Massive Leak of Confidential Documents Exposes Chinese Communist Party’s Firewall Censorship Mechanism

The Chinese Communist Party’s Great Firewall (GFW) experienced the largest internal document leak in its history, revealing that key research and development institutions such as Geedge Networks Ltd. were not only involved in the construction of the Great Firewall but were also exporting detailed network censorship and monitoring technologies to countries like Myanmar, Pakistan, Ethiopia, and Kazakhstan.

On September 11, 2025, the Chinese Great Firewall, also known as the national firewall or data cross-border security gateway, experienced its largest internal document leak to date. Over 500GB of source code, work logs, and internal communication records were made public, detailing the research and development operations of the Great Firewall as well as the export of related technology overseas.

The leak originated from Geedge Networks Ltd., a significant technical force behind the Great Firewall, and the MESA laboratory of the Second Research Office of the Institute of Information Engineering of the Chinese Academy of Sciences.

The leaked documents reveal that these institutions not only provided services to governments in regions like Xinjiang, Jiangsu, and Fujian by constructing provincial firewalls but also exported censorship and monitoring technology under the framework of the Belt and Road Initiative to multiple countries.

According to the analysis by the GFW Report platform, which focuses on researching and tracking China’s internet censorship mechanisms, the leaked documents totaled approximately 600GB, of which a single file, mirror/repo.tar, serving as a storage server for RPM packages, took up 500GB. The leaked content includes complete source code, detailed work logs, internal communications, and specific project documents related to collaborations with multiple governments.

The platform conducts measurement experiments and publishes reports analyzing China’s Great Firewall and regional internet censorship systems.

The leaked documents expose key individuals and institutions involved in the Great Firewall technology export, with Fang Binxing, known as the “Father of the Great Firewall,” being a central figure in this system.

In late 2008, Fang Binxing founded the National Engineering Laboratory for Information Content Security (NELIST), initially under the auspices of the Institute of Computing Technology of the Chinese Academy of Sciences, before transferring to the Institute of Information Engineering of the Chinese Academy of Sciences in 2012.

In January 2012, some NELIST members formed a team within the Institute of Information Engineering and officially named it the Processing Architecture Team, with the English name MESA (Massive Effective Stream Analysis). This team played a critical role in the technical research and development of the Great Firewall, undertaking numerous major projects with annual contract revenues exceeding 35 million yuan.

In 2018, Fang Binxing established Geedge Networks Ltd. in Hainan, serving as the Chief Scientist. The core research and development personnel of the company mainly came from the MESA laboratory, with Zheng Chao serving as the CTO. The leaked documents show that many mentors and students from the MESA timeline appear in the git commit records of Geedge Networks Ltd., indicating close personnel ties between the two organizations.

According to the leaked documents, Geedge Networks Ltd. provided technical services to at least five countries: Kazakhstan, Ethiopia, Myanmar, Pakistan, and an undisclosed country codenamed A24. These countries are identified by codenames in the leaked materials, often comprising the initials of the country name followed by two years.

Kazakhstan was one of the first clients of Geedge Networks Ltd. following its establishment. Starting in 2019, the company sold its flagship product, the “TIANGOU Secure Gateway” (TSG), to the Kazakhstan government. This product, similar to the Chinese Great Firewall, has the capability to monitor and filter all network traffic passing through it, as well as detect and block circumvention activities.

In Ethiopia, Geedge Networks Ltd. began operations in 2021, partnering with local telecommunications operator Safaricom to deploy monitoring equipment in its regional data centers. The leaked documents indicate a temporal connection between the company’s equipment deployment and the social media blockade incident in Ethiopia in February 2023.

The leaked documents provide detailed insights into the powerful functions of Geedge Networks Ltd.’s product suite. The “TIANGOU Secure Gateway” (TSG) is the company’s flagship product, featuring capabilities such as deep packet inspection, real-time monitoring, traffic throttling, injection, modification, and the ability to attribute network traffic to real identities to identify and block circumvention tools.

TSG Galaxy is a data storage and analysis system that preserves metadata of TCP and UDP sessions and their protocols, including TLS, SIP, DNS, QUIC, etc. This system allows monitoring not only of internet traffic but also of phone calls, establishing a comprehensive communication monitoring network.

Cyber Narrator is a user interface designed for non-technical users to track network traffic at the individual customer level, associating activities with specific areas to identify the real-time geographical locations of mobile users. The system also enables government clients to view aggregated network traffic and identify individual users using circumvention tools.

Network Zodiac is a system that monitors other components, similar to Grafana, with the capability to SSH into any other host, providing customers with direct access to troubleshoot and manage network devices.

According to Geedge Networks Ltd.’s official website, the company is headquartered in Hainan, China, and is a national high-tech enterprise specializing in network intelligence, committed to providing innovative network intelligence and security solutions for customers. The core research and development team of the company comes from top Chinese universities and research institutions, with over 20 years of experience in constructing large-scale information security systems.

Geedge Networks Ltd.’s main products include the TIANGOU Secure Gateway (TSG), a machine learning-based (or AI-related) next-generation firewall, providing a feature-rich and convenient one-stop security solution tailored to the network border needs of large organizations.

The technical deployment of Geedge Networks Ltd. follows standardized processes. When deploying in a new country or region, company employees travel to the customer’s location and install hardware at government and local Internet service provider premises. The local ISP is an integral part of the system setup: it is required to give Geedge employees open access during installation and to explain its network scheme.

The hardware used for collecting and storing massive data is placed within the data centers of various ISPs. The system can be deployed in two main modes. Mirror mode (passive mode) mirrors data through a network TAP without affecting normal network operation. Online mode (active mode) requires traffic to pass through the device for inspection, which allows specific traffic to be blocked completely but impacts network speeds.

This unprecedented document leak not only reveals the internal operations of the Chinese Great Firewall project but more significantly exposes how these technologies are exported overseas through frameworks like the Belt and Road Initiative, providing several governments with the capability of network monitoring and censorship. The next part will analyze in detail the specific deployment of these technologies in various countries and their far-reaching implications for global internet freedom. (To be continued)