In early November 2025, Knownsec, one of China’s largest cybersecurity firms with direct government ties, experienced a catastrophic data breach that exposed over 12,000 classified documents.
The incident revealed the scale and sophistication of state-sponsored cyber operations, including detailed information about cyber weapons, internal hacking tools, and a comprehensive global surveillance target list. This breach marks a significant turning point in understanding the technical capabilities and geopolitical scope of organized state-level cyber espionage operations.
The compromised files contained far more than routine business data. Hackers successfully extracted technical documentation detailing collaborations between Knownsec and various Chinese government departments, the complete source code for proprietary internal tools, and spreadsheets listing 80 overseas targets that were allegedly already compromised. The leaked materials initially surfaced on GitHub before rapid removal, though copies had already circulated extensively within the cybersecurity research community.
Founded in 2007 and backed by Tencent in 2015, Knownsec employed more than 900 people across multiple offices in China, positioning the company as a critical node in China’s cyber infrastructure. Mrxn security analysts identified that the leaked documents reveal a comprehensive arsenal of offensive cyber capabilities. The company maintained sophisticated libraries of Remote Access Trojans capable of compromising Windows, Linux, macOS, iOS, and Android systems. Particularly concerning were Android-specific tools designed to extract message histories from Chinese chat applications and Telegram, enabling widespread communications interception.
The most revealing aspect of this breach concerns the geographic scope and data volume of compromised targets. International locations named in the leaked spreadsheets include Japan, Vietnam, India, Indonesia, Nigeria, and the United Kingdom.
The documents detailed stolen data sets of staggering proportions: 95 gigabytes of immigration records from India, 3 terabytes of call records from South Korean telecommunications company LG U Plus, and 459 gigabytes of road planning data from Taiwan. These figures demonstrate systematic long-term access to critical infrastructure and sensitive government information across multiple nations.
Beyond software tools, the leaked documents revealed hardware-based attack mechanisms, including a specially designed malicious power bank capable of covertly uploading data from connected victims’ devices. This level of technical sophistication indicates well-resourced, sustained operations aimed at high-value intelligence collection.
The Chinese government subsequently denied knowledge of the breach. Foreign Ministry spokesperson Mao Ning claimed unfamiliarity with the incident while reiterating official opposition to cyberattacks. However, this response notably avoided denying state support for cybersecurity firms conducting intelligence activities, suggesting such operations are viewed as legitimate national security functions.

