Chinese hackers are targeting local users with watering hole attacks capable of bypassing Tor and VPN defences, according to a researcher at AlienVault.
Jaime Blasco reported uncovering the wave of attacks after Indiana University PhD student Sumayah Alrwais notified the firm through RSA Labs.
"[We've seen] a series of watering hole attacks that have been targeting NGO, Uyghur and Islamic websites since at least October 2013, with the most recent attack discovered a few days ago," read the report.
The attacks reportedly use several popular Chinese language websites associated with NGOs, Uyghur communities and Islamic associations to spy on privacy-focused web users.
Watering hole attacks infect computers with malicious code by hijacking trusted websites often visited by the victim and transforming them into malware-distribution tools.
Blasco explained that the use of JSONP allows the attackers to siphon off large amounts of data, including gender, birth date, real name and user ID, despite the victims' use of a VPN or Tor.
He added that the attacks are heavily targeted and do not exploit direct vulnerabilities in Tor.
"It is really important to understand the differences between anonymity and privacy. For instance, if you are using Tor or a VPN service that encrypts your communications, it is going to give you a certain level of privacy, but your anonymity is still at risk," he said.
"Anonymity is the idea of being 'non-identifiable' or 'un-trackable', but it is hard to remain anonymous if you are using services where you have revealed personal information and you browse other sites that can exploit vulnerabilities to access your personal information."
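The data exposure described above depends on a service answering JSONP requests for a logged-in user no matter which page includes them; Tor or a VPN changes the network path, not the session cookie the browser attaches. The following is an added example, not code from the AlienVault report: a server-side gate for such an endpoint, in which the allowlist, the request shape and the sample data are all assumptions.

```javascript
// Added example. ALLOWED_ORIGINS, the request shape and the sample values are constructed.
const ALLOWED_ORIGINS = new Set(["https://portal.example"]);
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]{0,63}$/;

// Origin of the page that issued the request, or null if it cannot be determined.
function requestingOrigin(headers) {
  const raw = headers["origin"] || headers["referer"];
  if (!raw) return null;
  try {
    return new URL(raw).origin;
  } catch {
    return null;
  }
}

// req: { headers: lowercase header map, query: { callback? }, session: profile | null }
function serveProfile(req) {
  if (!req.session) {
    return { status: 401, type: "application/json", body: "{}" };
  }
  const callback = req.query.callback;
  if (callback === undefined) {
    // Plain JSON: the same-origin policy stops other sites reading the response.
    return { status: 200, type: "application/json", body: JSON.stringify(req.session) };
  }
  if (!SAFE_CALLBACK.test(callback)) {
    return { status: 400, type: "application/json", body: "{}" };
  }
  // A JSONP response is loaded with <script>, which any site may include, and the
  // browser attaches the session cookie whether or not traffic goes through Tor or a VPN.
  // Fail closed: personal data goes only to pages on the allowlist.
  const origin = requestingOrigin(req.headers);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, type: "application/javascript", body: "" };
  }
  const body = `${callback}(${JSON.stringify(req.session)});`;
  return { status: 200, type: "application/javascript", body };
}

// Constructed requests: same logged-in session, different including pages.
const session = { userId: "u-1001", realName: "Example User", birthDate: "1990-01-01" };
const fromThirdParty = { headers: { referer: "https://news.example/article" },
                         query: { callback: "cb" }, session };
const fromOwnSite = { headers: { referer: "https://portal.example/home" },
                      query: { callback: "cb" }, session };
console.log(serveProfile(fromThirdParty).status, serveProfile(fromOwnSite).status);
```

Requests with no Referer or Origin header are refused as well, so a privacy setting that strips the header cannot be used to slip past the check.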
The news follows widespread concerns about efforts by law enforcement and government agencies to track VPN and Tor users.
Professor Sambuddho Chakravarty, from the Indraprastha Institute of Information Technology in Delhi, reported in November 2014 that nearly 80 percent of Tor users were vulnerable to network analysis attacks. The Tor Project has consistently denied this claim.
The US and UK governments have both argued that encrypted services such as Tor and VPNs hamper law enforcement and intelligence agencies' ability to track terrorist and criminal groups and are considering legislation curtailing their use.