A massive leak of approximately 600 GB of data associated with China’s Great Firewall has emerged, revealing internal documents, code, and operational details. Comprehensive information is accessible on the GFW Report.
On Thursday, September 11, 2025, the largest data breach tied to the Great Firewall of China surfaced online. The leaked archive contains what is believed to be source code, internal communications, project logs, and technical documentation from various entities involved in the system’s development and maintenance.
The breach was carried out by Enlace Hacktivista, a group previously associated with the Cellebrite data leak. They assert that the leaked materials can be traced back to Geedge Networks and the MESA Lab, which is part of the Chinese Academy of Sciences’ Institute of Information Engineering. Both entities play a significant role in the research and development of the Firewall, with Geedge led by Fang Binxing, widely recognized as the “Father of the Great Firewall.”
The leaked documents suggest that the Firewall’s influence extends beyond China’s borders, providing censorship and surveillance technology to various governments including Myanmar, Pakistan, and Ethiopia—nations associated with the Belt and Road Initiative.
How the leak surfaced
The leaked data is available for download via BitTorrent and direct links. The primary file, a substantial mirror/repo.tar weighing 500 GB, is essentially an archive of the RPM (Red Hat Package Manager) packaging server. Alongside this are compressed document repositories from Geedge and MESA, totaling tens of thousands of pages and repositories that present unique insights into the underlying infrastructure of the Firewall.
This leak stands out due to its depth and granularity, as noted by Hackread.com. Rather than a few emails or a single whistleblower’s notes, it offers an extensive collection of operational data reflecting years of collaboration and development. Analysts from Net4People and independent researchers are currently working to interpret how these files illustrate the Firewall’s evolution, its expansion, and its international outreach.
The file tree tells its own story
The structural organization of the leaked files already provides significant insights. For example, the archives geedge_docs.tar.zst and mesalab_docs.tar.zst harbor thousands of internal reports and project proposals. File names such as CTF-AWD.docx and BRI.docx indicate connections to projects under the Belt and Road Initiative, hinting at international cooperation.
Project management files, such as geedge_jira.tar.zst, reveal ongoing coordination among researchers and engineers, while documents like chat.docx, among others, showcase the meticulous planning embedded in censorship operations. Even routine administrative documents, such as 打印.docx (Print), underscore how bureaucratic this system has become.
The meticulous structure of the mirror directory, complete with a comprehensive filelist.txt, indicates an elaborate system of software packages that underpin Firewall operations. This suggests that the Firewall is not merely a political project, but a technologically intricate endeavor, managed in a manner akin to large-scale corporate software operations.
Tracing the roots of MESA and Geedge
The background within the leaked documents outlines significant details about MESA’s formation and growth trajectory. Established in 2012, MESA expanded rapidly through talent acquisition, research grants, and government contracts. By 2016, it was managing projects valued at over 35 million yuan annually and achieving national accolades for its contributions to cybersecurity.
Geedge Networks was founded in 2018 in Hainan, with Fang Binxing as chief scientist, bringing along many researchers from MESA. As a result, Geedge became a crucial partner to Chinese authorities, not only facilitating domestic censorship efforts but also exporting surveillance technologies internationally.
A Serious Data Leak
Experts anticipate that it will take months to thoroughly analyze the source code, but the documents already substantiate claims regarding the evolving nature of the Great Firewall. The system is not static; rather, it is a growing network influenced by collaborations among government agencies, research institutions, and private enterprises.
The hacktivists who released this information caution that accessing and analyzing these files should be done in isolated environments due to the sensitivity of the materials. There remains a risk of malware or tracking elements being embedded within the archives. Nevertheless, for researchers and advocacy groups, this leak offers a rare opportunity to understand the intricacies of the Firewall’s operations and its global implications.
Analysts from Net4People and GFW Report plan to release more insights as they delve into the source code. For the time being, the leak provides an unprecedented perspective on the operational framework of the Firewall, necessitating a careful exploration to grasp the full extent of what has been disclosed.
Detailed technical information and download links are available on the GFW Report.
