
Chinese Surveillance Network Breach Exposes 4 Billion Records

Impact: CRITICAL User Risk: HIGH

In June 2025, China experienced the largest data breach in its history when cybersecurity researchers discovered a massive 631-gigabyte database containing over 4 billion records exposed without password protection. The breach affected hundreds of millions of Chinese citizens, exposing sensitive personal information including:

  • 805 million WeChat user IDs
  • 780 million home addresses with geographic identifiers
  • 630 million banking records with payment card numbers and birthdates
  • 300 million Alipay card and token details

Discovered by cybersecurity researcher Bob Dyachenko and the Cybernews research team, the database contained 16 distinct collections of data that researchers believe was meticulously aggregated for surveillance, profiling, or data enrichment purposes. The leaked information enables everything from large-scale phishing and identity theft to state-sponsored intelligence gathering and sophisticated social engineering attacks. The database’s owner remains unidentified, and affected individuals have no direct recourse or notification channels.

The Discovery and Scale of the Breach

In May 2025, cybersecurity researcher Bob Dyachenko of SecurityDiscovery.com, working alongside the Cybernews research team, discovered an unsecured database during routine internet scans. The database was found sitting openly on the internet without even basic password protection, making it accessible to anyone who stumbled upon it. The infrastructure was quickly taken offline after discovery, but not before researchers documented the contents of what would become known as the largest single-source leak of Chinese personal data ever identified, as reported by Cybernews.

The sheer magnitude of the breach is staggering:

  • 631 gigabytes of data
  • Approximately 4 billion records
  • 16 distinct collections

To put this in perspective, this breach dwarfed previous major incidents, including the 2022 Shanghai police database leak that exposed 1 billion citizens’ records and a January 2025 incident that affected 1.5 billion records from Weibo, DiDi, and other platforms.

The database’s organization and scope suggested this was not a random data dump but rather a meticulously curated centralized aggregation point. According to CSO Online, the researchers concluded that the dataset was “meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.”

What Data Was Exposed

The database consisted of 16 distinct collections, each containing different categories of personal information:

Major Collections:

  • “wechatid_db” – Over 805 million WeChat user identifiers. WeChat, owned by Tencent, is China’s ubiquitous super-app used for everything from messaging to payments to social networking, making this exposure particularly damaging.
  • “address_db” – Over 780 million residential addresses with geographic identifiers, essentially creating a comprehensive location database of Chinese citizens.
  • “bank” – Over 630 million financial records including payment card numbers, dates of birth, names, and phone numbers, creating a goldmine for financial fraud.
  • “three-factor checks” – Over 610 million records that researchers believe included national ID numbers, phone numbers, and usernames—the holy trinity of identity verification data.
  • “wechatinfo” – Nearly 577 million records of WeChat metadata, potentially including communication logs or even user conversations, according to SpyCloud’s analysis.
  • “zfbkt_db” – 300 million records linked to Alipay cards and tokens. Alipay is China’s dominant mobile payment platform, and access to these tokens could enable unauthorized payments, account takeovers, and identity theft on a massive scale.

The remaining 353 million records were distributed across nine additional collections covering diverse data points including:

  • Gambling activities
  • Vehicle registration information
  • Employment records
  • Pension fund details
  • Insurance data
  • Taiwan-related information (“tw_db”), suggesting surveillance capabilities extending beyond mainland China

Technical Analysis and Infrastructure

According to security researchers, the exposed database showed signs of imprecise data parsing and normalization. SpyCloud’s analysis revealed evidence that the database was compiled from disparate sources by someone who did a somewhat sloppy aggregation job:

  • Key-value mismatches in some collections
  • Typos in data labels
  • Inconsistent naming conventions
  • Non-standard naming conventions across collections
  • Collections covering similar data categories but using inconsistent data asset types
  • Some records showed gender data in the ‘card_id’ field and national ID numbers in the ‘gender’ field
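The field mix-ups listed above (gender values in a card field, ID numbers in the gender field) are the kind of defect a schema check catches when a dataset is triaged. The following Python example is added here and is not from the article, the researchers, or any tool they describe. It assumes a flat record layout with the field names card_id and gender (mentioned in the article) plus phone and id_number (assumed for this example), and it decides what a value looks like independently of the field it sits in, using the published check-digit rule for 18-character resident ID numbers and the Luhn checksum for card numbers. All sample records are constructed.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Check-digit rule for 18-character resident ID numbers (GB 11643-1999):
# weighted sum of the first 17 digits, mod 11, mapped through this table.
ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
ID_CHECK_CODES = "10X98765432"

# Which value type each field is expected to hold. 'card_id' and 'gender'
# come from the article; 'phone' and 'id_number' are assumed field names.
EXPECTED_TYPES: Dict[str, str] = {
    "card_id": "card_number",
    "gender": "gender",
    "phone": "phone",
    "id_number": "national_id",
}


def id_check_digit(prefix17: str) -> str:
    """Return the check character for the first 17 digits of a resident ID."""
    total = sum(int(d) * w for d, w in zip(prefix17, ID_WEIGHTS))
    return ID_CHECK_CODES[total % 11]


def is_national_id(value: str) -> bool:
    """True if value is 17 digits followed by the correct check digit (or X)."""
    v = value.strip().upper()
    return bool(re.fullmatch(r"\d{17}[\dX]", v)) and id_check_digit(v[:17]) == v[17]


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def classify(value: str) -> str:
    """Guess what kind of data a value is, ignoring the field it was stored in.
    Order matters: an 18-digit ID is tested before the generic card pattern."""
    v = value.strip()
    if is_national_id(v):
        return "national_id"
    if v in {"男", "女", "M", "F", "male", "female"}:
        return "gender"
    if re.fullmatch(r"1\d{10}", v):  # mainland mobile numbers: 11 digits starting with 1
        return "phone"
    if re.fullmatch(r"\d{16,19}", v) and luhn_ok(v):
        return "card_number"
    return "unknown"


def find_misplaced(record: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, observed_type) pairs where the value does not fit the field."""
    out: List[Tuple[str, str]] = []
    for field, expected in EXPECTED_TYPES.items():
        if field not in record:
            continue
        observed = classify(record[field])
        if observed != expected:
            out.append((field, observed))
    return out


def audit(records: Iterable[Dict[str, str]]) -> Counter:
    """Count how often each (field, observed_type) mismatch occurs in a collection."""
    counts: Counter = Counter()
    for rec in records:
        counts.update(find_misplaced(rec))
    return counts


# Constructed sample records (not real people). The ID is built from an arbitrary
# 17-digit prefix plus whatever check digit the rule above produces.
SAMPLE_ID = "11010519900307123" + id_check_digit("11010519900307123")
SAMPLE_RECORDS = [
    {"card_id": "4111111111111111", "gender": "男", "phone": "13800138000", "id_number": SAMPLE_ID},
    {"card_id": "女", "gender": SAMPLE_ID, "phone": "13800138000"},        # swapped columns
    {"card_id": "女", "gender": "110105199003071230", "phone": "abc"},    # bad check digit, junk phone
]

if __name__ == "__main__":
    for (field, observed), n in audit(SAMPLE_RECORDS).items():
        print(f"field {field!r} held {observed} values in {n} record(s)")
```

Running the audit over a whole collection gives a count per (field, observed type) pair, which is enough to tell a one-off typo from a systematically swapped column. Values that fit no pattern come back as "unknown" rather than being forced into a category, so a bad check digit is reported as junk, not as an ID.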

Despite extensive investigation, researchers could not identify the database’s owners or operators. There were no attribution markers, identifying headers, or metadata pointing to a specific organization, government entity, or threat actor. The infrastructure was removed from public access within 24 hours of discovery, preventing deeper forensic analysis or attribution.

The speed of takedown suggested that the database’s operators were either monitoring for discovery or were quickly notified by automated systems. The lack of even basic password protection, however, raises questions about whether this was an operational security failure or an abandoned project.

The SGK Connection: Chinese Cybercrime Ecosystem

Based on the database’s structure, contents, and the sloppy compilation process, security experts believe this was likely the backend for an SGK (社工库, Shègōng kù), which translates to “social engineering library.” As detailed by SpyCloud researchers, SGKs are repositories of leaked and stolen personally identifiable information created by Chinese-language threat actors.

These platforms compile hacked and leaked databases to allow easy queryability of personal information on Chinese citizens. Some SGKs are fully public, while others require engaging with a cybercriminal to gain search access. SpyCloud tracks dozens of these SGKs, primarily on Telegram and clearnet websites, often marketed alongside premium lookup services where corrupt insiders from Chinese government security, law enforcement, banking, or technology sectors obtain sensitive records for higher prices.

SGKs are frequently marketed as “box opening” services. “Opening boxes and hanging people” (开盒挂人) is a phrase commonly used in Chinese doxxing communities to describe maliciously disclosing victims’ personal information to incite others to attack and abuse them. Chinese-speaking users across forums, Weibo, Telegram, Twitter/X, Reddit, and YouTube comments shared the opinion that this database was likely a dark market SGK database used for such purposes.

Chinese cybercriminal chat logs on Telegram captured by researchers showed users speculating that the leak occurred because someone forgot to set a login password for their SGK database. A forum post sharing the Bitdefender article about the breach received comments suggesting the database belonged to “those who sell opened boxes.”

Security Implications and Attack Vectors

The security implications of this breach are profound and multifaceted. With such comprehensive and highly specific data exposed, threat actors can easily correlate identities across datasets to build detailed profiles revealing:

  • Where individuals live
  • Their financial habits, debts and savings
  • Communication patterns on apps like WeChat
  • Their employment history and benefits

According to CSO Online’s report, there is no shortage of ways threat actors or nation-states could exploit this data:

  • Large-scale phishing campaigns – Highly personalized social engineering attacks that reference real details about victims’ lives, making them far more likely to succeed than generic attacks
  • Financial fraud – Unauthorized payments, account draining, identity theft for opening new accounts or taking out loans in victims’ names
  • Blackmail operations – Leveraging WeChat communication metadata for criminal extortion
  • State-sponsored intelligence gathering – Enabling surveillance operations and profiling of citizens
  • Sophisticated disinformation campaigns – Targeted influence operations based on detailed behavioral profiles
  • Cross-strait intelligence operations – The Taiwan-related data collection suggests surveillance extending beyond China’s borders, potentially feeding into geopolitical tensions

Historical Context: China’s Data Breach Epidemic

This 2025 breach represents the latest and largest in a troubling series of massive data exposures affecting Chinese users. Understanding the historical context reveals systemic vulnerabilities in how China aggregates and secures personal data.

Major Previous Breaches:

  • July 2022 – Shanghai Police Database – 23 terabytes of police data covering 1 billion citizens leaked online, including national IDs, criminal case details, and phone records, exposing vulnerabilities in China’s centralized policing systems, as reported by CNN.
  • January 2025 – Multi-Platform Aggregation – A 1.5 billion-record leak aggregated data from Weibo, DiDi, JD.com, and government entities including the Shanghai Communist Party. The Elasticsearch server’s open access allowed malicious actors to cross-reference identities, financial histories, and political affiliations.
  • February 2025 – Mars Hydro IoT Breach – An IoT grow light manufacturer exposed 2.7 billion records via misconfigured cloud storage, revealing Wi-Fi passwords, IP addresses, and device IDs.

Recurring Patterns:

  • Centralized data aggregation for profiling purposes, consistent with China’s Social Credit System and mass surveillance infrastructure
  • Cloud misconfigurations, particularly involving Alibaba Cloud and other major providers
  • Involvement of state-linked contractors like I-Soon, which leaked 570 documents in 2024 detailing hacking tools and surveillance contracts
  • Exploitation of cloud vulnerabilities in ways that obscure government involvement while serving state surveillance objectives

Impact on Individuals and Society

The human impact of this breach extends far beyond immediate financial risks. The exposed data creates vulnerabilities that will persist for years, if not decades, as the information cannot be changed like a password.

Individual Impact:

  • Permanent exposure of sensitive personal details – National ID numbers cannot be changed; home addresses remain valuable intelligence for years; financial habits and communication patterns create lasting vulnerabilities
  • Surveillance implications – Comprehensive behavioral profiles enable both state and non-state actors to track, target, and control individuals
  • Targeting of dissidents – Data can be weaponized for political control or suppressing free expression
  • No notification – Most affected individuals will never know their data was compromised

Societal Impact:

  • Erosion of trust – When super-apps like WeChat and Alipay become sources of massive data exposure, it creates fundamental insecurity about participating in the digital economy
  • Cross-border surveillance – Taiwan-related data feeds into geopolitical tensions and creates risks for individuals with connections across the Taiwan Strait
  • Targeted influence operations – Data enables intelligence gathering and potential persecution based on relationships or activities

What Affected Users Can Do

The reality for affected users is grim: there is very little direct recourse available. Since the database owner remains unidentified and there are no formal notification channels, most people won’t even know they were impacted. As researchers concluded in the Bitdefender report, “Individuals who may be affected by this leak have no direct recourse due to the anonymity of the owner and lack of notification channels.”

However, security experts recommend several proactive measures that anyone potentially affected—or anyone concerned about data breaches generally—should implement:

  • Change passwords immediately, especially on financial platforms and messaging apps. Enable two-factor authentication (2FA) wherever possible, and make every password unique to each account. Password managers can help generate and store complex, unique passwords for each service.
  • Monitor financial accounts closely for any unauthorized transactions. Set up account alerts for unusual activity. Review bank statements, credit card bills, and Alipay/WeChat payment histories regularly. Report any suspicious transactions immediately.
  • Use digital identity protection tools to monitor whether email addresses, phone numbers, or personal information have appeared in data leaks or on the dark web. Set up breach alerts to be notified immediately when data appears in new leaks.
  • Be extremely vigilant about phishing attempts. Scammers often use leaked data to personalize attacks, making them more convincing. Be skeptical of any communication asking for personal information, financial details, or urgent action—even if it references real details about your life.
  • Consider freezing credit or implementing additional identity theft protections, particularly if banking information was exposed. While this is more common in Western countries, similar protections may be available through Chinese financial institutions.
  • Limit information sharing on social media and other platforms going forward. The fewer additional data points available to correlate with leaked information, the harder it becomes for attackers to build comprehensive profiles.

While these steps cannot undo the exposure, they can reduce the risk of the leaked data being successfully weaponized against affected individuals. The breach serves as a stark reminder of digital vulnerability in an era where personal data fuels both state power and criminal enterprise.
