Potential Leakage Suspected from CCP VPN Identification Database, Internet Security Company’s Monitoring Technology Exposed

China’s cybersecurity company Renzihang has recently experienced a suspected leakage of a batch of firmware files. Data released by cybersecurity accounts show that the related systems can identify dozens of VPN and proxy tools such as Clash, V2Ray, ProtonVPN, among others. Renzihang’s public documents indicate that their products have been used in network nodes such as operators, data centers, domain systems, and cloud services, and have been involved in the construction of the Chinese Communist Party’s network supervision system.

On July 11, the cybersecurity account NetAskari posted about Renzihang’s network warehouse where firmware programs are stored that appeared to be exposed. The post listed identification targets including software like Clash, V2Ray, ProtonVPN, Windscribe, TunnelBear, ExpressVPN, and more. Currently, there have been no complete original documents surfacing online, and no third-party technical personnel have published verification results.

Guangdong network engineer Chen Cheng (pseudonym) told reporters that these systems do not necessarily need to crack the encryption content of VPNs, but mainly identify traffic characteristics. He said, “Each VPN connects to the network differently, such as how connections are established, the size of data packets, how often connections are made, which servers are contacted, all these leave traces. Devices collect these characteristics, similar to creating a fingerprint database, which could roughly indicate which circumvention tool a user is using.”

Chen also mentioned that once the system identifies that a user is using a VPN, they could potentially throttle their internet speed, disconnect them, block server nodes, or even provide the user’s connection logs to regulatory authorities. He added, “The police may approach you and ask which foreign websites you have visited.”

Renzihang’s annual report for the year 2025 shows that the company owns a patent for a VPN traffic identification method and system based on multiple models. The technical direction involved in this suspected leak aligns with that patent. The annual report also indicates that the company has participated in the construction of the industrial Internet security monitoring platform for the Ministry of Industry and Information Technology of the Communist Party and more than twenty provincial units.

Renzihang’s public documents state that the company participates in building the “national-provincial-enterprise” three-tier technical support system, including internet data centers, internet access services, domain security, network security, and data security, with their products being applied in operators, internet data centers, cloud platforms and dedicated networks.

A technician, Feng He, who previously worked in the telecommunications industry in Tianjin, told reporters that operators have access to users’ real-name information and internet browsing records, network security companies are responsible for traffic identification, and regulatory departments determine how to handle the information, thus jointly enabling tracking of circumvention tool users. He mentioned, “The tech companies claim they only provide tools, but without them, the Communist Party finds it hard to systematically identify circumvention tool users on a large scale. However, when companies receive government projects, ordinary users might end up getting recorded, throttled, disconnected, or even investigated by the police.”

The mentioned software in the post includes open-source proxy tools, commercial VPNs, and products that help Chinese netizens circumvent censorship. Some tools allow users to set up nodes themselves, making it difficult to continuously block them just based on domain names or IP addresses. These systems do not need to read communication content, but can still identify encrypted traffic based on characteristics like data packet size, connection frequency, handshake methods, among others.

A Mr. Liu, who researches internet technology at a university in Hangzhou, stated that this Shenzhen-based company listed on the Shenzhen Stock Exchange’s Growth Enterprise Market Board has long been providing technology for the Communist Party’s network monitoring, with clients including police and telecommunications operators, making it a company dependent on government projects. He said, “Their products are installed at internet gateways and data centers, aiding authorities in monitoring networks. While ordinary people may use VPNs just to access blocked news or communicate internationally, they could be flagged as subjects for scrutiny by the system. The authorities are truly worried about people circumventing censorship, not about network attacks. They (the CCP) are the attackers.”

Established in 2000, Renzihang is headquartered in Shenzhen and went public on the Shenzhen Stock Exchange’s Growth Enterprise Market Board in 2012, primarily providing network security, traffic monitoring, and content identification systems to Chinese government departments and telecommunication operators. Public records indicate that the company has provided network security services for political events such as the 19th and 20th National Congresses of the Communist Party.

This suspected leakage incident still lacks a comprehensive technical report, and it cannot be conclusively stated that all VPNs listed in the post have been cracked. Mr. Liu believes that the leaked documents have revealed the path of commercial cybersecurity companies, operators, and regulatory departments jointly participating in network monitoring.