A substantial leak of over 500GB of internal documents, source code, work logs, and communications related to China’s Great Firewall has been confirmed by researchers. The data dump, which surfaced online on September 11, exposes the inner workings of China’s national traffic filtering system.
The leaked files are believed to originate from Geedge Networks, a company with ties to Fang Binxing, often referred to as the “father” of the Great Firewall, and the MESA lab at the Institute of Information Engineering, a research division of the Chinese Academy of Sciences. The leak reveals what appears to be complete build systems for deep packet inspection (DPI) platforms, as well as code modules designed to identify and throttle specific circumvention tools. According to researchers at the Great Firewall Report, a significant portion of the technology focuses on DPI-based VPN detection, SSL fingerprinting, and full-session logging.
The documents detail the internal architecture of a commercial platform called “Tiangou,” marketed as a turnkey “Great Firewall in a box” for Internet Service Providers (ISPs) and border gateways. Early deployments of Tiangou reportedly utilized HP and Dell servers before transitioning to Chinese-sourced hardware due to sanctions. A leaked deployment sheet indicates that the system was implemented across 26 data centers in Myanmar, with live dashboards monitoring 81 million simultaneous TCP connections. The system was operated by Myanmar’s state-run telecoms company and integrated into core Internet exchange points, enabling mass blocking and selective filtering.
The implications of this leak extend beyond China’s borders. Reports from WIRED and Amnesty International suggest that Geedge’s DPI infrastructure has been exported to other countries, including Pakistan, Ethiopia, and Kazakhstan, where it is often used in conjunction with lawful intercept platforms. In Pakistan, Geedge’s equipment is allegedly part of a larger system known as WMS 2.0, which is capable of blanket surveillance of mobile networks in real time.
The leak provides a rare glimpse into the engineering and commercialization of China’s censorship apparatus. The documents also reveal that Geedge’s system can intercept unencrypted HTTP sessions. Researchers are now analyzing the source-code archive; its build logs and developer notes could reveal protocol-level weaknesses or operational missteps that censorship circumvention tools could exploit.
The entire archive is currently mirrored by Enlace Hacktivista and others. Because of potential security risks, the archive should only be downloaded or examined in air-gapped VMs or other sandboxed environments.
The exposure of this information could have significant ramifications for internet censorship and surveillance practices globally.




