Salt Typhoon: Inside the Worst Telecom Breach in U.S. History
The integrity of American telecommunications has faced an unprecedented crisis. A Chinese state-sponsored hacking group known as Salt Typhoon has executed one of the broadest and most consequential cyber campaigns in recent years, infiltrating the very infrastructure the U.S. Government uses for lawful surveillance. Described by Senator Mark Warner as “the worst telecom hack in our nation’s history,” this breach didn’t just steal data—it compromised the backbone of domestic signals intelligence.
Who is Salt Typhoon?
Salt Typhoon is a prolific hacking collective attributed to China’s Ministry of State Security. Unlike other state-sponsored actors, Salt Typhoon focuses specifically on telecommunications infrastructure. Researchers indicate the group’s activities are part of a larger strategic effort to help China prepare for a potential conflict regarding Taiwan, a scenario U.S. Officials describe as an “epoch-defining threat.”
While Salt Typhoon focuses on espionage and data theft, it operates alongside other Chinese groups with different objectives:
- Volt Typhoon: Prepositions itself for destructive cyberattacks to cause widespread disruption.
- Flax Typhoon: Manages a botnet of hijacked devices to mask malicious internet traffic.
How the Breach Happened: Exploiting the “Inside Wire”
The attackers didn’t rely on simple phishing emails. Instead, they targeted the edge of the networks, specifically hacking Cisco routers to gain entry. Once inside, Salt Typhoon took control of surveillance devices that U.S. Telecom companies are legally required to maintain.
These devices are mandated by the Communications Assistance for Law Enforcement Act (CALEA) of 1994, which ensures that providers build surveillance capabilities into their networks so the FBI and other agencies can execute court-authorized wiretaps. Salt Typhoon effectively turned the government’s own surveillance tools against it, using the CALEA architecture as a primary entry point to monitor communications.
The Scale of the Compromise
The intrusion began as early as 2021, with some hackers maintaining undetected access for up to three years. By late 2024, officials confirmed that at least nine major U.S. Carriers were compromised, including:
- AT&T
- Verizon
- T-Mobile
- Lumen Technologies (formerly CenturyLink)
- Spectrum (Charter)
- Consolidated Communications
- Windstream

The damage extends far beyond U.S. Borders. By August 2025, the group had breached more than 200 companies across 80 different countries.
What Data Was Stolen?
The breach allowed Chinese operatives to access a staggering amount of sensitive information, with a heavy concentration of targets in the Washington D.C. Metro area.
1. Communications Metadata
Salt Typhoon accessed metadata for over one million users, including:
- Phone numbers called and received
- Call timestamps and durations
- Text message metadata
- IP addresses and location data
2. Actual Audio Recordings
In the most alarming aspect of the breach, the hackers recorded actual audio from phone conversations. High-profile targets included:
- Phones belonging to Donald Trump
- Phones belonging to JD Vance
- Staff from the Kamala Harris 2024 presidential campaign
3. The “Wiretap List”
Perhaps the most damaging theft was the acquisition of an almost complete list of phone numbers currently being wiretapped by U.S. Law enforcement. This provided China with a roadmap identifying which of its own spies had been detected by U.S. Intelligence.
- Target: Global telecom and internet giants (9+ U.S. Carriers).
- Method: Exploited Cisco routers and CALEA wiretap systems.
- Scope: 1 million+ users’ metadata; 200+ companies in 80 countries.
- High-Value Theft: Audio of 2024 presidential candidates and U.S. Law enforcement wiretap lists.
- Response: FBI is offering a $10 million reward for information.
The Path Forward: Cybersecurity Implications
The Salt Typhoon attacks highlight a critical vulnerability in the “lawful intercept” architecture. When the tools designed for national security are compromised, they become a liability of the highest order. This breach has prompted the FBI to urge citizens to switch to complete-to-end encrypted messaging apps to prevent foreign adversaries from eavesdropping on private communications.
As the list of affected countries grows, the focus now shifts to purging persistent access from network edges and redesigning how surveillance mandates are integrated into critical infrastructure to prevent a repeat of this systemic failure.
Frequently Asked Questions
What is Salt Typhoon?
Salt Typhoon is a Chinese state-sponsored hacking group that targets global telecommunications infrastructure to steal government records and monitor high-interest targets.
Which U.S. Companies were affected?
Major affected companies include AT&T, Verizon, T-Mobile and Lumen Technologies, among others.
How did they get in?
The group exploited Cisco routers at the network edge and took control of systems mandated by the Communications Assistance for Law Enforcement Act (CALEA).
Was my data stolen?
While the breach affected over a million users, the group focused heavily on senior government officials and targets in the Washington D.C. Area. For those concerned about security, the FBI recommends using end-to-end encrypted messaging services.