Alleged Leak of Chinese Military-Linked Data and Knownsec Cyber Operations Documents
A broad exposure of Chinese state-linked sensitive data resurfaced across underground and open reporting, combining claims of a massive leak from the National Super Computer Center in Tianjin with renewed circulation of previously stolen Knownsec corporate documents. One report described a threat actor using the name airborneshark1 and the alias Flaming China to advertise an alleged 10 PB dataset purportedly taken from the NSCC, a government-owned high-performance computing environment used by academic institutions, state-owned enterprises, and military-affiliated research partners. The available sample data was assessed by the source as likely genuine, although the full scale of the claimed exfiltration remains unverified and may imply prolonged access or insider assistance if authentic.
Separately, a partial re-release of the Knownsec leak revived reporting on more than 12,000 classified documents allegedly exposing the internal capabilities of a major Chinese cybersecurity firm tied to government and military work. The leaked material reportedly included multi-platform RATs, Android malware targeting chat data, hardware-based collection tools such as a malicious power bank, and spreadsheets identifying overseas targets in more than 20 countries, alongside evidence of large-scale data theft from India, South Korea, and Taiwan. The Kazakhstan Daryn Online and Tanzania BRELA breach reports describe unrelated criminal data-sale listings and do not match the China-focused state-linked leak activity covered in the relevant reporting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Alleged NSCC thief claims six-month botnet exfiltration operation
In a March 25, 2026 update, a Telegram user calling themselves 'Flaming China' allegedly claimed responsibility for the NSCC Tianjin intrusion, saying initial access came via a compromised VPN domain controller and that roughly 10 petabytes were exfiltrated over six months using a botnet for transfer and distributed storage. The report said the dataset had not yet been sold and was still under negotiation, though the claims remained unverified.
NSCC Tianjin sale post is re-listed to attract more interest
The sale post for the alleged NSCC Tianjin dataset was later re-listed in an apparent effort to increase buyer interest. Reporting noted that if the full claimed volume is genuine, the theft likely required prolonged access, lateral movement, and possibly insider help.
Alleged 10-petabyte NSCC Tianjin dataset advertised for sale
A dark web actor using the handle airborneshark1 advertised an alleged 10-petabyte dataset purportedly stolen from the National Super Computer Center of China in Tianjin. Sample data reportedly included internal directory screenshots, credentials, technical reports, radar-related data, and 2024-2025 weapons-effects modeling documents.
Partial Knownsec leak resurfaces on dark web
On March 18, 2026, a threat actor using the name Blastoize posted a free partial download of Knownsec documents. The material appeared to be a redistribution of the original November 2025 leak rather than a new breach.
Flaming China Telegram presence appears in early February
A group or alias calling itself Flaming China appears to have established a Telegram presence in early February 2026. Later sale posts attributed the alleged NSCC Tianjin data theft to this name.
Chinese government denies knowledge of Knownsec breach
Following reporting on the Knownsec leak, the Chinese government publicly denied knowledge of any breach and reiterated its opposition to cyberattacks. The statement was part of the official response to allegations tied to the leaked files.
Resecurity assesses Knownsec leak was likely caused by an insider
After the Knownsec leak emerged, Resecurity assessed that the exposure was likely the result of insider activity rather than an external intrusion. This attribution shaped understanding of how the data was obtained.
Knownsec breach first exposed with 12,000+ leaked files
In November 2025, the original Knownsec breach was first exposed, reportedly involving more than 12,000 classified files from the Chinese cybersecurity company. The leak was described as revealing offensive malware, hardware attack tools, surveillance target lists, and records of large-scale data theft.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
China supercomputer breach: 10 petabytes of military data allegedly stolen by ‘FlamingChina’ | brief | SC Media
scworld.com
Open source10 petabytes of sensitive data stolen from China's National Supercomputing Center, hackers claim - daring heist would be largest ever China hack, covering 6,000 clients across science, defense, and beyond | Tom's Hardware
tomshardware.com
Open sourceThe alleged breach of China’s National Supercomputing Center can have serious geopolitical consequences
securityaffairs.com
Open sourceHackers Claim to Have Stolen 10 Petabytes of Data from China's Tianjin Supercomputer Center
cybersecuritynews.com
Open sourceA hacker has allegedly breached one of China’s supercomputers and is attempting to sell a trove of stolen data - DataBreaches.Net
databreaches.net
Open sourceA hacker has allegedly breached one of China’s supercomputers and is attempting to sell a trove of stolen data | CNN
edition.cnn.com
Open sourceNSCC hack : UPDATE ! - NetAskari
netaskari.substack.com
Open sourceChina's massive data leak of military secrets ?
netaskari.substack.com
Open sourcePartial Leak of Knownsec Corporate Documents Resurfaces With Espionage Tradecraft, Offensive Cyber Tools, and Global Targeting Evidence
darkwebinformer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
KnownSec Data Breach Exposes Chinese Cyber Tools and Global Target Lists
Chinese cybersecurity firm KnownSec suffered a significant data breach, resulting in the leak of over 12,000 internal documents. The files, briefly posted on GitHub before removal, reportedly include details on KnownSec's contracts with Chinese government and military entities, internal hacking tools, and a spreadsheet listing 80 overseas targets. Analysis of the leaked data suggests the presence of remote access trojans (RATs) capable of compromising Linux, Windows, macOS, iOS, and Android systems, with some tools able to extract data from popular messaging apps such as Telegram and Chinese platforms. The breach also exposed large datasets, including 95GB of Indian immigration data, 3TB of call records from South Korea's LG U Plus, and 459GB of Taiwanese road planning data. Security researchers and analysts have described the leak as an intelligence gold mine, providing rare insight into the operations of a major Chinese cyber contractor. While the exact motivation behind the leak remains unclear—whether it was the act of a disgruntled insider or an external hack-and-dump operation—the incident highlights the scale and scope of KnownSec's cyber activities, including its role in mapping foreign digital infrastructure and developing tools for state-sponsored operations. The exposure of these documents is likely to have significant implications for both Chinese cyber operations and the security of the affected international targets.
Mar 21, 2026
Leaks Expose BlackBasta’s Supporting Infrastructure and China-Linked KnownSec Espionage Pipeline
Two major leak-driven investigations detailed how criminal and state-aligned cyber operations are enabled by supporting ecosystems. Internal chat logs attributed to the **BlackBasta** ransomware group—reportedly ~200,000 messages in a leaked JSON archive—were followed by a separate database leak tied to *Media Land*, which investigators linked to **Yalishanda**, a long-running bulletproof hosting provider allegedly used to support ransomware infrastructure (including server configurations, customer records, user accounts, and cryptocurrency wallet data). Separately, a large leak from Beijing-based security firm **KnownSec** was reported to expose a “vertically integrated” contractor model supporting China’s **Ministry of Public Security**, including the *ZoomEye* internet intelligence platform integrated with a classified “TargetDB” and references to offensive tooling (e.g., **GhostX**) used for reconnaissance, intrusion, and persistence. Other items in the set were not about these leak-driven exposures and instead covered unrelated topics: a PR firm’s Wikipedia manipulation (disinformation), a Citizen Lab job posting, generic ransomware resilience guidance, a general cyber-attacks timeline, a vendor’s 2026 threat landscape outlook, a law-enforcement disruption of a ransomware crew in Ukraine/Germany, a podcast on vulnerability management/incident response, an Olympics cybersecurity risk report, German legislative proposals expanding BND hacking/surveillance powers, and a malware-newsletter link roundup. Those references do not materially add to the specific story of the BlackBasta/Yalishanda infrastructure leaks or the KnownSec leak and should be treated as separate reporting streams.
Mar 21, 2026
Reports Highlight China-Led Expansion of Offensive Cyber Operations and Targeting of Defense and Critical Infrastructure
Multiple reports and leaked documents indicate **China-linked cyber operations** are expanding in scale and sophistication, with a strong emphasis on targeting government, telecommunications, and other strategic sectors. A Forescout *Vedere Labs* analysis cited by Cybernews reported China as the top origin of threat operations last year (210), with Russia and Iran also major contributors; the reporting also highlighted suspected China-linked activity tied to a multi-year compromise of South Korea’s **Onnara System**, including theft of civil servants’ **GPKI certificates and credentials**, and noted Taiwan’s National Security Bureau reporting an average of **2.63 million attacks per day** last year. Separately, leaked technical materials reviewed by Recorded Future News describe a purported Chinese internal training environment—part of an integrated system called **“Expedition Cloud”**—used to rehearse offensive cyberattacks against replicas of neighboring countries’ real-world networks, including **power/energy transmission, transportation, and smart home infrastructure**. In parallel, a Google Threat Intelligence Group report warned of a “relentless barrage” of nation-state activity against the **U.S. defense industrial base**, describing a shift beyond classic espionage into **supply-chain attacks, workforce infiltration, and battlefield-adjacent operations**; Google attributed much of the activity to **Chinese, Russian, Iranian, and North Korean** actors and noted continued Russian targeting of organizations supporting Ukraine, including phishing, malware aimed at mobile battlefield-management apps, and attempts to access encrypted messaging platforms.
Mar 21, 2026