
 How China’s Next-Gen DPI Powers Global Digital Control

Exporting the cudgel

Leaked data confirm that Beijing has shifted from domestic censorship to the active export of control tools. Chinese contractors are delivering turnkey infrastructure to suppress dissent in Pakistan, Ethiopia and Myanmar.

The main takeaway from the recent leaks, however, is not political but personal: the vulnerability of every user’s privacy to a new generation of deep packet inspection (DPI).

ForkLog examined the leaked documents of Chinese technology companies Geedge Networks and KnownSec.

Anatomy of the leak

In the autumn two large troves entered the public domain. The first comprised 100,000 documents from Geedge Networks, a firm specialising in network monitoring and censorship. The second comprised 12,000 files from KnownSec, which is linked to China’s state security.

The dump offers a rare look under the hood of the cyber‑surveillance industry. Where experts once merely suspected that export versions of China’s Great Firewall existed, they now have technical specifications, architecture and named clients.

Geedge Networks is not just an IT company. It is closely tied to MESA Lab (a state laboratory in China) and to Fang Binxing, often called the father of the Chinese firewall. The leaks show that tools honed for years on China’s population have been packaged into a commercial product for overseas sale.

The Great Firewall in a box

Geedge’s flagship is the Tiangou Secure Gateway (TSG), a hardware–software stack installed in ISPs’ data centres. It can analyse, filter and block traffic at nationwide scale.

Its architecture is modular and highly efficient:

  1. Cyber Narrator — a real-time monitoring system. It records every user action: visited sites, DNS queries, IP addresses, timestamps and data volumes. It is an activity log of an entire population.
  2. TSG Galaxy — the analytics hub. Data from Cyber Narrator flow here. The system builds user profiles, detects patterns and social graphs.
  3. Tiangou — the control console. It lets operators (intelligence or police personnel) add keywords to blacklists, and block domains and specific users.

The system does not rely only on IP addresses. It uses DPI. If traffic is encrypted (HTTPS), it examines metadata and behavioural patterns to infer the type of information transmitted.

The Myanmar case: technology against protest

The leak confirmed the geography of sales. China is exporting a turnkey model of state control. The documents list project codes for different countries:

  1. K18/K24 (Kazakhstan): active rollout;
  2. P19 (Pakistan): used to police social unrest;
  3. M22 (Myanmar): deployed to suppress protests after the 2021 military coup.

The last case is the most telling—confirming the role of Chinese technology in quelling civic discontent. After the coup, the new authorities faced the imperative of controlling the information space.

Geedge documents confirm that the company supplied infrastructure to Myanmar’s providers. The system simultaneously monitors 81 million internet connections.

What the system does in Myanmar:

In Myanmar, Geedge equipment has been found in the data centres of the operator Frontiir and the company Investcom. This shows that dual‑use technologies are being embedded directly into civilian telecom infrastructure.

Scam centres and the global threat

In parallel with state snooping, the threat from criminal groups exploiting the same grey zones is growing. The region abounds in scam centres—closed compounds from which fraudsters target users worldwide.

The United States has already begun to target this infrastructure, issuing a warrant to seize Starlink terminals used by scammers in Myanmar. Google, for its part, filed a lawsuit against the operators of the Lighthouse platform engaged in phishing.

Yet the combination of weak legal protections and a powerful technical base (supplied from abroad) creates ideal conditions for cybercrime.

KnownSec: espionage and cyberweapons

If Geedge handles “defence” (censorship), the KnownSec leak reveals offensive capabilities. The documents describe tools for hacking and remote access to devices running Windows, Linux, Android and iOS.

Key findings:

  1. Scale of thefts. Hackers claimed to have stolen 95 GB of data from India’s immigration service and 3 TB of call records from South Korea’s LG U Plus. Target lists include organisations in 80 countries.
  2. Tooling. Tools were found to extract chats from Telegram and Signal on compromised Android devices.
  3. Hardware hacks. “Trojan” power banks are mentioned that exfiltrate data from a smartphone when it is plugged in to charge.
  4. Use of AI. Attackers used language models (including Anthropic’s Claude) to write malware and analyse stolen data, circumventing safeguards in neural networks.

Feedback loop: tested abroad

The technologies are not only sold—their overseas use feeds back into China to strengthen domestic control. The leaks indicate that Geedge applies lessons from Pakistan and Myanmar to upgrade surveillance systems in Xinjiang and other provinces.

The documents describe the following experimental features:

Takeaways for everyone

News of Chinese cyber‑arms exports may seem remote to users outside Myanmar or Pakistan. Yet the leaks puncture several popular myths about digital security:

  1. HTTPS and encryption are no panacea. Modern DPI systems like Tiangou can effectively analyse encrypted traffic. Even if they cannot read packet contents, they mine metadata—sizes, request frequency, timing—to identify VPN, Tor or messenger use with high confidence.
  2. A VPN does not make you invisible. Systems such as Cyber Narrator aim not merely to block VPNs but to flag users. The very act of reaching for circumvention tools becomes a trigger that places a user in a “suspicious” group. In Myanmar this led to targeted hunting of those who used particular apps.
  3. Behavioural analysis trumps keywords. Systems have evolved from keyword spotting to building graphs of relationships. Algorithms analyse whom you talk to, which groups you join and how you move. The leak showed plans for a “reputation rating” that would automate access blocks based on a blend of behavioural factors rather than a single infraction.
  4. The hardware threat is real. The episode with “spy power banks” is a reminder that danger does not always stem from code. Plugging a device into untrusted chargers or public USB ports carries a real risk of physical compromise.
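As an added, editor-written illustration of why point 1 holds (this is not ForkLog’s reporting, nor any Geedge or Tiangou code), the Python below extracts the kind of side-channel features the article names, packet sizes, timing and direction, from two constructed flows whose payloads are assumed to be encrypted, then shows what padding every packet to a constant-size cell does and does not hide. The two traces, the feature names and the 1500-byte cell size are assumptions made for the demonstration, not values from the leaked documents.

```python
"""Flow-metadata features that survive encryption, and the effect of padding.

Added example, not from the article or any vendor. Both packet traces are
constructed by hand; nothing here was captured from a real network.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since the first packet of the flow
    size: int       # bytes on the wire (the encrypted payload is never inspected)
    outbound: bool  # True if sent by the client, False if received


def size_entropy_bits(pkts):
    """Shannon entropy of the packet-size distribution; 0 means every packet
    has the same size, i.e. sizes carry no information about the application."""
    counts = Counter(p.size for p in pkts)
    n = len(pkts)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(pkts):
    """The metadata a DPI box sees without decrypting anything."""
    gaps = [b.t - a.t for a, b in zip(pkts, pkts[1:])]
    out_bytes = sum(p.size for p in pkts if p.outbound)
    in_bytes = sum(p.size for p in pkts if not p.outbound)
    return {
        "packets": len(pkts),
        "distinct_sizes": len({p.size for p in pkts}),
        "size_entropy_bits": round(size_entropy_bits(pkts), 2),
        "mean_gap_ms": round(1000 * sum(gaps) / len(gaps), 1) if gaps else 0.0,
        "upload_ratio": round(out_bytes / (out_bytes + in_bytes), 2),
    }


def pad_to_cell(pkts, cell=1500):
    """Defensive transform: pad each packet up to the next multiple of `cell`
    bytes, as constant-size-cell transports do. Timing and direction are left
    untouched, which is exactly what this demo is meant to expose."""
    return [Packet(p.t, math.ceil(p.size / cell) * cell, p.outbound) for p in pkts]


def feature_gap(a, b):
    """Absolute difference per feature between two flows; large gaps are what
    a classifier would key on."""
    fa, fb = features(a), features(b)
    return {k: round(abs(fa[k] - fb[k]), 2) for k in fa}


# Constructed trace 1: a page load. Small outbound requests, bursts of large
# inbound segments, gaps of tens of milliseconds.
WEB_PAGE = [
    Packet(0.000, 517, True), Packet(0.045, 1400, False), Packet(0.046, 1400, False),
    Packet(0.047, 820, False), Packet(0.050, 64, True), Packet(0.300, 300, True),
    Packet(0.345, 1400, False), Packet(0.346, 1400, False), Packet(0.347, 1400, False),
    Packet(0.348, 612, False), Packet(0.350, 64, True),
]

# Constructed trace 2: an interactive chat session. Small packets both ways,
# mostly outbound bytes, gaps of seconds while the user types.
CHAT = [
    Packet(0.0, 180, True), Packet(0.9, 60, False), Packet(4.2, 210, True),
    Packet(5.1, 60, False), Packet(9.8, 60, False), Packet(9.9, 175, True),
    Packet(15.0, 60, False),
]


if __name__ == "__main__":
    for name, flow in (("web page", WEB_PAGE), ("chat", CHAT)):
        print(name, "raw   ", features(flow))
        print(name, "padded", features(pad_to_cell(flow)))
    print("gap raw   ", feature_gap(WEB_PAGE, CHAT))
    print("gap padded", feature_gap(pad_to_cell(WEB_PAGE), pad_to_cell(CHAT)))
```

Running it shows the two flows separated cleanly by size entropy, upload ratio and mean inter-packet gap while every payload byte stays opaque. Padding drives the size features of both flows to zero and narrows the upload ratio, but the timing gap (tens of milliseconds against seconds) is unchanged, which is why padding alone is not a complete answer to the analysis described above and timing-aware defences are needed as well.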

Conclusion

The KnownSec and Geedge Networks leaks confirm the existence of a global market for “digital authoritarianism”. China is offering regimes not just equipment but methods of control.

For ordinary users the message is clear: the era of easy circumvention is ending. It is giving way to a contest with algorithms that can spot anomalies in encrypted traffic and assemble a profile from side‑channels. Privacy now demands not merely installing an app, but understanding the traces every action leaves online.
