China’s Great Firewall suffers its biggest leak ever as 500GB of source code and docs spill online — censorship tool has been sold to three different countries
Leaks tie China’s state-grade DPI gear to deployments in Myanmar, Pakistan, and beyond.

Chinese censorship sprang a major leak on September 11, when researchers confirmed that more than 500GB of internal documents, source code, work logs, and internal communications from the so-called Great Firewall were dumped online, including packaging repos and operational runbooks used to build and maintain China’s national traffic filtering system.
The files appear to originate from Geedge Networks, a company that has long been linked to Fang Binxing — widely described as the “father” of the Great Firewall — and from the MESA lab at the Institute of Information Engineering, a research arm of the Chinese Academy of Sciences.
Contained in the leak are what appear to be full build systems for deep packet inspection platforms, as well as code modules that reference the identification and throttling of specific circumvention tools. Much of the stack is geared toward DPI-based VPN detection, SSL fingerprinting, and full-session logging.
Researchers at the Great Firewall Report, who first verified and indexed the material, say the documents outline the internal architecture of a commercial platform called ‘Tiangou’, which is designed for use by ISPs and border gateways. They describe it as a turnkey “Great Firewall in a box,” with initial deployments reportedly built on HP and Dell servers before shifting to Chinese-sourced hardware in response to sanctions.
A leaked deployment sheet reveals that the system was rolled out across 26 data centers in Myanmar, with live dashboards monitoring 81 million simultaneous TCP connections. The system was reportedly operated by Myanmar’s state-run telecoms company and integrated into core Internet exchange points, thereby enabling mass blocking and selective filtering.
And it doesn’t stop at Myanmar. Partner reporting from WIRED and Amnesty International reveals that Geedge’s DPI infrastructure has been exported to other states — Pakistan, Ethiopia, and Kazakhstan being among the recipients — where it’s often used alongside lawful intercept platforms. In Pakistan, Geedge’s equipment allegedly forms part of a larger system known as WMS 2.0, which is capable of conducting blanket surveillance on mobile networks in real-time.
The scale and specificity of this leak offer a rare glimpse into how China’s censorship system is engineered and commercialized. WIRED’s reporting also describes how the leaked documents show Geedge’s system can intercept unencrypted HTTP sessions.
So far, researchers have only just begun to comb through the source-code archive, which remains largely unevaluated. However, analysts argue that the presence of build logs and dev notes could help identify protocol-level weaknesses or operational missteps that censorship circumvention tools may exploit.
The entire archive is now mirrored by Enlace Hacktivista and others, with researchers urging caution for anyone downloading or examining it. Air-gapped VMs or other sandboxed environments are strongly recommended.

Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.