
China Hacked the FBI's Wiretap Network — and the U.S. Just Called It a 'Major Cyber Incident'

A suspected Chinese state intrusion into the FBI's domestic surveillance infrastructure has been formally elevated to the government's most serious breach classification. What was compromised — and why the Salt Typhoon group keeps winning.

Wednesday, April 1, 2026  |  By Ranked Brief

The Federal Bureau of Investigation has formally classified a suspected Chinese government intrusion into its domestic wiretap and surveillance network as a "major cyber incident," Politico reported Wednesday, citing one congressional aide and two U.S. officials. The designation — the government's most serious internal classification for federal breaches — indicates the hackers successfully compromised substantial sensitive data held directly on FBI systems.

The intrusion was first detected on February 17, 2026, according to a notification the FBI sent to Congress last month and reviewed by Reuters. The targeted system, known internally as DCS-3000 and nicknamed "Red Hook," is part of the FBI's Digital Collection System Network, or DCSNet, the technical infrastructure the bureau uses to process court-authorized wiretap requests and foreign intelligence surveillance orders.

What We Know

What Was — and Wasn't — Taken

DCS-3000 does not store the audio content or text of intercepted communications. That material flows through a separate platform called Digital Storm, which was not part of the compromised environment, according to analysis published by Centraleyes, a cybersecurity firm, citing details from the investigation.

What DCS-3000 does hold is arguably just as dangerous from an intelligence standpoint: the metadata of active FBI investigations. That includes pen register data (the numbers and addresses a surveilled party contacts) and trap-and-trace data (who contacts that party), in the form of logs of dialed numbers, IP addresses, communication routing information, and timing data, along with warrant information identifying who is under investigation and why.

In law enforcement terms, this is the connective tissue of an investigation. Metadata logs allow investigators to map relationships between suspects, identify networks, and track communication patterns across months or years of casework. In the hands of a foreign intelligence service, the same data reveals the identities of FBI sources, the scope of active national security investigations, and potentially which Chinese intelligence operatives have been flagged by U.S. authorities.
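The paragraph above says metadata alone maps relationships; the block below makes that concrete. It is an added example written for this piece, not FBI or DCS-3000 code. The records are constructed and the party identifiers (T, H, B and so on) are placeholders, not real numbers or accounts. It builds a contact graph from pen-register-style records and shows three things routing metadata yields without any content: who the hubs are, who a target talks to, and which two parties are linked only through shared intermediaries.

```python
"""Link analysis over pen-register / trap-and-trace style metadata.

Added example, not FBI or DCS-3000 code. The records are constructed and the
identifiers (T, H, B, ...) are placeholders, not real numbers or accounts.
"""
from collections import defaultdict
from itertools import combinations

# Constructed records: (timestamp, originating party, receiving party, seconds).
# A pen register captures the outgoing side, a trap-and-trace the incoming
# side; here both are merged into one list of directed contacts.
RECORDS = [
    ("2026-02-01T09:05", "T", "B", 120),
    ("2026-02-01T21:40", "T", "C", 45),
    ("2026-02-02T08:15", "T", "D", 300),
    ("2026-02-02T22:10", "B", "H", 60),
    ("2026-02-03T07:50", "C", "H", 90),
    ("2026-02-03T23:05", "D", "H", 30),
    ("2026-02-04T12:00", "B", "E", 15),
    ("2026-02-05T09:30", "T", "B", 200),
    ("2026-02-06T10:00", "T", "F", 50),
]


def build_graph(records):
    """Return (edge_counts, contacts): undirected pair -> number of contacts,
    and party -> set of parties it has exchanged traffic with."""
    edge_counts = defaultdict(int)
    contacts = defaultdict(set)
    for _ts, src, dst, _secs in records:
        pair = tuple(sorted((src, dst)))
        edge_counts[pair] += 1
        contacts[src].add(dst)
        contacts[dst].add(src)
    return dict(edge_counts), dict(contacts)


def hubs(contacts, n=3):
    """Parties with the most distinct contacts (degree), ties broken by name."""
    ranked = sorted(contacts.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(party, len(peers)) for party, peers in ranked[:n]]


def direct_contacts(contacts, party):
    """Everyone who exchanged traffic with `party`, from metadata alone."""
    return sorted(contacts.get(party, ()))


def inferred_associations(contacts, min_shared=3):
    """Pairs that never contact each other directly but share at least
    `min_shared` intermediaries. A cut-out hides the link in content but
    not in the contact graph."""
    found = []
    for a, b in combinations(sorted(contacts), 2):
        if b in contacts[a]:
            continue  # directly linked; nothing to infer
        shared = contacts[a] & contacts[b]
        if len(shared) >= min_shared:
            found.append(((a, b), len(shared)))
    return sorted(found, key=lambda item: (-item[1], item[0]))


EDGES, CONTACTS = build_graph(RECORDS)

if __name__ == "__main__":
    print("hubs:", hubs(CONTACTS))
    print("T talks to:", direct_contacts(CONTACTS, "T"))
    print("linked only via cut-outs:", inferred_associations(CONTACTS))
```

In the constructed data, T and H never contact each other, yet they share three intermediaries; that is the kind of relationship an investigator infers from pen register logs, and equally the kind a foreign service reading those logs would use to work out who is under scrutiny and through whom.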

The FBI described the attackers' techniques as "sophisticated" in its congressional notification, reviewed by Reuters. Officials said the investigation remained in its early stages and that remediation and forensic work were ongoing. The FBI declined to comment publicly; the Chinese Embassy in Washington did not respond to Reuters' request for comment.

A Familiar Playbook

The attack method bears the hallmarks of what security researchers call a trusted-relationship, or supply-chain, compromise. Rather than attempting a direct assault on FBI network defenses, the hackers compromised a commercial internet service provider that held trusted connectivity into the bureau's surveillance infrastructure. By operating through a known, legitimate vendor pathway, they could blend malicious traffic into routine network activity and evade detection systems tuned to flag unauthorized access, since the access itself was authorized.

U.S. authorities and independent security researchers have attributed the operation to Salt Typhoon, a Chinese state-sponsored group with a long record of sustained, low-noise intrusions into U.S. government and telecommunications systems. Salt Typhoon drew significant public attention in 2024 after breaching the networks of AT&T and Verizon in one of the most consequential espionage campaigns against American telecommunications infrastructure on record. That operation gave the group access to communications tied to political campaigns and senior government officials.

The targeting of DCSNet is consistent with Salt Typhoon's documented mission: not to disrupt systems, but to monitor and understand what U.S. intelligence knows about Chinese operations. Gaining insight into which Chinese nationals or assets are under FBI surveillance would be an intelligence windfall for Beijing.

The 'Major Incident' Threshold

The formal "major cyber incident" designation is not a routine label. Under federal policy, it triggers mandatory cross-agency coordination and indicates that the breach poses significant risks to U.S. national security, according to Politico's reporting. Under the Federal Information Security Modernization Act, an agency must also notify Congress within seven days of concluding that a major incident has occurred. The White House, the National Security Agency, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, and the FBI have all been brought into the investigation, Politico reported.

A White House official told Reuters that the administration "regularly convenes meetings to discuss any cyber threat to the U.S.," but declined to discuss details of any particular incident. CISA referred questions to the FBI. The NSA did not respond to a request for comment.

Senator Mark Warner of Virginia, the ranking Democrat on the Senate Intelligence Committee, has been outspoken on the persistent threat from Chinese cyber operators. In previous public statements about Salt Typhoon's telecom intrusions, Warner warned that investigators believed the group may still maintain active footholds within certain systems.

Why It Keeps Happening

The DCS-3000 breach follows a pattern that cybersecurity experts have watched develop for years: China's most capable cyber units avoid direct confrontations with U.S. government firewalls and instead work through the surrounding ecosystem of vendors, contractors, and service providers. The 2024 telecom campaign exploited carrier infrastructure. This time, it was an ISP with a trusted lane into federal systems.

This approach works partly because the vendors connected to sensitive government networks are not always held to the same security standards as the agencies themselves, and partly because trusted-access pathways are structurally difficult to monitor without disrupting legitimate operations. An attacker operating through a vendor's credentials and connection looks, from the inside, like normal business traffic; the only signal left is whether that connection is behaving the way the vendor normally does.
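The point made in the paragraph above, and in the "A Familiar Playbook" section before it, is that a vendor's trusted path is authorized by definition, so an access-control check will never fire. The block below is an added example, not FBI, CISA or ISP code, of the check that can still fire: a per-vendor behavioural baseline applied to flow records. The vendor address range, the hosts it is expected to reach, the business-hours window and the per-session volume ceiling are assumed values a network owner would derive from its own history, and the flow log lines are constructed.

```python
"""Baseline-and-deviation detection for a trusted vendor access path.

Added example, not FBI, CISA or ISP code. Baseline values are assumed and
the flow records are constructed. The detection question is not "is this
path allowed?" (it is) but "is this path behaving as this vendor usually
does?".
"""
import ipaddress
from datetime import datetime

# Assumed baseline for one vendor's trusted connection (hypothetical values).
BASELINE = {
    "vendor_net": ipaddress.ip_network("203.0.113.0/24"),     # documentation range
    "allowed_dst": {("10.20.0.5", 443), ("10.20.0.6", 443)},  # hosts the vendor serves
    "hours": (8, 18),                                         # local business hours
    "max_bytes_to_vendor": 5_000_000,                         # learned per-session ceiling
}

# Constructed flow log: time,src,dst,dport,bytes_to_src,account
LOGS = [
    "2026-02-16T10:12:03,203.0.113.45,10.20.0.5,443,120034,vendor-svc",
    "2026-02-17T02:41:10,203.0.113.45,10.20.0.5,443,98000,vendor-svc",
    "2026-02-17T02:55:42,203.0.113.45,10.20.7.31,445,15000,vendor-svc",
    "2026-02-18T03:10:05,203.0.113.45,10.20.0.6,443,48000000,vendor-svc",
    "2026-02-18T11:00:00,198.51.100.9,10.20.0.5,443,50000,vendor-svc",
]


def parse_flow(line):
    """Parse one CSV flow record into typed fields."""
    ts, src, dst, dport, nbytes, account = line.strip().split(",")
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ipaddress.ip_address(src),
        "dst": dst,
        "dport": int(dport),
        "bytes_to_src": int(nbytes),  # bytes leaving the network toward the vendor
        "account": account,
    }


def deviations(flow, baseline):
    """Reasons this flow departs from the vendor's established profile."""
    reasons = []
    if flow["src"] not in baseline["vendor_net"]:
        reasons.append("source_outside_vendor_range")
    if (flow["dst"], flow["dport"]) not in baseline["allowed_dst"]:
        reasons.append("unexpected_destination")
    start, end = baseline["hours"]
    if not start <= flow["ts"].hour < end:
        reasons.append("off_hours")
    if flow["bytes_to_src"] > baseline["max_bytes_to_vendor"]:
        reasons.append("volume_exceeds_baseline")
    return reasons


def detect(lines, baseline):
    """Return (line index, reasons) for every flow that deviates from baseline."""
    alerts = []
    for i, line in enumerate(lines):
        reasons = deviations(parse_flow(line), baseline)
        if reasons:
            alerts.append((i, reasons))
    return alerts


if __name__ == "__main__":
    for idx, why in detect(LOGS, BASELINE):
        print(LOGS[idx], "->", ", ".join(why))
```

Every one of the flagged flows uses the vendor's real account and, in all but the last, the vendor's real address range, so a rule that asks only "is this source permitted?" passes all of them. The baseline catches the lateral move to a host the vendor never serves, the off-hours sessions, and the single session that moves ten times the usual volume out of the network.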

For U.S. counterintelligence, the implications of the DCSNet breach are significant and likely long-lasting. The FBI cannot easily reconstruct which cases or subjects may have been exposed. Sources and investigations whose identities were contained in DCS-3000 records may need to be assessed for potential compromise. And the full scope of what was exfiltrated, if anything was, remains unknown.

The FBI told Congress it had "identified and addressed" suspicious activity on its network. What it has not said publicly is how long the intrusion persisted, whether data left the network, or whether the access vector through the compromised ISP has been fully closed.
