
China Hacked the FBI's Wiretap List. Here's What They Got.

There's a database inside the FBI that most Americans have never heard of. It doesn't store the content of phone calls. It doesn't record your messages. On paper it sounds pretty harmless. Just numbers. Just metadata. Just records of who called whom, and when, and how often, and from where. That database is called DCS-3000. Some people inside the bureau call it by another name: Red Hook. And China just got into it.

The FBI classified the intrusion as a "major incident" under federal law. That's the designation federal law reserves for a breach likely to cause demonstrable harm to national security, and it triggers mandatory notification to Congress. In plain terms, it means a foreign government just got its hands on a map of the people the FBI is watching.

Think about that for a second.

Not a breach of some company's customer records. Not a leak of emails or financial data. China now knows who the FBI is investigating. They know the phone numbers of people under active surveillance. They know the call patterns, the contact networks, the digital footprints of ongoing counterintelligence cases.

And here's the part that should make your stomach turn.

The same infrastructure that was built to surveil Americans is the exact infrastructure that just handed a foreign adversary a roadmap of America's most sensitive operations.

What Red Hook Actually Is

The FBI runs an internal network called DCSNet, the Digital Collection System Network. It's a sprawling piece of infrastructure that manages court-authorized wiretaps, foreign intelligence surveillance collection, and lawful intercept operations. Think of it as the plumbing behind the FBI's court-authorized phone taps.

Inside DCSNet sits DCS-3000. Red Hook. The system that got breached.

Red Hook handles what are called pen register and trap-and-trace returns. That's the technical term for the metadata side of surveillance: a pen register captures the dialing, routing, addressing and signaling information on a target's outgoing communications, and a trap-and-trace device captures the same for incoming ones. Neither captures content. When the FBI gets a court order to monitor a subject, they aren't always recording the actual content of calls. Sometimes they just want the map. Who is this person calling? Who is calling them? How often? What numbers are connecting to what other numbers? What websites are being visited? What patterns emerge over time?

That's what pen register data captures. And that's what was sitting in Red Hook when the Chinese got in.

Here's why metadata is more dangerous than most people realize.

Content is often noise. Conversations are full of small talk, dead ends, irrelevant information. But metadata is pure signal. A phone number doesn't mean much in isolation. But a map of every number that number has talked to, every pattern of contact over months or years, every geographical connection and timing signature? That builds a complete picture of a network. Intelligence analysts call it link analysis, or graph analysis. It's how you take a single data point and unravel an entire operation.

Red Hook wasn't just holding phone numbers. It was holding the FBI's network maps. Their webs of association. Their investigative architecture. Everything they'd assembled over months or years of surveillance work, all sitting in one place, all accessible, all waiting.
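Here is what that unraveling looks like in practice. This is an added example, not code from the article and not anything from the FBI's systems: the call records are constructed and the phone numbers are placeholders. Starting from one seed number, it walks every chain of calls reachable from it, finds the most connected number in that cluster, and identifies the intermediaries whose removal would split the cluster. Those intermediaries are what an adversary holding the metadata would hunt for, because they are the cut-outs of a network.

```python
"""Link analysis over call metadata.

Added example, not from the article or the FBI. RECORDS is constructed:
each tuple is (calling number, called number, epoch seconds). The phone
numbers are placeholders.
"""
from collections import defaultdict, deque

RECORDS = [
    ("202-555-0101", "202-555-0150", 1700000000),
    ("202-555-0101", "202-555-0150", 1700003600),
    ("202-555-0150", "703-555-0199", 1700007200),
    ("703-555-0199", "703-555-0187", 1700010800),
    ("703-555-0199", "703-555-0173", 1700014400),
    ("212-555-0142", "212-555-0166", 1700018000),  # unrelated pair, stays outside
    ("202-555-0150", "703-555-0199", 1700100000),
    ("703-555-0187", "703-555-0199", 1700103600),
    ("202-555-0101", "202-555-0150", 1700200000),
]


def build_graph(records):
    """Undirected weighted adjacency: number -> {peer number: call count}."""
    graph = defaultdict(lambda: defaultdict(int))
    for src, dst, _ts in records:
        graph[src][dst] += 1
        graph[dst][src] += 1
    return graph


def reachable(graph, seed, avoid=None):
    """Every number linked to `seed` by a chain of calls, optionally skipping one node."""
    seen = {seed}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer != avoid and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def cut_vertices(graph, component):
    """Numbers whose removal disconnects the component: the cut-outs."""
    if len(component) < 3:
        return set()
    cuts = set()
    for candidate in component:
        rest = component - {candidate}
        start = next(iter(rest))
        if reachable(graph, start, avoid=candidate) != rest:
            cuts.add(candidate)
    return cuts


def analyze(records, seed):
    """Expand one seed number into the structure of its contact network."""
    graph = build_graph(records)
    component = reachable(graph, seed)
    # Hub: most distinct contacts; the number tie-breaks so the result is stable.
    hub = max(component, key=lambda n: (len(graph[n]), n))
    return {
        "component": component,
        "hub": hub,
        "hub_degree": len(graph[hub]),
        "cut_vertices": cut_vertices(graph, component),
        # Pair inside the component with the most calls between them.
        "strongest_tie": max(
            ((a, b, w) for a in component for b, w in graph[a].items() if a < b),
            key=lambda t: t[2],
        ),
    }


if __name__ == "__main__":
    result = analyze(RECORDS, "202-555-0101")
    print("contacts reachable from seed:", len(result["component"]))
    print("hub:", result["hub"], "degree", result["hub_degree"])
    print("cut-outs:", sorted(result["cut_vertices"]))
    print("strongest tie:", result["strongest_tie"])
```

Note what the seed alone never told you: the seed number only ever talks to one intermediary, yet two hops out the graph exposes a hub with three separate contacts, and the two numbers flagged as cut vertices are the ones whose loss would sever the seed from the rest of the cluster. That is the picture a pen-register return hands to whoever holds it.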

How They Got In

The FBI's official statement was careful. Deliberately careful. They said the hackers gained access by "leveraging a commercial Internet Service Provider's vendor infrastructure." A method the bureau described as reflecting the group's "sophisticated tactics."

Translation: they didn't kick down the front door.

They found a side entrance. A vendor. A third party. Someone with access to FBI systems who didn't have the same hardened protections as the bureau itself. A single weak link in a chain of trust, and they walked right through it.

This is loosely called a supply chain attack, though the more precise name for this variant is a trusted-relationship compromise: the attacker abuses a third party's legitimate access instead of tampering with software or hardware the target installs. Either way, it's not new. It's the same playbook that's been used over and over again against American institutions, government agencies, and private companies for years. You don't target the fortress. You target the contractor who has the keys. You find the HVAC company, the software vendor, the ISP. The person who has access but doesn't have the same threat model.

Analysts first noticed something wrong on February 17th: suspicious activity coming out of FBI systems in the Virgin Islands. By March 4th, the bureau had formally told Congress it was investigating. By April, the FBI had classified the breach as a major incident under the Federal Information Security Modernization Act. That law requires federal agencies to notify Congress within seven days of determining that a breach is a major incident, meaning one likely to result in demonstrable harm to national security.

They hit that threshold. The hackers got in, they took data, and the bureau judged the damage serious enough to meet the statutory definition.

Senior U.S. Official — Politico

"It's embarrassing for the bureau to be compromised by the very adversary it's charged with tracking."

Who Did This

No hacking group has been formally named by the FBI, CISA, or the White House as of the time of this writing. But investigators have focused significant attention on Salt Typhoon, a threat actor linked to China's Ministry of State Security.

If that name sounds familiar, it should.

Between 2019 and 2024, Salt Typhoon burrowed deep into all three major American cellular providers. They sat inside those networks, quietly, for years. They siphoned call records on tens of millions of Americans. They accessed the lawful intercept infrastructure used by law enforcement. They watched the watchers. Then they disappeared back into the noise, and most people never heard about it until it was already over.

The Red Hook breach looks like chapter two of that same operation. A deliberate, patient campaign to understand exactly how America conducts surveillance. Who it's watching. How it's watching. Where the gaps are. Which assets might be compromised. Which operatives need to be pulled or warned.

Think about what China can do with that information.

If they have a list of phone numbers under active FBI surveillance, they know which of their operatives are blown. They know which cases are live. They can cut ties, disappear assets, change communication patterns, and do it all without ever tipping off the investigators supposedly watching them. They can render years of counterintelligence work useless overnight. Not by confronting it. Just by quietly stepping around it.

That's not just embarrassing. That's a strategic catastrophe disguised as a data breach.

The FBI Is Fighting on Multiple Fronts Right Now

The Red Hook breach isn't even the only active intrusion the bureau is dealing with at this moment.

Separately, Iranian hackers from a group called Handala reportedly breached FBI Director Kash Patel's personal email account. Emails spanning from 2010 to 2019. Verified by journalists through message headers. The head of the FBI. On a personal Gmail account. Compromised by a foreign government.

And before those two incidents, there was a 2023 breach of the FBI's New York field office that exposed files from an active investigation. That breach only became public in early 2026.

Three separate intrusions. Three separate foreign actors. All in play at the same time. The bureau that's supposed to be protecting the country from exactly this kind of thing is fighting a multi-front cyber war on its own networks while simultaneously trying to investigate threats to everyone else.

Former deputy assistant director of the FBI's cyber division Cynthia Kaiser told Politico that the major incident threshold is rarely hit. She said she's not aware of the FBI making that determination on a hack affecting its own networks since at least 2020. The threshold is high. The fact that they crossed it here means this isn't a close call. This is the real thing.

The Paradox Nobody Wants to Say Out Loud

Here's what nobody in Washington wants to talk about.

The system that just got breached exists because it was built to collect and centralize data at scale. Pen register and trap-and-trace orders are issued against specific targets, but the returns don't stay scattered across carriers. They get pulled into one system where they can be stored, correlated and searched. That infrastructure got built because centralizing the data seemed like a good idea for national security. Centralized. Organized. Searchable. Powerful.

And then someone else got into it.

This is the paradox of mass surveillance. The more data you collect, the bigger the target you create. Every new data point added to a centralized repository is another reason for an adversary to want in. Every new system built to aggregate and analyze becomes a single point of catastrophic failure. You build a vault to store the crown jewels. And you've also built a vault that tells every thief in the world exactly where to go.

The federal government has spent billions on cybersecurity since the Office of Personnel Management breach a decade ago. Billions. New frameworks, new requirements, new agencies, new task forces. And yet the hits keep coming. The methods don't change because the incentive doesn't change. A compromised surveillance system is worth more than almost anything else you could steal. And as long as those systems exist, someone is going to keep trying to get in.

They always do. Eventually they always get through.

The Dwell Time Nobody's Talking About

There's one more piece of this that isn't getting nearly enough attention.

The FBI detected suspicious activity on February 17th. They told Congress on March 4th. The major incident classification became public in early April. That's roughly six weeks between detection and full public disclosure.

What nobody has answered is how long the hackers were in before they were detected.

In cybersecurity, dwell time is everything. A breach caught in hours is a completely different event than a breach running for weeks or months. The longer an intruder sits inside a network undetected, the more they can see, copy, map, and understand. They don't just grab data. They watch the system operate. They learn the patterns. They identify what's valuable and what isn't. They study the architecture. And then they take exactly what they came for.

The FBI has conspicuously refused to say when the intrusion began. Only when it was detected. Those are two very different dates. And the gap between them is where the real damage lives.
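To make the dwell-time point concrete, and to tie it back to the third-party access route described above: the following is an added example, not the bureau's tooling and not from the article. It hunts backward through constructed remote-access logs for a hypothetical vendor account, flags successful logins from outside the address ranges the vendor is expected to use, and reports how far ahead of the detection date the earliest such login sits. The account name, the IP ranges, the timestamps and the log format are all made up for illustration.

```python
"""Scoping an intrusion backward from the detection date.

Added example; not from the article and not FBI tooling. Every log line,
account name, address range and timestamp below is constructed.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed remote-access log lines for a hypothetical third-party support account.
LOG_LINES = [
    "2026-01-12T09:02:11Z vpn user=vendor-svc src=192.0.2.40 result=SUCCESS",
    "2026-01-28T03:12:44Z vpn user=vendor-svc src=198.51.100.23 result=SUCCESS",
    "2026-02-02T02:55:10Z vpn user=vendor-svc src=198.51.100.23 result=SUCCESS",
    "2026-02-10T14:05:01Z vpn user=vendor-svc src=192.0.2.77 result=SUCCESS",
    "2026-02-15T03:20:37Z vpn user=vendor-svc src=198.51.100.23 result=FAILURE",
    "2026-02-17T04:40:09Z vpn user=vendor-svc src=198.51.100.23 result=SUCCESS",
    "2026-02-17T10:00:00Z vpn user=analyst1 src=192.0.2.9 result=SUCCESS",
]

# Constructed: ranges the vendor is contractually expected to connect from,
# and the accounts that belong to that vendor.
VENDOR_ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]
VENDOR_ACCOUNTS = {"vendor-svc"}

# Hypothetical moment the SOC raised the alarm (mirrors the article's Feb 17 date).
DETECTION_TIME = datetime(2026, 2, 17, 4, 45, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "user": m["user"],
        "src": ipaddress.ip_address(m["src"]),
        "result": m["result"],
    }


def is_anomalous(event):
    """A vendor account that authenticated from outside its expected ranges."""
    if event["user"] not in VENDOR_ACCOUNTS or event["result"] != "SUCCESS":
        return False
    return not any(event["src"] in net for net in VENDOR_ALLOWED)


def scope_intrusion(lines, detection_time):
    """Earliest anomalous vendor login and the dwell time it implies."""
    events = [e for e in map(parse_line, lines) if e]
    anomalies = sorted((e for e in events if is_anomalous(e)), key=lambda e: e["ts"])
    if not anomalies:
        return {"first_seen": None, "dwell_days": None, "sources": set(), "count": 0}
    first = anomalies[0]["ts"]
    return {
        "first_seen": first,
        "dwell_days": (detection_time - first).days,
        "sources": {str(e["src"]) for e in anomalies},
        "count": len(anomalies),
    }


if __name__ == "__main__":
    report = scope_intrusion(LOG_LINES, DETECTION_TIME)
    print("first anomalous vendor login:", report["first_seen"])
    print("dwell before detection (days):", report["dwell_days"])
    print("unexpected sources:", sorted(report["sources"]))
```

The login that tripped the alarm on the detection date is the third success from the same unexpected address, not the first. Run over the older logs, the earliest one is three weeks before anyone noticed, and that gap is the dwell time the public timeline never states. A real hunt would widen the window further by including the failed attempts from the same source and any off-hours pattern, but the core move is the same: the start of an intrusion is found in the logs, not in the detection ticket.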

What This Means If You're Not an FBI Target

You're probably not under active federal surveillance. Most people aren't.

But your data is still out there. In databases you've never seen, controlled by companies and agencies you've never consented to, being bought and sold and shared in ways that would make you uncomfortable if you knew the full picture. Your carrier has your records. Data brokers have purchased them. Analytics companies have processed them. Government agencies have requested them, sometimes with warrants and sometimes without.

The difference between your information and the data inside Red Hook is just a matter of targeting. The FBI's surveillance subjects were specifically chosen. You weren't. But the data exists either way. And every database that holds your information is a target. Not necessarily for China. Not necessarily for a nation-state. But for someone.

This is what the standard phone operating system never tells you. Much of what you do on a stock iPhone or Android phone gets logged, stored, and passed along to the platform vendor, to app developers, and to whoever they share it with. A chain of custody that most people never think about until something like this happens and they realize how many links that chain actually has.

The question isn't whether your data is being collected. It is. The question is how much of it exists, where it lives, and who can get to it when they decide they want it.

The Bottom Line

Most people don't know there's another option.

A phone that doesn't report back to Google, Apple, or the government. One that doesn't tie your identity to your browsing, your app activity, or anything else you do on it. Less data collected means less data that can be stolen, sold, or handed over.
