UPDATE:
About those 12,000 files that allegedly leaked from the security firm Knownsec (知道创宇) onto GitHub: Here's what we know so far from public reporting, company statements, and translated Chinese forum posts.
No independent sources confirm the quantity posted in many articles we came across.
On 31-10-2025, a user created a thread on a known illegal marketplace for an "exclusive sale of KNOWNSEC Chinese infosec company data." This thread had the same screenshots attached that were circulating on several social media platforms three days later.
The thread owner updated the post on 02 Nov 2025 12:51 GMT, adding more samples by linking to the image-sharing host ibb[.]co.
The metadata of images uploaded to this host reveal that the user uploaded a total of 63 images between Sun, 02 Nov 2025 12:35:00 and 12:35:48 GMT.
Some of the images first publicly surfaced the day after in a blog post authored by a user who goes by "netaskari."
On 05-11-2025, several security-focused WeChat accounts reported a Knownsec (知道创宇) leak, suggesting that an insider was involved. We've seen claims that accounts on WeChat had specific data altered or removed.
On 07-11-2025, another update on the illegal market followed, in which the thread owner stated that they had sold the data and that it would no longer be for sale.
According to Security419 (安全419), the underlying intrusion occurred in 2023 via a 0-day vulnerability within the infrastructure of a "third-party cloud desktop provider," affecting a limited number of employee cloud desktops.
Knownsec further mentions that its honeypot detected the activity in 2023, and its IR team contained, cleaned, and traced it.
We found no evidence that supports a more recent breach.
Reported scope (per Knownsec): "employee contact lists, internal training materials, a subset of customer names, and dark-web monitoring/early-warning data."
Knownsec also reported that its business systems are stable, that the 2023 incident has been closed, and that it has been in contact with the relevant regulators.
Apart from several mentions that the company's data had leaked onto GitHub, thorough OSINT does not reveal that any such repository has been reported on. Given the timeline of events, we firmly believe this to be false.
As the first post about the GitHub leak was published by an outlet that describes itself as an Artificial Intelligence-Driven Media Outlet, we believe the event was confused with another Chinese leak, the "I-Soon" leak, which actually occurred on GitHub and received a TOS takedown shortly after.
‼️ China's largest cybersecurity firm, Knownsec, was breached, exposing details of China's state cyber operations.
The data includes cyberweapon documentation, internal hacking tool source code, and global target lists covering over 20 countries, including Japan, Vietnam, and India.
A spreadsheet lists 80 hacked foreign organizations, plus evidence of 95 GB of stolen Indian immigration data and 3 TB of call records from South Korean mobile operator LG U Plus.
One of the documents mentions a malicious power bank, disguised as a charging device.
Knownsec is key to China's cybersecurity, providing advanced defense and offensive capabilities, including espionage tools.
A thread with their tools 🧵