FBI Investigates Suspected Intrusion Affecting Wiretap and Surveillance Management Systems
The FBI confirmed it detected and remediated “suspicious activities” on its networks and said it is using “all technical capabilities” to respond, but provided no additional details on scope, impact, or attribution. Reporting citing an anonymous source indicated the activity may have affected a digital system used to manage and conduct surveillance, including workflows tied to foreign intelligence surveillance warrants, wiretaps, and pen registers (used to trace communications metadata such as IP addresses and dialed numbers).
Public reporting did not establish who was responsible or when the activity occurred, and it was unclear whether the incident is connected to prior compromises of U.S. lawful-intercept and surveillance-related infrastructure (including earlier reporting about Salt Typhoon activity targeting U.S. wiretapping systems). The incident follows a pattern of repeated targeting of U.S. government networks; the FBI has previously disclosed other intrusions and security events affecting parts of its environment, underscoring ongoing operational risk to sensitive investigative and surveillance support systems even when public details remain limited.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Report says breach exposed surveillance targets' phone numbers
On 2026-04-03, reporting said the compromised FBI surveillance system may have exposed phone numbers and related pen register and trap-and-trace metadata tied to surveillance targets. The report said such metadata could help a foreign adversary identify who the United States was monitoring and map associates' networks.
Justice Department formally designates FBI breach a major incident
On 2026-03-23, the Justice Department formally classified the China-linked compromise of the FBI surveillance system as a 'major incident' under federal law, signaling significant national security risk. The determination was followed by congressional notification and reflected the seriousness of the breach affecting sensitive surveillance-related data.
FBI classifies surveillance-system hack as a major cyber incident
By 2026-03-10, reporting said the FBI had designated the suspected Chinese intrusion into its surveillance data system a 'major cyber incident.' The designation signaled the bureau viewed the breach as especially serious and raised concern that sensitive information stored on FBI systems may have been accessed.
Report says investigators suspect China-linked hackers
On 2026-03-10, reporting said investigators suspected hackers affiliated with the Chinese government, though the FBI had not publicly confirmed attribution or a link to Salt Typhoon.
Investigation expands with interagency support and supply-chain lead
By 2026-03-10, reporting indicated the White House, DHS, and NSA had joined the investigation, and investigators were examining a possible intrusion path through a vendor's internet service provider, suggesting a third-party or supply-chain vector.
Senior DOJ and FBI officials are mobilized over legal and security risks
By 2026-03-05, senior FBI and Justice Department officials responsible for national security and civil liberties were engaged in the response because of the system's sensitivity and possible implications for active investigations.
News reports reveal FBI probe of wiretap and FISA warrant system
On 2026-03-05, multiple outlets reported that the FBI was investigating suspicious cyber activity affecting a digital platform used to manage court-authorized wiretaps and foreign intelligence surveillance warrants.
FBI notifies Congress about the surveillance-system incident
As the bureau assessed the potential impact, it notified members of Congress that a sensitive FBI system containing law-enforcement data and personally identifiable information was under investigation.
FBI contains suspicious activity and opens incident response
After identifying the activity, the FBI said it addressed the suspicious network activity using all available technical capabilities and launched an investigation to determine scope, origin, and whether any data was accessed.
FBI detects abnormal log activity on surveillance data system
On 2026-02-17, the FBI began investigating abnormal log activity affecting an unclassified but law-enforcement-sensitive internal system tied to wiretaps, pen registers, trap-and-trace data, and FISA warrant management.
Sources
Suspected Chinese breach of FBI system exposed surveillance targets’ phone numbers - Nextgov/FCW
nextgov.com
FBI Declares Surveillance System Breach a ‘Major Incident’
techrepublic.com
FBI declares suspected Chinese hack of US surveillance system a ‘major cyber incident’ - POLITICO
politico.com
Hackers may have breached FBI wiretap network via supply chain | Malwarebytes
malwarebytes.com
FBI investigating hack on its wiretap and surveillance systems: report | TechCrunch
techcrunch.com
FBI investigating ‘suspicious’ cyber activities on critical surveillance network | CNN Politics
edition.cnn.com
FBI investigating 'suspicious' cyber activity on system holding sensitive surveillance information - ABC News
abcnews.com
FBI declares suspected Chinese hack of US surveillance system a ‘major cyber incident - Infosec.Pub
infosec.pub


