The Number
Taiwan's National Security Bureau reported that China launched an average of 2.63 million cyber intrusion attempts per day against Taiwan's critical infrastructure in 2025. Not per year. Not per month. Per day.
That is roughly 30 attempted intrusions every second, every day, for an entire year, against the digital infrastructure of an island of 23 million people. The figure is up 113% from 2023. The energy sector and the hospital and emergency services sector saw the sharpest increases.
Most coverage treated this as a big scary number and moved on. The number is not the story. The pattern is the story.
The Pattern Nobody Is Reading
Buried in the NSB report is the single most important sentence about the Taiwan situation that has been published this year.
What Taiwan's NSB found: "Relevant hacking and intrusion operations against Taiwan demonstrated a certain extent of correlation with the joint combat readiness patrols carried out by the People's Liberation Army." — Taiwan National Security Bureau, 2025 Annual Cyber Report
Read that carefully. The cyberattacks are not random. They are not purely opportunistic espionage. They rise and fall in correlation with PLA military operations. When China runs a joint combat readiness patrol around Taiwan, the cyberattack volume moves with it.
That means the cyberattack data is a real-time temperature gauge for Chinese military intent. Every analyst, every fund manager, every defense planner obsessively watches PLA air sorties around Taiwan as the tension indicator. The smarter signal is the cyber correlation, because cyber operations can be scaled up instantly and scaled down instantly, while moving aircraft and ships takes logistics and leaves satellite signatures.
What 2.6 Million Attacks a Day Actually Targets
The NSB report breaks the attacks across nine critical infrastructure sectors: government agencies, energy, communications, transportation, emergency services and hospitals, water resources, finance, science and industrial parks, and food installations.
That list is not a list of espionage targets. That is a list of everything you would need to disable to paralyze a society in the opening hours of a conflict. Espionage targets government and defense. Pre-positioning targets the power grid, the hospitals, the water system, the food supply.
This is the same doctrine as Volt Typhoon inside US infrastructure. We covered that operation in detail in our breakdown of Chinese pre-positioning in American power and telecom networks. The Taiwan operation is the same playbook, running at far higher intensity, against a far closer target.
The 27-Second Problem
The speed has changed. Taiwan's cyber defenders report that some breaches now occur in as little as 27 seconds from initial contact to system compromise. Generative AI has collapsed the timeline.
Traditional cyber defense assumed a "dwell time" — the gap between an attacker getting in and the attacker accomplishing their objective. Defenders used that gap to detect and respond. AI-accelerated attacks compress the gap toward zero. By the time a human analyst sees the alert, the objective is already complete.
For a defender, 2.6 million attempts a day where any single one could succeed in 27 seconds is not a security problem. It is a probability problem. You will not stop all of them. You can only build systems resilient enough that the ones that succeed do not matter.
The Four Tactics
The NSB identified four primary attack methods, and each one tells you something:
1. Hardware and software vulnerability exploitation. Exploiting unpatched systems. This is the bread and butter — and it is why unpatched infrastructure anywhere is a national security liability.
2. Distributed denial-of-service (DDoS). Flooding systems offline. DDoS is not subtle. It is used for disruption and for cover — a loud DDoS attack can mask a quiet intrusion happening simultaneously.
3. Social engineering. Phishing, impersonation, credential theft. The human layer is always the weakest. AI-generated phishing has made this dramatically more effective.
4. Supply chain attacks. Compromising a trusted vendor to reach the real target. This is the most sophisticated vector and the hardest to defend.
A separate China-aligned espionage campaign disclosed in May 2026, tracked as a cluster targeting government and defense sectors across South, East, and Southeast Asia, used exactly this approach — exploiting known flaws, dropping web shells for persistent access, and deploying the ShadowPad backdoor. Taiwan is one node in a regional campaign.
The Timeline Tells
The NSB report includes timing data that confirms the correlation thesis. Cyberattacks against Taiwan's critical infrastructure peaked around the first anniversary of President Lai Ching-te's inauguration in May. They climbed again during Vice President Hsiao Bi-khim's trip to Europe in November.
Both of those are political events that Beijing wanted to punish or deter. The cyberattack volume was the punishment mechanism — deniable, scalable, and immediate. China cannot sail a carrier group every time a Taiwanese official travels. China can spike cyberattack volume in an afternoon.
This gives you a forward-looking framework. Watch the Taiwanese political calendar. Major elections, inauguration anniversaries, high-profile foreign trips by Taiwanese officials, US arms sale announcements — each one is a likely trigger for a cyberattack spike. And if the spike is ever dramatically larger than the political event would warrant, that is your signal that something beyond routine coercion is happening.
What This Means for Markets
Taiwan is not just an island with a tense political situation. Taiwan is where TSMC fabricates the most advanced semiconductors on Earth — the chips inside every iPhone, every Nvidia GPU, every advanced AI system. Roughly 90% of the world's most advanced chip production sits within range of the cyber war described in this article.
The market prices Taiwan risk almost entirely through the lens of physical invasion. A blockade, an amphibious assault, a missile campaign. Those are the scenarios in every analyst model.
The cyber dimension is underpriced. A sophisticated cyberattack on TSMC's fabrication facilities, or on the power and water infrastructure those facilities depend on, could disrupt advanced chip production without a single shot being fired. The pre-positioning described in the NSB report includes the energy and water sectors that semiconductor fabrication absolutely requires.
This is part of why Apple is reportedly diversifying chip production toward Intel and Samsung, which we analyzed in depth here. The smart money is treating Taiwan concentration risk as a when, not an if.
What This Means for You
If you are an individual reader, you are not a target of China's 2.6-million-a-day campaign. But the doctrine matters, because it is the same doctrine being run against US infrastructure, and the tactics scale down to the individual level.
Supply chain attacks and foreign-invested apps are the relevant vector. Taiwan's Ministry of Digital Affairs banned government agencies from using certain Chinese-developed apps, including the mapping app Amap, on the grounds that they pose a cybersecurity threat. The principle applies to individuals: apps developed under jurisdictions with mandatory data-sharing laws are data collection vectors whether or not you are personally important.
Reasonable individual defense: audit the apps on your phone for their country of origin and ownership, keep all software patched (the number one attack vector), use a VPN to encrypt your network traffic so a compromised network cannot harvest your activity. A reputable provider like NordVPN covers the network layer — Panama jurisdiction, audited no-logs, with Threat Protection that blocks known malicious domains. It is not a cure for nation-state targeting, but it closes the bulk-collection vector that feeds the social engineering described above.
The Reading
For the definitive history of how state-sponsored cyber operations evolved into the doctrine on display in Taiwan, Sandworm by Andy Greenberg is the essential book. It documents Russian operations primarily, but the institutional logic — cyber as a tool of state coercion integrated with military strategy — applies directly to what China is running against Taiwan.
For why Taiwan is the chokepoint that makes all of this matter at the global level, Chip War by Chris Miller remains the reference text. It explains how the world ended up with 90% of advanced chip production concentrated on one contested island and why that concentration is the single largest strategic vulnerability in the global economy.
The Bottom Line
2.63 million cyberattacks a day is a staggering number, but the number is not the warning. The warning is the correlation. China's cyber operations against Taiwan move in lockstep with PLA military activity, which means the cyberattack volume is a live readout of Chinese intent.
Watch it. When the cyber gauge spikes far beyond what the political calendar would explain, that is the signal that the situation has changed. Everyone else will be watching for ships and aircraft. The earlier signal is already running, 30 times a second, every second, and almost nobody is reading it.
