Chinese firm tied to Uyghur rights abuses now training Tibet police on hacking techniques

A Chinese state-owned company that was previously sanctioned by the U.S. for facilitating human rights abuses against Uyghurs is now training police officers in Tibet on hacking techniques and digital forensics, according to a watchdog organization.

SDIC Intelligence Xiamen Information Co Ltd, a digital forensics company better known as Meiya Pico, won a contract in mid-2023 to build two labs at the Tibet Police College: one on offensive and defensive cyber techniques and the other on electronic evidence collection and analysis. Details of the approximately $1.32 million contract were analyzed and released on Wednesday by Turquoise Roof, a research network focused on Tibet. 

The contracts include “servers for the cyber range, network switches, intrusion simulation software, forensic workstations and] evidence storage systems,” the researchers said. 

Founded in 1999 as an independent company, Meiya Pico is now state-owned, and as of 2019 it reportedly had a 45% market share of China’s digital forensics market. Its products have raised controversy globally for their invasiveness, including a spyware app called MFSocket that police have allegedly installed on phones throughout the country during inspections of smartphones. 

The app can reportedly harvest a phone’s data, like call logs, messages and GPS locations. The company also supplies hardware that police use for scanning devices.

While Meiya Pico’s involvement in Tibet may not come as a surprise, the contracts indicate a streamlining of surveillance operations, said Turquoise Roof cofounder Greg Walton. As a massive leak of documents in 2024 from the Chinese cybersecurity firm i-Soon showed, the government typically contracts with private firms to carry out hacking operations. 

“Meiya Pico’s new training lab in Lhasa cuts out the middleman: directly handing local police advanced surveillance capabilities to target Tibetan dissidents at home and abroad,” Walton told Recorded Future News. 

Given that Meiya Pico has conducted cyber training in dozens of countries throughout the world and exports its tools to countries like Russia, Walton said people should be concerned about “how targeted surveillance tools tested on Tibetans today become the cyber threats of tomorrow.” 

According to the company, it has conducted training courses in 30 countries as part of China’s Belt and Road Initiative.

In December 2021, the U.S. Treasury identified Meiya Pico as one of eight entities “support[ing] the biometric surveillance and tracking of ethnic and religious minorities in China.” Two years before, the Commerce Department blacklisted the company for its Xinjiang surveillance activity. 

A report released this week by Human Rights Watch documented the tightening surveillance tactics used to monitor Tibetans both inside and outside the country. At least 60 people have been arrested for alleged offenses related to internet or phone use since 2021. Infractions can include having material related to Buddhism on a device, communicating with the outside world, and promoting Tibetan language and culture on social media.

Earlier this month, the U.K.’s National Cyber Security Centre (NCSC) and other international intelligence agencies said hackers are deploying spyware to snoop on Uyghur, Tibetan and Taiwanese individuals and civil society organizations. 

“We are seeing a rise in digital threats designed to silence, monitor, and intimidate communities across borders,” NCSC Director of Operations Paul Chichester said in a statement.