
Cyber Incident Victim: Knowlesys

Date: Aug 2020

Location: China

Summary

A hacking group identifying as CCP Unmasked leaked alleged internal documents from Knowlesys and two other Chinese social media monitoring firms, claiming the materials exposed government-directed surveillance and disinformation campaigns targeting platforms like Facebook and Twitter. The leaked files included confidential presentations describing the company's Intelligence Center platform, which purportedly enabled monitoring of opposition groups and collaboration with intelligence, military, and police agencies across multiple countries. While authenticity remains unverified, some document details matched nonpublic executive contact information. The hackers released a small sample before their Twitter account was suspended for sharing hacked materials, citing motives to challenge perceived threats to democracy. The incident revealed potential foreign government contracts and surveillance capabilities while subjecting the firms to reputational scrutiny.


Description

On or around August 19, 2020, a hacking group identifying as CCP Unmasked infiltrated the systems of three Chinese social media monitoring firms—Knowlesys (based in Hong Kong and Guangdong), Yunrun Big Data Service (Guangzhou), and OneSight (Beijing). The group exfiltrated approximately 40GB of internal files, including presentations and Word documents, which they claimed exposed these companies’ collaboration with the Chinese government to conduct social media surveillance and disinformation campaigns targeting democratic processes. CCP Unmasked began leaking select documents via their Twitter account (@CCP_Unmasked) on September 25, 2025, but Twitter suspended the account under its hacked materials policy shortly afterward. The hackers asserted their actions aimed to challenge the Chinese Communist Party’s alleged interference in democracy and freedom of expression. Among the leaked materials was a Knowlesys presentation labeled “highly confidential,” detailing its Intelligence Center platform, which purported to monitor targets’ messages, profiles, locations, behaviors, and relationships across blocked platforms in China, including Facebook, Twitter, WeChat, YouTube, forums, and blogs. The presentation stated Knowlesys had worked “closely with intelligence agencies for 8 years,” serving clients such as intelligence and security agencies, military, and police, and highlighted capabilities to track opposition parties’ activities online.


The incident’s immediate impact included the public exposure of sensitive operational details, such as Knowlesys’s participation in international surveillance conferences (e.g., ISS World in Dubai and Milpol in Qatar) and its attempts to expand into markets like the UK. Motherboard, which received the leaked files, noted that nonpublic contact details for Knowlesys’s CEO embedded in the documents matched functional email, Skype, and WhatsApp accounts, lending credibility to at least some materials. However, the authenticity of the full dataset remained unverified, as the companies did not respond to requests for comment, and the broader 40GB cache was not publicly accessible. Researcher Adam Segal contextualized the leak as unsurprising given China’s established surveillance strategies but noted the novelty of attributing specific actions to named firms. The hackers’ disclosure highlighted Knowlesys’s role in foreign-facing monitoring, particularly its targeting of anti-government groups and terrorists for non-Chinese clients, given the inaccessibility of platforms like Facebook and Twitter within China. No containment measures or technical responses from the affected companies were documented in the available reporting.
