universities and researchers working on COVID-19 vaccines, treatments, and testing between 2020 and 2021. Prosecutors also link him to a China state-backed hacking ecosystem, framing the activity as part of broader, politically motivated cyber operations.
In July 2025, Italian police arrested a Chinese national, Zewei Xu, at Milan’s Malpensa Airport on a U.S. warrant; he was detained on July 3rd after arriving on a flight from China. Italian authorities accused him of cyber espionage, and U.S. authorities linked him to the China-nexus group Hafnium (aka Silk Typhoon), which carried out attacks against the U.S. government, including the U.S. Treasury.
“Zewei Xu is wanted by the FBI for allegedly being part of a team of hackers that allegedly carried out espionage operations, particularly in 2020 on anti-COVID vaccines being produced at the University of Texas.” reported Italian news agency ANSA.
“Interior ministry documents said he is also accused of being part of a ‘large-scale cyber intrusion campaign orchestrated’ by the Chinese government known as ‘Hafnium’, which ‘targeted thousands of computers around the world’ to get information on ‘various U.S. government policies’.”
The suspect’s family claims he is an innocent IT technician. His wife opposes his extradition, saying his Italian visa proves no wrongdoing and that he works as an IT manager at Shanghai GTA Semiconductor Ltd, developing systems and networks.
“Both my husband and I do not agree with extradition to the United States,” his wife told the Postal Police after the man’s arrest. “Him getting an entry visa to Italy should be a confirmation that we have not committed crimes, so I cannot understand the reason for my husband’s arrest.”
Italian police seized the documents and the devices of the suspect as requested by the U.S. authorities.
In broader terms, the Xu Zewei case shows how cyber espionage is increasingly handled through legal and diplomatic channels as well as technical defense. The extradition process is part of the response, but the deeper challenge is preventing these operations from succeeding in the first place. That means better patching, faster detection, stronger identity controls, and closer international coordination across Europe and the United States.
(SecurityAffairs – hacking, China)
-
Security Affairs

-
GopherWhisper: new China-linked APT targets Mongolia with Go-based malware
ESET found a new China-linked APT, tracked as GopherWhisper, targeting Mongolia using Go-based malware, loaders, and backdoors.
ESET researchers uncovered a new China-aligned APT group called GopherWhisper, targeting government institutions in Mongolia. The group’s arsenal includes a range of tools mainly written in Go, such as loaders and injectors, which are used to deploy multiple backdoors. This toolkit allows attackers to maintain access and control over compromised systems, showing a structured and evolving cyber-espionage operation.
ESET uncovered GopherWhisper in January 2025 after finding the LaxGopher backdoor on a Mongolian government system. GopherWhisper uses legitimate platforms like Discord, Slack, Outlook, and file.io for command-and-control and data exfiltration. By finding API tokens, researchers accessed many C&C messages, revealing the group’s activity.
“ESET researchers have discovered a previously undocumented China-aligned APT group that we have named GopherWhisper. The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal.” reads the report published by ESET. “For C&C communication and exfiltration, GopherWhisper abuses legitimate services. In the observed campaign, the threat actors mainly targeted a government entity in Mongolia.”
Further analysis revealed a full toolkit of mainly Go-based malware with no links to known groups, leading to the creation of a new attribution. The group deploys multiple backdoors and tools to gain control, execute commands, and steal data. JabGopher injects LaxGopher into svchost.exe, while LaxGopher communicates via Slack, runs commands, and downloads payloads like CompactGopher, which compresses and exfiltrates files. RatGopher uses Discord for command execution, and SSLORDoor handles file operations over encrypted sockets. Additional tools include FriendDelivery, a loader, and BoxOfFriends, which uses Microsoft 365 Outlook APIs for covert command-and-control communication.
Researchers uncovered GopherWhisper’s operations by extracting thousands of messages from Slack, Discord, and Outlook accounts used for command-and-control. Message timestamps showed activity mainly during UTC+8 working hours, suggesting alignment with the Chinese government. Attackers first used these platforms to test malware, then reused them for active operations without clearing logs. Slack communications mainly handled file and disk commands and included links to GitHub code used for development. Discord channels contained early backdoor code and revealed details about operator machines, including a VMware-based setup. Outlook accounts supported covert communication through draft emails, with timelines linking account creation to malware development.
“In addition to the Slack and Discord communication, we were also able to extract email messages used for communication between the BoxOfFriends backdoor and its C&C via the Microsoft Graph API. There we noticed that the welcome email message from Microsoft, from when the account was created, had never been deleted.” continues the report. “This message confirmed that the account barrantaya.1010@outlook[.]com was created on July 11th, 2024, just 11 days before the creation of the FriendDelivery DLL – the loader used to execute BoxOfFriends – on July 22nd, 2024.”
ESET researchers discovered about 12 infected systems within a Mongolian government entity and believe dozens more victims exist based on Slack and Discord C&C traffic.
“Our investigation into GopherWhisper revealed an APT group that uses a varied toolset of custom loaders, injectors, and backdoors.” concludes the report. “By analyzing the C&C communications obtained from the attacker-operated Slack and Discord channels, and from draft Outlook email messages, we were able to gain additional information about the group’s inner workings and post-compromise activities.”
More details and IoCs are available in the full white paper and GitHub repository.
(SecurityAffairs – hacking, China)
-
Security | TechRepublic
-
White House Says China-Linked Actors Tried to ‘Steal American AI’
The White House says China-linked actors are using industrial-scale distillation to extract American AI breakthroughs, with US action planned.
-
Security Affairs

-
China-linked threat actors use consumer device botnets to evade detection, warn UK and partners
UK National Cyber Security Centre (NCSC) warns China-linked hackers use hijacked devices as proxy networks to hide activity and evade detection.
UK National Cyber Security Centre (NCSC) and global partners warn that China-linked threat actors now rely on large proxy networks built of hacked consumer devices. Groups control routers, cameras, video recorders, and NAS systems to route attacks and mask their identity. This shift replaces smaller, dedicated infrastructure with vast botnets that help them blend into normal traffic and avoid detection.
China-nexus cyber actors use these botnets across the full Cyber Kill Chain, from reconnaissance to data theft. This model gives them a low-cost, flexible, and deniable setup that they can quickly reshape, making static IP blocklists far less effective.
“Covert networks enable China-nexus actors to launch cyber attacks against UK organisations, stealing sensitive data and potentially disrupting critical services. Because the covert networks are constantly refreshed and share nodes across multiple threat groups, defenders face ‘IOC extinction’ – indicators of compromise disappear as quickly as they are discovered.” reads the advisory. “Consequently, organisations that rely solely on static defences risk being bypassed, while those that adopt adaptive, intelligence driven measures can better mitigate the risk.”
National Cyber Security Centre and partners, including the Cyber League, released guidance to counter covert network threats. They advise organisations of all sizes to map and baseline traffic from edge devices, especially VPN and remote access connections. They also recommend using dynamic threat feed filtering that includes indicators of compromised infrastructure to improve detection and reduce exposure to hidden attack networks.
“Potential victims should implement two-factor authentication for remote access and, where possible, apply zero trust controls, IP allow lists, and machine certificate verification.” continues the advisory. “Larger or high-risk entities should consider active hunting of suspicious SOHO/IOT traffic, geographic profiling, and machine learning based anomaly detection.”
National Cyber Security Centre explains that China-linked covert networks keep evolving, with new and updated infrastructures appearing regularly due to countermeasures, exploits, and technical changes.
“The number of covert networks used by China-nexus cyber actors is large, with new networks regularly developed and deployed.” reads the joint advisory. “The existing covert networks change too, either because of defensive or legal action, or simply as a result of software updates and new exploits being used to target different technologies for incorporation into the network.”
Because these networks change so often, full technical descriptions quickly become outdated and offer limited value for defenders. Still, most share a common structure: an operator enters through an on-ramp or entry node, then routes traffic across multiple compromised devices acting as traversal nodes, before exiting through an exit node that often sits near the target’s region. Understanding this basic flow helps defenders identify where they sit in the chain and improve detection and response strategies against these dynamic proxy-based networks.
NCSC provides tailored guidance for defending against covert networks built from compromised devices. It explains that defending against these attacks requires layered strategies matched to an organisation’s size and risk level, and that even these do not eliminate all risk.
All organisations should map internet-facing assets, baseline normal traffic, especially VPN and remote connections, and use dynamic threat feeds that include covert infrastructure indicators. They should also deploy multi-factor authentication and consider tools like the Cyber Action Toolkit and Cyber Essentials.
Higher-risk organisations should strengthen controls with IP allow lists, geographic and behavioural filtering, zero trust models, SSL machine certificates, and reduced internet exposure. They should also explore anomaly detection using machine learning.
The largest or most exposed organisations should actively hunt for signs of covert networks, track known infrastructure using threat intelligence, analyse NetFlow data, and integrate dynamic blocklists and alerts. For critical sectors, the Cyber Assessment Framework supports advanced defensive maturity.
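As an added illustration of the guidance above (baseline VPN and remote-access logins, consume a dynamic feed of covert-network nodes, expect those indicators to age out), here is a small Python check that is not part of the advisory or of any NCSC tooling. The log lines, the feed entries, the seven-day indicator TTL and the baseline cutoff are all constructed assumptions.

```python
"""Baseline-plus-feed check for remote-access logins.

Added example for this page: all log lines, feed entries, the indicator TTL
and the baseline cutoff are constructed; nothing here is NCSC tooling."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed VPN log lines: "<UTC timestamp> user=<name> src=<ip> asn=<org>"
VPN_LOG = """\
2026-05-04T08:01:10Z user=alice src=203.0.113.10 asn=CorpISP
2026-05-04T08:03:44Z user=alice src=203.0.113.10 asn=CorpISP
2026-05-04T09:15:02Z user=bob src=198.51.100.7 asn=CorpISP
2026-05-04T22:40:51Z user=alice src=192.0.2.77 asn=ResidentialCable
2026-05-05T02:11:09Z user=bob src=192.0.2.201 asn=ResidentialCable
""".splitlines()

# Constructed dynamic feed of covert-network nodes: (indicator, first_seen).
# Nodes churn quickly ("IOC extinction"), so each entry is only honoured for
# FEED_TTL after it was first seen and is then dropped.
FEED_TTL = timedelta(days=7)
COVERT_FEED = [
    ("192.0.2.77", datetime(2026, 5, 2)),     # fresh entry, still honoured
    ("192.0.2.0/24", datetime(2026, 4, 1)),   # stale entry, expired per TTL
]

BASELINE_END = datetime(2026, 5, 4, 12, 0)   # constructed learning cutoff


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def active_indicators(feed, now, ttl=FEED_TTL):
    """Return the feed entries younger than ttl as ip_network objects.
    A static copy of the feed would keep the stale /24 and miss new nodes."""
    return [ipaddress.ip_network(ind, strict=False)
            for ind, first_seen in feed if now - first_seen <= ttl]


def build_baseline(events, baseline_end=BASELINE_END):
    """Per-user ASNs and login hours learned from events before the cutoff.
    (A real baseline would use weeks of data, not three lines.)"""
    profiles = defaultdict(lambda: {"asns": set(), "hours": set()})
    for e in events:
        if e["ts"] < baseline_end:
            profiles[e["user"]]["asns"].add(e["asn"])
            profiles[e["user"]]["hours"].add(e["ts"].hour)
    return profiles


def evaluate(events, profiles, indicators, baseline_end=BASELINE_END):
    """List (user, src, reasons) for post-cutoff logins that hit the live feed
    or deviate from the user's baseline. Baseline deviation still fires when
    the feed entry has aged out, which is the point of layering the two."""
    findings = []
    for e in events:
        if e["ts"] < baseline_end:
            continue
        reasons = []
        src = ipaddress.ip_address(e["src"])
        reasons += [f"feed:{net}" for net in indicators if src in net]
        prof = profiles.get(e["user"])
        if prof is None:
            reasons.append("unknown_user")
        else:
            if e["asn"] not in prof["asns"]:
                reasons.append(f"new_asn:{e['asn']}")
            if e["ts"].hour not in prof["hours"]:
                reasons.append(f"off_hours:{e['ts'].hour:02d}")
        if reasons:
            findings.append((e["user"], e["src"], reasons))
    return findings


def run(now=datetime(2026, 5, 5, 6, 0)):
    """Run the whole check on the constructed data at the given wall clock."""
    events = [parse_line(line) for line in VPN_LOG]
    indicators = active_indicators(COVERT_FEED, now)
    return evaluate(events, build_baseline(events), indicators)


if __name__ == "__main__":
    for user, src, reasons in run():
        print(user, src, ", ".join(reasons))
```

The second finding is the instructive one: the /24 has expired from the feed, so only the baseline deviation (new ASN, off-hours login) catches that login.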
Federal Bureau of Investigation reports describe large China-linked botnets, such as Raptor Train, used for state-aligned cyber activity. In September 2024, researchers from Lumen’s Black Lotus Labs discovered the Raptor Train botnet, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by the China-linked APT group Flax Typhoon (also called Ethereal Panda or RedJuliett). The botnet has been active since at least May 2020, reaching its peak with 60,000 compromised devices in June 2023.
Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered.
(SecurityAffairs – hacking, China)
-
Malwarebytes
-
Medical data of 500,000 UK volunteers listed for sale on Alibaba
Half a million Britons signed up to help cure cancer. Their data ended up for sale on Alibaba.
The UK Biobank charity informed the British government of an incident concerning the medical data belonging to 500,000 British citizens being offered for sale on the Chinese e-commerce website Alibaba.
The National Data Guardian, Dr Nicola Byrne, said in a statement:
“People who generously share their health data to benefit others through medical research rightly expect it to be kept safe and for there to be accountability when things go wrong.”
Officials said the researchers downloaded the data under a legitimate contract, but its appearance on Alibaba shows how “approved” access can still turn into public exposure.
UK Biobank holds more than 15 million biological samples and detailed health records from volunteers recruited between 2006 and 2010, and researchers worldwide use it to study cancer, dementia, diabetes, and other chronic diseases.
UK Biobank normally signs contracts with vetted universities and private companies before it lets them access the data, but investigators traced the Alibaba listings to three research institutions. UK Biobank revoked their access and paused new data access while it strengthens security controls.
At least one listing reportedly contained data on all 500,000 volunteers, and Alibaba and Chinese authorities removed the adverts before anyone could confirm a sale.
The dataset comes from UK Biobank’s long‑running research cohort and includes genetic sequences, blood samples, medical imaging, and detailed lifestyle information used for global health research.
UK Biobank emphasizes that the data was “de‑identified,” meaning it didn’t include names, addresses, or NHS numbers. But it still contained granular demographics, such as gender, age, birth month/year, socioeconomic indicators, lifestyle details, and health measures. We have repeatedly seen that such data can be re‑linked to individuals by cross‑referencing with other public or commercial records.
Why China cares
US intelligence, policy reports, and academic work paint a consistent picture: China treats large, diverse human genomic and health datasets as a strategic resource for both economic and security reasons.
The US National Counterintelligence and Security Center (NCSC) explicitly states that the People’s Republic of China views bulk healthcare and genomic data as a “strategic commodity” to drive its biotech, AI, and precision medicine industries, and has invested billions in national genomics and precision‑medicine initiatives.
Large datasets from non‑Chinese populations are particularly valuable for building AI models and improving the global commercial competitiveness of Chinese pharma and biotech.
From an attacker’s or foreign intelligence perspective, UK Biobank is a “crown jewel” asset: It’s curated, high‑quality, population‑scale, and much more useful than random breach dumps. And because genetic data is immutable (unlike a password, it cannot be replaced), any compromise has very long‑term intelligence usefulness.
Last year, the Guardian reported that one in five successful UK Biobank access applications came from Chinese entities, including BGI, China’s flagship genomics company that was later placed on the US Entity List over concerns about its role in surveillance of minority populations.
China is not just stockpiling DNA for curiosity’s sake. It is building a global genomic map that covers adversaries as well as its own citizens.
Your genome data
There have been major concerns about genetic data ending up in the wrong hands, and for good reason. But I’m not going to say that volunteering your medical data for research is bad. Researchers often put the data to good use to help others.
But there are some good questions to ask before doing so.
- Who runs the project and where is it based? Prefer non‑profit or academic biobanks with clear public‑interest mandates and strong oversight, rather than opaque commercial data brokers.
- How do they store the collected data? Ask specifically about genomic data, raw sequencing files, links to medical records, and whether data is encrypted at rest and in transit.
- Who can access the data and under what controls? Look for a formal access committee, strict contracts, and technical controls like secure analysis environments and limited export options, not “download CSV and walk away” models like the one that enabled the UK Biobank incident.
- Are foreign entities allowed to access or copy the data? In light of US and UK government warnings about Chinese access to Western genomic data, it’s reasonable to ask whether data can be accessed, processed, or stored in jurisdictions with different security expectations.
- How do they handle re‑identification risk? As we’ve discussed, “de‑identified” is not a magic word. Privacy experts and US intelligence have warned that health and genomic data can often be re‑identified when combined with other datasets.
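To make the re‑identification point concrete (both the earlier note that granular demographics can be re‑linked and the question above), here is an added Python check that is not from UK Biobank, Malwarebytes or any named report. It measures how many records in a constructed “de‑identified” extract are singled out by the kind of demographic columns the article lists, and how coarsening those columns changes the picture; the column names and records are constructed assumptions.

```python
"""Re-identification risk check for a 'de-identified' extract.

Added example for this page: the records and column names are constructed
and are not UK Biobank data or fields."""
from collections import Counter

# Constructed records: no name, address or NHS number, but the granular
# demographics the article describes, plus one sensitive attribute.
RECORDS = [
    {"sex": "F", "birth_year": 1961, "birth_month": 3,  "deprivation_decile": 4, "smoker": "never"},
    {"sex": "F", "birth_year": 1961, "birth_month": 3,  "deprivation_decile": 4, "smoker": "former"},
    {"sex": "M", "birth_year": 1958, "birth_month": 11, "deprivation_decile": 9, "smoker": "current"},
    {"sex": "M", "birth_year": 1958, "birth_month": 2,  "deprivation_decile": 9, "smoker": "never"},
    {"sex": "F", "birth_year": 1965, "birth_month": 7,  "deprivation_decile": 1, "smoker": "never"},
    {"sex": "F", "birth_year": 1965, "birth_month": 7,  "deprivation_decile": 1, "smoker": "never"},
]
# Quasi-identifiers: columns an outside record (electoral roll, a public
# profile, a marketing file) could plausibly also contain.
QIDS = ("sex", "birth_year", "birth_month", "deprivation_decile")
COARSE_QIDS = ("sex", "birth_year", "deprivation_decile")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each quasi-identifier tuple."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size: k=1 means at least one record is unique."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records that are alone in their class, i.e. singled out by
    demographics alone before any linkage is even attempted."""
    classes = equivalence_classes(records, quasi_ids)
    singles = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return singles / len(records)


def low_diversity_classes(records, quasi_ids, sensitive):
    """Classes whose members all share one sensitive value: even with k>1,
    anyone who matches the class learns the sensitive attribute."""
    values = {}
    for r in records:
        values.setdefault(tuple(r[q] for q in quasi_ids), set()).add(r[sensitive])
    return [key for key, vals in values.items() if len(vals) == 1]


def generalize(record, year_bucket=5):
    """Release-side mitigation: drop birth month and bucket birth year."""
    g = {k: v for k, v in record.items() if k != "birth_month"}
    g["birth_year"] = record["birth_year"] - record["birth_year"] % year_bucket
    return g


def report():
    """Risk figures before and after generalization."""
    coarse = [generalize(r) for r in RECORDS]
    return {
        "raw_k": k_anonymity(RECORDS, QIDS),
        "raw_unique": unique_fraction(RECORDS, QIDS),
        "raw_low_diversity": len(low_diversity_classes(RECORDS, QIDS, "smoker")),
        "coarse_k": k_anonymity(coarse, COARSE_QIDS),
        "coarse_unique": unique_fraction(coarse, COARSE_QIDS),
        "coarse_low_diversity": len(low_diversity_classes(coarse, COARSE_QIDS, "smoker")),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Coarsening removes the unique records here, but one class still has a single smoking status, which is why access controls and secure analysis environments matter on top of de‑identification.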
If data containing your DNA is in someone else’s hands, you can’t take it back, but you can demand better governance and push institutions to treat genomic data as national‑security‑grade sensitive.
Exposure of this kind also calls for more skepticism toward highly targeted scams. Attackers can use large combined datasets to craft convincing spear‑phishing or health‑related scams, for example contacting you about a specific condition you or a family member has. Treat unsolicited health or DNA‑related emails, calls, and apps with extra suspicion.
-
Data and computer security | The Guardian

-
Private health records of half a million Britons offered for sale on Chinese website
Technology minister tells Commons ‘de-identified’ information from UK Biobank advertised for sale on Alibaba
The confidential health records of half a million British volunteers have been offered for sale on Chinese website Alibaba, the UK government has confirmed.
The “de-identified” data, belonging to participants in the UK Biobank project, was found for sale on three separate listings last week. Ian Murray, the technology minister, told the Commons on Thursday that, after working with the Chinese government and Alibaba, the records had now been removed. It is not believed any sales were made.
© Photograph: Dave Guttridge/UK Biobank/PA
-
SentinelLabs

-
LABScon25 Replay | Are Your Chinese Cameras Spying For You Or On You?
In this LABScon 25 presentation, Marc Rogers and Silas Cutler explore the complex, “shadow” supply chain of ultra-cheap Chinese smart home devices, specifically focusing on video doorbells and security cameras widely sold on mainstream online shopping platforms under various rotating brand names like Eken and Tuck.
Marc, who assisted the FCC Enforcement Bureau in its investigations, and Silas reveal how these devices often share identical hardware platforms powered by Allwinner semiconductors, a company heavily subsidized by the Chinese government.
Firmware analysis uncovered hardcoded root passwords and supposed security fixes that amounted to little more than commenting out vulnerable services from startup scripts rather than removing them. Despite appearing to use local cloud services, metadata and video content are frequently routed through servers in Hong Kong and China.
Rogers and Cutler trace a network of shell companies and fictional personas entirely absent from tax and voter records. These entities use non-responsive registered agents and PO boxes specifically set up to refuse legal service, effectively shielding the actual manufacturers from regulatory oversight and making enforcement nearly impossible.
The rapid iteration of hardware versions with no long-term support mirrors distribution patterns more commonly associated with malware campaigns.
While the investigation stops short of attributing direct malice, Rogers and Cutler argue that these devices collectively form a massive, vulnerable IoT surface that can be controlled through simple configuration pushes from overseas. Consumers are drawn in by low prices and subscription features, unaware that their data ultimately resides under foreign control.
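The two firmware findings above, a baked-in root password and a "fix" that only comments a service out of the startup script, are both things a reviewer can check mechanically once a rootfs has been extracted. The script below is an added example and is not code from the LABScon talk or from SentinelLabs: it runs the two checks over a constructed in-memory image (the paths, the telnetd/httpd service names and the shadow entries are illustrative, not taken from any real device) and reports which services are still started, which were disabled but left on disk, and whether root carries a usable password hash.

```python
"""Triage checks for an extracted firmware root filesystem.

Added example, not from the LABScon talk or SentinelLabs.  It flags the two
patterns the talk describes: a root account with a password hash baked into
/etc/shadow, and a startup script in which a network service was merely
commented out while its binary remains on the image.  SAMPLE_ROOTFS is a
constructed sample; every path and service name in it is illustrative.
"""
import json
from typing import Dict, List, Optional

# Constructed sample rootfs: path -> file text, or None for a binary that is
# present but whose contents do not matter to the checks.
SAMPLE_ROOTFS: Dict[str, Optional[str]] = {
    "/etc/shadow": (
        "root:$1$abcdefgh$0123456789abcdefghijkl:18000:0:99999:7:::\n"
        "daemon:*:18000:0:99999:7:::\n"
        "nobody:!:18000:0:99999:7:::\n"
    ),
    "/etc/init.d/rcS": (
        "#!/bin/sh\n"
        "mount -a\n"
        "# telnetd -l /bin/sh &     # 'fixed' in v2: disabled, not removed\n"
        "/usr/sbin/httpd -p 80 &\n"
        "/usr/bin/cloud_agent &\n"
    ),
    "/usr/sbin/telnetd": None,
    "/usr/sbin/httpd": None,
    "/usr/bin/cloud_agent": None,
    "/bin/sh": None,
}

# Password fields that mean "no usable password" rather than a real hash.
SHADOW_LOCKED = {"", "*", "!", "!!"}


def accounts_with_password_hashes(shadow_text: str) -> Dict[str, str]:
    """Return {user: hash} for every shadow entry carrying a real hash.

    A root entry here means the credential is identical on every unit that
    shipped with this image, which is what 'hardcoded root password' means
    in practice.
    """
    found: Dict[str, str] = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw not in SHADOW_LOCKED:
            found[user] = pw
    return found


def _resolve_binary(token: str, rootfs: Dict[str, Optional[str]]) -> Optional[str]:
    """Map the first word of a startup command to a file in the image."""
    if token.startswith("/"):
        return token if token in rootfs else None
    for path in rootfs:
        if path.rsplit("/", 1)[-1] == token:
            return path
    return None


def audit_init_script(script: str, rootfs: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Split startup lines into services still started and services that were
    only commented out while their binary is still present on the image."""
    report: Dict[str, List[str]] = {"started": [], "disabled_not_removed": []}
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#!"):      # skip blanks and the shebang
            continue
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        if not body:
            continue
        path = _resolve_binary(body.split()[0], rootfs)
        if path is None:                           # plain comment or shell builtin
            continue
        report["disabled_not_removed" if commented else "started"].append(path)
    return report


def triage(rootfs: Dict[str, Optional[str]]) -> dict:
    """Run both checks over one extracted image and summarise the result."""
    hashes = accounts_with_password_hashes(rootfs.get("/etc/shadow") or "")
    init = audit_init_script(rootfs.get("/etc/init.d/rcS") or "", rootfs)
    return {
        "hardcoded_root_password": "root" in hashes,
        "accounts_with_hashes": sorted(hashes),
        "services_started": init["started"],
        "services_disabled_not_removed": init["disabled_not_removed"],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROOTFS), indent=2))
```

On a real image, point the two lookups at whatever init system the firmware uses (rcS, inittab, or a vendor start script) and feed the full file listing in as `rootfs`; a service that shows up under `services_disabled_not_removed` can be re-enabled by a one-line configuration change, which is the point the talk makes about configuration pushes.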
About the Authors
Marc Rogers is Co-Founder and Chief Technology Officer for the AI observability startup nbhd.ai. Marc has served as VP of Cybersecurity Strategy for Okta, Head of Security for Cloudflare and Principal Security researcher for Lookout. In his role as technical advisor on USA’s “Mr. Robot” and the BBC’s “The Real Hustle”, he helped create on-screen hacks for both shows.
Silas Cutler is a Principal Security Researcher at Censys, with over a decade of experience tracking threat actors and developing methods for pursuit. Before Censys, he worked as Resident Hacker for Stairwell, Reverse Engineering Lead for Google Chronicle, and as a Senior Security Researcher on CrowdStrike’s Intelligence team.
LABScon 2026 | Call For Papers
Submission Deadline: June 19, 2026
LABScon is a unique venue for original research to be shared among peers. The benefit of an invite-only audience of researchers is that there’s no need for long preambles or introductions – speakers are encouraged to dive right into their technical findings.
- Original content only.
- Talks are 20 minutes long + 5 minutes for Q&A.
- Workshops are 90 minutes long.
- LABScon is primarily a threat intelligence and vulnerability research conference but we keep an open-mind.
About LABScon
This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.
Keep up with all the latest on LABScon here.

-
Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News
-
Mustang Panda Hits India and S. Korea with Updated LOTUSLITE Backdoor
Acronis reveals Mustang Panda is using an updated version of LOTUSLITE backdoor to target Indian banks and Korean diplomats. Learn how this DLL sideloading attack works.
-
bellingcat

-
Mining China’s ‘Little Red Book’ for Open Source Gold
The challenges of conducting open-source research in China are well-documented. Consistently named one of the most digitally oppressive countries in the world, China blocks some of the world’s largest social media platforms, such as Facebook, Google, and YouTube. Those that are still accessible are mostly Chinese-owned, strictly regulated and monitored in real time by AI systems as well as tens of thousands of “internet police”.
But despite these strict controls, Chinese apps – which boast more than a billion estimated users – remain an information goldmine for investigative journalists covering stories both within and outside China.
Since most foreign sites are banned, Chinese platforms are the largest resource available to journalists and researchers interested in what’s going on in the world’s second-most populous country. Even when a topic is being censored, patterns in the censorship can themselves serve as investigative leads: a 2020 BuzzFeed News investigation, for example, mapped out detention camps in Xinjiang by examining areas that had been blanked out on China’s Baidu Maps.
With millions of Chinese people living overseas, social media activity by members of the diaspora can also turn into global stories.
Serial rapist Zou Zhenhao, a Chinese PhD student, was jailed in London last year after one of his victims posted a warning on Xiaohongshu, also known as Little Red Book or Rednote, an app popular with young Chinese women living abroad. Another woman Zou had raped reached out to the original poster, who put her in touch with the police – leading to the conviction of a man described by police as possibly one of the worst sexual predators in British history.
Founded in 2013 as a Hong Kong shopping guide, Xiaohongshu has evolved into a lifestyle and e-commerce platform that has been compared with Instagram, Pinterest and Amazon. Last year, it reported about 300 million monthly active users, rivalling some of China’s largest social media platforms.

The app’s 600 million daily searches by the end of 2024 also accounted for half of market leader Baidu’s search volume, demonstrating that it is emerging as a critical search and discovery engine, not just a social platform.
Although primarily a Chinese-language app, Xiaohongshu gained attention in the English-speaking world last year, when millions of American TikTok users flocked to the platform in anticipation of a TikTok ban under US President Donald Trump.
Responding to the surge of international users – sparked by the #TikTokRefugees trend – Xiaohongshu rolled out an AI-powered translation feature, making the app more accessible to non-Chinese audiences. This also meant that journalists without Chinese language skills can more easily communicate on and navigate the platform.
Despite its growing popularity both within and outside China, the app is relatively new and underexplored compared to more well-established platforms such as Weibo.
This guide aims to provide a starting point for those looking to explore Xiaohongshu for open-source investigations, including an overview of its main user demographics, potential topics to explore and strategic search methods specific to the app.
User Demographics and Topics
According to Xiaohongshu’s official data, the platform’s demographic profile is mainly young, female and urban. As of 2024, 70 percent of its users were women, with half of all users belonging to Gen Z and living in China’s largest cities.
As previously mentioned, the app has also gained popularity with the Chinese diaspora. Many Chinese nationals living abroad use it as a search engine for local information, posting and searching for content related to their daily lives, from restaurant recommendations and apartment hunting to navigating foreign bureaucracies and finding community resources.
This demographic profile makes Xiaohongshu particularly well-suited for investigating stories about consumer fraud and urban livability issues. For example, Chinese outlets like Jiemian have used Xiaohongshu posts to expose the grey-market ecosystem of paid reviews and fake endorsements tied to the platform’s e-commerce model, while in 2022, International Financial News traced a mother-and-baby store scam that defrauded over 400 parents back to product recommendation posts on the platform.
Given its predominantly female user base, Xiaohongshu has also evolved into one of China’s most important spaces for feminist discourse and women’s issues. Academic researchers have used content on the platform to analyse local discussions on menstrual shaming, sexual harassment, and the controversial “divorce cooling-off period” introduced in 2021. As Rest of World reported, women have increasingly congregated on Xiaohongshu, where they outnumber male users and have found ways to trick the app’s recommendation algorithm so their posts are shown mostly to other women.
The Relevance of Censorship
Political content and current affairs about China are largely absent from the app – a result of both active censorship and platform design.
All Chinese social media platforms, including Xiaohongshu, operate under strict content moderation requirements from the Cyberspace Administration of China. A leaked 143-page internal document published by China Digital Times in 2022 revealed how Xiaohongshu censors respond to government directives in “real-time”, blocking content related to politically sensitive topics such as criticism of the Chinese Communist Party, labour strikes and student suicides. Xiaohongshu’s commercial focus also makes it less likely that these topics would be discussed on the platform: as Rest of World reported, the platform functions less like Weibo – a public square for current events – and more like “a giant mall, where shoppers tell each other what to buy”.
Coverage of international affairs is also tightly controlled: only state-owned or state-controlled news organisations can obtain licences to publish original news content. However, content about life abroad, particularly stories about the cost of living, healthcare, or social problems in Western countries, circulates more freely on platforms including Xiaohongshu, and provide journalists with insight into how Chinese diaspora communities engage with local political systems.
For example, when the 2025 Miss Finland was accused of making anti-Asian gestures, searching for “芬兰小姐” (Miss Finland) and “投诉” (complaint) on Xiaohongshu revealed a trove of collective action: users shared different complaint pathways, posted templates for filing reports, and documented various outcomes from their complaints.
For such large-scale public events, Xiaohongshu can be both an organising platform and a rich source for tracking how diaspora communities coordinate responses to discrimination, providing journalists with insight into grassroots activism and transnational advocacy networks.
Getting Started
Xiaohongshu is available for download on both Apple’s App Store and Google Play worldwide, or can be accessed via a web browser. In international app stores, the app appears under the name “RedNote,” but this is the same application as Xiaohongshu – content and accounts are shared across both. The key difference is that RedNote users who register with overseas phone numbers are automatically tagged as international users, which affects the content the algorithm surfaces to them.
For users who download the app outside mainland China, Xiaohongshu automatically detects the device language and location. Upon first login, international users are prompted with an option to automatically translate all content into English (or their device language). If enabled, posts and comments will display with translations by default, and the algorithm will prioritise English-language content and posts created by or for international users, such as expat influencers.
For researchers and journalists seeking to observe the platform as Chinese users experience it, consider disabling automatic translation. This allows you to see content as it natively appears and helps you distinguish between posts created for international audiences versus those created for domestic users – a distinction that matters when assessing how representative your sample is for the relevant topic.
The default home feed, or the “Explore” tab, is where the algorithm surfaces content based on your engagement history, location and user profile. The feed uses a grid layout displaying post thumbnails with titles and like counts.
On the top right corner of the screen, the search bar also allows keyword searches across posts, users and topics. Results can be filtered by content type (e.g. notes, videos, users or products) and sorted by relevance or recency.

Using the Search Bar
Xiaohongshu’s search function is relatively basic. You can search by keywords and filter by time and location, but the options are general: time filters include “past day,” “past week,” or “past six months,” while location filters offer “same city” or “nearby”.
For example, searching “Canada” returns posts tagged with that keyword, which you can then sort by recency or proximity.

For breaking news events, try searching location names or names of individuals involved in the incident, filtering for the most recent posts to capture real-time reactions and on-the-ground accounts before they’re censored or deleted.
Xiaohongshu primarily uses algorithms to curate and push content through personalised feeds. For journalists using Xiaohongshu for investigative purposes, it can be useful to actively search for topics of interest to train your algorithm – the more you search and engage with specific content, the more relevant posts the algorithm will surface to you.
However, if you are researching the platform itself – studying what content Xiaohongshu promotes, how censorship operates, or what narratives dominate – you may want to start from a clean slate. In that case, consider periodically turning off personalised recommendations (Settings → Privacy Settings → Personalisation Options), clearing your browsing history, clearing cached data, or using a fresh account to observe what the platform shows to a “neutral” user.
Language and Lingo
During the influx of “TikTok refugees” in January 2025, Xiaohongshu launched a translation feature for users outside mainland China, enabling the automatic translation of comments and posts.
However, this does not translate search queries. The platform’s search engine is still optimised for Chinese, though there is a “prioritise English” filter for overseas users, and searching in English will return some results.

But the language you search in shapes far more than just your results – it determines which version of the platform you see. When you search in English or use an international account, the algorithm treats you as a foreign user and surfaces content accordingly: influencers explaining why they love living in China, comparisons showing Chinese life favourably against the West.
This isn’t a neutral cross-section of the platform – it is a curated bubble. To access what Chinese users actually discuss among themselves, it would be more effective to search in simplified Chinese and, ideally, use a China-registered account if you have access to one. If you don’t read Chinese, you can also consider using a translation tool (Google Translate, DeepL, or an AI assistant) to convert your search terms into simplified Chinese before entering them.
Despite such tools and the in-app translation feature, it is always useful when researching using Chinese platforms to work with a native speaker familiar with the local context. They can flag when an innocuous-seeming term actually carries hidden meaning, and help identify coded conversations about a censored topic.
On Xiaohongshu specifically, this coded language extends beyond political topics to include anything the platform’s algorithm might flag as “vulgar” or promotional. For example, users substitute fruits and neutral terms for body parts or sexual content to avoid being flagged as inappropriate – the peach emoji for buttocks, or 炒菜 (“cooking”) for explicit material. They may also use abbreviations and emojis for commercial terms to evade anti-marketing filters, such as “vx” (the abbreviation of how WeChat is pronounced in Chinese) or “+绿” (“plus green”, apparently referring to WeChat’s green logo) for WeChat, or “米” (rice) or the moneybag emoji for money.
Advanced Search Strategies
For more sophisticated searching, consider using third-party marketing analytics tools like Xinhong and Qiangu, which can show trending topics, popular posts and engagement metrics, as well as identify key content creators posting about specific subjects.
For example, on Xinhong, when you search for “Canada” in Chinese, it also shows trending related searches such as “加拿大总理” (Canadian Prime Minister). Clicking through these suggestions leads to recent posts, for example posts about Mark Carney’s latest statements at Davos, along with user comments and reactions.

While these tools are designed for marketers, they provide journalists with valuable capabilities: tracking how topics evolve, identifying influential voices in specific communities, and discovering related hashtags or discussions that might not surface through basic platform search. These tools often require paid subscriptions but can significantly enhance research efficiency for long-term investigations.
Another valuable feature is Xiaohongshu’s group chat function, where users gather around shared keywords and topics—from city-specific communities to niche interests. These groups are often highly active and provide access to candid community discussions that don’t appear in public posts. To find relevant groups, go to Messages → Group Square, where you can browse categories or search by keyword and request to join.
Monitoring active group chats related to relevant topics, whether that’s a specific city, industry, or issue, can help journalists and researchers stay updated on emerging issues and detect potential story leads before they become widely visible on public feeds.
Preserving the Evidence
Chinese social media content can disappear quickly and without warning due to censorship, making immediate preservation critical.
Always take two preservation steps immediately upon discovering relevant content:
First, screenshot the entire post, including the URL, timestamp, username, like/comment counts, and location tags. These metrics establish context and authenticity. Use tools that capture full-page screenshots rather than just visible portions, as posts can be long and comments extensive. Second, archive the web page using services like archive.today or Wayback Machine. Note that these services capture only static content – comments and engagement metrics may not be fully preserved and should be screenshotted separately.
For Xiaohongshu specifically, always preserve the user’s unique ID found in their profile URL when viewed on a browser, which follows the format “user/profile/[unique ID]”. Users can change their display names, but this unique identifier remains constant, allowing you to track accounts over time even after name changes. This is critical for long-term investigations or when monitoring specific sources.
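The preservation steps above (capture the post with its metrics and timestamp, archive the page, and key everything on the stable profile ID rather than the display name) are easy to get wrong by hand when a link was copied with share parameters attached. The script below is an added example and is not part of the Bellingcat guide: it extracts the ID from a profile URL of the `user/profile/[unique ID]` shape the guide describes, and wraps a capture in a record that carries a UTC timestamp, the metrics seen at capture time and a SHA-256 of the screenshot bytes, so the screenshot can later be shown to be unmodified. The hostnames, paths, query parameters and screenshot bytes are constructed for the example, and the assumption that IDs are alphanumeric strings of at least six characters is mine, not the guide's.

```python
"""Evidence record for a Xiaohongshu post.

Added example, not part of the Bellingcat guide.  profile_id() pulls the
stable account ID out of a 'user/profile/<id>' URL (the path shape given in
the guide); evidence_record() bundles a capture with a UTC timestamp, the
engagement metrics observed, and a SHA-256 of the screenshot.  The sample
URLs, query parameters and screenshot bytes below are constructed; the ID
alphabet in _PROFILE_RE is an assumption.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Assumption: IDs are alphanumeric and at least six characters long.
_PROFILE_RE = re.compile(r"/user/profile/([A-Za-z0-9]{6,})/?$")

# Constructed sample inputs for a stand-alone run (not real posts or accounts).
SAMPLE_POST_URL = "https://www.xiaohongshu.com/explore/1234567890abcdef"
SAMPLE_PROFILE_URL = "https://www.xiaohongshu.com/user/profile/5f1a2b3c4d5e6f7a8b9c0d1e?share=copy"
SAMPLE_SCREENSHOT = b"\x89PNG\r\n\x1a\n constructed placeholder, not a real capture"


def profile_id(url: str) -> Optional[str]:
    """Return the stable account ID from a profile URL, or None.

    Query strings and fragments (share tokens, tracking parameters) are
    dropped first, so the same account yields the same ID however the link
    was copied; a trailing slash is tolerated.
    """
    parts = urlsplit(url.strip())
    m = _PROFILE_RE.search(parts.path)
    return m.group(1) if m else None


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a captured file, recorded so the file can be re-verified."""
    return hashlib.sha256(data).hexdigest()


def wayback_save_url(url: str) -> str:
    """The Wayback Machine's on-demand capture endpoint for a page."""
    return "https://web.archive.org/save/" + url


def evidence_record(post_url: str, profile_url: str, screenshot: bytes,
                    display_name: str, captured_at: Optional[datetime] = None,
                    metrics: Optional[dict] = None) -> dict:
    """Build the record the guide asks for: where, when, who, what was seen,
    and a hash that ties the screenshot to the record."""
    ts = captured_at or datetime.now(timezone.utc)
    uid = profile_id(profile_url)
    if uid is None:
        raise ValueError(f"not a profile URL: {profile_url!r}")
    return {
        "post_url": post_url,
        "profile_url": profile_url,
        "profile_id": uid,                       # survives display-name changes
        "display_name_at_capture": display_name,  # may change later; keep both
        "captured_at_utc": ts.isoformat(timespec="seconds"),
        "metrics_at_capture": dict(metrics or {}),
        "screenshot_sha256": sha256_hex(screenshot),
        "archive_request": wayback_save_url(post_url),
    }


def demo() -> dict:
    """Record for the constructed sample, with a fixed timestamp."""
    fixed = datetime(2025, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    return evidence_record(SAMPLE_POST_URL, SAMPLE_PROFILE_URL, SAMPLE_SCREENSHOT,
                           "example_display_name", fixed,
                           {"likes": 120, "comments": 14, "location": "Toronto"})


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, ensure_ascii=False))
```

Store the JSON next to the screenshot file, and keep the `archive_request` URL as the request you actually made rather than as proof of archiving: as the guide notes, the archive services capture static content only, so the metrics and comments still live in the screenshot and its hash.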

Xiaohongshu operates under the same legal and censorship constraints as all Chinese social media platforms, and researchers should approach it with appropriate caution. Content moderation is extensive: users who post about sensitive subjects risk having their content removed or their accounts suspended, and the platform is required to comply with government data requests. For researchers, this means the information you find represents only what has survived the censorship process.
That said, Xiaohongshu remains a remarkably rich resource for open-source research. Its strength lies precisely in its apolitical, lifestyle-oriented identity: while political discussion is suppressed, candid conversations about everyday life flourish. For journalists willing to invest in learning the platform’s rhythms, building Chinese-language search skills, and understanding its coded vocabularies, Xiaohongshu offers a window into how ordinary Chinese people talk among themselves – an area that remains largely untapped by international media.
The post Mining China’s ‘Little Red Book’ for Open Source Gold appeared first on bellingcat.