One Hacker Spent 6 Months Draining 10 Petabytes From China's Military Supercomputer — Through a VPN

:fire: One Hacker Spent 6 Months Draining 10 Petabytes From China’s Military Supercomputer — Through a VPN

Someone walked into one of the most powerful computing facilities on Earth through a broken VPN door — and nobody noticed for half a year.

10 petabytes stolen. 6,000+ clients exposed. 6 months of undetected extraction. One compromised VPN domain. Missile schematics, defense simulations, aerospace research — all allegedly for sale on Telegram for cryptocurrency.

To put “10 petabytes” into perspective: that’s roughly 10 million gigabytes. You’d need about 2,500 of those 4TB hard drives stacked up. That’s more data than the entire printed collection of every library on Earth — combined. And somebody just… downloaded it. Over six months. While nobody was watching.

supercomputer hack


🧩 Dumb Mode Dictionary
Term What It Actually Means
Petabyte 1 million gigabytes. Your phone is probably 128GB. This hack was 10,000,000 GB.
VPN domain The internet “door” that lets employees connect to work from home securely. This one was busted open.
Botnet A swarm of automated programs that work together — in this case, to suck data out of a system like digital leeches.
NSCC National Supercomputing Center — China’s government-run facility that crunches numbers for military, science, and aerospace.
Exfiltration Fancy word for “stealing data by copying it out of a network.”
Cryptocurrency payment The hacker wants untraceable digital money (Bitcoin, Monero, etc.) in exchange for the stolen files.
📡 How One Person Robbed a Supercomputer

The attacker — going by the handle “FlamingChina”posted a sample of the alleged dataset on Telegram back in February 2026.

The method was almost embarrassingly simple:

  • Found a compromised VPN domain — the remote-access gateway that employees use to log in from outside
  • Got inside the network of China’s National Supercomputing Center in Tianjin
  • Deployed a botnet (a swarm of automated bots) inside the system
  • Those bots quietly copied and downloaded data for six straight months
  • Nobody detected it. Not the firewalls. Not the monitoring. Not the 6,000+ client organizations relying on the system.

The simplest door. The biggest heist.

🎯 What Was Actually Stolen

According to cybersecurity researcher Marc Hofer, who reviewed samples of the dataset, the stolen files include:

  • Missile schematics and classified defense documents
  • Aerospace engineering research files
  • Defense technology simulations (think: war-game models)
  • Bioinformatics data (biology + computing — bioweapons? gene research? unclear)
  • Nuclear fusion simulation data
  • Technical files from the Aviation Industry Corporation of China and the Commercial Aircraft Corporation of China
  • Research from the National University of Defense Technology

This isn’t some random email dump. This is allegedly the crown jewels of China’s military-industrial computing apparatus.

💰 The Price Tag

FlamingChina is running this like a damn storefront:

What You Get Price
Limited preview / sample dataset Thousands of dollars
Full 10PB access Hundreds of thousands of dollars
Payment method Cryptocurrency only

But here’s the thing nobody mentions: the verification problem cuts both ways. CNN couldn’t verify the dataset’s origins, but multiple independent experts who reviewed samples said the data appears genuine. So either this is the biggest data heist in history — or the most elaborate bluff. Both scenarios are wild.

📊 The Receipts — By The Numbers
Stat Number
Data allegedly stolen 10+ petabytes (10,000,000 GB)
Duration of extraction ~6 months
Clients of the NSCC 6,000+ organizations
Entry point 1 compromised VPN domain
Detected during extraction? No
China’s official response Silence
Previous largest China hack Nowhere close to this scale

For context: the 2015 US Office of Personnel Management hack — which was considered catastrophic — involved about 21.5 million records. This alleged breach is orders of magnitude larger in raw volume.

🗣️ What The Experts Are Saying
  • Marc Hofer (cybersecurity researcher): Reviewed the samples, confirmed the data structures are consistent with a legitimate government computing environment
  • SC Media called it potentially “the biggest hack of all time”
  • TechRadar flagged the national security implications — missile schematics in the wrong hands isn’t just a data breach, it’s a geopolitical event
  • China’s government: Complete silence. No denial, no confirmation, no comment. Which in itself is… interesting.

The silence is actually the most telling part. When breaches are fake, governments usually dismiss them fast. When they’re real, the silence stretches.

🔍 The VPN Problem Nobody Wants to Talk About

The entry method here — a compromised VPN — is the same pattern we’ve seen in breach after breach:

  • Pulse Secure VPN vulnerabilities hit thousands of organizations in 2021-2024
  • Fortinet VPN bugs have been exploited by Chinese, Russian, and Iranian state hackers
  • Cisco AnyConnect has had multiple critical flaws

VPNs are supposed to be the moat around the castle. Instead, they’ve become the most reliable door for attackers. And here we have one of the most powerful computing centers on Earth — processing classified defense data for 6,000 clients — apparently defended by a VPN that someone cracked open like a walnut.

The data shows a pattern: the more critical the system, the more likely its VPN is a single point of failure.


Cool. Someone just downloaded China’s entire military brain. Now What the Hell Do We Do? ( ͡° ͜ʖ ͡°)

hacking use case

🕳️ The VPN Audit Bounty Flipper

Every company on Earth just got nervous about their VPN setup. The play: learn to run automated VPN configuration audits using free tools like OpenVAS and Nmap, then approach small-to-mid businesses (law firms, clinics, accounting shops) and offer a “VPN Security Checkup” for a flat fee. You’re not pen-testing — you’re just scanning their public-facing VPN endpoints for known misconfigurations and generating a pretty PDF report. Charge $200-500 per audit. Most of these places haven’t touched their VPN config since COVID.

:brain: Example: A 24-year-old IT support guy in Bucharest, Romania starts offering “VPN Health Checks” on local business forums. Uses OpenVAS to scan, generates reports with LaTeX templates, charges €300 per business. Lands 8 clients in the first month = €2,400. Word of mouth kicks in because every business owner panics when they see a red “CRITICAL” flag on a PDF.

:chart_increasing: Timeline: First client in 5-7 days. Steady flow at 3-4 weeks. Plateaus when you’ve hit every small biz in your city at ~3 months — then you hire someone and expand to the next city.

🎣 The Breach Alert Reseller

When massive breaches like this drop, companies in the affected supply chain scramble to check if their data was exposed. The play: monitor breach notification feeds, dark web paste sites via IntelligenceX, and Telegram channels. Package what you find into “Exposure Reports” for specific industries. Target: companies who did business with any of the 6,000 NSCC clients. A Chinese manufacturer that uses NSCC computing services also has Western partners who now need to know if their shared files got scooped up in this breach. You’re the bridge.

:brain: Example: A 28-year-old cybersecurity student in São Paulo, Brazil builds a simple dashboard using Python + Streamlit that cross-references known NSCC client lists with company supply chain databases. Sells “Am I Exposed?” reports to import/export firms doing business with Chinese manufacturers for $150 each. Lands 20 reports in 2 weeks = $3,000.

:chart_increasing: Timeline: First sale within 3 days of breach news going viral. Window closes in 4-6 weeks as the news cycle moves on. Then you pivot to the next breach. Rinse, repeat.

📡 The Defense Contractor OSINT Mapper

This breach exposed which organizations use China’s NSCC — aerospace firms, defense universities, aircraft manufacturers. That’s now semi-public information. The play: build an OSINT (open-source intelligence) map of relationships between these organizations using publicly available data — LinkedIn connections, academic paper co-authorships, patent filings, conference attendee lists. Package this as “Supply Chain Intelligence” and sell it to due diligence firms, compliance departments, or journalists who are writing about national security. Tools: Maltego CE (free), Google Scholar, patent databases.

:brain: Example: A 31-year-old former intelligence analyst in Warsaw, Poland builds relationship maps showing how NSCC-linked entities connect to European companies. Sells three custom reports to a compliance consulting firm in London at £1,500 each = £4,500. The firm uses them in client presentations about “China supply chain risk.”

:chart_increasing: Timeline: First deliverable in 10-14 days (research is slow). Sustainable for 2-3 months as geopolitical tension keeps demand high. Fades when the next crisis dominates headlines.

🪟 The Patch Window Panic Seller

After every major VPN breach, the affected VPN vendors rush to release patches. But here’s the gap: most companies take 15-45 days to actually apply patches. During that window, you can offer “Emergency VPN Patching” as a service. Literally: you show up (remotely), apply the vendor’s patch, verify it worked, restart the service, test connectivity. It’s basic sysadmin work dressed up as emergency response. The urgency is what you’re selling, not the complexity. List yourself on PeoplePerHour or local IT forums as “Emergency VPN Security Patching — 24hr turnaround.”

:brain: Example: A 22-year-old self-taught sysadmin in Lagos, Nigeria posts “VPN Emergency Patch Service” on three WhatsApp business groups after a major VPN vulnerability makes the news. Charges ₦75,000 (~$45 USD) per server — cheap enough that businesses say yes without thinking. Patches 30 servers across 12 companies in the first week = ₦2,250,000 (~$1,350). Scales by adding two friends who also know Linux.

:chart_increasing: Timeline: First gig within 48 hours of vulnerability disclosure. Rush period lasts 2-3 weeks. Dead after 6 weeks when everyone’s either patched or doesn’t care. Wait for next CVE, repeat.

🎰 The Geopolitical Signal Trader

Data breaches of this scale move markets — defense stocks, cybersecurity ETFs, specific companies named in the breach. The play isn’t day-trading (that’s gambling). It’s tracking the second-order effects with a 2-4 week delay. When a breach like this drops, cybersecurity companies like CrowdStrike, Palo Alto Networks, and Fortinet see increased contract inquiries 2-6 weeks later. Their earnings calls reference it. Use Google Trends to track when “VPN security” or “cybersecurity audit” searches spike, then cross-reference with SEC EDGAR filings for cybersecurity firms announcing new government contracts. You’re not predicting — you’re reading signals that are already there but 90% of retail investors don’t bother to check.

:brain: Example: A 26-year-old data analyst in Kraków, Poland builds a Google Trends + SEC filing tracker using free APIs. After the FlamingChina breach news, spots CrowdStrike filing three new government contracts within 3 weeks. Buys shares on the dip. Stock moves +11% over the next quarter. Repeats the pattern after every major state-level breach.

:chart_increasing: Timeline: First signal appears 2-3 weeks post-breach. Position entry at week 3-4. Returns materialize in 1-3 months. Works reliably 2-3 times per year when major geopolitical breaches hit the news.

🛠️ Follow-Up Actions
Want To… Do This
Check if YOUR VPN is exposed Run a free scan at Shodan — search your company’s IP range + “vpn”
Monitor breach feeds Set up Have I Been Pwned alerts + follow @vaboronkov for dark web leak alerts
Learn VPN security auditing Start with TryHackMe’s VPN rooms (free tier available)
Track cybersecurity stocks post-breach FinViz screener filtered by “cybersecurity” sector + set Google Trends alerts
Understand OSINT basics OSINT Framework — free directory of every open-source intelligence tool

:high_voltage: Quick Hits

Want Do
:locked: Check your own VPN config Shodan.io — free search for exposed VPN endpoints on your IP
:open_book: Understand this breach deeper CNN’s full report on FlamingChina’s methodology
:shield: Harden your VPN today Disable split tunneling, enforce MFA, update firmware — CISA’s VPN guide
:briefcase: Sell VPN audits Grab OpenVAS + learn Nmap basics on TryHackMe
:bar_chart: Track breach → stock signals FinViz + Google Trends + SEC EDGAR

The most powerful supercomputer in China got robbed through the same door your company uses for Zoom calls. Sleep tight.

6 Likes