The Digital Silk Road of Surveillance: How China Exports Its Great Firewall
A leak of internal data from within the Great Firewall ecosystem has revealed the export of censorship and surveillance technologies far beyond the borders of the PRC. On September 9, 2025, an anonymous whistleblower delivered a 500 GB dataset to Enlace Hacktivista, an independent wiki community specializing in publishing hacked and leaked materials. The trove includes source code, operational logs, internal correspondence, and documents from Jira, Confluence, GitLab, and other systems. The materials point to deployments of Geedge Networks’ solutions in Myanmar, Pakistan, Ethiopia, and Kazakhstan—deployments not limited to private contracts, but extending to nationwide infrastructures capable of throttling access to the internet, tracking individuals, and blocking circumvention tools, even against encrypted traffic.
The leak is linked to the core technical teams of Geedge Networks and the MESA laboratory of the Institute of Information Engineering at the Chinese Academy of Sciences. The dumps contain research, development, and operational documentation of censorship systems, with timestamps on screenshots showing that much of the data is from 2024. Even before the public release, a coalition of human rights and media organizations analyzed the contents and described what they called a “Silk Road of Surveillance,” tying the export of censorship complexes to Beijing’s Belt and Road Initiative.
Roughly 100,000 files were examined over several months by The Globe and Mail (Canada), Der Standard (Austria), Follow the Money, InterSecLab researchers, Amnesty International, Justice For Myanmar, the Tor Project, and Paper Trail Media. All confirmed the commercial availability of Chinese censorship and surveillance systems. Their findings suggest that Geedge Networks presents itself as a conventional vendor of networking hardware and software, while in reality supplying turnkey infrastructures designed to monitor entire populations, shut down the internet, and selectively track, tag, and suppress individuals.
According to Amnesty International, Pakistan replaced its previous national filter with Geedge’s more advanced architecture. The report highlights two core subsystems: the Web Monitoring System (WMS 2.0) and the Lawful Intercept Management System (LIMS). Geedge provided the technological backbone, while U.S.-based Niagara Networks and France’s Thales supplied firewall platforms and software, and Germany’s Utimaco—via the Emirati company Datafusion—provided LIMS technology. Amnesty concluded that Geedge is effectively selling a commercialized version of the Great Firewall, first deployed domestically in China and now exported to third countries via concealed supply chains to enable mass surveillance of millions.
In Myanmar, Justice For Myanmar found evidence of extensive cooperation between the illegitimate military regime and Geedge in deploying a commercial analogue of the Chinese firewall. Thirteen telecom operators, 26 internet gateways, and multiple data centers were implicated, giving authorities unrestricted access to the online activity of 33.4 million users.
In Ethiopia, where the government has repeatedly shut down the internet under the pretext of national security or combating “hate speech” and disinformation, the leak includes tables of data centers and detailed records of major configuration changes.
Kazakhstan appears to have been Geedge’s first foreign client: cooperation began after Kassym-Jomart Tokayev’s election in 2019. The leaked images list IP addresses of the national network center and 17 cities where Geedge products were deployed in parallel. Another “undisclosed” country is also mentioned as having requested the rollout of an advanced censorship and surveillance system.
Geedge systems are built to detect and neutralize circumvention tools. At client request, they also provide expanded features: network graphing of relationships, identification of users who frequently swap SIM cards or make overseas calls, creation of geofences for tracking individuals, and even DDoS-for-Hire services. The central operator interface, Cyber Narrator, functions as a SIEM/OLAP environment, granting visibility into subscriber-level traffic and enabling real-time geolocation of mobile users.
For large-scale metadata aggregation, the TSG Galaxy platform consolidates records of all internet sessions. The flagship Tiangou Secure Gateway (TSG) acts as a backbone or national-level filtering and traffic management gateway, offering capabilities comparable to the Great Firewall: deep packet inspection, detection and blocking of circumvention tools, artificial throttling, user monitoring and tagging, account blocking, and even injection of malicious code on the subscriber side.
The leak also reveals the development of provincial-level firewalls within China to supplement the national framework. According to the documents, Geedge cooperated with regional administrations to implement local censorship rules varying by province. The data includes photos of official site visits and server rooms during TSG deployments. The architecture is deliberately resilient to targeted sanctions: its software components are designed to run on a wide array of hardware, though Geedge also offers its own platforms—the TSGX device, built on Nettrix server hardware.
Analysis of the source code fragments is ongoing. According to the GFW Report team, the scale and implications of this leak are both significant and long-lasting—not only for understanding the real architecture of Chinese censorship but also for tracking its cross-border expansion.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
