What‘s worse: a massive financial crime, or a years-long international espionage operation?

China is emerging as the lead suspect in the that affected 500 million customers, according to . Security investigators reportedly said that the techniques and tools present in the attack mirror previous Chinese hacks.

On November 30, that it had discovered a security breach affecting its Starwood guest database. The hack was expansive: it affected the personal information of 500 million customers, and had gone undetected for four years.

The longevity of the attack is another reason experts think the hack may have been part of international espionage efforts, and not financial crime. 

“One clue pointing to a government attacker is the amount of time the intruders were working quietly inside the network,” Michael Sussman, a former DOJ official, told Reuters. “Patience is a virtue for spies, but not for criminals trying to steal credit card numbers.”

A hack of this nature might have been used to gather intelligence on the travel and whereabouts of Marriott customers. With more than 6,700 properties worldwide, if the hack was about intelligence, it could have provided something like a daybook for the meetings and movements of high profile people all over the world.

But the probe is ongoing. Investigators think that multiple attackers could have been inside the Starwood system at the same time, meaning that China may not be the only culprit.

The tools also may not be exclusive to China. Some of the techniques that connect the breach to the nation state have also been posted online. So it‘s possible that hackers unaffiliated with Chinese espionage efforts may have used them, too.

China reportedly denies the allegations, and Marriott had no further comment.