
The Chinese internet censorship program, known as the Great Firewall of China, has suffered a major data leak. Over 500GB of internal documents, including the source code, work logs, internal communications, and others, revealed exports of surveillance tech to Myanmar, Pakistan, Ethiopia, and Kazakhstan.
- A 500GB leak from Geedge Networks, a key developer of China’s Great Firewall, exposes the export of mass surveillance technology.
- The technology includes advanced systems for monitoring populations, shutting down internet access, and tracking individuals.
- The firm exported surveillance tech to Myanmar, Pakistan, Ethiopia, and Kazakhstan.
The Great Firewall of China (GFW) is an umbrella term for a series of internet censorship systems in China, capable of detecting and blocking even encrypted VPN traffic.
The leak originates from a core technical force: the Geedge Networks company (its chief scientist, Fang Binxing, is known as the “father of the Great Firewall”) and the MESA Lab at the Institute of Information Engineering, Chinese Academy of Sciences.
A massive volume of highly sensitive data includes Jira (bug tracker), Confluence (wiki), GitLab (source code), and other documents.
On September 9th, 2025, an anonymous source leaked the highly sensitive data to Enlace Hacktivista, an independent, wiki-based platform that hosts and distributes hacked and leaked datasets.
Even before the data was made publicly available, a coalition of civil society and media organizations had analyzed it to reveal a Silk Road of surveillance. The company exported censorship systems and surveillance technology to Myanmar, Ethiopia, Kazakhstan, and Pakistan under the “Belt and Road” framework.
The leak reveals details on GFW’s research, development, and operations. The screenshots' timestamps suggest the data is from last year.
“The significance and far-reaching implications of this leak are substantial,” said analysts from the GFW Report (gfw.report), an internet censorship monitoring platform.
The Great Firewall of China (GFW) today experienced the largest internal document leak in its history. More than 500GB of source code, work logs, and internal communications have been exposed, revealing details about the development and operation of the GFW.
The leak originated…
gfw.report (@gfw_report), September 13, 2025
What has been discovered in the leak?
Media organizations, including the Globe and Mail from Canada, Der Standard from Austria, Follow the Money, researchers from InterSecLab, Amnesty International, Justice For Myanmar, the Tor Project, and Paper Trail Media, have been analyzing the 100,000 leaked documents for months.
They all confirmed that Chinese surveillance and censorship tech is for sale.
Researchers found that Geedge Networks markets itself as a conventional cybersecurity firm providing standard network management hardware and software. However, these systems empower governments to monitor entire populations, shut down the internet, and specifically target, track, and censor individuals.
Updated Pakistani firewall
The leak revealed that Geedge replaced the previous Pakistani firewall, using advanced technology. Pakistani authorities have obtained the technology from foreign companies through a covert global supply chain and used it to spy on millions, Amnesty International said in a report.
It mentions two highly advanced systems: the new firewall called the Web Monitoring System [WMS 2.0], and the Lawful Intercept Management System (LIMS).
China-based Geedge Networks provided the technology. Niagara Networks in the US and Thales in France supplied the firewall’s hardware and other software components. Meanwhile, LIMS used technology from the German company Utimaco through an Emirati company called Datafusion.
“Amnesty International believes that the technology provided by Geedge Networks is a commercialized version of China’s ‘Great Firewall,’ a comprehensive state censorship tool developed and deployed in China and now exported to other countries as well,” the report reads.
It helped the military junta in Myanmar
Another report from Justice For Myanmar, a covert group of activists advocating for justice and accountability for people in the country, found proof of significant collaboration between the illegal Myanmar military junta and Geedge Networks in implementing a commercial version of China’s Great Firewall.
The leak suggests that 13 telecommunication companies, internet gateways, and 26 data centers participated in implementing “surveillance and censorship technology” in the country.
“Geedge’s transfer of a commercialized version of China’s ‘Great Firewall’ gives the junta unrestricted access to the online activities of 33.4 million internet users in Myanmar,” reads the report called the “Silk Road of Surveillance.”
Another Geedge customer was the Ethiopian government, which often shut down the internet under the banner of national security and preventing the spread of disinformation and hate speech. The leak includes tables listing data centers and detailing major changes made to the configurations for each of them.
Kazakhstan, meanwhile, appears to be Geedge’s first customer. The relationship began after Kassym-Jomart Tokayev, who began his career as a diplomat in China in the Soviet embassy in Beijing, was elected president in 2019. Leaked images exposed lists of IP addresses belonging to a national center and 17 other cities running three separate Geedge products.
The report mentions another “unknown” country that contacted the Chinese company to help establish sophisticated internet censorship and surveillance systems.
Highly advanced interoperable tech
Geedge Networks solutions can detect the use of many different VPNs and other circumvention tools, such as Tor and Psiphon. Clients can request many features and capabilities, including DDoS-for-hire services, the ability to construct relationship graphs, flag users who change SIM cards or call international numbers frequently, and create geofences for specific users, as InterSecLab’s report details.
InterSecLab’s research mentions the “Cyber Narrator” tool, which is like the all-seeing eye – the carrier-grade Security Information and Event Management (SIEM) and Online Analytical Processing (OLAP) solution. This is the main user interface for clients. The tool is capable of tracking network traffic at the individual customer level and can identify the location of mobile subscribers in real time.
Another tool for aggregating analytics and mass surveillance is called TSG Galaxy. This data warehouse solution can collect and aggregate a significant amount of data about all internet users and data sent over the internet.
The flagship Geedge product, Tiangou Secure Gateway (TSG), functions as a carrier-grade or national firewall and traffic management solution. Its capabilities are similar to those of China's Great Firewall. Some of its capabilities include Deep Packet Inspection, identifying and blocking VPNs and circumvention tools, throttling traffic, monitoring, tracking, labeling, and blocking individual internet users, and infecting users with malware.
“Through the export of these technologies, China is not only extending its global influence but also laying the foundation for a federated system of internet governance,” InterSecLab said.
“Our findings raise concerns about the commoditization of surveillance and information control technologies.”
The leaked documents provide evidence of an emerging provincial firewall model in China, supplementing the National Great Firewall. Geedge Networks was working with several regional governments to build provincial firewalls with additional censorship rules differing from region to region.
The leak includes photos of business trips, including likely server rooms during TSG deployment.
The Chinese vendor also designed the products to be resilient to targeted sanctions – they’re interoperable with a wide range of hardware. However, Geedge Networks also offers its own hardware solutions. Its TSGX device utilizes hardware from Chinese server manufacturer Nettrix.
Investigations into the source-code portions of the leaked files are still ongoing.
FAQ
What is the Great Firewall of China?
The Great Firewall of China (GFW) is an umbrella term for a series of internet censorship systems and policies in China. The system detects and blocks various forms of internet traffic, including encrypted VPN traffic, to control information access within the country.
What is involved in the leak?
This is the largest leak exposing the Great Firewall of China so far. The data originates from Geedge Networks Ltd., a private Chinese company founded in 2018 with ties to the government, and MESA Lab, which is the processing architecture group of the Second Research Division at the Chinese Academy of Sciences.
Established in 2012, MESA is a key technical force behind the development of the Great Firewall, while Geedge commercializes and exports this censorship technology internationally.
The leak totals approximately 600 GB of data, including internal documents, communications, project management data, and source code repositories.
Fang Binxing, who is known as the “Father of the Great Firewall,” leads Geedge Networks as Chief Scientist with CTO Zheng Chao, who was also a co-founder of MESA Lab.
What did the leak reveal?
Leaked internal documents reveal that Geedge works directly with governments and Internet service providers (ISPs) to install surveillance and monitoring products. These products offer features such as tracking user locations and network access history, as well as blocking services and circumvention systems.
Which countries are using Geedge's censorship technology?
The leak confirmed international deployments in Kazakhstan since 2019, Ethiopia since 2021, Pakistan since 2023, and Myanmar since 2024. An additional unknown country is also mentioned only by the codename A24.
Job postings published by Geedge also mention Malaysia, Bahrain, Algeria, and India as potential deployment locations. The company claims to serve over 40 global operators, suggesting the actual scope may be much broader than what the leaked documents reveal.
In China, Geedge operates regional firewalls as part of a shift from centralized to distributed provincial censorship systems. A pilot project in Xinjiang appears to be serving as a template that can be replicated and adapted in other provinces.
What comprises Geedge’s surveillance suite?
The flagship product, serving as a multi-purpose firewall and monitoring device, integrating hardware and software, is the Tiangou Secure Gateway, or TSG. It provides deep packet inspection capabilities, detects and blocks VPN and circumvention tools, performs traffic shaping and throttling, enables real-time user tracking and monitoring, can inject malware into user traffic, and even has DDoS attack capabilities.
TSG Galaxy is a data storage and analysis pipeline for all collected internet traffic, functioning as a massive data warehouse designed for internet-scale surveillance.
Cyber Narrator is a user-friendly dashboard allowing non-technical government personnel to monitor internet activity and query surveillance data.
Network Zodiac (Nezha) monitors and manages all other system components, similar to Grafana.
The Sanity Directory (SAN) system handles user attribution, linking network traffic to real identities through integration with ISP authentication systems.
How does the system identify and block VPNs?
Geedge subscribes to various VPN services to study their network behavior. It operates a mobile device farm with multiple VPN applications under controlled conditions.
The company uses static analysis of decompiled source code, server lists, and dynamic analysis of network traffic while the VPN apps are running to identify blockable VPN patterns. Geedge boasts of “solving” nine major commercial VPN providers.
How does the system link internet activity to real people?
The systems use IP address assignment logs, subscriber authentication records, and mobile network signaling data. For example, in Pakistan it uses SIM card registration data linked to biometric information. To track users, SAN (one of Geedge’s systems) integrates with ISPs' existing signaling and certification, authorization, and billing protocols, such as RADIUS, 3GPP, and CGNAT.
What offensive capabilities does Geedge offer?
The system is equipped with online injection capabilities, which allow it to modify real-time HTTP sessions and inject malware into various file formats, including Android APKs, Windows executables, macOS disk images, Linux RPM packages, and office documents. It can also inject JavaScript, HTML, and CSS code and modify images, archives, and various other documents.
The DLL Active Defence system functions as a DDoS platform similar to those available on the dark web. It can hijack users' computers and include them in botnets to launch coordinated attacks.
The system can perform man-in-the-middle attacks against TLS-encrypted traffic. For this to work, root certificates on user devices are needed, which require user cooperation or device compromise.
Do governments have full control over their data?
No. The leak suggests that TSG Galaxy data is accessible to Geedge employees in China. Data snapshots are sometimes shared with MESA Lab students for research purposes. Geedge employees also have remote access to customer networks, which suggests that sensitive surveillance data from foreign governments is accessible to China.
Why do Western companies participate in this?
Foreign companies either become unwitting participants in the censorship infrastructure or they prioritize commercial interests in a complex global supply chain for technology that can be dual-use.
How can people access the leaked documents?
The leaked materials are available through Enlace Hacktivista, with detailed usage instructions provided by David Fifield on the Net4People forum. Researchers strongly recommend using appropriate operational security measures and assuming that the files may contain malicious content. Only analyze them in isolated offline environments.