China Mobile (中国移动) 2022: 1 billion Records Allegedly Leaked
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Leak Site Screenshot
Screenshot captured at time of discovery. Sensitive data has been redacted.
Claim Summary
An unverified and highly significant data breach claim has surfaced on a dark web forum. A user operating under the alias DAN_8 has posted a thread titled “China Mobile (中国移动) 2022 Database - Leaked, Download!” The post, dated February 3, 2026, and subsequently edited multiple times by an automated process, alleges the leak of a database purportedly from the telecommunications giant China Mobile. According to the threat actor, the data originates from a 2022 security incident and contains a staggering 1.13 billion records. The post provides technical details, including file sizes and an MD5 hash, and the data is reportedly gated behind a forum registration wall.
What Is Allegedly Exposed
The threat actor claims the compromised dataset consists of two primary data types: phone numbers and International Mobile Equipment Identity (IMEI) codes. The alleged source is stated as the website chinamobileltd.com. IMEI numbers are unique identifiers for mobile devices, and their exposure, when paired with subscriber phone numbers, could facilitate sophisticated tracking, device cloning, or fraud schemes. The post specifies that the uncompressed data file is allegedly 29.46 GB in size, compressed to 6.26 GB, and provides an MD5 hash (2574D7F861237EF9C369ABFE16752FB4) for verification. No sample data, proof-of-concept rows, or screenshots of the data are presented in the public portion of the post.
Threat Actor Profile
The post author is identified as DAN_8. There is no immediately verifiable reputation or history associated with this alias on mainstream threat intelligence platforms, suggesting this could be a new or low-profile actor. The act of posting such a high-profile dataset on a public forum, as opposed to a private auction, is atypical and may indicate motivations ranging from notoriety-seeking to an attempt to build credibility. The multiple automated edits to the post, with the reason “Moved to official,” suggest some level of forum moderator involvement or a structured posting process, but this does not validate the claim’s authenticity.
Potential Impact
If the claims were verified, the potential impact would be severe due to the sheer volume and sensitivity of the alleged data. The combination of IMEI and phone number data could be exploited for:
- Device Tracking and Profiling: Creating detailed logs of device usage and movement.
- SIM Swap Attacks: Using the phone number as a starting point for account takeover attempts, especially when combined with other breached data.
- Network-Based Fraud: Potential for impersonation or social engineering attacks targeting China Mobile’s vast customer base.
- Secondary Data Enrichment: The dataset could be cross-referenced with other breaches to build more comprehensive profiles of individuals.
The scale, over 1 billion records, directly implicates a significant portion of China’s mobile subscriber population, making this a claim of national security concern.
What to Watch For
- Verification of Data: The provided MD5 hash can be used by researchers to check if this file appears in other breach repositories or malware analysis platforms.
- Emergence of Samples: Watch for any actual samples of the data appearing on other forums, paste sites, or in credential-stuffing lists, which would be the first sign of the data’s circulation.
- Official Response: Monitor for any statement from China Mobile or Chinese regulatory authorities regarding this alleged historical breach.
- Actor Activity: Observe if DAN_8 posts further datasets or gains a reputation, which could lend (or detract from) future credibility.
- Exaggeration Red Flag: The claim of 1.13 billion records is extraordinary. Such round, massive numbers are often used in hoaxes or exaggerated claims to generate maximum attention.
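If a sample of the alleged data does surface, a structural sanity check is a quick first triage step. The following is an added example, not code from Yazoul Security or the forum post. It validates IMEI check digits and phone number shape and compares the claimed file size with the claimed record count. The `phone,imei` row layout, the phone pattern and all sample rows are assumptions constructed for illustration.

```python
import re

# Assumption: mainland mobile numbers are 11 digits starting 1[3-9], optional 86 prefix.
PHONE_RE = re.compile(r"(?:\+?86)?1[3-9][0-9]{9}")
# Assumed row layout "phone,imei\n": 11 + 1 + 15 + 1 bytes.
EXPECTED_ROW_BYTES = 28

def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def imei_ok(value):
    """An IMEI is 15 ASCII digits whose last digit is a Luhn check digit."""
    return len(value) == 15 and value.isascii() and value.isdigit() and luhn_ok(value)

def triage(lines, sep=","):
    """Count structural defects in a small sample (the seen-set is not meant for full dumps)."""
    stats = dict(rows=0, malformed=0, bad_phone=0, bad_imei=0, duplicates=0)
    seen = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        stats["rows"] += 1
        parts = [p.strip() for p in line.split(sep)]
        if len(parts) != 2:
            stats["malformed"] += 1
            continue
        phone, imei = parts
        stats["duplicates"] += (phone, imei) in seen
        seen.add((phone, imei))
        stats["bad_phone"] += PHONE_RE.fullmatch(phone) is None
        stats["bad_imei"] += not imei_ok(imei)
    return stats

def bytes_per_record(size_gb, records, unit=10**9):
    """Average row width implied by a claimed size and record count."""
    return size_gb * unit / records

# Constructed sample rows (not real subscriber data).
SAMPLE = ["13800138000,490154203237518", "13800138000,490154203237518",
          "13912345678,356938035643809", "13912345678,356938035643808",
          "12345678901,490154203237518", "garbage-row"]

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(bytes_per_record(29.46, 1.13e9), "vs expected", EXPECTED_ROW_BYTES)
```

A high share of IMEIs failing the Luhn check, or an implied row width far from the expected layout, points toward fabricated or padded data; passing both checks does not by itself authenticate a dataset.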
Disclaimer
This report details an unverified claim from a dark web forum. Yazoul Security has not independently confirmed the validity of this alleged data breach. The existence of the data, the number of records, the involvement of the named threat actor, and the impact described are all based solely on the forum post. The claims should be treated as alleged and unsubstantiated until corroborated by credible evidence or an official statement from the implicated organization. The provided file hash and technical details are for investigative tracking purposes only.