Geedge & MESA Leak: Analyzing the Great Firewall’s Largest Document Leak


Authors: Mingshi Wu

中文版: 积至公司与MESA实验室:防火长城史上最大规模文件外泄分析

1. Introduction

The Great Firewall of China (GFW) experienced the largest leak of internal documents in its history on Thursday September 11, 2025. Over 500 GB of source code, work logs, and internal communication records were leaked, revealing details of the GFW’s research, development, and operations.

The leak originated from a core technical force behind the GFW: Geedge Networks (whose chief scientist is Fang Binxing) and the MESA Lab at the Institute of Information Engineering, Chinese Academy of Sciences. The documents show that the company not only provides services to governments in places like Xinjiang, Jiangsu, and Fujian, but also exports censorship and surveillance technology to countries such as Myanmar, Pakistan, Ethiopia, Kazakhstan, and other unidentified country under the “Belt and Road” framework.

The significance and far-reaching implications of this leak are substantial. Due to the massive volume of data, GFW Report will continue to analyze and provide updates on the current page and on the Net4People.

Enlace Hacktivista has provided the access to the leak:

The leaked files total about 600 GB. Among them, the file mirror/repo.tar alone, as an archive of the RPM packaging server, takes up 500 GB.

For detailed instructions on how to use the specific files, David Fifield has already provided a more thorough explanation on Net4People.

     7206346  mirror/filelist.txt
497103482880  mirror/repo.tar
 14811058515  geedge_docs.tar.zst
  2724387262  geedge_jira.tar.zst
 35024722703  mesalab_docs.tar.zst
 63792097732  mesalab_git.tar.zst
       71382  A HAMSON-EN.docx
       16982  A Hamson.docx
      161765  BRI.docx
       14052  CPEC.docx
     2068705  CTF-AWD.docx
       19288  Schedule.docx
       26536  TSG Solution Review Description-20230208.docx
      704281  TSG-问题.docx
       35040  chat.docx
       27242  ty-Schedule.docx
      111244  待学习整理-23年MOTC-SWG合同草本V.1-2020230320.docx
       52049  打印.docx
      418620  替票证明.docx
      260551  领导修改版-待看Reponse to Customer's Suggestions-2022110-V001--1647350669.docx

3. Safety Considerations

Due to the highly sensitive nature of these leaked materials, we strongly advise anyone who chooses to download and analyze them to take proper operational security precautions. It may be possible that these files may contain potentially risky content and accessing them in an insecure environment could expose you to surveillance or malware.

Please consider analyzing these files only in an isolated (virtual) machine without internet access.

4. Background

Great Firewall of China (GFW) is an umbrella term for a series of Internet censorship systems. Behind it, teams for research and development, operations, hardware, and management each play their roles and coordinate with one another. In addition to fixed government agencies (such as the CNCERT), different entities provide technical support depending on individual contracts and tenders. This leak originates from an important branch of the GFW’s R&D capacity: Geedge Networks and MESA Lab. The MESA lab is affiliated with the Institute of Information Engineering, Chinese Academy of Sciences (IIE, CAS).

The origins trace back to Fang Binxing, the “Father of the Great Firewall”, coming to Beijing. At the end of 2008, he established the National Engineering Laboratory for Information Content Security (NELIST), initially based at the Institute of Computing Technology, Chinese Academy of Sciences. Beginning in 2012, the supporting institution changed to the Institute of Information Engineering, Chinese Academy of Sciences. In January 2012, some NELIST personnel formed a team at IIE, and in June 2012 the team was officially named the Processing Architecture Team, English name MESA (Massive Effective Stream Analysis). Below is an excerpt from MESA’s self-introduction:

MESA Timeline

   January 2012: Liu Qingyun, Sun Yong, Zheng Chao, Yang Rong, Qin Peng, Liu Yang, and Li Jia formed a team at IIE;
   June 2012: The team was officially named the Processing Architecture Team, English name MESA (Massive Effective Stream Analysis);
   2012: Liu Qingyun was selected for IIE’s inaugural “Rising Star” talent program;
   2012: Yang Wei and Zhou Zhou joined the team;
   2012: The team successfully completed the cybersecurity assurance task for the 18th National Congress;
   January 2013: MESA’s first PhD trainee, Liu Tingwen, graduated successfully;
   2013: Li Shu, Liu Junpeng, and Liu Xueli joined the team;
   December 2013: The MESA team received IIE’s 2013 Major Scientific and Technological Progress Award;
   2014: Zhou Zhou was selected for IIE’s “Rising Star” talent program;
   2014: The MESA component SAPP platform began large-scale engineering deployment;
   2014: Zhang Peng, Yu Lingjing, and Jia Mengdie joined the team;
   2015: Zheng Chao was selected for IIE’s “Rising Star” talent program, and Zhang Peng was selected for IIE’s “Outstanding Talent Introduction” program;
   August 2015: MESA moved from the Agriculture Bureau to the Huayan Beili office area;
   July 2015: PhD student Sha Hongzhou trained by MESA graduated successfully, and Liu Xiaomei received Outstanding Graduate honors;
   2016: Dou Fenghu, Zhu Yujia, Wang Fengmei, Li Zhao, Lu Qiuwen, Du Meijie, Shen Yan, and Fang Xupeng joined MESA in succession, and the team expanded rapidly;
   2016: The team undertook multiple major engineering projects, with annual contracted revenue exceeding 35 million;
   December 2016: The MESA team participated in winning the National Science and Technology Progress Award (Second Prize);
   2018: Sun Yong and Zhou Zhou received the 2017 National State Secrecy Science and Technology Award (Second Prize);

By 2018, Fang Binxing had also established himself in Hainan, and Geedge (Hainan) Information Technology Co., Ltd. (Geedge Networks Ltd.) was founded in the same year. Fang served as chief scientist, and the “core R&D personnel came from universities and research institutes such as the Chinese Academy of Sciences, Harbin Institute of Technology, and Beijing University of Posts and Telecommunications.” Much of this talent came from MESA—for example, Zheng Chao served as CTO. Attentive readers will notice that many mentors and students from the MESA timeline appear in the leaked Geedge company git commits.

5. Analysis of Non–Source Code Files

The non–source-code portion of the leaked files has already been analyzed in detail by multiple professional teams, including, but not limited to, InterSecLab, Amnesty International, Justice for Myanmar, The Globe and Mail, Der Standard, and Follow the Money. David Fifield has collected and compiled these reports as follows:

Below are David Fifield’s notes on related media reports and technical write-ups. Please note that the source-code portion of the leak has not yet been analyzed:

6. Analysis of Source Code Files

The source-code portion of the leaked files has not yet been carefully analyzed. This leak is significant and far-reaching. Given the large volume of material, GFW Report will continue to update our analysis and findings on the current page as well as on Net4People.

6.1 Analysis of MESA Git contributors

On September 26, 2025, Dynamic Internet Technology (DIT) released a website that visualizes the contributors and contributions to the MESA Lab git repos:

7. Acknowledgement

We would like to thank InterSecLab, Amnesty International, Justice for Myanmar, The Globe and Mail (环球邮报), Der Standard, and Follow the Money for their extensive and rigorous work. As part of a research consortium, InterSecLab has been working on indexing, translating, analyzing, interpreting, and summarizing 600 GB of leaked data over the course of nine months — an effort that has been invaluable in shedding light on the significance of this leak. The investigations, reporting, and analysis from all of these organizations provided essential context and insights for future work.

To clarify, the GFW Report has never contributed to the analysis that forms the reports by these organizations.

8. Contact or Join Us

This report was first published on GFW Report. We also actively updated our analysis and findings on Net4People.

We encourage you to share questions, comments, analysis, or additional evidence on this topic, either publicly or privately. Our private contact information can be found in the footer of the GFW Report website.


Comments

Atom feed

76 Comments

Anonymous

is there any checksum file?

Bram Cohen

Just use BitTorrent.

I feel so based that Trump himself can come around and slap my dick. Cock and balls torture is fun for all family.

Anonymous

based

darkfader

did we finally some good opensource DPI sigs

Boobies

Anonymous

Dicks

Anonymous

Balls

Anonymous

fumo fumo

Goat and your mom

Pee pee poo poo

whoami

شرمط و مرمط

Anonymous

Nigger cunt

Anonymous

Winnie-the-Pooh

marco

ching chong

Let's kill some niggers m'kay?

Anonymous

xi jinping

Cash Royale

Nerf Miner

Anonymous

nerf miner

Anonymous

chinese communist party losses keep piling up like russian bodies on the fields of ukranian farms. delightful to see.

Anonymous

definitely not delightful thats for sure

Anonymous

Are you aware that Ukraine lost more? Thats not a cartoons dude, war is evil

Anonymous

The guy who sees an article about pure evil software and wonders: "hey, how could I be even more of a douche than them in my comment?"

Jonny Doo

I cringed

Anonymous

u r nazi scum

Anonymous

Of course Ukraine lost more, since China is not actively partaking in the war.

Anonymous

Is there also a list of websites or content that's been banned? It would be very useful for analysing the biggest fears of the chinese government

Anonymous

what's the source code folder?

Anonymous

mesalab_git.tar.zst

Anonymous

i need more hdds

Anonymous

in China, people who needs low cost HDD could buy some in PDD online, and the cost is about 30RMB/500G. I just buy two HDDs and make a RAID0 disk, it works well.

Anonymous

Is there anything interesting about how the GFW is architected, or is it just normie networking tech + government enforced practices?

Fang Binxing

Fiber optical splitting like NSA's Upstream, plus packet injections.

Andreas Malm

i find it hard to believe a canadian company is being sanctioned because they work with countries the us doesn't like. it seems much more likely that they maybe refused to put a backdoor for the us military or had some other internal dispute

Anonymous

hard to believe a canadian company is being sanctioned because they work with countries the us doesn't like

Sanvine was selling DPI technology to repressing regimes as well as US-based Comcast before to block BitTorrent if you haven't known.

Yeah, they might refuse any US backdoor, but that doesn't hint privacy or noncooperation, they were installing backdoors for other government against people.

Helpless Investors

The US government saw Sandvine as the perfect deal for getting foreign intel—heck, even the electricity was paid for by the foreigners—so they went ahead and proposed an acquisition. Francisco Partners asked for too much, so the US government came up with an excuse to hit them with sanctions. In the end, they had to sell their shares cheap.

From Sandvine Letter of Amnesty Report: AppLogic Networks is owned by several US-based entities, none of which is Francisco Partners, the former owner of Sandvine.

Anonymous

Who watches the watchmen? Apparently, Great Firewall Report.

Anonymous

hard

Anonymous

So… how do we bring the firewall crashing down?

Anonymous

Well...You first need some cyber Mongolians.

Anonymous

Damn you Mongolians, you tear down my shitty firewall!

I don't know if the Chinese are asking you to

Anonymous

Yes please.

  • Where did all the numerous Mongolian tribes go after they penetrated the Great Wall of China?
  • Became Chinese?

Anonymous

Maybe you should stop joking and finally make a new video about hackers?

Anonymous

Where did all the numerous Mongolian tribes go after they penetrated the Great Wall of China? Became Chinese?

We are eventually all become Chinese. Lol.

Anonymous

maybe more VPS nodes in mainland lol CCP has been cautious to ban nodes to avoid unsatisfaction

Hello from vxug

Hello from vxug

Anonymous

AWESOME

Anonymous

Very cool

N

gingangoogingan

習近平 小熊維尼

Someone in China likely will disappear from this leak

Morgan Marquis Boire

I used to enjoy raping women in the ass, but now I've shifted to shemales. Trannies, ladyboys, chicks with dicks, whatever you want to call them - I love the quality blowjobs, rim jobs, etc. from a female who's got a big cock - then I enjoy getting fucked in MY ass with a sticky pozzed up creampie ending ;)

You should see my tiny cock, it flinches like a snail being beaten up with a stick. I hate my penis so much that one day I will get high on weed and cover it with caustic lime to make it disappear.

Anonymous

Cool story bro.