Welcome to the second issue of Firewall Watch Weekly.
Last week we covered Russia blocking Telegram, the GFW's upgraded anti-fraud monitoring, and DLSite launching an accelerator service. This week, the pace keeps accelerating — major moves on both the China and Russia fronts.
Let's cut straight to this week's Top 3.
This issue covers April 12–18, 2026.
This Week's Top 3
[Critical] GFW expands QUIC protocol blocking — Previously limited to partial regional throttling, this week confirmed a nationwide blockade of outbound QUIC traffic. Proxy nodes running QUIC/HTTP3 are down en masse, affecting multiple mainstream tools.
[Important] Russia's AI traffic identification system goes live in first cities — Last week we reported on the $780 million AI censorship budget. This week there's a follow-up: Moscow and St. Petersburg have begun pilot operations. The rollout is much faster than expected.
[Notable] China's Cybercrime Prevention Law draft enters second reading — Language around circumvention-related provisions has tightened further, with clearer legal consequences for "providing circumvention tools" and "using circumvention for illegal activities."
China Updates
GFW Launches Mass Blocking of Outbound QUIC Traffic
This is the week's most impactful technical event for the circumvention community.
Starting April 14, a flood of user reports confirmed that connections based on QUIC (the protocol underlying HTTP/3) were collectively going dark. Previously, the GFW's approach to QUIC was "selective interference" — throttling in certain regions, blocking certain IP ranges — but this is a full-scale escalation: virtually all outbound QUIC traffic on UDP port 443 is now being blocked.
The hardest hit are users of QUIC-based circumvention tools like Hysteria and TUIC. These protocols gained popularity over the past two years because QUIC's multiplexing and low latency are genuinely appealing — great for gaming, great for streaming. But the GFW has now sealed off the QUIC exit route entirely.
The technical community consensus: the GFW isn't performing deep packet inspection (DPI) to identify circumvention traffic specifically — it's being cruder than that, broadly restricting outbound UDP 443. This means even legitimate HTTP/3 web browsing may be affected, but the GFW has apparently decided the collateral damage is acceptable.
What's affected:
- Hysteria / Hysteria2: Down across the country
- TUIC: Same
- Self-hosted QUIC-based nodes: Essentially dead
- Normal HTTP/3 browsing: Some sites load slower (recovers after falling back to TCP)
What's unaffected:
- TCP-based circumvention tools (TLS-disguised)
- WebSocket / gRPC over TCP solutions
- CDN relay solutions
The lesson is clear: users who put all their eggs in the QUIC basket got burned this week. The fundamental measure of a circumvention tool's resilience is whether it can disguise traffic as ordinary HTTPS over TCP — because the GFW can never block TCP 443, since that would mean shutting down the entire internet.
More on GFW developments: GFW 2026 Q2 Update: QUIC Blocking and New Detection Methods
Cybercrime Prevention Law Draft — Second Reading
Last week we mentioned China's push to advance the Cybercrime Prevention Law draft. This week it's confirmed to have entered the second reading at the NPC Standing Committee.
Several noteworthy changes:
-
The definition of "providing circumvention tools" has been broadened — It now potentially covers not just developing and selling VPNs, but also "providing technical tutorials" and "sharing proxy nodes." This is a major blow to the tech community's culture of knowledge-sharing.
-
Heavier penalties for "using circumvention for illegal activities" — If you use a VPN and then do something else illegal (fraud, gambling, etc.), the circumvention itself becomes an aggravating factor.
-
Lower threshold for administrative penalties — Individual VPN use could theoretically result in warnings or fines, with wider discretion for local law enforcement.
An important caveat: a legal draft and actual enforcement are two different things. Mass prosecution of individual VPN users remains impractical for now, but once the legal framework is in place, it's like a sword hanging overhead — when it drops depends on political needs.
Previous issue recap: Firewall Watch Weekly W15
Russia Updates
AI Traffic Identification System: Moscow and St. Petersburg Pilot
Last week we reported on Russia's $780 million AI censorship budget, assuming it was a "long-term plan" — but this week, reports indicate that ISPs in parts of Moscow and St. Petersburg are already testing an AI-driven traffic analysis system.
According to feedback from Russia's tech community, the system's characteristics include:
- It doesn't block immediately — it "flags and throttles" — Connections identified as VPN traffic aren't cut off but throttled to near-unusable speeds (reportedly around 50–100 kbps)
- It learns quickly — Users report that after switching to a new VPN protocol, the first two days are fine, but throttling kicks in by day three. This suggests the system has continuous learning capabilities
- False positive rate isn't negligible — Some users report normal HTTPS connections being misidentified and throttled, especially when connecting to overseas servers
This contrasts notably with China's GFW approach. The GFW tends toward "precision strikes" — detect VPN traffic, cut it immediately. Russia is taking a "fuzzy interference" approach — don't completely block it, but make the experience so miserable you give up. Different strategies, but for ordinary users, the end result is similar: you can't get through.
More Russia analysis: Russia VPN Censorship 2026: Complete Block List
Telegram Blocking Continues to Tighten
Continuing from last week's Telegram blocking coverage. New developments this week:
- More regions report voice calls completely non-functional
- Image and file transfer throttling has gone from "slow" to "extremely slow," with some users reporting it takes 3–5 minutes to send a single photo
- Telegram's official response remains absent, but there are reports they're testing new anti-blocking mechanisms
RKN (Roskomnadzor) has made its position clear: if Telegram won't cooperate with content moderation demands, the pressure will keep increasing. At this trajectory, complete Telegram blocking is just a matter of time.
Interesting Developments
Last week we reported on DLSite launching DLBooster to help Chinese users access its platform. This week there's a follow-up.
First, DLBooster's buzz in Chinese online communities has been off the charts. Users on Weibo and Xiaohongshu are sharing their experiences in droves, and because it's called an "accelerator" rather than a "VPN," platform moderation seems to be turning a blind eye to the discussions. The power of language — as we noted last week.
Even more interesting: according to industry sources, at least two to three other overseas digital content platforms are evaluating similar approaches. The logic is simple: China has a massive market of paying users, the GFW blocks those users, which means it blocks revenue. If the platform itself provides an "acceleration" service, users can pay for access, and the platform recovers some of the revenue the GFW cut off.
This is a fascinating trend: circumvention is gradually shifting from "politically sensitive behavior" to "commercial infrastructure." As more legitimate commercial platforms offer similar tools, the "circumvention = crime" narrative gets diluted. Of course, this could also accelerate government crackdowns — so where it ultimately leads remains to be seen.
This week's circumvention tool status tracker (mainland China):
| Tool / Protocol Type |
Status |
Notes |
| TLS-disguised (TCP 443) |
Green — Normal |
Currently the most stable method |
| CDN relay solutions |
Green — Normal |
Higher latency but stable |
| Hysteria / TUIC (QUIC) |
Red — Down |
GFW blocked outbound QUIC this week |
| WireGuard |
Red — Down |
Old issue, too recognizable |
| OpenVPN |
Red — Down |
Same |
| Commercial VPNs (ExpressVPN, etc.) |
Yellow — Marginal |
Requires frequent server switching |
| Cloudflare WARP |
Yellow — Sporadic |
Depends on region and luck |
(Quick plug time) Sunset Browser uses proprietary TLS-disguised technology, so this week's QUIC crackdown had zero impact on our users. Open the app, one-tap connect, no need to worry about underlying protocols. Alright, plug over.
What to Watch Next Week
-
Will the GFW loosen its QUIC blockade? — A complete QUIC ban affects legitimate HTTP/3 performance, and some major international companies may push back through Chinese ISPs. Watch whether it retreats from "total block" to "selective block."
-
Russia's AI censorship pilot — expansion scope — Currently limited to Moscow and St. Petersburg. If results meet expectations, the next wave likely hits Novosibirsk, Yekaterinburg, and other major cities.
-
Cybercrime Prevention Law — third reading timeline — After the second reading, watch whether a third reading is scheduled for late April or early May. A fast schedule signals strong high-level momentum.
-
Pre-May Day holiday routine tightening — Historical pattern: China typically ramps up internet controls before major holidays. With two weeks until May Day, watch for new GFW moves.
Monthly Censorship Report
For more comprehensive data and analysis, see our monthly report: April 2026 Internet Censorship Monthly Report
FAQ
Q: QUIC is blocked — what should I do?
If you're using Hysteria, TUIC, or any other QUIC-based tool, switch to a TCP-based solution as soon as possible. Specifically, use TLS-disguised circumvention tools that make your traffic look like ordinary HTTPS web browsing. If you don't want to deal with the technical details, a ready-made circumvention app is the easiest option.
Q: Will Russia's AI censorship affect China?
Technologies do cross-pollinate. Russia and China have maintained informal technical exchanges on internet censorship. If Russia's AI traffic identification proves effective in the field, the GFW will likely study and possibly adopt similar technology. The reverse is also true — Russia will eventually learn from the GFW's QUIC blocking methods.
Q: After the Cybercrime Prevention Law passes, will individual VPN users be arrested?
Mass arrests of individual users are highly unlikely in the short term — the enforcement costs are too high, and the user base is too large. But this law gives law enforcement the legal basis to prosecute "whenever they want to," particularly when someone is already under scrutiny for other reasons and VPN use can be piled on as an additional charge. Advice: use it quietly and don't brag about circumvention on social media.
Information is limited, and we can't confirm DLBooster's technical architecture or privacy policies. As a general principle: platform-provided "accelerators" only help you access that specific platform — they're not general-purpose circumvention tools. Your traffic necessarily passes through the platform's servers, so assess privacy implications accordingly. If you need comprehensive circumvention capability and privacy protection, a dedicated tool remains the better choice.
This is the second issue of Firewall Watch Weekly. If you found it useful, share it with anyone who might need it. See you next Friday.
Have topics you'd like covered or news tips? Drop them in our community.