If you've been in cybersecurity long enough, you develop a reflex: dramatic claims usually aren't true. So when a tweet started circulating in early April 2026 alleging 10 petabytes of data had been stolen from China's National Supercomputing Center in Tianjin—including defense documents and missile research—my reaction was the same as most practitioners: prove it. This brings us to the crucial question: did it really happen?
What Actually Happened
Back in February 2026, a hacker group calling itself "FlamingChina" posted samples on a Telegram channel. They claimed a massive exfiltration from the NSCC in Tianjin. This is one of China's premier supercomputing facilities—the kind that should have world-class defenses. Let's put the number in perspective. Ten petabytes is about 10,000 terabytes. That's not a smash-and-grab. It's like backing up a truck and driving away with the entire filing cabinet—every drawer, folder, and sticky note. Skepticism ran high in the cybersecurity community, and I shared it. But as many of us looked more closely, it became clear that while the size is hard to believe, the data themselves appear to be real.
The Evidence Checks Out
CNN brought in independent experts to review the leaked files. They found technical manuals, login credentials, and renderings of defense equipment that looked authentic. Dakota Cary at SentinelOne confirmed that the samples fit what you'd expect from clients of a national supercomputing center. The range of the data suggested something real, not fabricated. China's government has remained silent. Silence is not confirmation, but it does nothing to undercut the experts' assessment either.
How They Did It (and Why It Matters to You)
Here's the part that should make every Chief Information Security Officer (CISO) reading this uncomfortable: the attackers reportedly got in through a compromised VPN domain. A VPN, or Virtual Private Network, is typically used to securely connect remote users or offices to a private network. Not a zero-day. Not some exotic nation-state toolkit.
Just a VPN—this should be a wake-up call.
Once inside, they used a botnet to siphon data in small chunks over roughly six months. It was a low-and-slow operation. This kind of exfiltration flies under the radar of traditional monitoring because no single transfer is large enough to trigger an alarm. It's the digital equivalent of stealing a warehouse one box at a time.
This is the same attack pattern we discuss with our clients at ProCircular. If one of the world's best-resourced computing centers can miss a six-month exfiltration (data being secretly extracted over a long period), what does that mean for mid-market organizations with legacy SIEM (Security Information and Event Management) and understaffed SOC (Security Operations Center) teams?
The right tools exist: behavioral analytics (tools that learn normal activity patterns), egress anomaly detection (monitoring for unusual outgoing data), and network segmentation (dividing networks into smaller parts for better security). For example, configure behavioral analytics to establish baselines for normal user and system activity.
This can help alert you to unusual data access or movement, like downloads at odd hours or from unexpected accounts. Likewise, monitor for unusual data transfers: spikes in outbound traffic, data sent to unfamiliar destinations, and transfers split into small pieces spread over time. Because no single piece is large, sum outbound volume per host and per destination over days and weeks, not just per transfer. Even routine firewall log reviews may help spot 'low and slow' attacks (attacks involving small amounts of data exfiltrated slowly to avoid detection). These methods are most effective when deployed, tuned to your specific environment, and actively monitored by trained staff.
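As an added example, not code from the original post or from any ProCircular tooling, the script below runs two detection rules over constructed flow records (hypothetical host names and byte counts; the 198.51.100.x and 203.0.113.x addresses are documentation ranges standing in for external destinations). The first rule is the classic per-transfer size threshold. The second sums egress per source host and external destination over 24-hour windows. The constructed "low-and-slow" host never trips the per-transfer rule, but its daily total crosses the windowed threshold every day.

```python
"""Added example: per-transfer thresholds vs. windowed egress totals on constructed flow logs."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
GB = 1024 * MB

# Assumption: only RFC 1918 space counts as "internal". Documentation ranges
# (198.51.100.x, 203.0.113.x) stand in for external addresses here, which is why
# this does not rely on ipaddress's is_global/is_private flags.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_sample_flows(days=3):
    """Constructed flow records (timestamp, src_host, dst_ip, bytes_out); hypothetical hosts."""
    start = datetime(2026, 2, 1)
    flows = []
    for day in range(days):
        base = start + timedelta(days=day)
        # One legitimate 5 GB nightly backup to an internal server.
        flows.append((base + timedelta(hours=2), "login-01", "10.0.0.5", 5 * GB))
        # Ordinary workstation traffic: 200 KB per hour to one external site.
        for hour in range(24):
            flows.append((base + timedelta(hours=hour), "ws-03", "198.51.100.7", 200 * 1024))
        # Low-and-slow exfiltration: 40 MB every 10 minutes to one external IP, all day.
        for slot in range(144):
            flows.append((base + timedelta(minutes=10 * slot), "hpc-node-17", "203.0.113.10", 40 * MB))
    return flows


def per_transfer_alerts(flows, threshold=1 * GB):
    """The classic rule: alert when any single transfer meets the threshold."""
    return sorted({src for _, src, _, size in flows if size >= threshold})


def windowed_egress_alerts(flows, window=timedelta(hours=24), threshold=1 * GB):
    """Sum bytes per (source, external destination) in fixed windows; alert on the total.

    Returns sorted (src_host, dst_ip, window_index, total_bytes) tuples.
    """
    if not flows:
        return []
    t0 = min(ts for ts, _, _, _ in flows)
    totals = defaultdict(int)
    for ts, src, dst, size in flows:
        if not is_external(dst):
            continue  # internal transfers are left to other controls, e.g. segmentation
        bucket = int((ts - t0) / window)  # window index relative to the first flow
        totals[(src, dst, bucket)] += size
    return sorted(
        (src, dst, bucket, total)
        for (src, dst, bucket), total in totals.items()
        if total >= threshold
    )


if __name__ == "__main__":
    flows = build_sample_flows()
    print("per-transfer rule flags:", per_transfer_alerts(flows))
    for src, dst, bucket, total in windowed_egress_alerts(flows):
        print(f"windowed rule flags {src} -> {dst} in window {bucket}: {total / GB:.2f} GiB")
```

The per-transfer rule flags only the legitimate backup host, while the windowed rule flags the trickling host in every 24-hour window. In production the window and threshold would be set per host class from observed baselines, and a fixed-window sum is the simplest form of the "behavioral" check the text describes.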
What Was Stolen
The leaked samples reportedly cover data from over 6,000 NSCC clients. The highlights read like a defense contractor's nightmare: stealth aircraft and UAV research from AVIC, hypersonic missile simulations from the National University of Defense Technology, and virtual wind-tunnel tests. This includes simulations for bunker-buster bombs. If even a fraction of this is accurate, it represents one of the most significant intelligence leaks in modern history.
[Sample images published by DW and on X]
But is the "10PB" headline number real?
This is where healthy skepticism still applies. The breach is real—that much is clear from the verified samples. But there's a strong argument that the "10 petabytes" figure is inflated. Hackers selling data on the dark web have every incentive to exaggerate the volume to drive up prices. Full access reportedly costs hundreds of thousands of dollars in cryptocurrency. My read: the volume is significant. The data is authentic, and the military and aerospace content is genuine. Whether it's 10PB or 2TB, the damage is done. The exact number matters less than the fact that someone lived inside a national computing facility for six months. Nobody noticed.
The Takeaway
Every breach like this is a warning, and the lesson isn’t really about China’s security posture—it’s about our own. If you're running a mid-market organization and think you're too small to be targeted, or believe your perimeter is "good enough," this should be your wake-up call. The attackers didn't use magic. They used a compromised VPN and patience. That's it. The defenses that would have caught this—continuous monitoring, network segmentation, egress anomaly detection, and human review of logs and alerts—are the same ones we deploy for our MXDR (managed extended detection and response) clients every day.
But with limited time and budget, where should you start? First, prioritize monitoring and alerting for VPN usage and unusual file transfers, since these were the initial breach vector (the method used to gain unauthorized entry) and the method of exfiltration (the unauthorized transfer of data out) in this case. Next, focus on network segmentation to limit what an attacker can access if they get inside.
Behavioral analytics and regular review of outbound traffic can be phased in as resources allow. Even simple steps, like routinely auditing user access and enabling multi-factor authentication (requiring more than just a password) on VPNs, can block attacks like this before they start. The key is to tackle the highest-risk points first and build layered detection over time. The question isn't whether someone is trying to get into your network. The question is whether you'd notice when they did.
What should you do right now?
As an immediate step, CISOs and IT leaders should use this week as an excuse to get together and talk shop.
Verify your ability to detect unusual VPN access and large or unusual data transfers. Start with a simple check of your existing alerts on these actions. Next, run a quick simulated exfiltration test. Have a team member move a large volume of data outside normal hours, then determine whether your monitoring tools flag it. Repeat the test with a small volume trickled out over several days, since a single large transfer is not the pattern this breach used. Review who currently has VPN access and revoke any unnecessary or stale credentials. Finally, ensure regular reviews of outbound traffic patterns, even if it’s a monthly manual log review. These first steps can help surface gaps in your current detection and give you a roadmap to shore up your defenses before someone else finds a way in.
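The VPN access review in the steps above, as an added example that is not code from the original post: it parses a constructed gateway log in a hypothetical syslog-like format, compares the accounts that hold a VPN entitlement against the accounts that have actually authenticated recently, and flags stale entitlements, successful logins outside working hours, and users who appear from more than one source address. The log format, the regex, the account names and the 07:00 to 19:00 UTC working window are all assumptions to adapt; real gateways log differently.

```python
"""Added example: VPN access review over a constructed gateway log (hypothetical format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: a syslog-like line format. Real gateways differ; adapt the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log, not from any real system.
SAMPLE_LOG = """\
2026-03-02T03:14:07Z vpn-gw01 auth ok user=svc-backup src=198.51.100.23
2026-03-02T08:02:11Z vpn-gw01 auth ok user=alice src=203.0.113.41
2026-03-02T09:15:40Z vpn-gw01 auth ok user=bob src=203.0.113.42
2026-03-03T02:40:09Z vpn-gw01 auth ok user=alice src=198.51.100.88
2026-03-03T02:41:30Z vpn-gw01 auth fail user=alice src=198.51.100.88
2026-03-03T13:20:00Z vpn-gw01 auth ok user=bob src=203.0.113.42
"""

# Constructed list of accounts that currently hold a VPN entitlement (hypothetical names).
ENTITLED = {"alice", "bob", "carol", "svc-backup", "contractor-old"}


def parse_vpn_log(text):
    """Parse log lines into dicts with an aware UTC timestamp; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "ok": m["result"] == "ok"})
    return events


def stale_accounts(entitled, events, now, max_idle_days=90):
    """Entitled accounts with no successful login inside the window, including never-used ones."""
    cutoff = now - timedelta(days=max_idle_days)
    recent = {e["user"] for e in events if e["ok"] and e["ts"] >= cutoff}
    return sorted(entitled - recent)


def off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the expected working window (UTC hours; an assumption)."""
    return [(e["user"], e["ts"]) for e in events
            if e["ok"] and not (start_hour <= e["ts"].hour < end_hour)]


def multi_source_users(events):
    """Users who authenticated successfully from more than one source address."""
    sources = defaultdict(set)
    for e in events:
        if e["ok"]:
            sources[e["user"]].add(e["src"])
    return {user: sorted(srcs) for user, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    events = parse_vpn_log(SAMPLE_LOG)
    now = datetime(2026, 4, 6, tzinfo=timezone.utc)
    print("stale entitlements:", stale_accounts(ENTITLED, events, now))
    print("off-hours logins:", off_hours_logins(events))
    print("multiple source addresses:", multi_source_users(events))
```

On the constructed log, the two entitled accounts that never authenticate are the revocation candidates, the service account and one user show up at 02:00 to 03:00 UTC, and one user arrives from two different addresses within a day. Each of those is a question for a human reviewer rather than an automatic verdict, which is the point of the monthly review the text recommends.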
