China has developed one of the most extensive and sophisticated cyber operations in the world, often described by Western intelligence and cybersecurity experts as a state-directed “hacker army.” This apparatus, combined with the country’s vast domestic surveillance infrastructure, positions Beijing as a global leader in both offensive cyber capabilities and internal monitoring. While China denies many of the accusations, attributing them to geopolitical bias, reports from governments, cybersecurity firms, and leaked documents paint a picture of a highly organized, resource-rich ecosystem that supports espionage, intelligence gathering, and potential disruption on an unprecedented scale.
The Cyber Espionage Machine
China’s offensive cyber activities are primarily attributed to state-sponsored advanced persistent threat (APT) groups linked to the Ministry of State Security (MSS) and the People’s Liberation Army (PLA), including its dedicated Cyberspace Force. Prominent groups include Salt Typhoon (also tracked as OPERATOR PANDA or RedMike), Volt Typhoon, APT41 (Double Dragon), APT31, APT40 (Leviathan), and others such as Mustang Panda and APT27.
These operations have escalated in recent years. Cybersecurity analyses indicate a significant surge in China-nexus espionage, with some reports noting a 150% increase in intrusions across 2024-2025. In 2025 alone, threat-intelligence reporting tracked over 510 APT operations affecting dozens of countries, with China-attributed actors responsible for the majority in regions such as Taiwan and Southeast Asia.
High-profile incidents highlight the scope:
- Salt Typhoon’s prolonged infiltration of U.S. telecommunications networks, enabling access to communications of high-profile individuals, including former political figures.
- Breaches of Southeast Asian military organizations, where actors maintained years-long access using novel backdoors and evasion techniques.
- Compromises of U.S. military entities, such as the Army National Guard, exposing administrative credentials and network diagrams.
- Suspected intrusions into sensitive systems, including an FBI internal network related to domestic surveillance orders in early 2026.
These campaigns often involve pre-positioning for future disruption, targeting critical infrastructure such as telecoms, energy, transportation, and government networks. Actors abuse legitimate features of cloud platforms, rely on living-off-the-land techniques (driving built-in administrative tools such as command-line utilities and PowerShell rather than dropping recognizable malware, so that activity blends into normal operations), and deploy custom malware only where needed to maintain stealthy, long-term access. The goal appears twofold: gathering intelligence on adversaries and preparing for potential cyber conflict, particularly in scenarios involving Taiwan or regional disputes.
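Because living-off-the-land activity leaves no malware to signature, the practical check is command-line telemetry: which built-in tools ran, with which arguments, and whether one host chains several of them. The detector below is an added example written for this page; it is not the article's material nor any agency's or vendor's tooling. It assumes a constructed `host=... user=... image=... cmd=...` record format (not the real Sysmon or EVTX layout), an illustrative rule set drawn from behaviours public advisories on pre-positioning campaigns commonly list (ntdsutil for NTDS.dit extraction, netsh portproxy for pivoting, wmic remote process creation, encoded PowerShell, hive dumps with reg save), and an assumed threshold of two distinct techniques per host. The sample log lines are constructed.

```python
"""Illustrative living-off-the-land (LOTL) detector over process-creation events.

Added example only. The record format, rule set, sample events and the
two-techniques-per-host threshold are assumptions made for this demonstration.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    command_line: str


# (technique label, regex over the full command line). Illustrative, not exhaustive.
LOTL_RULES = [
    ("ntds.dit extraction via ntdsutil",
     re.compile(r"\bntdsutil(\.exe)?\b.*\b(ifm|ac\s+i\s+ntds)\b", re.I)),
    ("persistent port forward via netsh portproxy",
     re.compile(r"\bnetsh(\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I)),
    ("remote process creation via wmic",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b", re.I)),
    ("encoded PowerShell command",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("registry hive dump via reg save",
     re.compile(r"\breg(\.exe)?\b\s+save\s+hk(lm|ey_local_machine)\\(sam|system|security)\b", re.I)),
]

# Assumed line format for this example: host=<name> user=<domain\user> image=<path> cmd=<rest>
_RECORD = re.compile(r"host=(\S+)\s+user=(\S+)\s+image=(\S+)\s+cmd=(.*)$")


def parse_event(line):
    """Parse one constructed process-creation record; return None if malformed."""
    m = _RECORD.match(line.strip())
    if not m:
        return None
    host, user, image, cmd = m.groups()
    return {"host": host, "user": user, "image": image, "cmd": cmd}


def scan_events(lines):
    """Apply every LOTL rule to every parseable event; return matches in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for label, rx in LOTL_RULES:
            if rx.search(ev["cmd"]):
                findings.append(Finding(ev["host"], ev["user"], label, ev["cmd"]))
    return findings


def hosts_with_multiple_techniques(findings, minimum=2):
    """Group findings per host. A host chaining several distinct techniques
    (e.g. credential access plus a pivot) is a stronger pre-positioning signal
    than any single command. The threshold is an assumption."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return {h: techs for h, techs in per_host.items() if len(techs) >= minimum}


# Constructed sample telemetry: three hosts with suspicious activity, one benign host,
# and one malformed line that the parser must skip.
SAMPLE_EVENTS = [
    r'host=DC01 user=CORP\svc_backup image=C:\Windows\System32\ntdsutil.exe cmd=ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q',
    r'host=WS22 user=CORP\jdoe image=C:\Windows\System32\netsh.exe cmd=netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.0.5 connectport=3389',
    r'host=WS22 user=CORP\jdoe image=C:\Windows\System32\wbem\wmic.exe cmd=wmic /node:FS01 process call create "cmd.exe /c whoami"',
    r'host=WS07 user=CORP\alice image=C:\Windows\System32\netsh.exe cmd=netsh wlan show profiles',
    r'host=WS07 user=CORP\alice image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -NoProfile -File C:\scripts\backup.ps1',
    r'host=SRV03 user=CORP\svc_web image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA=',
    r'host=SRV03 user=CORP\svc_web image=C:\Windows\System32\reg.exe cmd=reg save HKLM\SAM C:\Windows\Temp\sam.hiv',
    'not a process event at all',
]


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:6} {f.user:18} {f.technique}: {f.command_line}")
    print("hosts chaining techniques:", hosts_with_multiple_techniques(found))
```

On the constructed input the scan yields five findings; the benign netsh and PowerShell lines on WS07 do not fire, and WS22 and SRV03 are reported as hosts chaining two techniques each. In production the same logic should run over endpoint telemetry with a baseline of which accounts legitimately use these tools, since ntdsutil and reg save are also run by backup and migration jobs.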
China’s approach has evolved into an “industrialized” model, with a division of labor among reconnaissance providers, exploit developers, malware creators, and infrastructure operators. This ecosystem draws talent from universities, hacking competitions, and private contractors—sometimes revealed through leaks like those from i-SOON—allowing for high-volume, resilient operations.
Western agencies, including the U.S. FBI, CISA, NSA, and their Five Eyes partners, have repeatedly described China's program as larger than that of any other nation, with U.S. officials stating that it exceeds those of every other major nation combined.
The Domestic Surveillance Backbone
Parallel to its external cyber operations, China operates what is widely regarded as the world’s largest surveillance network. Estimates place the number of CCTV cameras at over 700 million as of recent years—one for roughly every two citizens—integrated into systems like “Skynet.” These employ AI-powered facial recognition to track individuals in real time across cities and public spaces.
This infrastructure supports broader control mechanisms:
- The Great Firewall censors internet content and monitors online activity.
- Social credit systems, refined through 2025 guidelines and national platforms, aggregate data from government, financial, and commercial sources—over 80 billion records covering hundreds of millions of entities by early 2025—to enforce compliance, issue penalties, or provide incentives.
- Targeted tools focus on specific groups, such as ethnic minorities in regions like Xinjiang, dissidents, and critics, blending physical surveillance with digital tracking.
While officially framed as tools for public safety, crime prevention, and economic stability, critics argue they enable mass monitoring and suppression of dissent. The credit system is also tied to financing flows measured in the tens of trillions of yuan and integrates with corporate and tech ecosystems.
Implications and Global Concerns
China’s dual cyber and surveillance capabilities represent a fusion of internal control and external power projection. Offensive operations feed intelligence into a global espionage system, while domestic tools ensure regime stability. This “whole-of-nation” approach—blending state agencies, contractors, and private firms—creates a formidable advantage in cyber domain competition.
Beijing consistently rejects allegations of malicious hacking, insisting its activities are defensive or misattributed. However, joint advisories from multiple nations and ongoing attributions underscore persistent concerns over economic espionage, intellectual property theft, and risks to critical infrastructure.
As cyber threats evolve, with AI acceleration and supply-chain vulnerabilities amplifying risks, China’s model sets a benchmark—and a warning—for how states can wield technology for strategic dominance. The world watches closely, balancing deterrence, diplomacy, and defense in an era where code and cameras shape power.