It's Not Only Russia - China Broke Into the Mobile & Wiretap Network Itself
The back door built for the good guys became Beijing's front door. Salt Typhoon is a hack of the mobile network that cannot be cleaned out. What protects you, and the strategic map it hands Beijing.
BOTTOM LINE UP FRONT. The phone network can no longer keep a secret, and no one can promise it ever will again. Salt Typhoon is a Chinese state intrusion into the telephone networks themselves, the plumbing every call and text passes through, not your handset or your apps. Its most alarming move was to get inside the lawful wiretap system, the access built so police can listen with a warrant. The back door built for the good guys became a front door for Beijing. For anyone of intelligence interest, a politician, an official, a defence contractor, a dealmaker, the record of who you called, when, and from where must now be assumed recoverable by a hostile state. As of early 2026 it has not been cleaned out, and senior officials have stopped pretending it will be soon. There is one response that genuinely works: stop trusting the network, and make what flows through it unreadable. This is a Five Eyes problem, not a distant American one. The allied advisory named telecommunications among the targeted sectors and flagged activity in the UK, and if US carriers have been compromised, it is prudent to assume UK carriers have been too.
1. What is Salt Typhoon?
Think of it less like a burglar picking one house and more like someone quietly copying the keys to the whole street, including the locksmith’s master set. Salt Typhoon is the name for a Chinese state hacking operation that broke into the telecoms networks at the deepest level. Not one phone. The infrastructure that carries everyone’s traffic.
Who is behind it is unusually well established. This is China’s intelligence apparatus, linked to the Ministry of State Security, the MSS, Beijing’s main civilian spy agency. The striking thing is how firmly it has been pinned down. Cyber attribution is normally hedged and slow. This one is not. The Five Eyes governments issued joint guidance naming the campaign, and in January 2025 the US Treasury sanctioned a Chinese firm, Sichuan Juxinhe Network Technology, for its role (US Treasury, 2025). Western governments rarely put their name to attribution unless the evidence is strong.
This is not one elite unit. The MSS runs much of this through a stable of private “cybersecurity” companies acting as cut-outs, intermediaries that give the state deniability, the same hacker-for-hire ecosystem exposed in the 2024 i-Soon leaks, a document dump that laid bare China’s commercial hacking industry (MERICS, 2023; SentinelOne, 2024). That industrial scale is part of why it is so hard to shut down.
What they got, in rising order of seriousness:
Metadata, at scale. Who called whom, when, for how long, and roughly from where. For most people, this is the exposure. Not your words, but the pattern of your life, and that pattern is famously revealing. A Stanford study in the Proceedings of the National Academy of Sciences showed that telephone metadata alone can expose relationships, health conditions and movements with startling precision (Mayer, Mutchler and Mitchell, 2016). As Michael Hayden, former head of both the NSA and the CIA, reportedly put it, "we kill people based on metadata" (Just Security, 2014). Reporting points to metadata on more than a million users concentrated around Washington. Treat the headline figures in this piece as directional: they trace to US official briefings, not to an independent audit. The shape of the breach is not in doubt. The exact numbers are.
Actual content, on a small set of high-value targets. For specific individuals, including figures connected to both sides of the 2024 US election, the intruders could pull real call and text content.
The wiretap system itself. This is the killer point. By law, carriers must build a lawful-intercept capability into their networks so police and intelligence services can wiretap suspects with a warrant (in the US under CALEA, the Communications Assistance for Law Enforcement Act of 1994). Salt Typhoon got into that system. So Beijing was potentially able to see which targets US law enforcement was lawfully monitoring, a direct window into Western counter-intelligence (Lewis, CSIS, 2024). They did not break the wiretap. They tapped it. Note what makes this access so valuable: a lawful-intercept system is, by design, a single point from which any subscriber's traffic can be selected and copied, so whoever controls it inherits that reach. It is the cleanest real-world proof of an argument computer scientists have made for decades: you cannot build a door that only your friends can use. The definitive academic statement of this is the 2015 paper "Keys Under Doormats" by Abelson, Rivest, Schneier and colleagues, which warned that any lawful-access backdoor inevitably becomes a vulnerability for everyone (Journal of Cybersecurity, 2015).
Read this from London, not Washington. The FBI assessed in August 2025 that the campaign had touched at least 200 US organisations, with victims across more than 80 countries. The allied dimension is solid: a thirteen-nation advisory co-sealed by the UK’s National Cyber Security Centre named telecommunications among the targeted sectors and flagged a cluster of activity in the UK (NCSC, 2025). The UK runs its own lawful-intercept regime under the Investigatory Powers Act, with the same structural weakness built in. Any British firm in defence, dual-use technology, government-facing consultancy or sensitive M&A should assume its principals’ communications metadata is a collection target. And this is not only a problem for primes and large funds. A mid-market firm negotiating a supply contract with a Chinese counterparty should assume the other side may be able to see which of its government or customer contacts it has been calling.
One thing to keep straight. Salt Typhoon is espionage, listening. Volt Typhoon is a separate Chinese campaign that buries itself in critical infrastructure, power, water, ports, to cause disruption in a future crisis. One is a spy in the wires. The other is dynamite in the foundations. Do not conflate them.
2. Why it cannot be cleaned out
The blunt answer is that it has not been fixed, and officials have stopped pretending otherwise. In February 2026 the FBI described the activity as “very much ongoing,” and the US Senate Commerce Committee was publicly pressing AT&T and Verizon to substantiate their claims of being secure. The reasons are structural, not a matter of someone forgetting to patch a server.
Too deep to evict. Once an attacker is this far in, they plant multiple hidden ways back. Close one door and they walk through another. Eviction means hunting down every foothold across an enormous network and then proving a negative, that the intruder is entirely gone, which is close to impossible at this scale.
Too sprawling and old to map. Telecoms networks are decades of merged companies and legacy equipment layered on top of each other, with no single map of it all. The way in was unglamorous: publicly known, already-patched flaws in routers and edge networking gear, the boxes that sit where a network meets the outside world, much of it unpatched or too old to receive security updates, rather than secret zero-day exploits. The CISA advisory lists the exploited vulnerabilities by number, in Cisco, Ivanti and Palo Alto Networks devices, some of them years old by the time they were used (CISA advisory AA25-239A, 2025). It is a house with too many windows to ever fully close.
Too expensive to replace. Telecoms run on thin margins and carry live national traffic. Replacing the vulnerable kit costs billions and takes years, and the bill falls on commercial operators with little appetite to pay it.
The asymmetry. The attacker needs one way in. The defender has to secure everything, everywhere, continuously. That is the whole game.
The honest summary: this is the new normal, not an incident with an end date.
3. What balances this position
Set against all that, a calibration. Capability is not omniscience. Harvesting metadata on a million or so users clustered around one city's political class is a targeted counter-intelligence operation, not blanket surveillance of every British or American citizen. Content interception was selective and aimed at high-value individuals. The sheer volume of global traffic makes mass content collection impractical even for a state. Most people's conversations were never listened to, and never will be.
But the bigger point survives the correction. This struck the deepest layer, where access is general and persistent, and the networks have not been declared clean. A capability planted in the foundations can be widened later. If you are a person of interest, assume your communications pattern is an open book and govern yourself accordingly. For everyone else, the loss is subtler but real: the basic confidence that the telephone network is private has been structurally degraded. The closest historical parallel is “The Thing,” the Soviet listening device concealed in a carved wooden US Great Seal that hung in the American ambassador’s Moscow residence for seven years before it was found (CIA, “The Compromise of the Great Seal”). The most dangerous intercept is always the one built into the infrastructure you already trust.
4. The only defence that works: make the network unreadable
The single most useful shift is mental: stop trusting the phone network itself. You cannot secure the pipes. You can make what flows through them unreadable.
For individuals. Use end-to-end encrypted messaging and calling. Signal is the reference standard; WhatsApp, iMessage and FaceTime are also end-to-end encrypted, which means the message is scrambled on your device and only unscrambled on the recipient's, so the carrier, and anyone hiding inside it, carries only gibberish. It also moves the metadata out of the carrier's reach: an intruder in the carrier core sees that your handset exchanged encrypted data with Signal's or WhatsApp's servers, not whom you spoke to or what you said. Assume ordinary SMS texts and standard calls are open, because they travel through the network in a form the carrier can read, which is exactly what was compromised. Be wary of RCS, the newer "improved texting" standard, which has only recently begun adding encryption across different phone platforms and is not yet guaranteed end-to-end. Two caveats. Encryption protects the message, not a hacked handset: keep the device updated and locked down, and for higher-risk individuals turn on Apple's Lockdown Mode, a setting that strips out the riskiest features to shrink the attack surface. And an end-to-end encrypted message is only as private as the backup it lands in: iMessage history can be recovered from a standard iCloud backup unless Advanced Data Protection is switched on, and WhatsApp backups are readable unless the encrypted-backup option is enabled. After Salt Typhoon, US authorities took the remarkable step of urging the public, and highly targeted individuals in particular, to use encrypted apps (CISA mobile communications best-practice guidance, December 2024, issued alongside the CISA, NSA and FBI hardening guidance for carriers). When a government tells citizens not to trust the government-mandated phone system, that tells you how serious this is.
For organisations. Start with the questions a board should be able to answer, because they are the fastest route to the actions that matter:
Which of our communications would damage us if a foreign state read them, and where do those travel today?
Are our executives and key people on end-to-end encrypted channels by default?
Have we war-gamed our exposure to interception at the network level, including through our advisers and partners?
The mental model behind the answers is to treat all telecoms as hostile transport: design on the assumption that the public phone network is monitored by a capable adversary, and protect the content regardless. Take genuinely sensitive conversations, live M&A, legal privilege, security matters, off the public network entirely, onto approved secure channels or back into the room. Harden the devices, which most large firms already do through their mobile management programmes, and then extend the same discipline to the weak link almost everyone forgets, the counterparties.
A warning for regulated firms, and the people in them. Before you move deal talk onto Signal or WhatsApp, understand what that can break. An FCA-authorised firm is obliged to record and retain certain communications, and a consumer messaging app with disappearing messages does the precise opposite, because it is engineered to leave no record. Solving an espionage problem by pushing sensitive business onto unmonitored, self-deleting apps simply swaps a Chinese interception risk for a regulatory and litigation-discovery one. This is not theoretical. In the United States the SEC and CFTC have levied well over two billion dollars in “off-channel communications” fines against major banks for exactly this, staff doing business on personal WhatsApp the firm could not capture, and UK regulators are watching the same behaviour. The fix is not to abandon encryption, it is to buy the right tier of it: enterprise-grade platforms that are end-to-end encrypted and also journalled and archivable, so the content stays unreadable to the carrier while a compliant record is kept for the firm. Encryption and recordkeeping only conflict if you reach for consumer tools. As an individual, do not run client business through your personal messaging apps. As an institution, mandate an approved, captured platform and police it. The reassuring part, for a board weighing the bill, is that this is cheap relative to the exposure: enterprise encrypted communications and device management are line items, not capital programmes.
Real versus theatre. Real: end-to-end encryption, keeping sensitive talk off the public network, hardened devices, disciplined counterparties. Theatre: trusting a "secure" carrier contract; treating a VPN as a cure-all, because it hides your internet traffic from the local network but does nothing for a voice call or SMS crossing a compromised carrier core; or assuming a premium handset is inherently safe.
5. The strategic prize: a map of the West’s decision-makers
Strip away the IT language and ask the only question that matters to a hostile state. What does this buy Beijing. The answer is not a stack of phone bills. It is a living map of the people who run a country, and that map is the raw material of statecraft.
The leverage. Bulk metadata plus selective content plus the wiretap access lets an adversary reconstruct the contact networks, movements and daily patterns of an entire decision-making class. Who briefs whom. Which official rings which journalist at eleven at night, and is therefore the source. Who is calling a divorce lawyer, a gambling line, or a number they would not want their spouse to see. Telephone metadata alone exposes relationships, health and movement with startling precision, a point established in peer-reviewed work and not in dispute (Mayer, Mutchler and Mitchell, PNAS, 2016). That is the input for blackmail, for spotting who might be recruited, and for counter-intelligence. The sharpest point is the wiretap system. Getting inside lawful intercept does not just expose suspects, it exposes which people Western law enforcement and intelligence are themselves watching, which can burn agents, informants and live operations. Independent analysis describes precisely this, China seeking to monitor US law enforcement’s sealed wiretap requests, and the targeting of political candidates’ phones for potential blackmail or election interference (Simmons, Lawfare, 2025). This is a counter-intelligence catastrophe and a standing reservoir of leverage, held quietly, available indefinitely.
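What the paragraph above and the metadata discussion in section 1 describe can be shown rather than asserted. The following is an added example, not code from the article or from any of the cited sources: a short Python analysis over a handful of constructed call detail records (the fields a carrier actually retains: caller, callee, start time, duration, serving cell) and a constructed number-to-identity directory of the kind an analyst assembles from open sources. All numbers, cell identifiers, names and role labels are invented assumptions for the illustration. The point is how little code it takes, with no call content at all, to recover a strong-tie graph, a recurring late-night official-to-reporter pattern, calls to sensitive institutions, and two phones sitting on the same cell at the same time.

```python
"""Added example: inference from carrier-side call metadata only.
All records, numbers and directory labels below are constructed for the
illustration; none are real data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed call detail records (CDRs):
# (caller, callee, call start in ISO 8601 local time, duration s, cell serving the caller)
CDRS = [
    ("+44700000001", "+44700000002", "2025-03-03T09:12:00", 180, "CELL-WHITEHALL-1"),
    ("+44700000001", "+44700000002", "2025-03-04T09:05:00", 240, "CELL-WHITEHALL-1"),
    ("+44700000001", "+44700000002", "2025-03-05T08:58:00", 120, "CELL-WHITEHALL-1"),
    ("+44700000003", "+44700000005", "2025-03-05T22:40:00", 120, "CELL-PIMLICO-4"),
    ("+44700000001", "+44700000003", "2025-03-05T23:07:00", 900, "CELL-PIMLICO-4"),
    ("+44700000003", "+44700000001", "2025-03-06T22:41:00", 600, "CELL-CITY-2"),
    ("+44700000001", "+44700000009", "2025-03-07T12:30:00", 300, "CELL-PIMLICO-4"),
    ("+44700000002", "+44700000008", "2025-03-07T17:15:00", 60,  "CELL-CITY-2"),
    ("+44700000001", "+44700000004", "2025-03-08T07:45:00", 30,  "CELL-CANARY-7"),
]

# Constructed directory: number -> (label, category). In practice this is built
# from staff lists, bylines, business listings and reverse lookups. Every label
# here is an assumption for the example.
DIRECTORY = {
    "+44700000001": ("A. Official", "government"),
    "+44700000002": ("B. Adviser", "government"),
    "+44700000003": ("C. Reporter", "press"),
    "+44700000004": ("Defence prime switchboard", "contractor"),
    "+44700000008": ("Private bank", "finance"),
    "+44700000009": ("Oncology clinic", "health"),
}

SENSITIVE = {"health", "finance"}  # categories the PNAS study found inferable from metadata


def who(number):
    """Resolve a number through the directory, or leave it raw."""
    return DIRECTORY.get(number, (number, "unknown"))[0]


def strong_ties(cdrs=CDRS, min_calls=3):
    """Contact graph: undirected pairs ranked by call count, with total talk time in seconds."""
    calls, secs = Counter(), Counter()
    for a, b, _, dur, _ in cdrs:
        pair = tuple(sorted((a, b)))
        calls[pair] += 1
        secs[pair] += dur
    return [(a, b, n, secs[(a, b)]) for (a, b), n in calls.most_common() if n >= min_calls]


def off_hours_pairs(cdrs=CDRS, start=22, end=6):
    """Count late-night contacts per pair. A recurring 23:00 call between an
    official and a reporter is the classic 'who is the source' signal."""
    late = Counter()
    for a, b, ts, _, _ in cdrs:
        hour = datetime.fromisoformat(ts).hour
        if hour >= start or hour < end:
            late[tuple(sorted((a, b)))] += 1
    return late


def sensitive_contacts(cdrs=CDRS, directory=DIRECTORY, sensitive=SENSITIVE):
    """Calls whose callee is a known sensitive institution: health, money, etc."""
    hits = []
    for a, b, ts, _, _ in cdrs:
        name, category = directory.get(b, (b, "unknown"))
        if category in sensitive:
            hits.append((who(a), name, category, ts))
    return hits


def colocated(cdrs=CDRS, window=timedelta(minutes=30)):
    """Distinct phones served by the same cell within `window` of each other:
    a proxy for two people being in the same place (movement, meetings)."""
    by_cell = defaultdict(list)
    for a, _, ts, _, cell in cdrs:
        by_cell[cell].append((datetime.fromisoformat(ts), a))
    found = []
    for cell, sightings in by_cell.items():
        for (t1, p1), (t2, p2) in combinations(sorted(sightings), 2):
            if p1 != p2 and t2 - t1 <= window:
                found.append((p1, p2, cell, t1.isoformat()))
    return found


if __name__ == "__main__":
    for a, b, n, s in strong_ties(min_calls=2):
        print(f"tie: {who(a)} <-> {who(b)}: {n} calls, {s}s total")
    for (a, b), n in off_hours_pairs().most_common():
        print(f"late-night: {who(a)} <-> {who(b)} x{n}")
    for caller, callee, cat, ts in sensitive_contacts():
        print(f"sensitive: {caller} -> {callee} ({cat}) at {ts}")
    for p1, p2, cell, when in colocated():
        print(f"co-located: {who(p1)} and {who(p2)} on {cell} around {when}")
```

Nothing here requires call content, a court order or a zero-day; it requires only the records a carrier keeps for billing and the lawful-intercept provisioning data an intruder inside the core can read. The same four queries scale to a million subscribers without changing shape, which is the sense in which the metadata is the map.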
Pre-positioning for a crisis. In peacetime the map mostly sits there. Its value is cashed in during a confrontation, and the obvious one is a Taiwan scenario. Holding the contact networks and movement patterns of a rival’s leadership means being able to locate the right people, pressure the wavering ones, discredit the inconvenient ones, and silence the dangerous ones at the precise moment leverage decides outcomes. The same Carnegie analysis that warns bulk data lets China cheaply profile millions and map their interpersonal connections frames it exactly this way, as leverage to be exercised, not merely information to be held (Carnegie Endowment, 2025).
Why this is not hypothetical. Communications metadata already enables strategic and lethal targeting, and the proof is recent. Peer-reviewed work on counterterrorism finds that the large majority of drone and night-raid operations used cell-phone data and communications intelligence to locate high-value individuals, the academic context for Michael Hayden’s line, “we kill people based on metadata” (Journal of Conflict and Security Law, 2024). Israel’s recent operations show the playbook at industrial scale. The reporting on the “Lavender” and “Where’s Daddy?” systems describes AI-assisted tooling that used phone tracking and metadata to identify people and locate them at home (+972 Magazine, 2024, corroborated by the Guardian, 2024). The September 2024 Lebanon operation, in which pagers and walkie-talkies were turned into weapons, shows the related discipline of supply-chain device compromise (Lieber Institute, West Point, 2024). None of this means China is killing anyone. The point is narrower and more uncomfortable. These cases prove what communications and metadata dominance makes possible, and Salt Typhoon hands Beijing the equivalent map of the West.
So what. This is why a network intrusion is a national-security and statecraft problem, not an IT problem. For a government it is a standing counter-intelligence wound. For an institution it is the exposure of who its people really talk to. For any individual of intelligence interest, a minister, an official, a defence executive, a dealmaker, it means assuming that the pattern of your life is already held by a hostile state, and may be used against you on a day not of your choosing. The breach is not the theft of your calls. It is the construction, somewhere in Beijing, of a map with your name on it.
The network is compromised. So stop trusting the network.
The Interlock decodes the geopolitics that moves money, for the people who have to act on it. If this was useful, subscribe and the next one comes to you. Contact us at admin@theinterlock.org
References
Academic
1. Abelson, Anderson, Rivest, Schneier et al., "Keys Under Doormats: mandating insecurity by requiring government access to all data and communications," Journal of Cybersecurity 1(1), 2015.
2. Mayer, Mutchler and Mitchell, "Evaluating the privacy properties of telephone metadata," Proceedings of the National Academy of Sciences 113(20), 2016.
3. "Social network analysis and counterterrorism: a double-edged sword for international humanitarian law," Journal of Conflict and Security Law 29(1), 2024 (metadata and network analysis used to locate individuals for targeting; the Hayden quote in context).
Think tanks and policy
4. James A. Lewis, "Communications Networks Safety and Security," CSIS, December 2024.
5. "'Here to stay': Chinese state-affiliated hacking," MERICS, November 2023.
6. "Breaking the Encryption Impasse," Carnegie Endowment, 2020.
7. "Managing the Risks of China's Access to U.S. Data and Control of Software and Connected Technology," Carnegie Endowment, January 2025 (bulk data as profiling and coercion leverage).
8. Alistair Simmons, "Reconfiguring U.S. Cyber Strategy in the Wake of Salt Typhoon," Lawfare, October 2025 (China targeting sealed wiretap requests; candidate-phone targeting).
On metadata-enabled targeting (precedent)
9. "'Lavender': The AI machine directing Israel's bombing spree in Gaza," +972 Magazine and Local Call, April 2024.
10. "Israel used AI to identify 37,000 Hamas targets," The Guardian, April 2024.
11. "Well, It Depends: The Explosive Pagers Attack Revisited," Lieber Institute, West Point, 2024.
Official and primary
12. NCSC (UK) and allies, advisory exposing China-based companies enabling the campaign, August 2025.
13. CISA advisory AA25-239A, August 2025.
14. CISA, NSA and FBI, "Enhanced Visibility and Hardening Guidance for Communications Infrastructure," December 2024.
15. US Treasury, sanction of Sichuan Juxinhe Network Technology, January 2025.
16. CIA, "The Compromise of the Great Seal."