Russian surveillance technology provider Protei was hacked on November 8, 2025, with attackers stealing 182 gigabytes of data including years of emails and defacing the company’s website with the message “another DPI/SORM provider bites the dust.” The breach, reported by TechCrunch on November 17, exposed a company that builds deep packet inspection systems and SORM lawful intercept technology for governments across 40+ countries including Russia, Kazakhstan, Pakistan, Bahrain, and surprisingly, Italy. The stolen data was provided to DDoSecrets, a nonprofit transparency collective that archives leaked surveillance industry data, making the breach’s contents publicly available for researchers.
The irony is undeniable: a surveillance company failing to protect itself. This is the latest in a pattern that raises uncomfortable questions for developers about building such tools and demonstrates that surveillance infrastructure is inherently vulnerable to the very threats it’s supposed to defend against.
Surveillance Companies Keep Getting Hacked
Protei isn’t the first surveillance provider to be breached. The pcTattletale spyware app was hacked in May 2024, exposing data on 138,000 customers who signed up to spy on others. The Salt Typhoon telecom attack in 2024 compromised court-authorized wiretapping systems in what Senator Mark Warner called “the worst telecom hack in our nation’s history.”
The pattern is clear: systems designed to spy on others become high-value targets for nation-state actors and hacktivists. The defacement message itself—“another DPI/SORM provider bites the dust”—suggests the hacker’s awareness of this trend. When Senator Warner noted that “the idea that only authorized government agencies would use such backdoor access tools has always been flawed,” he articulated the fundamental vulnerability of surveillance infrastructure.
For developers, the lesson is stark. Surveillance infrastructure is not more secure because it’s used for surveillance. In fact, it’s less secure because it attracts sophisticated attacks. If you build surveillance tools, they will be targeted, and they will be compromised.
The Global Web Censorship Infrastructure
Protei makes deep packet inspection (DPI) systems and SORM (System for Operative Investigative Activities) lawful intercept technology for 40+ countries. SORM is Russia’s nationwide surveillance system that allows the FSB (Russian Federal Security Service) to monitor all telecommunications—calls, texts, and web traffic—without ISP knowledge or cooperation. As Privacy International explains: “In Russia, the operator installs it and have no control over what is being wiretapped. Only the FSB knows what they collect.”
Unlike Western lawful intercept systems where ISPs cooperate and have transparency, SORM gives direct FSB access via protected cables to monitoring devices installed on ISP networks. ISPs are forced to pay for these devices themselves. Court orders are required but are secret and never shown to ISPs. Surveillance can begin before warrants are even granted—a legal fiction that provides the appearance of accountability without substance.
SORM operates in Russia, Belarus, Kazakhstan, Kyrgyzstan, Uzbekistan, Nicaragua, and Cuba. It’s the technical backbone of authoritarian control, not just telecom equipment. Wikipedia’s SORM documentation details three generations: SORM-1 (phone calls), SORM-2 (internet traffic), and SORM-3 (all media including Wi-Fi and social networks, with 3-year data retention).
Democratic Countries Use Authoritarian Surveillance Tech Too
Protei sells surveillance technology to Italy—a democratic EU country—along with authoritarian regimes. The company’s customer base spans 40+ countries including Bahrain, Kazakhstan, Mexico, Pakistan, and much of central Africa. The breach exposed “a supply chain that extends far beyond Russia,” according to security researchers analyzing the leaked data.
This challenges assumptions. Developers in democratic countries may unknowingly build on or integrate with surveillance infrastructure from authoritarian tech providers. The supply chain of surveillance is global and opaque, crossing political boundaries without hesitation.
Deep Packet Inspection: The Mechanism of Censorship
Deep packet inspection examines both packet headers and actual data payload—meaning whoever controls DPI can see everything: emails, messages, file downloads, websites visited. DPI devices allow telecom companies to identify and filter web traffic by source (social media, messaging apps) and selectively block access. China uses it for the Great Firewall, India’s Jio for SNI-based filtering, and Indonesia’s Telkom for country-wide surveillance.
DPI goes beyond normal stateful packet inspection (which only checks headers) by analyzing actual content. As Fortinet’s DPI guide explains, VPNs prevent DPI content analysis through encryption, but VPN protocols themselves can be detected and blocked—creating a perpetual cat-and-mouse game between censorship and circumvention. The technical sophistication required to deploy DPI nationwide makes it a tool only available to well-funded governments and telecom providers, which is precisely why Protei’s breach matters.
Should Developers Build Surveillance Tools?
The Protei breach raises ethical questions developers face daily. Should you build tools for authoritarian regimes? What are the career implications? Can surveillance infrastructure ever be truly secure? Research suggests developers should “integrate privacy by design principles into all surveillance technologies,” and that “private sector companies developing AI technologies have a responsibility to incorporate ethical considerations into their products.”
Protei’s breach demonstrates the security burden: surveillance infrastructure attracts nation-state actors and becomes a high-value target. Career implications matter too—association with surveillance companies can hurt future opportunities and reputation in the developer community. Protei engineers built surveillance tech, and now their work is exposed on DDoSecrets, scrutinized by researchers worldwide, and used as evidence of global censorship infrastructure.
Those choices have consequences. The question isn’t just technical—it’s moral. Every line of code you write for surveillance is a line that could be used to suppress dissent, monitor journalists, or silence political opponents. The Protei breach exposes years of emails and internal communications that will reveal exactly who those customers were and what they were surveilling.
Key Takeaways
- Surveillance companies keep getting hacked—Protei is the latest in a pattern including pcTattletale (May 2024) and Salt Typhoon (2024). Systems designed to spy on others become high-value targets.
- SORM gives FSB direct access to telecommunications without ISP knowledge or cooperation. Court orders are secret, surveillance can begin before warrants are granted, and ISPs pay for their own monitoring devices.
- 40+ countries use Protei technology, including democratic Italy alongside authoritarian regimes in Russia, Kazakhstan, Pakistan, and Bahrain. Surveillance tech crosses political boundaries.
- Deep packet inspection examines actual packet content—emails, messages, websites—enabling censorship by selectively blocking traffic. China, India, and Indonesia deploy it nationwide.
- Developers face ethical choices: building surveillance tools means attracting nation-state attacks, risking career reputation, and potentially enabling authoritarian control. The Protei breach exposes those consequences.
The 182GB of Protei data now sits on DDoSecrets, available to researchers investigating global surveillance infrastructure. The next surveillance company breach is only a matter of time. The question for developers is simple: which side of that breach do you want to be on?







