‘FlamingChina’: the Largest Cyber-Espionage Hack in China’s History

In April 2026, the global community of cybersecurity and international security experts found itself on high alert. The reason was a statement by an unknown hacker group or individual using the pseudonym “FlamingChina” claiming to have maliciously infiltrated the infrastructure of China’s National Supercomputing Centre in Tianjin and stolen over 10 petabytes of top-secret military and scientific-technical data. If this information is confirmed, the incident will be the largest known data theft in China in its entire digital history.

TIMELINE OF EVENTS

On 6 February 2026, a message from the FlamingChina group appeared on a Telegram channel, announcing the breach and providing the first samples of the stolen information. This date is considered the starting point for the public disclosure of the incident, although the actual intrusion into the centre’s systems took place much earlier.

The hackers claim that the data includes research findings in the fields of aerospace engineering, military development, bioinformatics, modelling of thermonuclear reactions and other cutting-edge areas. The samples of materials published by the attackers contain schematics and 3D renderings of military equipment — aircraft, missile systems and munitions.

The Tianjin Supercomputing Centre was opened in 2009 as the first facility of its kind in China. It serves over 6,000 organisations from the research, industrial and defence sectors, providing computing power for complex simulations and modelling.

WHAT EXACTLY WAS STOLEN

Among the organisations whose data was likely compromised are the Aviation Industry Corporation of China (AVIC), the Commercial Aircraft Corporation of China (COMAC) and the National University of Defence Technology. All these entities play a key role in China’s defence industry and the country’s scientific and technical capabilities.

The scale of the theft is staggering: one petabyte equals 1,000 terabytes, whereas a standard consumer laptop typically has only one terabyte of storage. Thus, 10 petabytes is a volume exceeding ten million gigabytes. By way of comparison: the entire digitised collection of the US Library of Congress takes up approximately 10 terabytes — meaning the stolen data is a thousand times larger.

Among the materials posted by the attackers as samples are documents marked ‘Secret’ in Chinese and Ukrainian, technical files, animated renderings and images of advanced weapons systems.

METHOD OF INTRUSION AND MODUS OPERANDI

Cybersecurity researcher Marc Hofer, who managed to establish contact with a person who identified themselves as the hacker FlamingChina on Telegram, reported that the attackers gained initial access via a compromised VPN domain. Once inside the infrastructure, a botnet was deployed — a distributed network of automated programs that gradually extracted data from the centre’s servers.

The data extraction process lasted around six months and went undetected by the centre’s security systems. The attackers’ strategy involved transmitting data in small bursts simultaneously from multiple servers, making it impossible to detect anomalous activity using standard monitoring tools.

FlamingChina likely succeeded precisely because it relied not so much on malicious software as on vulnerabilities in the supercomputer’s architecture itself.

EXPERT ASSESSMENTS

Despite the lack of independent verification of the full dataset, leading experts assess the likelihood of the samples being genuine as high. Dakota Cary, a consultant at cybersecurity firm SentinelOne, told CNN: ‘This is exactly what I would expect to see from a supercomputing centre. You use such centres for large-scale computing tasks. The variety of samples posted by sellers does indeed indicate a wide range of clients for this centre.”

At the same time, Cary noted that only a very limited group of actors could make use of such a vast array of information: only hostile state intelligence services likely have the capacity to process such a massive volume of data and extract operationally significant intelligence from it.

POSSIBLE CONSEQUENCES AND CONTEXT

The breach could potentially explain why, in March 2026, the profiles of several leading Chinese experts in the fields of aviation, nuclear weapons, radar and missile systems vanished without a trace from the website of the Chinese Academy of Engineering. This fact, which has not yet been officially commented on, fits with the hypothesis of a large-scale investigation launched by the Chinese security authorities.

In its 2025 National Security White Paper, the Chinese government itself identified the construction of ‘robust security barriers for the network, information and AI sectors’ as a priority, emphasising the need for coordinated cyber defence mechanisms for critical information infrastructure.