There has been a significant breach of one of the world's most sophisticated censorship systems, the Great Firewall, which is considered one of the most tightly controlled systems. This breach has led to the largest data leak to date for China’s Great Firewall.
Geedge Networks, a company directly responsible for developing and operating China’s internet control infrastructure, released a massive amount of data on September 11, 2025, that included 500 gigabytes of internal files and over 100,000 confidential documents.
In the cache, detailed blueprints of the DPI and filtering technologies which underpin Beijing’s digital censorship regime are available.
As a result of these leaked records, it is clear that not only has the tool been exported and sold to at least four authoritarian governments outside of China, but it has also been used to police information flows in China.
It is revealing in a way that no previous insight was available into the inner workings of the Great Firewall, and it raises urgent questions regarding the global spread of surveillance and censorship technologies sponsored by states.
GFW Report's researchers have found that the trove contains dozens of internal records, including proposals, research papers, and operational logs, as well as source code and RPM packages that were used in developing the filtering infrastructure.
In many of the documents, references can be found to projects related to China's Belt and Road Initiative (BRI), suggesting that the censorship technology is not only being considered in China but is often deployed outside the country’s borders as well.
As detailed by the internal notes of Geedge Networks, they also indicate that they have been providing services to provincial governments in regions like Xinjiang, Jiangsu, and Fujian, as well as exporting surveillance systems to foreign companies.
An investigation conducted by Cybernews reveals that the leaked suite of software also includes advanced tools that allow users to analyse traffic, such as Deep Packet Inspection (DPI) for traffic analysis, modules for detecting VPNs, Tor, and other circumvention tools, as well as features for traffic throttling, content monitoring, and potential user tracking, to name just a few.
Even though these capabilities appear extensive, experts warn that the exact functionality of the software is uncertain based on the fact that the source code has not yet been examined fully and that some of the leaked materials are still not entirely accurate. Researchers discovered that inside the leaks, they have found complete build systems for DPI platforms, as well as code modules designed for identifying and thwarting certain circumvention techniques.
The technical material focuses mainly on the detection of VPN networks, SSL fingerprinting, and the logging of full sessions of traffic in order to demonstrate how precisely the system has been designed to monitor and control Internet activity with its precision.
Great Firewall Report, the first group to authenticate this leak, noted in its report that the documents describe the architecture of Tiangou, a commercialised censorship system which was described internally as a "Great Firewall in a box." When international sanctions were imposed in response to Tiangou's earlier versions, the server was reportedly built on HP and Dell servers, but later switched to Chinese-made equipment.
A leaked deployment sheet shows how large the system is: according to the information on the leaked deployment sheet, in Myanmar the platform has been installed across 26 data centers that are directly connected to the nation's internet exchange points, making it possible for authorities to monitor 81 million simultaneous TCP connections, as well as enforce sweeping controls over online communication with their live dashboards.
Moreover, the documents also indicate that Myanmar's state-run telecom company was responsible for operating the installation, highlighting the significance of national carriers in enforcing digital censorship in Myanmar. The evidence also indicates that Geedge's DPI technology has been exported to a number of foreign countries outside Myanmar.
It is reported by WIRED and Amnesty International that deployments have occurred in Pakistan, Ethiopia, and Kazakhstan, and that they are often complemented by lawful intercept systems that can monitor mobile communications in real time.
According to reports, this technology is used to underpin a nationwide monitoring program known as WMS 2.0, which will oversee mobile communications on a massive scale throughout the country.
In addition to the leaked documents, earlier findings from May signal a shift in China's censorship architecture to a "provincial firewall" model that signals a move away from strict centralisation towards a more layered approach to regional control that is based on a more regional approach to censorship.
The decentralisation scheme appears to be aimed at increasing the degree of flexibility and efficiency of monitoring by allowing provincial authorities to tailor censorship and surveillance according to local circumstances, while adhering to the general national directives at the same time. As it turns out, the documents provided by China indicate that, under the Belt and Road Initiative framework, such technologies are being actively exported beyond Chinese borders.
It has been revealed that Geedge Networks, the company at the centre of the leak, has provided comprehensive censorship and surveillance platforms to Internet providers in Myanmar, Pakistan, Kazakhstan, Ethiopia, as well as to unknown countries—effectively replicating the digital authoritarian model that has become so prevalent in China on a worldwide basis.
The revelations about advanced surveillance capabilities for individuals and groups have been particularly troubling.
This paper demonstrates a variety of deep packet inspection systems, VPN/Tor/Psiphon detection systems, traffic shaping systems, and even malware injection systems, all accompanied by sophisticated dashboards that allow governments to monitor users in real time, and this can result in improved security.
As new technologies are developed, such as geofencing and trajectory mapping, individuals can be automatically flagged for entering specific areas, past movement patterns can be reconstructed, and high-risk individuals can be marked as high risk based on their behaviours, including frequent SIM swaps, use of circumvention tools, and interactions with foreign platforms.
In addition to these tools, there are tools for collective monitoring as well. This system can provide governments with unprecedented power to suppress dissent before it reaches the public square by displaying the real-time geographic distribution of monitored groups, detecting unusual gatherings, and identifying potential protests before they occur, which is even more concerning.
In the past few years, China has been waging a campaign of cybersecurity control and online censorship with its Great Firewall, which was designed to regulate virtually all internet activity within the country for years.
In its core is a deep packet inspection engine, which is capable of examining every data packet that passes through a network service provider, cross-referencing it to continuously updated blacklists containing keywords, IP addresses, and protocol signatures, and deciding whether, at any time, the data packet should be permitted, throttled, or blocked.
The system is enhanced by tampering with DNS, blocking IP addresses, filtering keywords, and real-time traffic shaping. Together, these measures form a comprehensive censorship barrier that obstructs access to foreign news outlets, social media platforms, and politically sensitive content, while at the same time logging user activity for government surveillance purposes.
It is because Geedge Networks, led by Fang Binxing, often referred to as the "Father of the Great Firewall," is developing the proprietary hardware, firmware, as well as the Secure Gateway software that drives this censorship engine to serve the needs of the US government.
There has been a substantial contribution made by the MESA Lab at the Institute of Information Engineering, which has contributed algorithms for detecting and resolving circumvention tools such as VPNs and proxy servers, transforming the technology into a fully functional turnkey product ready to deploy.
A researcher at the Great Firewall Report describes this exportable kit as “a great firewall in a box.”
As investigators pieced together the export trail, they discovered a striking correlation between cargo manifests, data centre footprints, and annotations on code that revealed the delivery of this technology to countries with severe restrictions on digital rights, countries already known for their harsh stance on digital freedoms.
Thousands of users in these regions suffer immediate and chilling consequences when such infrastructure arrives: news articles can suddenly disappear from their screens, messaging apps may cease working, or video calls to family members abroad can end mid-conversation without any warning. As a consequence of the firewall's capability of surveillance, civil society has been exposed to greater dangers just for speaking freely, which includes activists, journalists, and ordinary citizens.
In the face of China's layered defences, even the most advanced virtual private networks (VPNs) face mounting challenges. The DPI engine now utilises deep-learning classifiers, which are capable of detecting obfuscation protocols, so that it can throttle or block VPN traffic in real time in order to protect users.
Several VPN providers, including NordVPN and Proton VPN, have introduced stealth protocols specifically designed to counter these measures, but the battle remains on.
As censorship technologies develop, VPN developers are constantly on the lookout for ways to maintain access to a free and open internet, and they must strive to keep up to date with these technologies to ensure they remain a step ahead of them.
China's Great Firewall has been exposed in unprecedented ways through this massive leak, forcing the public to reassess China's policies far beyond its borders.
At its heart lies a troubling reality: these technologies were originally designed to consolidate state power in the domestic sphere, but now are being systematically exported across multiple continents, institutionalising digital authoritarianism.
As a result of the global diffusion of surveillance infrastructure, it is imperative to ensure transparency, stronger safeguards for internet freedom, as well as international cooperation, in order to counter this threat.
This type of turnkey censorship system poses a huge risk to top policymakers, civil society, and technology companies, and we must all work together to deal with it. Not only must we demand accountability from states that deploy them, but we must also strengthen resilient tools that can protect online expression and privacy from them.
This revelation should also serve as a warning to democratic nations that they should work hard to develop and support open-source, censorship-resistant technologies and promote policies that prioritise human rights in digital governance in order to combat the threat of censorship.
As communication is increasingly becoming an integral part of social, political, and economic participation in modern times, it is becoming increasingly apparent that the unchecked spread of such mechanisms threatens to redraw the boundaries of free speech around the globe.
As alarming as the leak may be, it offers us a rare opportunity to map these systems and develop countermeasures - before the digital iron curtain becomes the norm for securing our privacy around the world.
.jpg "Smart Glasses Face Opposition as Gen Z Voices Privacy Concerns")
.jpg)