I. Background of the Incident
On the evening of December 22, 2025, several leading Chinese social media and content platforms experienced abnormal situations almost simultaneously. Kuaishou's live streaming system was the most severely affected, quickly attracting widespread attention across the internet. At the same time, platforms such as Douyin, Xiaohongshu, and Bilibili (B站) also received numerous user reports of slow access, abnormal functions, or unstable servers. The simultaneous occurrence of abnormalities across multiple platforms on the same night led to the widespread belief that this was not a simple technical malfunction, but rather a large-scale, organized cyberattack.
II. Course of the Incident
According to user feedback and subsequent platform announcements, around 10 PM on December 22nd, a large number of Kuaishou live streams were suddenly "taken over" by illegal content, with a rapid influx of sexually explicit, vulgar, and otherwise inappropriate images. While some live streams saw a rapid increase in viewership, the reporting function failed, and content review was significantly delayed. The platform's existing risk control and manual review systems failed under the high-volume attack.
As the abnormal situation continued to spread, Kuaishou was forced to take extreme measures, temporarily shutting down some live streaming functions to prevent the further spread of illegal content. Live streaming functions were gradually restored until the early morning of December 23rd. During this time, Kuaishou officially confirmed that the incident was due to "external malicious attacks" and stated that they had reported the incident to the police and were cooperating with relevant departments in the investigation.
During the same period, although platforms like Douyin and Xiaohongshu did not experience content control issues on a similar scale, users widely reported lagging, abnormal recommendations, and comment section loading failures; while Bilibili was confirmed by numerous users to have experienced server crashes or widespread access failures that night, further reinforcing the belief that multiple platforms were simultaneously under attack.
III. Analysis of Attack Characteristics and Methods
Based on all available information, this incident exhibited clear characteristics of automation, scale, and coordination. The attackers are suspected of using bulk-registered or stolen accounts to simultaneously broadcast and stream illegal content through automated programs, quickly overwhelming the platforms' content security thresholds. This type of attack did not rely on a single vulnerability, but rather overwhelmed the review, risk control, reporting, and manual intervention systems through a "traffic flood" approach. Unlike traditional DDoS attacks, this incident was more of a "content layer attack," utilizing the processing limits of the compliance mechanisms themselves to cause system failure. Its social impact and public opinion repercussions far exceeded those of a simple service disruption.
IV. Impact and Consequences
From a social perspective, a large number of ordinary users were exposed to severely illegal content without warning, causing significant negative impacts and triggering strong public questioning of child protection and platform responsibility. The incident quickly trended on multiple platforms, becoming one of the most controversial cybersecurity incidents of the year.
From an industry perspective, this incident exposed systemic weaknesses in live streaming and content platforms in extreme attack scenarios: including insufficient identification of abnormal patterns by review models, lack of scalable capacity in reporting systems, and manual review response speeds failing to keep pace with the attack. The capital market also reacted quickly, with significant fluctuations in the stock prices of related companies, reflecting investors' concerns about platform governance capabilities.
V. Significance and Reflection
The attack on December 22, 2025, marks a shift in the security threats faced by domestic internet platforms, from the "infrastructure layer" to the "content and governance layer." Attackers are no longer simply aiming to "paralyze the system," but rather to amplify the impact of platform failures by creating public opinion shocks and social risks.
This incident serves as a strong warning to the entire industry: future platform security is no longer just a technical issue, but a comprehensive interplay of technology, management, compliance, and social responsibility. How to build a content security system with extreme resilience while ensuring user experience will become a long-term challenge that all large platforms must address.
VI. Conclusion
Overall, the large-scale attack on Chinese social media platforms on December 22nd was a landmark cybersecurity event. It not only caused short-term service and public opinion disruptions but also revealed, at a deeper level, the vulnerability of current internet platforms in the face of new attack patterns. It is foreseeable that this incident will drive stricter regulatory requirements, higher standards of technological investment, and a redefinition of the "platform security boundaries" for the entire industry.