Login
How China Built AI Dominance on Stolen American Silicon
DEEP DIVE — Federal prosecutors in Texas, in December, unsealed charges and related details exposing a sprawling scheme that quietly siphoned some of America’s most powerful artificial intelligence chips into China.
According to court filings, a Houston businessman and his company orchestrated a $160 million smuggling operation that moved thousands of NVIDIA’s top-tier processors overseas, evading U.S. export controls through falsified shipping records and shell transactions.
Hao Global and its founder, Alan Hao Hsu, pleaded guilty on October 10, 2025, to participating in smuggling and unlawful export activities, including knowingly exporting and attempting to export at least $160 million in Nvidia H100 and H200 GPUs between October 2024 and May 2025. Investigators say the operation was funded by more than $50 million in wire transfers originating from China, and the U.S. has seized over $50 million in Nvidia hardware and cash as part of the broader investigation, with the seizures tied to the overall network, not solely this defendant’s operation.
The operation reveals a broader strategy: if you can’t build it, take it. With a blend of state-run espionage and corporate infiltration, China has turned technology acquisition into an art form. Their ‘all-of-the-above’ approach has allowed their AI sector to grow even as export bans tighten. By sourcing the hardware from elsewhere, Beijing has made the lack of domestic chip manufacture moot.
The Corporate Insider Pipeline
The same month that prosecutors announced the NVIDIA chip smuggling charges, the Department of Justice filed a superseding indictment against Linwei Ding, a former Google software engineer accused of stealing over 1,000 confidential files containing trade secrets related to Google’s AI infrastructure. According to the indictment, Ding uploaded the files to his personal cloud account between May 2022 and May 2023 while secretly working for two China-based technology companies.
It is believed that the stolen materials included detailed specifications of Google’s Tensor Processing Unit chips and Graphics Processing Unit systems, as well as the software platform that orchestrates thousands of chips into supercomputers used to train cutting-edge AI models.
Ding allegedly circulated presentations to employees of his Chinese startup, citing national policies encouraging domestic AI development, and applied to a Shanghai-based talent program, stating that his company’s product “will help China to have computing power infrastructure capabilities that are on par with the international level.”
Within weeks of beginning the theft, Ding was offered a chief technology officer position at Beijing Rongshu Lianzhi Technology with a monthly salary of approximately $14,800 plus bonuses and stock. He traveled to China to raise capital and was publicly announced as CTO. A year later, he founded his own AI startup, Zhisuan, focused on training large AI models. Ding never disclosed either affiliation to Google.
After Google detected unauthorized uploads in December 2023, Ding vowed to save the files as evidence of his work. Nonetheless, he resigned a week later after booking a one-way ticket to Beijing. Security footage revealed that another employee had been scanning Ding’s access badge to give the appearance that he was working there during extended trips to China. Ding faces up to 175 years in prison on 14 counts: economic espionage and theft of trade secrets.
Ding has pleaded not guilty to the charges on multiple occasions. He entered a not guilty plea in March 2024 to the original four counts of trade secret theft, and again pleaded not guilty through his attorney, Grant Fondo, in September 2025 to the expanded superseding charges — including seven counts each of economic espionage and trade secret theft. Fondo has actively represented Ding in court proceedings, including a successful June 2025 motion to suppress certain post-arrest statements due to alleged Miranda violations, though no extensive public explanatory statements from the attorney or Ding appear beyond these court actions and pleas.
The federal trial in San Francisco began in early January 2026, with jury selection reported around January 8, and Ding remains presumed innocent until proven guilty.
Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.
AI-Powered Cyber Espionage at Scale.
The threat escalated dramatically in September 2025 when Anthropic detected what it describes as the first fully automated cyberattack using artificial intelligence to breach corporate networks. Chinese state-sponsored hackers conducted the campaign, which Anthropic assessed with high confidence, targeted approximately 30 organizations, including technology firms, financial institutions, chemical manufacturers, and government agencies.
The attackers manipulated Anthropic’s Claude Code tool into executing 80 to 90 percent of the operation autonomously. Claude’s safety guardrails were bypassed by jailbreaking the system, disguising malicious tasks as routine cybersecurity tests, and breaking attacks into small, seemingly innocent steps that conceal their broader objectives. Once compromised, the AI system independently conducted reconnaissance, identified valuable databases, wrote custom exploit code, harvested credentials, created backdoors, and exfiltrated data with minimal human supervision.
“The AI made thousands of requests per second—an attack speed that would have been, for human hackers, simply impossible to match,” Anthropic stated in its analysis.
“This case is a huge concern for other companies that have almost fully adopted AI in their business operations,” JP Castellanos, Director of Threat Intelligence at Binary Defense, tells The Cipher Brief. “Instead of just using AI to draft phishing emails or assist human hackers, the perpetrators gave Claude direct instructions to carry out multi-stage operations on its own.”
The implications extend far beyond technical sophistication.
“An AI operator doesn’t have to sleep or take breaks moving at machine speed; the agent can do the work of dozens or more hackers, tirelessly and even without error, launching constant attacks that even human defenders would struggle to monitor, let alone counter,” Castellanos explained.
Chief Geopolitical Officer at Insight Forward, Treston Wheat, also noted the operational tempo represents a fundamental shift.
“AI-enabled operations can run reconnaissance, exploitation attempts, credential harvesting, lateral movement playbooks, and exfiltration workflows in parallel, iterating rapidly across targets,” he tells The Cipher Brief.
This shift not only changes how operations are conducted but also reveals the hidden supply chains that enable them.
DeepSeek’s Smuggled Silicon
In early 2025, it became impossible to ignore the connection between black-market chips and stolen IP. It was then that DeepSeek dropped the R1 model, claiming it could compete with OpenAI’s o1, but for significantly less. This, however, immediately set off alarm bells: How does a company hamstrung by U.S. sanctions move that fast without some serious ‘outside’ help?
Reports from The Information in December 2025 revealed that DeepSeek is training its next-generation model using thousands of NVIDIA’s advanced Blackwell chips — processors specifically banned from export to China. The smuggling operation reportedly involves purchasing servers for phantom data centers in Southeast Asia, where Blackwell sales remain legal. After inspection and certification, smugglers allegedly dismantle entire data centers rack by rack, shipping GPU servers in suitcases across borders into mainland China, where the chips are reassembled.
NVIDIA disputed the reports, stating it had seen “no substantiation or received tips of ‘phantom data centers’ constructed to deceive us and our OEM partners” while acknowledging the company pursues any tip it receives. The chipmaker is developing digital tracking features to verify chip locations, a tacit acknowledgement that there are enough smuggling concerns to warrant technological solutions.
Castellanos described China’s strategy as deliberately dual-track.
“China has been very open to being the lead in AI and semiconductors and the need for self-reliance in core technologies,” he said. “But also, externally, China relies on partnering with overseas institutions, building on top of Western open-source technologies, and acquiring advanced technologies through illegal means, such as through theft, smuggling, and forced transfers.”
Subscriber+Members get exclusive access to expert-driven briefings on the top national security issues we face today. Gain access to save your virtual seat now.
The FBI’s Losing Battle
Christopher Wray, the former FBI director, testified that the bureau oversees approximately 2,000 active investigations into Chinese espionage operations.
“Chinese hackers outnumber FBI cyber personnel by at least 50 to 1,” Wray testified before the House Appropriations Committee in 2023. “They’ve got a bigger hacking program than every other major nation combined and have stolen more of our personal and corporate data than all other nations—big or small—combined.”
That scale reflects a long-running strategy rather than a sudden surge.
“U.S. officials say China has long relied on a multi-pronged strategy to lie, to cheat and to steal their way to surpassing us as the global superpower in cyber,” he said. “It’s not just cyber intrusions, we are concerned about, but also human insiders stealing intellectual property. In the realm of AI, this can include insiders siphoning source code, research papers, or semiconductor designs for China.”
The Chinese approach exploits multiple vectors simultaneously, according to experts. The Ministry of State Security operates human intelligence networks. The People’s Liberation Army’s Strategic Support Force conducts offensive cyber operations.
The Thousand Talents Plan, for example, then offers Chinese researchers financial incentives to transfer proprietary information to American institutions. By investing in and partnering with ostensibly private companies, state-owned enterprises gain access to sensitive technologies.
Export Controls Lag Behind Reality
The export control regime designed to prevent China from accessing advanced chips has proven inadequate in the face of Beijing’s evasion tactics. The Commerce Department’s Bureau of Industry and Security has repeatedly updated restrictions, most recently imposing sweeping controls in October 2023 on AI chips and semiconductor manufacturing equipment.
The recent Texas case shed light on how these smugglers operate. There was more to it than simply shipping; they used crypto payments and paper-only shell companies to conceal the money trail. To pass customs, they even removed the Nvidia labels from the chips. By the time those processors reached China, they had been bounced through so many different countries that the original paper trail was basically gone.
“Export controls are not a complete solution to IP theft or technology diffusion. They are best understood as a time-buying and friction-imposing tool,” Wheat observed. “If the objective is to prevent all leakage, that is unrealistic; if the objective is to slow adversary capability development, shape supply chains, and increase acquisition cost and risk, they can be effective when paired with enforcement and complementary measures.”
The chip industry, analysts caution, is facing a structural nightmare. We’re restricting technology that’s already been stolen and studied. The $160 million operation out of Texas proved just how easy it is to game the system — they lied on customs forms hundreds of times over several months, and it still took nearly a year for authorities to notice anything was wrong.
Defending at Machine Speed
Security experts are calling this the most significant tech transfer in history, and it isn’t happening by accident. By stacking insider theft, cyberattacks, recruitment programs, and smuggling on top of each other, China has found a way to leapfrog ahead in AI. They don’t have the domestic factories to build high-end chips yet, so they’ve bypassed the need for ‘original’ innovation by taking what they need. It’s a massive operation that’s making traditional defense strategies look obsolete.
“The realistic U.S. approach is not to match China operator-for-operator. It is to win by asymmetry, such as scaling defense through automation, hardening the most valuable targets, and using public-private coordination to reduce attacker dwell time and increase attacker cost,” Wray said in his testimony.
Castellanos emphasized that defending against AI-enabled attacks requires matching the adversary’s capabilities.
“To have any hope to defend against this, we have to multiply effectiveness through automation and AI, so basically fight fire with fire,” he underscored. “Doing this requires significant investment, new skills, and perhaps most challenging, trust in autonomous defensive AI at a time when many organizations are still learning basic cyber hygiene.”
To prevent adversaries from acquiring sensitive technologies, the U.S. Government has, in recent years, implemented targeted responses, such as the Disruptive Technology Strike Force in 2023. Yet, even as FBI investigations increase and new indictments are filed, the fundamental challenge persists. Chinese intelligence services use unlimited resources, legal compulsion over Chinese nationals, and long-term strategic patience to operate in an open society with porous institutional boundaries.
“It’s a challenge for policy makers; a multi-layered response and defense in depth is needed to protect the US AI technology base better,” Castellanos added. “Harden insider threat programs, accelerate public and private intelligence sharing, modernize export controls and enforcement, increase the costs or impose costs for the offenders of these attacks and lastly innovate faster to ensure even if China steals today’s tech, the breakthrough is already in the pipeline for tomorrow.”
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business
