China Relaunches Tianfu Cup Hacking Contest with Government Control and Secrecy
2 min. read 
Published on
China brought back the Tianfu Cup hacking competition in 2026 under Ministry of Public Security oversight. The event ran January 29-30 with heavy restrictions. No public results emerged, unlike past high-profile payouts.
Tianfu Cup started as Pwn2Own rival, paying $1.9M in 2021 for Windows, iOS, Chrome exploits. 2023 focused domestic targets like Huawei. 2024-2025 hiatus preceded this secretive return.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
MPS announced January 16. Tianfu X post deleted fast. Official site blocked non-China IPs, then went dark post-event. Total prize pool dropped to CNÂ¥1M ($140K).
Targets spanned smartphones (iPhone 17, Xiaomi 14 Ultra), OSes (Windows 11, Ubuntu), browsers (Chrome, Safari), cloud (VMware ESXi), security (Palo Alto), mail servers, apps (WeChat, Teams), databases, office tools, and AI platforms (Hugging Face, Ollama).
New tracks tested AI vulnerability hunting agents and known vuln reproduction.
China MPS press release confirms CNÂ¥1M total prizes. No individual awards published.
Target Categories Table
| Category | Examples | Goal |
|---|---|---|
| Smartphones | iPhone 17, Xiaomi 14 Ultra, Galaxy S24 | RCE + kernel escape |
| Operating Systems | Windows 11, Ubuntu, macOS | Full compromise |
| Browsers | Chrome, Edge, Safari | Sandbox escape |
| Cloud/Virtualization | VMware ESXi, Docker | Host privilege gain |
| AI Platforms | Hugging Face, Ollama, LangChain | Default RCE |
Secrecy Measures
Site geo-blocked pre-event, offline after. No vendor notifications. X announcements scrubbed. Results classified.
2021 Chinese law mandates zero-day reporting to government. Microsoft links it to state stockpiling.
Historical Payouts
| Year | Total Prizes | Top Targets | Notes |
|---|---|---|---|
| 2021 | $1.9M | Windows, iOS, Chrome | Global headlines |
| 2023 | Unknown | Huawei, Xiaomi | Domestic focus |
| 2026 | $140K | iPhone 17, AI tools | MPS control |
Strategic Shifts
AI agent track tests automated vuln discovery. Known vuln reproduction emphasizes reliability. Smaller prizes suggest quality over quantity.
Past Tianfu exploits appeared in Chinese espionage. 2026 bugs likely follow suit.
Industry insider notes “rules and targets changed significantly.”
Implications
Government runs premier hacking event. Transparency vanishes. Vendors stay blind. State gains exclusive zero-days.
Pwn2Own pays millions publicly. Tianfu secrecy fuels weaponization fears.
FAQ
China’s Ministry of Public Security.
CNÂ¥1M ($140K) total.
AI platforms, AI vuln agents.
Completely offline post-event.
Likely state stockpiled per 2021 law.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages