A threat actor operating under the handle FlamingChina claims to have exfiltrated more than 10 petabytes of classified military and aerospace data from China's National Supercomputing Center (NSCC) in Tianjin, listing the full dataset for sale at hundreds of thousands of dollars in cryptocurrency. Multiple independent cybersecurity experts who reviewed data samples told CNN the material appeared genuine, marking what could be the largest confirmed data theft ever attributed to a single Chinese government-linked facility.
What Happened
The actor posted an initial dataset sample to an anonymous Telegram channel on February 6, 2026, claiming months-long undetected access to the NSCC Tianjin infrastructure. The NSCC Tianjin is a centralized high-performance computing hub serving more than 6,000 clients across Chinese academia, government, and defense sectors. FlamingChina offered a limited preview for thousands of dollars, with full access priced in the hundreds of thousands, payable in cryptocurrency. CNN reached out to China's Ministry of Science and Technology and the Cyberspace Administration of China; neither had responded at time of publication.
What Was Taken
The alleged dataset spans more than 10 petabytes and reportedly includes:
- Documents marked classified ("secret") in Chinese
- Missile schematics and technical defense equipment renderings
- Animated simulations of defense hardware including bombs
- Aerospace engineering research files
- Military research documents
- Bioinformatics and fusion simulation data
- Material linked to the Aviation Industry Corporation of China (AVIC), the Commercial Aircraft Corporation of China (COMAC), and the National University of Defense Technology (NUDT)
The breadth of the claimed dataset suggests the NSCC's role as a shared compute backbone gave the actor lateral access to data belonging to dozens of high-value tenant organizations simultaneously.
Why It Matters
NSCC Tianjin is not a standalone research cluster. It is critical national infrastructure that underpins weapons development programs, next-generation aerospace projects, and military simulation workloads for some of China's most sensitive defense contractors. A successful long-duration exfiltration from this node is strategically significant for several reasons.
First, the aggregation risk is severe: breaching a shared compute hub yields data from hundreds of tenants in a single operation, compressing the cost-per-target for espionage dramatically. Second, the data types described, including missile schematics and fusion simulation outputs, represent years of state-funded R&D that adversaries could use to accelerate their own programs or identify exploitable design flaws. Third, if the claimed months-long dwell time is confirmed, it signals a serious gap in China's detection and response posture at a facility of this sensitivity, which has implications for how peer adversaries and non-state actors assess the achievability of similar operations globally.
The Attack Technique
Technical details of the initial intrusion vector have not been publicly disclosed. However, the actor's own claims and expert assessments point to several notable characteristics: prolonged dwell time measured in months, large-scale staged exfiltration without triggering detection, and access broad enough to reach data belonging to multiple high-value tenant organizations. This profile is consistent with a supply chain compromise affecting the NSCC's shared infrastructure layer, exploitation of a privileged administrative account, or abuse of a trusted internal network path that bypassed perimeter controls. The actor's reported ease of entry suggests either an unpatched vulnerability in internet-facing services or a credential compromise that was never revoked.
What Organizations Should Do
Organizations operating shared compute infrastructure or relying on national research and computing networks should treat this incident as a direct prompt for defensive review:
- Audit tenant isolation controls. Shared HPC environments must enforce strict data segregation between tenants at the hypervisor, storage, and network layers. Assume defaults are insufficient.
- Review privileged account hygiene. Rotate credentials for all administrative and service accounts. Enumerate accounts with broad data access and reduce scope to least-privilege.
- Deploy behavioral exfiltration detection. Large-volume data movement over extended periods should trigger anomaly alerts. Tune DLP and SIEM rules specifically for bulk transfer patterns rather than relying on perimeter controls alone.
- Classify and tag sensitive data proactively. If data marked classified is stored in shared infrastructure, it must be identifiable in real time so access anomalies can be correlated with asset sensitivity.
- Test incident response for long-dwell scenarios. Tabletop exercises should include attacker persistence lasting weeks or months, not just acute breach scenarios. Many detection pipelines are tuned for speed, not patience.
- Validate third-party and tenant security posture. If your organization shares infrastructure with government or defense entities, treat that shared boundary as an attack surface and assess your exposure accordingly.
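
The behavioral exfiltration detection item above can be made concrete with a rolling-window rule. This is an added example, not taken from any vendor or from the incident: the host names, documentation-range IP addresses, flow records, and thresholds are all constructed assumptions. It shows a steady 40 GB/day transfer that never trips a per-day spike rule but is caught by a cumulative window rule.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

GB = 10**9

def build_sample():
    """Constructed flow summaries (day, src host, dst IP, egress bytes); not real telemetry."""
    start, rows = date(2026, 1, 1), []
    for i in range(30):
        day = start + timedelta(days=i)
        rows.append((day, "login-node-01", "203.0.113.10", 2 * GB))    # ordinary traffic
        rows.append((day, "storage-gw-07", "198.51.100.25", 40 * GB))  # steady, under spike limit
    rows.append((start + timedelta(days=12), "login-node-01", "203.0.113.10", 120 * GB))  # one burst
    return rows

def detect(rows, spike_bytes=100 * GB, window_days=14,
           cumulative_bytes=400 * GB, min_active_days=10):
    """Return sorted alerts: 'spike' (one heavy day) and 'slow_bulk' (sustained egress
    from one source to one destination across a rolling window). Thresholds are assumptions."""
    daily = defaultdict(int)
    for day, src, dst, nbytes in rows:
        daily[(src, dst, day)] += nbytes          # collapse flows into per-day totals
    series = defaultdict(list)
    for (src, dst, day), total in daily.items():
        series[(src, dst)].append((day, total))
    alerts = []
    for (src, dst), points in series.items():
        window, running, flagged = deque(), 0, False
        for day, total in sorted(points):
            if total >= spike_bytes:
                alerts.append(("spike", src, dst, day, total))
            window.append((day, total))
            running += total
            while (day - window[0][0]).days >= window_days:   # evict days outside the window
                running -= window.popleft()[1]
            # Patient exfiltration: no single day is loud, but the window total is.
            if not flagged and running >= cumulative_bytes and len(window) >= min_active_days:
                alerts.append(("slow_bulk", src, dst, day, running))
                flagged = True                     # one alert per pair, not one per day
    return sorted(alerts, key=lambda a: (a[3], a[0]))

if __name__ == "__main__":
    for kind, src, dst, day, nbytes in detect(build_sample()):
        print(f"{day} {kind:9} {src} -> {dst} {nbytes / GB:.0f} GB")
```

In a shared HPC environment the window length and byte thresholds would need baselining per tenant and per data-transfer node, since legitimate research jobs routinely move large datasets.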