Data Leak Exposes TopSec’s Involvement in China’s Censorship-as-a-Service Operations

An investigation into a data leak from TopSec, a Chinese cybersecurity company, suggests that it may provide censorship-as-a-service solutions to various clients, including a state-owned enterprise within China.

Established in 1995, TopSec primarily offers services such as Endpoint Detection and Response (EDR) and vulnerability scanning. However, it also appears to be delivering tailored solutions to meet government initiatives and intelligence requirements, according to a report by SentinelOne researchers Alex Delamotte and Aleksandar Milenkoski.

The leaked data includes details about infrastructure, work logs from employees, and references to web content monitoring services, all indicating that these services are used to enforce censorship for both public and private sector clients.

The leak also suggests that TopSec provided customized monitoring services to a state-owned enterprise involved in a corruption scandal, further implying that such services are being deployed to monitor and control public sentiment when needed.

Among the data exposed, there is a contract for a “Cloud Monitoring Service Project” issued by the Shanghai Public Security Bureau in September 2024. The document reveals that the project involves the continuous surveillance of websites under the Bureau’s jurisdiction to identify security concerns and changes in content, as well as to generate incident alerts.

The platform in question is specifically designed to detect hidden links within web content, along with those containing sensitive terms related to political criticism, violence, or pornography.

Although the specific goals of the monitoring are not entirely clear, it is suspected that the alerts generated could be used by customers to take further actions such as issuing warnings, removing content, or restricting access when sensitive keywords are identified. According to public records reviewed by SentinelOne, the contract for this project was awarded to Shanghai Anheng Smart City Security Technology Co. Ltd.

SentinelOne researchers discovered the leak after analyzing a text file uploaded to the VirusTotal platform on January 24, 2025. The precise method of the data leak remains unknown.

The file in question includes extensive work logs, which document the tasks performed by TopSec employees and the time spent on them, often accompanied by scripts, commands, or other data related to the tasks, the researchers noted.

In addition to these work logs, the leak reveals commands and playbooks used to manage TopSec’s services through various common DevOps and infrastructure technologies, such as Ansible, Docker, Elasticsearch, GitLab, Kafka, Kibana, Kubernetes, and Redis.

Also found in the leak were references to a framework called Sparta (or Sparda), which is believed to handle sensitive word processing by receiving content from downstream web applications via GraphQL APIs, further supporting the notion of censorship keyword monitoring.

“These leaks provide a valuable perspective on the intricate relationships between government agencies and private cybersecurity firms in China,” the researchers commented.

“While many countries feature significant overlap between government requirements and private sector cybersecurity companies, the connections between these entities in China are far more integrated, reflecting the state’s control over managing public opinion through online enforcement.”
