Cyber Threat Actor: FlamingChina
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
1 incident |
|---|
Profile
FlamingChina is the alias used to describe the threat actor responsible for the February 6 2026 intrusion into the National Supercomputing Center in Tianjin. According to publicly reported sources, the actor gained initial access through a compromised virtual private network and subsequently employed a botnet to distribute the exfiltration process, aiming to avoid detection by security monitoring. Over several months, the actor extracted more than ten petabytes of data, which included defense documents, missile schematics, and research materials from aerospace, military, bioinformatics, and fusion simulation domains. The stolen dataset was later advertised for sale on the Telegram messaging platform, with samples displaying classified markings that led independent experts to assess the leak as genuine, although the exact origin of the breach could not be independently verified. This incident represents the only publicly documented operation attributed to FlamingChina in the available information.
The targeting of a national supercomputing facility indicates a focus on high‑value scientific and defense infrastructure located in China, suggesting that the actor sought information with strategic significance. By offering the exfiltrated data for sale, the actor demonstrated a financial motive tied to the monetization of stolen intellectual property, though no further details about revenue or financial gain are provided in the sources. The observed tactics—initial VPN compromise followed by botnet‑assisted data dispersal—highlight a reliance on legitimate‑appearing access channels and distributed techniques to obscure large‑scale transfers. No public attribution links FlamingChina to a specific state sponsor, criminal consortium, or other affiliations, and the available reporting does not clarify whether the actor operates independently or as part of a larger group. Consequently, the profile remains confined to the confirmed facts of the Tianjin supercomputing breach, the associated data sale attempt, and the described TTPs without extrapolation beyond the evidence.
