Homeland Security Brief - June 2026
This brief highlights significant threats to US homeland security posed by China, Russia, Iran, and North Korea observed in June 2026.
Summary:
Observed Threats - Current activity that poses direct risk to US homeland security
The Five Eyes Intelligence Alliance issued a joint bulletin warning that Chinese intelligence is using LinkedIn to target military and government officials to gain classified information and recruit new sources.
A new report by OpenAI claimed that Chinese actors are using AI tools to generate disinformation to discredit US technology companies and generate inauthentic protests against the construction of AI data centers.
The Department of Justice announced charges against an Iranian-American for allegedly serving as the CEO of a Tehran-based technology firm that transshipped US computer networking equipment to the Iranian military and nuclear program.
Iranian cyber proxy group Handala announced multiple hacks of government and critical infrastructure targets in the US.
Horizon Threats - International activity that may pose future risk to US homeland security
French newspaper Le Monde reported a months-long effort by French authorities to break up a series of illegal Chinese “overseas police stations” in France.
OBSERVED THREATS
Current activity that poses direct risk to US homeland security
1. CHINESE INTELLIGENCE USING LINKEDIN AND FAKE JOB SITES TO TARGET MILITARY AND GOVERNMENT OFFICIALS
On June 3, the Five Eyes Intelligence Alliance issued a joint bulletin warning current and former government and military officials that intelligence officers of the People’s Republic of China (PRC) are using LinkedIn to cultivate relationships and recruit for fake jobs to develop potential sources.
The bulletin describes a five-step process that Chinese intelligence officers, posing as HR managers for think tanks or private consulting firms, use to cultivate and entrap applicants for defense and foreign policy analyst positions:
First contact: Recruiters post job ads on professional networking platforms and online hiring and freelance “gig work” websites like LinkedIn, Indeed, and Upwork. Resumes are ranked based on likelihood of access to sensitive information; recruiters begin their contact strategies.
Interview: When they are required, interviews are held virtually. Recruiters conceal their identity, and may start probing applicants about access to government contacts. Military members may be asked about their roles and unit activities, home base or naval vessel.
Initial testing: Candidates are asked to write a trial report on a topic such as China’s bilateral relations, the Indo-Pacific region, and related defense issues, or international trade.
Subsequent requests and platform shift: Recruits are informed that for additional reports, the client requires more privileged information. At some point in the recruitment process, intelligence officers typically move the conversation to a more “secure” platform, such as encrypted messaging applications.
Payment: Recruits receive anywhere from a few hundred to several thousand dollars per report, and may be offered more money in return for increasingly sensitive information. Payment methods include third-party payment platforms, such as PayPal, Payoneer, Zelle, Skrill, and Wise, as well as Western Union, e-transfer and cryptocurrency. Recruits will often be compensated by an account belonging to an individual they have not met as part of the recruitment process.
Additional Information:
On June 10, a week after the Five Eyes advisory was issued, the Federal Bureau of Investigation (FBI) announced that it had seized and taken down 13 websites operating fraudulent consulting companies used to solicit applications from US security clearance holders for fake positions such as “International Affairs Analyst” and “Security Analyst.” According to the Department of Justice (DOJ), the operators of the sites used multiple schemes to entice applicants and gain their trust:
The websites were typically linked or referenced within the entities’ job postings on hiring platforms. The methods and means used by the conspirators include (1) the use of aliases, fictitious personas, and the stolen identities of actual persons; (2) the use of Artificial Intelligence (AI)-generated photographs; (3) relatively large payments for research reports; (4) the use of Telegram and other encrypted applications; (5) pressure to provide “exclusive” or “insider” information; and (6) the transfer of money from places and accounts located overseas to places and accounts located in the United States.
While unstated in the DOJ press release, the operation bears the hallmarks of Chinese intelligence as the jobs sought information on topics of interest to Beijing.
Using LinkedIn and job sites like Indeed isn't a new tactic for Chinese intelligence services. US law enforcement and counterintelligence agencies have warned for years that Chinese actors use these platforms to target American security clearance holders.
2. CHINESE ACTORS USING AI TO CONDUCT DISINFORMATION CAMPAIGN IN US
A report released by US technology firm OpenAI on June 10 disclosed that the company had identified and disabled numerous accounts of Chinese origin used to generate content for social media campaigns opposing several US government and industry initiatives related to artificial intelligence. The content specifically protested US tariffs and trade restrictions targeting China's tech sector, the construction of data centers in the United States, and suspicions that AI labs were providing US intelligence agencies with user data for domestic surveillance. This material was laundered through inauthentic accounts on social media platforms such as X and made to appear to be the product of grassroots American activists.


The campaign was attributed to an unnamed Chinese technology firm working for a regional government client.
Additional Information:
Skeptical readers might assess that OpenAI is itself trying to deflect public criticism of AI infrastructure projects and data privacy concerns onto a limited PRC influence campaign. While there is reason to suspect motivated reasoning behind the reporting, the activities OpenAI has identified fit a broader pattern of Chinese actors attempting to influence US domestic public opinion on issues of key importance to the Chinese Communist Party (CCP) through “astroturfing” operations on social media.[1]
Between 2019 and 2022, Chinese-linked actors conducted a similar astroturf operation directed at US rare earth mineral ventures. According to Google’s Mandiant Threat Intelligence group, the “DRAGONBRIDGE” campaign used thousands of inauthentic social media accounts “including those posing as residents in Texas to feign concern over environmental and health issues surrounding the plant, including via posts to a public social media group predisposed to be receptive to that content.”

3. TECH CEO ARRESTED FOR SELLING NETWORKING EQUIPMENT TO IRAN’S MILITARY AND NUCLEAR PROGRAM
On June 3, the Department of Justice announced the arrest of a 63-year-old dual US-Iranian citizen, Jamshid Ghomi, for illicit technology trade with Iran in violation of US sanctions. Ghomi created a technology firm based in Tehran called Faraz Pardaz Rayaneh Co. Ltd. (FPR), which from 2011 to 2023 was used to transship US computer networking equipment through a series of fraudulent eBay and PayPal accounts to buyers in Iran via an intermediary in the United Arab Emirates. Customers for FPR notably included the Atomic Energy Organization of Iran and the Iranian Ministry of Defense.
According to the Department of Justice press release:
From 2017 to 2023, FPR supplied U.S.-origin computer networking equipment to the Atomic Energy Organization of Iran (AEOI) – the Iranian government agency responsible for Iran’s nuclear program, including its centrifuge and uranium-enrichment programs. The U.S. State Department sanctioned AEOI in 2020 for playing a leading role in Iran’s nonperformance of its nuclear commitments, including exceeding the limits on its uranium stockpile and enrichment levels. According to the affidavit, AEOI required FPR to register as an approved vendor, which it did in 2021 and 2022.
From 2014 to 2022, FPR supplied U.S.-origin networking, security, and encryption equipment to Iran’s Ministry of Defense and Armed Forces Logistics — the Iranian ministry responsible for research, development, and manufacturing across Iran’s defense enterprise -- and to affiliated military and defense-electronics entities. FPR’s 2017 contract with Iran Computer Industries, signed by Ghomi, expressly identified the buyer as the “Ministry of Defense and Armed Forces Logistics — Iran Computer Industries.”
Ghomi laundered the proceeds of the trade, which averaged over $10M per year, through a series of shell companies in the United Arab Emirates (UAE), Hong Kong, the British Virgin Islands, and Turkey. He used the money to build a $35M mansion in Southern California, which he claimed was funded through “foreign inheritance”.

Additional Information:
The use of UAE front companies is a recurring technique used by Iranian actors to skirt sanctions and transfer money and technology to the Iranian regime.
In January 2021, the DOJ charged two Iranian nationals living in Canada with smuggling US computer technology to Iran through front companies in the UAE.
In July 2025, the DOJ charged Bahram Mohammad Ostovari, a lawful permanent resident of the US and CEO of a Tehran-based engineering firm, with using two UAE shell companies to route sophisticated computer processors to Iranian government agencies between 2018 and 2025.
On May 29, 2026, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the FBI announced numerous actions against members of the “Sepehr Network,” an Iranian procurement group with members in Iran and Europe, for fraudulently representing US small businesses to transship US technology products through Dubai to Iran.
4. IRANIAN PROXIES CLAIM MULTIPLE HACKS
Handala Group Claims to Hack FBI Drones at World Cup
On June 12, SITE Intelligence Group announced that it had observed statements by Iranian cyber proxy Handala that claimed the group had access to real-time data from FBI drones used to secure the World Cup. However, SITE’s analysis found that some of the evidence provided by the group did not substantiate its claims.
Handala Group Claims Hack on California Water System
On June 11-12, the Tehran-linked hacker group Handala claimed it had breached systems tied to California Water Service (Cal Water), a utility serving roughly two million customers across more than 100 California communities, including Bakersfield, Visalia, Chico, Salinas, and Stockton. The group called the hack retaliation for alleged US military strikes on Iranian water infrastructure.
Independent analysis by cyber intelligence firm Dataminr found that the Handala hack of Cal Water compromised the RTKBase GNSS base-station platform for Chico Water District. Once inside Cal Water’s network, the group was able to move laterally into a customer billing system and exfiltrate roughly 5 GB of data, including customer names, addresses, and account credentials. Cal Water reported that preliminary findings showed no operational disruption to its water and wastewater systems.
Additional Information:
Handala has portrayed itself as a pro-Palestinian “hacktivist” group, but is generally believed to be directly affiliated with the Iranian regime.
Handala has conducted multiple cyber operations targeting the US and its allies in recent months. In addition to the operations listed above, Handala has claimed credit for hacking the personal email account of FBI Director Kash Patel, as well as the networks of US medical device company Stryker.
As noted in the Homeland Security Brief for April 2026, municipal water systems appear to be a preferred target for Iranian cyber groups, with documented intrusions dating back to at least the 2023 “CyberAv3ngers” attacks on the Municipal Water Authority of Aliquippa near Pittsburgh.
HORIZON THREATS
International activity that may pose future risk to US homeland security
5. FRANCE SHUTS DOWN NINE ILLEGAL CHINESE “POLICE STATIONS”
On June 18, Le Monde reported that since early 2026, France's counter-intelligence agency, the Directorate-General for Internal Security (DGSI), has shut down nine illegal overseas police stations operated by China’s Ministry of Public Security (MPS).
Additional Information:
As previously noted in May’s Homeland Security Brief, the US has pursued enforcement actions against Chinese transnational repression networks including an illegal overseas police station in Manhattan, and most recently a network of PRC operatives working as government officials in Arcadia, California.
This briefing was compiled by Dan White. For more information, corrections, or comments, please contact dan@opforjournal.com
[1] In an international context, astroturfing is the use of front groups by a foreign entity, particularly fake online personas, to represent domestic public opinion on a particular issue in order to create the false impression of authentic grassroots support or opposition.



