How to Protect Yourself From State-Linked Harassment: A Practical Guide Informed by the Alysa Liu Case

If you suspect you or your family could be targeted by a foreign government—because you’re outspoken, high-profile, or tied to a diaspora community—start with a layered plan. Lock down your digital accounts with strong passphrases and hardware-based two-factor authentication, use a password manager, and freeze your credit. For any suspicious outreach (calls, emails, DMs, in-person visits), document it carefully and notify local law enforcement and the FBI. Don’t engage directly; instead, preserve evidence, inform trusted contacts, and consult counsel if your safety or livelihood is at risk.

If you’re traveling to or appearing at events where a foreign government’s interests are at stake—such as competitions, conferences, or rallies—minimize your digital footprint. Use a “clean” travel phone and laptop, disable biometrics, turn off Bluetooth and Wi‑Fi when not in use, and coordinate with event security. Assume any unsolicited “official” outreach could be a social-engineering attempt until independently verified.

Why this guide—and what the Alysa Liu case illustrates

Reports and federal charges in recent years have described how state-linked actors seek to monitor, intimidate, or manipulate people living in the United States. One widely discussed example involved US figure skater Alysa Liu and her father, who were alerted by federal authorities that a purported operative tied to China had sought to surveil or obtain information about them, alongside monitoring of other US residents seen as dissidents. While the specifics of any one case differ, the pattern is recognizable: social engineering, impersonation, and persistent, low-level contact that aims to gather data, shape behavior, or sow fear.

This guide translates those lessons into practical steps anyone at elevated risk can follow—athletes, students, journalists, activists, researchers, community leaders, and families with ties to countries known to engage in “transnational repression.” It focuses on decisions you can make today, the trade-offs to consider, and what to do if you spot red flags.

Who this is for

• High-profile individuals (athletes, artists, founders, influencers) with international followings
• Diaspora community members, including students and scholars, who speak publicly on political issues
• Journalists, researchers, and NGO staff covering human rights, governance, or security
• Local community organizers and event hosts engaging with sensitive topics
• Families of the above, whose contact details or routines may be easier to probe

If you’re unsure whether you’re at risk, start with the steps in the next section; they’re broadly useful even if the threat turns out to be mundane.

Quick-start checklist: What to do this week

• Switch critical logins (email, cloud, bank, social) to unique passphrases in a reputable password manager
• Enable phishing-resistant 2FA (hardware security keys) on email and social media; turn off SMS codes where possible
• Freeze your credit with all three US bureaus; set bank/credit alerts for new payees and large transfers
• Create a simple incident log: date, time, contact method, screenshots, phone numbers, URLs, license plates
• Ask two trusted contacts to be “verification partners” for any unexpected “official” outreach you receive
• Review your public footprint: remove home address from people-search sites; switch to a PO box or virtual mailbox
• Update devices; uninstall unused apps; restrict app permissions; disable lock-screen previews
• For upcoming travel: plan a clean phone/laptop, disable biometrics, and prearrange event security contacts

How transnational repression typically operates

State-linked harassment doesn’t always look like spy movies. Common patterns include:

• Social engineering: Impersonating officials, coaches, journalists, or event organizers to elicit personal data, travel plans, passport details, or to arrange in-person meetings
• Persistent low-level contacts: Frequent “check-ins,” friend requests, or DMs that normalize communication, probe boundaries, and map your network
• Proxies and cutouts: Private investigators, community intermediaries, student groups, or online freelancers asked to “collect info,” “verify addresses,” or “deliver a message”
• Digital intrusions: Spear-phishing emails, malicious attachments, or links purporting to be event logistics, invitations, or tax forms
• Physical observation: Unexplained visitors, photography outside homes or practices, tailing by car, or “deliveries” asked to be signed for
• Pressure on family abroad: Messages implying risks to relatives if you don’t cooperate
• Smears and doxxing: Anonymous accounts circulating claims, addresses, or edited media to intimidate or isolate targets

None of these, alone, prove state involvement. But the combination—especially impersonation of officials plus pressure on relatives—warrants swift documentation and reporting.

Build a layered defense: The playbook

1) Fortify your accounts

• Passwords and managers: Use a reputable password manager to generate and store unique passphrases (at least 16 characters) for email, cloud storage, banking, social media, and your mobile carrier account
• Hardware-based 2FA: Prefer FIDO2/WebAuthn security keys for logins that support them; keep two keys and store one securely offsite
• Recovery hygiene: Remove backup email addresses you no longer control; update recovery phone numbers; create app-specific passwords only where required
• SIM-swap resistance: Add a unique PIN/passphrase to your mobile account; avoid publicizing your main phone number; consider a separate number just for 2FA

Trade-offs: Hardware keys drastically reduce phishing risk but add setup complexity and require spares. Password managers add a single point of dependency; mitigate with a strong master passphrase and recovery options.

2) Safer communications

• Verification ritual: For any “official” outreach, independently verify via a phone number or email you source yourself (not what the message provides)
• Messaging tools: Use end-to-end encrypted services for sensitive chats, and verify safety numbers/keys for high-stakes contacts
• Minimal metadata: Assume who you contact and when may be observed by third parties; avoid sharing itineraries or addresses in large group chats
• Phishing defense: Don’t open unexpected attachments; use cloud viewers; when in doubt, call the sender on a known number

Trade-offs: Encrypted messengers protect content but not necessarily metadata. Not all contacts can or will switch apps; meet them where they are but tighten verification.

3) Device and network hardening

• Updates: Keep OS, browsers, and key apps current; enable automatic updates where practical
• Browser security: Use a mainstream browser with strong sandboxing; disable unnecessary extensions; consider a separate profile for sensitive work
• USB and peripherals: Avoid unknown chargers/cables; use charge-only adapters; disable automatic device mounting
• Wi‑Fi and Bluetooth: Turn off in public spaces when not needed; avoid auto-join; prefer personal hotspots over public Wi‑Fi
• Antivirus/EDR: On desktop and Android, use a reputable endpoint tool; on iOS, prioritize OS updates and built-in protections

Trade-offs: Security software can add friction or false positives; keep it lean and favor vendors with transparent practices.

4) Travel security for events and competitions

• Clean devices: Bring a minimal, freshly set-up phone/laptop with only essential apps and data; log out and wipe upon return
• Biometrics off: Use a long passcode; disable Face/Touch ID to reduce compelled unlock risks
• Connectivity: Consider a local SIM/eSIM you can discard; keep radios off when not needed; assume hotel networks are monitored
• Rooms and venues: Use door wedges; store sensitive items in your possession; be cautious with in-room “maintenance” visits
• Media and officials: Prearrange security points-of-contact; never share passport or itinerary details via unsolicited calls or messages

Trade-offs: Clean devices reduce compromise risk but are less convenient. Local SIMs increase privacy from your home carrier but add cost and setup time.

5) Physical and home safety

• Address privacy: Use a PO box or virtual mailbox for mail and registrations; opt out of people-search sites where possible
• Delivery hygiene: Consolidate deliveries to secure locations; don’t sign for packages you weren’t expecting
• Cameras and lighting: Consider outward-facing cameras and motion lighting; be mindful of neighbors’ privacy and local laws
• Routine variation: Vary routes/times; establish safe meetup spots with friends/family

Trade-offs: Cameras deter some behaviors and provide evidence, but they also record your comings and goings; configure with privacy in mind.

6) Financial and identity safeguards

• Credit freeze: Freeze with all major bureaus; set fraud alerts; monitor reports annually
• Banking alerts: Enable notifications for new devices, payees, large transfers, and login attempts
• Document security: Store scans of IDs in an encrypted vault; shred sensitive mail; limit what you carry when traveling

7) Evidence and reporting

• Incident log: Keep contemporaneous notes with dates/times, contact details, screenshots, and any witnesses. Back up securely
• Reporting: In the US, contact your local police non-emergency line and the FBI tip line for suspected foreign-state harassment. If on campus, involve campus security and international-student offices
• Legal counsel: If interactions escalate—threats, extortion, or employment interference—consult an attorney experienced in harassment and privacy. They can coordinate preservation letters and advise on restraining orders where applicable

8) Community readiness

• Buddy system: Pair up for travel and events; share itineraries with a small, trusted circle
• Event playbooks: Organizers should publish clear verification channels for speakers/athletes; centralize logistics through a single secure portal
• Media posture: Prepare a short statement template and a request-for-comment workflow so you’re not caught off-guard by sudden publicity

Tools to consider (with trade-offs)

• Password manager
  • Look for: strong cross-platform support, encrypted sharing, emergency access
  • Pros: Unique credentials at scale; reduces reuse risk
  • Cons: Single point of dependency; requires a strong master passphrase
• Hardware security keys (FIDO2/WebAuthn)
  • Look for: multi-protocol support, NFC/USB-C, backup keys
  • Pros: Best defense against phishing and account takeovers
  • Cons: Setup friction; some services still don’t support keys
• Secure messaging apps
  • Look for: end-to-end encryption by default, safety number verification, disappearing messages, robust reporting tools
  • Pros: Strong content confidentiality
  • Cons: Contacts may resist switching; metadata may persist
• Travel phone and laptop
  • Look for: affordable, easy to wipe, minimal apps
  • Pros: Lower stakes if seized or compromised
  • Cons: Less convenient; potential app incompatibilities abroad
• Endpoint protection (desktop/mobile)
  • Look for: reputable vendors, minimal data collection, strong detection rates
  • Pros: Blocks common malware and risky sites
  • Cons: False positives; system overhead
• Home security kit
  • Look for: local storage options, granular privacy controls, clear retention settings
  • Pros: Deterrence and evidence
  • Cons: Ongoing subscription costs; privacy considerations
• Virtual mailbox/PO box and data-broker removal
  • Look for: services that handle major brokers; verify deletion
  • Pros: Reduces doxxing risk
  • Cons: Ongoing maintenance; not total removal
• OSINT/alerting
  • Look for: news/social alerts on your name, organization, and common misspellings
  • Pros: Early warning of smears or impersonation
  • Cons: Noise; requires curation

What’s changing in the US (and why it matters)

• More enforcement: In recent years, the US Department of Justice has brought multiple cases alleging efforts by foreign state-linked actors to harass or surveil people inside the US. While outcomes vary, the signal is clear: agencies encourage reporting and take patterns seriously
• Platform reporting: Major social and communications platforms now provide reporting flows for impersonation, targeted harassment, and coordinated inauthentic behavior. Verified channels help, but verification alone isn’t a guarantee—verification rituals still matter
• Institutional readiness: Universities, sports bodies, and event organizers increasingly publish security guidance and offer points of contact for threats, impersonation, and stalking. Use them—especially before travel

The result: You have more allies and formal channels than even a few years ago. But the first move—documenting and reporting—still has to come from you.

Red flags: When to act immediately

• You receive a call, text, or DM claiming to be from an official body and asking for passport numbers, Social Security numbers, or travel itineraries
• Someone insists on an urgent in-person meeting in a non-public place without verifiable credentials
• You notice unfamiliar vehicles repeatedly near your home or practice location; you’re photographed by the same person multiple times
• A stranger references private details that aren’t publicly available, especially about family members
• You get unexpected “deliveries” that require a signature or contain USB drives or SIM cards

What to do right away:

• End contact; don’t argue or explain
• Screenshot/photograph everything; note details and times
• Alert a trusted contact; avoid traveling alone for the next 24–48 hours
• File reports with local police and the FBI; notify relevant institutional security (team, school, employer)

Key takeaways

• Verification beats intuition: Treat every “official” outreach as suspicious until independently confirmed
• Hardware keys are worth the hassle: They dramatically cut phishing and account takeovers
• Clean travel devices are the gold standard: They minimize what you can lose if something goes wrong
• Documentation is your friend: Meticulous logs help law enforcement connect dots you can’t see
• You’re not alone: Law enforcement, institutions, and platforms have become more responsive—use them

Frequently asked questions

Q: How do I know if harassment is state-linked or just a random scam?
A: You usually won’t know at first. Focus on behavior: impersonation of officials, interest in your travel or IDs, pressure referencing family abroad, or repeated probing over time. Document and report; let investigators determine attribution.

Q: Should I confront someone I suspect is surveilling me?
A: No. Don’t escalate. Prioritize safety: leave the area, note details (appearance, vehicle, direction), and report to authorities. Confrontations can increase risk and compromise evidence.

Q: Are VPNs enough to keep me safe online?
A: VPNs can reduce exposure on untrusted networks but don’t stop phishing, account takeovers, or device compromise. Start with strong account security, updates, and cautious behavior. Use VPNs as a complement, not a cure-all.

Q: What if my relatives abroad are being pressured?
A: Document what you learn, avoid discussing sensitive topics on insecure channels, and consult legal counsel in your country. Share concerns with law enforcement; they may have protocols for these situations.

Q: Is it safe to bring my regular phone to high-risk countries?
A: It’s safer to bring a clean device with minimal data and apps, use a strong passcode (no biometrics), and assume devices may be inspected. Wipe the device after return and rotate critical passwords.

Q: Can my sports team or university actually help?
A: Yes. Many institutions have security teams familiar with these threats and can coordinate with law enforcement, adjust travel logistics, and provide verification channels for legitimate communications.

—

This guide is for general information and does not constitute legal advice. If you believe you’re in immediate danger, call emergency services.

Source & original reading

• WIRED: https://www.wired.com/story/the-weird-twisting-tale-of-how-china-spied-on-alysa-liu-and-her-dad/