“FlamingChina” Stole 10 Petabytes of Missile Data From a Supercomputer — Via One VPN Login
Someone walked into China’s biggest supercomputer through a broken VPN door, grabbed six months’ worth of missile blueprints, and put them on Telegram with a price tag.
10 petabytes stolen. That’s 10,000 terabytes. Over 6 months. From a facility serving 6,000+ defense clients. Through a single compromised VPN login. Nobody noticed.
A hacker (or small crew) going by “FlamingChina” claims they breached China’s National Supercomputing Center in Tianjin — the country’s very first supercomputer hub, opened in 2009 — and walked out with classified military simulations, missile schematics, aerospace research, and nuclear fusion data. They’re now selling preview access for thousands in crypto, with the full dump going for hundreds of thousands. Security experts at SentinelOne who reviewed samples say the data looks legit. China quietly started firing senior defense officials days after the news broke.

🧩 Dumb Mode Dictionary
| Term | What It Actually Means |
|---|---|
| Petabyte | 1,000 terabytes. Your laptop holds about 1 TB. This hack grabbed 10,000 of those. |
| VPN | A secure tunnel into a network from outside — like a private hallway into a building. If someone steals the key, they’re inside. |
| Botnet | A swarm of automated programs that do tasks together — in this case, slowly sucking data out like ants carrying crumbs. |
| NSCC | National Supercomputing Center — China’s government-run mega-computer facility for science and military research. |
| Exfiltration | Fancy word for “stealing data out of a system.” Just means copying files and sending them somewhere else. |
| Zero-day | A security hole that nobody knew existed — so the defenders have had zero days to fix it. |
📡 How They Got In
Here’s the wild part — it wasn’t some genius zero-day exploit. According to CNN’s investigation, FlamingChina got in through a compromised VPN domain. That’s it. One busted login.
Once inside, they deployed a botnet — basically a network of little automated scripts — that slowly, quietly pulled data out of the system over six months straight. The trick was going slow enough that nobody’s alarms went off. Drip by drip, file by file. From February 2026 until they decided to go public.
The samples posted to Telegram on February 6 included documents marked “秘密” (secret in Chinese), animated simulations of missiles, and technical schematics that experts confirmed are consistent with real Chinese defense research.
💣 What Was Actually Stolen
This wasn’t someone grabbing a bunch of employee emails. The stolen data allegedly includes:
- Missile and bomb schematics — full technical renderings with simulations
- Aerospace engineering files — linked to the Aviation Industry Corporation of China (the people who build China’s fighter jets)
- Nuclear fusion simulation data — cutting-edge energy research
- Bioinformatics research — medical and genetic data from government projects
- Documents from the National University of Defense Technology — China’s military academy
Dakota Cary from SentinelOne told CNN: “They’re exactly what I would expect to see from the supercomputing center.”
📊 The Receipts
| Stat | Number |
|---|---|
| Data stolen | 10 petabytes (10,000 TB) |
| Duration of theft | ~6 months |
| Clients served by NSCC Tianjin | 6,000+ |
| Preview access price | Thousands of dollars (crypto only) |
| Full dump asking price | Hundreds of thousands (crypto only) |
| When samples appeared on Telegram | February 6, 2026 |
| When CNN reported | April 8, 2026 |
To put that 10 petabytes in perspective: if you downloaded at a solid 100 Mbps nonstop, it would take you over 9 years to grab all of it.
🗣️ What the Timeline's Saying
Dakota Cary, SentinelOne: “Only they [state-level intelligence services] probably have the capacity to work through all this data and come back with something useful.”
Security Magazine called it potentially “the largest data breach in Chinese military history.”
China hasn’t officially confirmed or denied anything. But right after the news broke, several senior figures linked to defense programs were quietly removed — including Yang Wei, a chief designer connected to the J-20 fighter jet program. That’s not a coincidence.
The cybersecurity community is split on whether FlamingChina is a lone wolf, a small crew, or a front for a state-level operation. Nobody knows for sure. The alias has no track record before this.
🔍 Why This Is Actually Insane
Let’s be clear about what happened here. A single VPN compromise led to the largest known breach of a national supercomputer. A facility that processes classified defense simulations for an entire country was apparently protected by… a VPN that someone cracked.
This isn’t a Hollywood plot hole — this is real. The same kind of VPN gateway that thousands of companies use every day. The same kind that your employer probably makes you log into to check your work email from home. That’s the front door to China’s missile data.
And the attacker didn’t need to be fast. They had six months. No alarms, no flags, no investigation. Just a slow drip of the most classified military data a country can produce, flowing out the back door while everyone was asleep.
Cool. So someone stole a country’s entire military brain through a VPN. Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

🕳️ The VPN Audit Bounty Flipper
Most companies use VPNs and have ZERO idea if their gateway configs are actually secure. This breach just made every CISO on the planet paranoid about their VPN setup. Here’s the play: learn to audit VPN configurations (there are free guides from NIST and open-source tools like OpenVAS). Reach out to small/mid hosting companies and offer a one-time VPN security audit. Not a full pentest — just the VPN gateway. Cheap, fast, specific.
Example: A 24-year-old security student in Romania reaches out to 50 small hosting providers in Eastern Europe via LinkedIn, offering VPN gateway audits at $300 each after this news. 12 say yes within a week because their clients are panicking. That’s $3,600 from cold outreach using free tools.
Timeline: First client in 5-7 days if you reach out aggressively. Market panic from this breach lasts about 4-6 weeks before people forget and go back to being lazy.
📡 The Exfil Speed Detector
Here’s what nobody caught for six months: data leaving the network slowly. There are free tools like Zeek (network traffic analyzer) and RITA (Real Intelligence Threat Analytics) that specifically look for slow, persistent data leaks — exactly what FlamingChina did. Most small companies don’t even know these exist. Package Zeek + RITA into a pre-configured monitoring setup for small data centers. Sell it as “the thing that would have caught the China breach.”
Example: A freelance sysadmin in Brazil sets up a one-page site offering “slow exfil detection” packages using Zeek + RITA on a cheap VPS. Charges $150/month per client for monitoring. After this breach hits the news, posts in 10 hosting-provider Discord servers. Gets 8 clients in the first month — $1,200/month recurring.
Timeline: Setup takes a weekend if you know Linux basics. First paying client in 10-14 days. This becomes a recurring income stream, not a one-shot gig. Saturates in 2-3 months as bigger security firms start offering the same.
🎣 The Breach Notification Middleman
After every major breach, thousands of people want to know: “Am I in this leak?” With 6,000+ organizations using the Tianjin supercomputer, there are tens of thousands of researchers, engineers, and contractors whose credentials might now be in someone’s Telegram channel. Build a monitoring bot that tracks known breach paste sites and Telegram leak channels (using the Telegram Bot API) and alerts subscribers if their org domain shows up. Charge per domain monitored.
Example: A 20-year-old CS student in Turkey builds a Telegram bot in Python that monitors 30 known leak channels and sends alerts when certain keywords or domains appear. Markets it to universities and research labs in Southeast Asia — $50/month per domain monitored. Gets 25 subscribers in a month from cold emails to university IT departments. That’s $1,250/month.
Timeline: Bot build takes 2-3 days. First subscribers in 2 weeks. Works until a bigger platform (like Have I Been Pwned) incorporates this specific dataset, probably 6-8 weeks out.
🪟 The Post-Breach Resume Gold Rush
Every time a breach this big makes headlines, cybersecurity job postings spike 15-30% in the following month. Companies panic-hire. But here’s the edge: most candidates have generic resumes. Write a breach-specific cover letter template pack — one for each of the top 10 job roles that spike after a supercomputer breach (VPN security analyst, incident response, threat intelligence, network forensics, etc.). Sell the pack on Gumroad or Lemonsqueezy for $19. Market it in cybersecurity Discord servers and Reddit’s r/cybersecurity right while the news is hot.
Example: A career coach in the Philippines who dabbles in infosec creates a “Post-Breach Job Application Kit” with 10 tailored cover letters, a resume template, and a cheat sheet of talking points about the Tianjin breach. Sells 80 copies at $19 in the first two weeks via r/cybersecurity and LinkedIn posts. That’s $1,520 from a digital product that took one evening to create.
Timeline: Product created in 1 day. First sales within 48 hours of posting. The window closes in about 3 weeks when the news cycle moves on. Make it fast or don’t bother.
🎰 The Classified Data Pattern Spotter
The 10 PB dump is too big for any individual to parse. But the metadata — file naming conventions, directory structures, timestamps, organizational labels — is publicly visible in the Telegram samples. Intelligence analysts and OSINT researchers will pay for someone who catalogs and indexes this metadata into a searchable format. You don’t need the actual classified files. Just the structure. Build a spreadsheet or simple web tool that maps the leaked directory tree, timestamps, and org labels. Sell access to OSINT research firms and journalists.
Example: An OSINT hobbyist in Poland screenshots every publicly posted sample from the FlamingChina Telegram, extracts file names, timestamps, and folder structures, and builds a searchable Notion database. Offers access to 5 journalist contacts and 3 threat-intel firms at $200/seat. Makes $1,600 in the first week before China pressures Telegram to take the channel down.
Timeline: First version in 2-3 days. Revenue within the first week. This is a pure sprint — the Telegram channel could go dark any day, so speed is everything. Once the channel’s gone, your catalog becomes the ONLY public record. That’s when the real value kicks in.
🛠️ Follow-Up Actions
| Want To… | Do This |
|---|---|
| Audit your own VPN setup | Run OpenVAS against your gateway + follow NIST SP 800-77 |
| Detect slow data leaks | Set up Zeek + RITA on your network |
| Check if you’re in a breach | Use Have I Been Pwned + monitor known leak channels |
| Read the full CNN investigation | CNN: China supercomputer hackers |
| Understand VPN security basics | OWASP VPN Security Guide |
Quick Hits
| Want To… | Do This |
|---|---|
| Enable MFA on every VPN gateway — Google Authenticator is free | |
| Install Zeek and watch for steady low-bandwidth outbound traffic | |
| Follow SentinelOne’s blog for updates on the FlamingChina investigation | |
| Offer VPN audits to small hosts within the next 4 weeks while fear is high | |
| Start with OSINT Framework — it’s free and comprehensive |
One broken VPN password. Six months of silence. Ten thousand terabytes of missile data. And somebody on Telegram is asking if you’d like a preview for a few grand. Sleep tight.
!