600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet

Hackers leaked 600 GB of data linked to the Great Firewall of China, exposing documents, code, and operations. Full details available on the GFW Report.

On Thursday, September 11, 2025, what is being described as the largest leak linked to the Great Firewall of China surfaced online, with nearly 600 GB of material allegedly containing source code, internal communications, work logs, and technical documentation from groups said to be involved in building and maintaining the system.

The data was leaked by Enlace Hacktivista, previously linked to the Cellebrite data leak. The collective claims that the documents were traced to Geedge Networks and the MESA Lab at the Chinese Academy of Sciences’ Institute of Information Engineering. Both have long been central to the Firewall’s research and development, with Geedge led by Fang Binxing, often called the “Father of the Great Firewall.”

According to the files, their reach spreads outside China’s borders, supplying censorship and surveillance technology to governments in Myanmar, Pakistan, Ethiopia, Kazakhstan, and others linked to the Belt and Road Initiative.

The published material is available for download through both BitTorrent and direct links. The package includes a massive mirror/repo.tar file weighing 500 GB, basically an archive of the RPM (Red Hat Package Manager) packaging server, alongside compressed document sets from Geedge and MESA. In total, the files contain tens of thousands of pages and repositories, offering a rare window into the infrastructure behind the Firewall.

What makes this data leak different from usual ones is the depth of detail. As analysed by Hackread.com, it is not a single whistleblower’s memo or a few emails, but a massive collection of raw operational data that traces years of development and collaboration. Analysts from Net4People and independent researchers are also putting together how these files describe the Firewall’s evolution, expansion, and export.

The file tree tells its own story

Even before digging deeper into the source code, the structure of the leaked archive gives clear insight into things. For example, geedge_docs.tar.zst and mesalab_docs.tar.zst contain thousands of internal reports, project descriptions, and technical proposals. File names like CTF-AWD.docx, BRI.docx, and CPEC.docx suggest connections to Belt and Road Initiative projects and international collaborations.

Project management records, such as geedge_jira.tar.zst, highlight day-to-day coordination between researchers and engineers, while communication drafts, like chat.docx and multiple schedule documents, show the granular planning that went into censorship operations. Even routine administrative files such as 打印.docx (Print) and reimbursement-related proofs indicate how deeply routine and bureaucratic this apparatus has become.

The mirror directory itself, with its exhaustive filelist.txt, is an archive of software packages supporting Firewall operations. It shows that the Firewall is not just a political project but also a technical one, maintained through packaging servers and code repositories, much like any large-scale corporate software system.

The background included in the leak provides a detailed timeline of MESA’s formation and growth. Established in 2012 at the Institute of Information Engineering, MESA grew quickly through talent programs, research grants, and government contracts. By 2016, it was handling projects worth more than 35 million yuan annually and contributing to national-level awards in cybersecurity.

When Geedge Networks was founded in 2018 in Hainan, Fang Binxing served as its chief scientist, bringing with him a cadre of MESA researchers and students. The company soon became a key private partner to Chinese authorities, supporting censorship operations not only domestically but also as an exporter of surveillance solutions abroad.

Experts may need months to analyse the source code, but the documents already back up what many observers have been claiming for years. The Great Firewall is not a fixed system; it is a growing network shaped by government contracts, research institutes, and private companies.

The hacktivists behind this leak warn that downloading and examining these files should only be done in isolated environments. Given the sensitivity of the content, there is always the risk that malware or tracking elements could be embedded in the archives. Still, for researchers and rights groups, the trove offers an opportunity to understand how the Firewall operates and how its influence spreads.

Analysts at Net4People and GFW Report plan to share more findings as they go through the source code. For now, the leak offers an unusual look at how the system operates, and it will take time to understand the full weight of what has been exposed.

Full details, including technical material and download links, are available at the GFW Report.