Cyber Incident Victim: OneSight
Date: Aug 2020
Location: China
Summary
A group of hackers known as CCP Unmasked leaked alleged internal documents from three Chinese social media monitoring firms, including OneSight, claiming the files exposed government-linked surveillance and disinformation operations targeting foreign platforms like Facebook and Twitter. The hackers released presentations and confidential materials purportedly detailing tools for monitoring opposition groups, terrorists, and public opinion across blocked platforms, suggesting services for intelligence agencies and foreign governments. Twitter suspended the group’s account under its hacked materials policy, though some document details matched non-public company information. The actors stated their motivation was to challenge perceived Chinese government interference in democracy, while researchers noted the activities aligned with known state-linked monitoring practices despite the novelty of internal evidence exposure.
Description
On or around August 19, 2020, the hacking group CCP Unmasked infiltrated three Chinese social media monitoring firms—Knowlesys (Hong Kong/Guangdong), Yunrun Big Data Service (Guangzhou), and OneSight (Beijing)—and exfiltrated approximately 40GB of internal documents. The group publicly announced the breach on September 26, 2025, by contacting journalists and leaking select files via their Twitter account @CCP_Unmasked, framing the action as an exposé of Chinese government-backed disinformation campaigns and social media surveillance targeting democratic processes. Twitter suspended the account within hours under its hacked materials policy, halting further public dissemination. The hackers claimed the documents revealed close collaboration between these companies and Chinese intelligence, military, and police agencies, though Motherboard could not independently verify the authenticity of the full dataset.

The leaked materials included confidential presentations and operational documents in English and Chinese. A Knowlesys presentation labeled "highly confidential" detailed its "Intelligence Center" platform, which monitored global social media platforms like Facebook, Twitter, WeChat, YouTube, blogs, and forums—despite these platforms being blocked in China—to track terrorists, anti-government groups, and opposition party activities. The presentation stated the company had worked with intelligence agencies for eight years and listed nonpublic contact details for its CEO, which matched functional email, Skype, and WhatsApp accounts, lending credibility to at least that document. Knowlesys had previously demonstrated capabilities to monitor targets' messages, locations, relationships, and public opinion during elections, according to Freedom House. The hackers did not disclose their intrusion methods but emphasized their motive was to challenge China's alleged interference in democracy through disinformation. None of the three companies responded to requests for comment. Cybersecurity researcher Adam Segal noted that while the companies' surveillance activities aligned with known Chinese government practices, the breach provided rare internal documentation linking specific firms to these operations. The incident exposed potential foreign clients, as Knowlesys had recently marketed services in the UK and participated in surveillance conferences in Dubai and Qatar.
