Ex-Google Engineer Convicted for Stealing AI Trade Secrets for China
Summary
Linwei Ding, a former Google engineer, has been convicted of stealing over 2,000 confidential documents containing AI-related trade secrets to benefit China. The theft occurred between May 2022 and April 2023, involving sensitive information about Google's supercomputing infrastructure, AI models, and custom hardware. Ding was found guilty on seven counts of economic espionage and seven counts of theft of trade secrets. Additionally, three former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from Google and other tech firms and transferring the information to unauthorized locations, including Iran. The stolen data included details about Google's Tensor Processing Unit chips, Cluster Management System software, and other proprietary technologies. Ding used deceitful methods to cover up the theft, including transferring data to his personal Google Cloud account and using an accomplice to fake his presence at work. He also applied to a Shanghai-based talent program sponsored by Beijing, aiming to enhance China's AI capabilities. Ding was originally indicted in March 2024 after lying and not cooperating with Google's internal investigation. He was secretly affiliated with two China-based technology companies and negotiated a role as CTO at one of them. Ding founded his own AI company in China (Shanghai Zhisuan Technology Co.) and served as its CEO, intending to benefit entities controlled by the government of China. Ding faces a maximum sentence of 10 years for each theft count and 15 years for each espionage count.
Timeline
-
20.02.2026 07:27 1 article · 17h ago
Three Former Google Engineers Indicted for Trade Secret Theft
Three former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from Google and other tech firms and transferring the information to unauthorized locations, including Iran. The defendants used their employment to obtain access to confidential and sensitive information, including trade secrets related to processor security and cryptography and other technologies, from Google and other technology companies. They then exfiltrated confidential and sensitive documents, including trade secrets, to unauthorized third-party and personal locations, including to work devices associated with each other's employers, and to Iran. The defendants then concealed their actions by submitting false, signed affidavits; destroying the exfiltrated files from electronic devices; and manually taking photographs of screens containing the documents’ contents instead of transferring the documents using the messaging app.
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
30.01.2026 09:35 3 articles · 21d ago
Ex-Google Engineer Convicted for Stealing AI Trade Secrets
Linwei Ding, a former Google engineer, was convicted on seven counts of economic espionage and seven counts of theft of trade secrets for stealing over 2,000 confidential documents containing AI-related trade secrets. The theft occurred between May 2022 and April 2023, involving sensitive information about Google's supercomputing infrastructure, AI models, and custom hardware. Ding used deceitful methods to cover up the theft, including transferring data to his personal Google Cloud account and using an accomplice to fake his presence at work. He also applied to a Shanghai-based talent program sponsored by Beijing, aiming to enhance China's AI capabilities. Ding was originally indicted in March 2024 after lying and not cooperating with Google's internal investigation. He was secretly affiliated with two China-based technology companies and negotiated a role as CTO at one of them. Ding founded his own AI company in China (Shanghai Zhisuan Technology Co.) and served as its CEO, intending to benefit entities controlled by the government of China. Ding faces a maximum sentence of 10 years for each theft count and 15 years for each espionage count. Additional details reveal that Ding first copied data from Google source files into Apple Notes on his corporate MacBook, then converted them into PDFs and uploaded them to a personal Google Cloud account to bypass Google's data loss prevention (DLP) checks. Ding allowed a colleague to use his badge to scan into a Google building to make it appear he was working in the US when he was actually in China.
- Ex-Google Engineer Convicted for Stealing 2,000 AI Trade Secrets for China Startup — thehackernews.com — 30.01.2026 09:35
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
Information Snippets
-
Linwei Ding, a former Google engineer, was convicted on seven counts of economic espionage and seven counts of theft of trade secrets.
First reported: 30.01.2026 09:35 · 3 sources, 3 articles
- Ex-Google Engineer Convicted for Stealing 2,000 AI Trade Secrets for China Startup — thehackernews.com — 30.01.2026 09:35
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding stole over 2,000 documents containing AI-related trade secrets from Google between May 2022 and April 2023.
First reported: 30.01.2026 09:35 · 3 sources, 3 articles
- Ex-Google Engineer Convicted for Stealing 2,000 AI Trade Secrets for China Startup — thehackernews.com — 30.01.2026 09:35
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
The stolen documents included details about Google's supercomputing data center infrastructure, AI models, and custom hardware like Tensor Processing Unit chips and SmartNIC.
First reported: 30.01.2026 09:35 · 3 sources, 3 articles
- Ex-Google Engineer Convicted for Stealing 2,000 AI Trade Secrets for China Startup — thehackernews.com — 30.01.2026 09:35
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding used deceitful methods to cover up the theft, including transferring data to his personal Google Cloud account and using an accomplice to fake his presence at work.
First reported: 30.01.2026 09:35 · 3 sources, 3 articles
- Ex-Google Engineer Convicted for Stealing 2,000 AI Trade Secrets for China Startup — thehackernews.com — 30.01.2026 09:35
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding applied to a Shanghai-based talent program sponsored by Beijing, aiming to enhance China's AI capabilities.
First reported: 30.01.2026 09:35 · 3 sources, 3 articles
- Ex-Google Engineer Convicted for Stealing 2,000 AI Trade Secrets for China Startup — thehackernews.com — 30.01.2026 09:35
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding faces a maximum sentence of 10 years for each theft count and 15 years for each espionage count.
First reported: 30.01.2026 09:35 · 3 sources, 3 articles
- Ex-Google Engineer Convicted for Stealing 2,000 AI Trade Secrets for China Startup — thehackernews.com — 30.01.2026 09:35
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Linwei Ding was originally indicted in March 2024 after lying and not cooperating with Google's internal investigation.
First reported: 31.01.2026 19:33 · 2 sources, 2 articles
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding was secretly affiliated with two China-based technology companies and negotiated a role as CTO at one of them.
First reported: 31.01.2026 19:33 · 2 sources, 2 articles
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding founded his own AI company in China (Shanghai Zhisuan Technology Co.) and served as its CEO.
First reported: 31.01.2026 19:33 · 2 sources, 2 articles
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding intended to benefit entities controlled by the government of China by assisting with the development of an AI supercomputer and collaborating on the research and development of custom machine learning chips.
First reported: 31.01.2026 19:33 · 2 sources, 2 articles
- U.S. convicts ex-Google engineer for sending AI tech data to China — www.bleepingcomputer.com — 31.01.2026 19:33
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding first copied data from Google source files into Apple Notes on his corporate MacBook, then converted them into PDFs and uploaded them to a personal Google Cloud account to bypass Google's data loss prevention (DLP) checks.
First reported: 02.02.2026 11:20 · 1 source, 1 article
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Ding allowed a colleague to use his badge to scan into a Google building to make it appear he was working in the US when he was actually in China.
First reported: 02.02.2026 11:20 · 1 source, 1 article
- Former Google Engineer Found Guilty of Stealing AI Secrets — www.infosecurity-magazine.com — 02.02.2026 11:20
-
Three former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from Google and other tech firms and transferring the information to unauthorized locations, including Iran.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
Samaneh Ghandali, 41, and her husband Mohammadjavad Khosravi (aka Mohammad Khosravi), 40, along with her sister Soroor Ghandali, 32, have been accused of conspiring to commit trade secret theft from Google and other leading technology companies, theft and attempted theft of trade secrets, and obstruction of justice.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
The three defendants, all Iranian nationals residing in San Jose, were arrested on Thursday and made their initial appearances in federal district court in the California city.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
The defendants used their employment to obtain access to confidential and sensitive information, including trade secrets related to processor security and cryptography and other technologies, from Google and other technology companies.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
Samaneh Ghandali transferred hundreds of files, including Google trade secrets, to a third-party communications platform, specifically to channels that bore each defendant's first name.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
Soroor Ghandali is also alleged to have exfiltrated numerous Google-related files, which contained trade secrets, to the same channels while working for the company.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
The trade secret files were subsequently copied to different personal devices, as well as a work device belonging to Khosravi and a work device issued to Soroor Ghandali by Company 3.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
The defendants then concealed their actions by submitting false, signed affidavits; destroying the exfiltrated files from electronic devices; and manually taking photographs of screens containing the documents’ contents instead of transferring the documents using the messaging app.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
After Google's internal security systems detected Samaneh Ghandali's activity and Google revoked her access to company resources in August 2023, Samaneh Ghandali allegedly executed a signed affidavit claiming she had not shared Google's confidential information with anyone outside the company.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
Samaneh Ghandali and Khosravi performed searches online and visited websites about deleting communications and other data.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
Samaneh Ghandali also allegedly used her mobile phone to manually capture about 24 photographs of Khosravi's work computer screen containing Company 2 trade secret information on the night before the pair traveled to Iran in December 2023.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
-
If convicted, each defendant faces a maximum sentence of 10 years in prison and a $250,000 fine for each count of trade secret theft charges and a maximum sentence of 20 years in prison and a $250,000 fine for the count of obstruction of justice.
First reported: 20.02.2026 07:27 · 1 source, 1 article
- Three Former Google Engineers Indicted Over Trade Secret Transfers to Iran — thehackernews.com — 20.02.2026 07:27
Similar Happenings
L3Harris Employee Pleads Guilty to Selling Zero-Day Exploits to Russian Entities
Peter Williams, a former general manager at L3Harris cyber-division Trenchant, pleaded guilty to selling at least eight zero-day exploits to a Russian cyber broker between 2022 and 2025. The exploits, stolen from Trenchant, were sold for $1,300,000 in cryptocurrency and were intended for the exclusive use of the U.S. government and select allies. The broker's clients include the Russian government, posing a significant national security threat. Williams used his privileged access to the company's network to steal the exploits and transmitted them via encrypted channels. The FBI has emphasized the severity of the crime, highlighting the potential impact on US national security. Williams now faces up to 10 years in prison and fines of $250,000 or twice the gain or loss pertinent to the offense. The case underscores the growing concern over the trade in commercial spyware and zero-day exploits, with international efforts underway to curb this activity. Trenchant, the cyber-capabilities business unit within L3Harris Technologies, was conducting its own investigation into the potential leak of Google Chrome zero-day vulnerabilities, with another employee, Jay Gibson, at the epicenter of the accusations.
AI-Powered Cyberattacks Automating Theft and Extortion Disrupted by Anthropic
In mid-September 2025, state-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a "highly sophisticated espionage campaign." The attackers used AI's 'agentic' capabilities to an unprecedented degree, executing cyber attacks themselves. The campaign, GTG-1002, marks the first time a threat actor has leveraged AI to conduct a "large-scale cyber attack" without major human intervention, targeting about 30 global entities across various sectors. Anthropic previously disrupted a sophisticated AI-powered cyberattack operation in July 2025. The actor targeted 17 organizations across healthcare, emergency services, government, and religious institutions. The attacker used Anthropic's AI-powered chatbot Claude to automate various phases of the attack cycle, including reconnaissance, credential harvesting, and network penetration. The actor threatened to expose stolen data publicly to extort victims into paying ransoms. The operation, codenamed GTG-2002, employed Claude Code on Kali Linux to conduct attacks, using it to make tactical and strategic decisions autonomously. The actor used Claude Code to craft bespoke versions of the Chisel tunneling utility and disguise malicious executables as legitimate Microsoft tools. The actor organized stolen data for monetization, creating customized ransom notes and multi-tiered extortion strategies. Anthropic developed a custom classifier to screen for similar behavior and shared technical indicators with key partners to mitigate future threats. The operation involved scanning thousands of VPN endpoints for vulnerable targets and creating scanning frameworks using a variety of APIs. The actor provided Claude Code with their preferred operational TTPs (Tactics, Techniques, and Procedures) in their CLAUDE.md file. 
Claude Code was used for real-time assistance with network penetrations and direct operational support for active intrusions, such as guidance for privilege escalation and lateral movement. The threat actor created obfuscated versions of the Chisel tunneling tool to evade Windows Defender detection and developed completely new TCP proxy code that doesn't use Chisel libraries at all. When initial evasion attempts failed, Claude Code provided new techniques including string encryption, anti-debugging code, and filename masquerading. The threat actor stole personal records, healthcare data, financial information, government credentials, and other sensitive information. Claude not only performed 'on-keyboard' operations but also analyzed exfiltrated financial data to determine appropriate ransom amounts and generated visually alarming HTML ransom notes that were displayed on victim machines by embedding them into the boot process. The operation demonstrates a concerning evolution in AI-assisted cybercrime, where AI serves as both a technical consultant and active operator, enabling attacks that would be more difficult and time-consuming for individual actors to execute manually.
Scattered Spider member sentenced to 10 years for wire fraud and conspiracy
Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison for wire fraud and conspiracy. Urban, also known by several aliases, was arrested in January 2024 and pleaded guilty in April. He was involved in stealing millions from cryptocurrency wallets, hacking companies to loot confidential data, and running phishing schemes targeting various companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. Urban will also pay $13 million in restitution to more than 30 victims. Scattered Spider is a fluid collective known for sophisticated social engineering attacks, including phishing, SIM swapping, and MFA bombing. They have targeted high-profile organizations worldwide, such as Twilio, Coinbase, and Reddit. The group escalated their attacks in September 2023, breaching MGM Resorts and encrypting over 100 VMware ESXi hypervisors using BlackCat ransomware. They have also partnered with various ransomware operations, including Qilin, RansomHub, and DragonForce. In a separate development, two British teenagers, Thalha Jubair and Owen Flowers, were arrested in September 2024 for their alleged involvement in the Transport for London (TfL) breach. They pleaded not guilty to computer misuse and fraud-related charges. The TfL breach in August 2024 caused millions of pounds in damage and exposed customer data. Jubair and Flowers are also facing additional charges related to attacks on other organizations, including SSM Health Care Corporation, Sutter Health, and U.S. courts.
North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies
North Korean state actors have been using fake or stolen identities to secure IT jobs in various companies, particularly in the blockchain and technology sectors. These actors have stolen virtual currency and funneled money to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked cyber threat group, has recently evolved into three distinct hacking groups: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage, targeting industrial, logistics, and defense companies, while Golden Chollima and Pressure Chollima have shifted towards targeting cryptocurrency entities. Each group uses distinct toolsets in their malware campaigns, all evolutions of the same malware framework used by Labyrinth Chollima in the 2000s and 2010s. A joint investigation led by Mauro Eldritch, founder of BCA LTD, conducted together with threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what they believed were real developer laptops, which were actually fully controlled, long-running sandbox environments created by ANY.RUN. Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting vulnerabilities in hiring processes and remote work environments. Over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, with security experts warning of significant security risks and financial losses for affected companies. The U.S. 
Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two individuals and two entities for their role in these schemes, identifying financial transfers worth nearly $600,000 and over $1 million in profits generated since 2021. Japan, South Korea, and the United States are collaborating to combat North Korean IT worker schemes. The three countries held a joint forum on August 26, 2025, in Tokyo to improve collaboration, with both Japan and South Korea issuing updated advisories on the threat. The United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of working to help the Democratic People's Republic of Korea (DPRK) to generate revenue. Recently, five U.S. citizens pleaded guilty to assisting North Korea's illicit revenue generation schemes by enabling IT worker fraud. The scheme impacted more than 136 U.S. victim companies, generated more than $2.2 million in revenue for the DPRK regime, and compromised the identities of more than 18 U.S. persons. The US government has seized $15m worth of gains in Tether (USDT) from APT38 actors, seeking to return the funds to their rightful owners. North Korean IT recruiters target and lure developers into renting their identities for illicit fundraising. Famous Chollima, part of North Korea’s state-sponsored Lazarus group, uses deep fake videos and avoids appearing on camera during interviews. Legitimate engineers are recruited to act as figureheads in DPRK agents’ operations to secure remote jobs at targeted companies. Compromised engineers receive a percentage of the salary, between 20% and 35%, for the duration of the contract. DPRK agents use compromised engineers' computers as proxies for malicious activities to hide their location and traces. North Korean recruiters use AI-powered tools like AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and create resumes. 
The threat actor used Astrill VPN, a popular service among North Korean fake IT workers, for remote connections. The Famous Chollima team involved in this operation consisted of six members, who used the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo. The DPRK IT worker scheme is also tracked as Jasper Sleet, PurpleDelta, and Wagemole. The scheme aims to generate revenue, conduct espionage, and in some cases, demand ransoms. DPRK IT workers transfer cryptocurrency through various money laundering techniques, including chain-hopping and token swapping. Norwegian businesses have been impacted by IT worker schemes, with salaries likely funding North Korea's weapons and nuclear programs. A campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. The campaign employs EtherHiding, a technique using blockchain smart contracts to host and retrieve command-and-control infrastructure. New variants of the Contagious Interview campaign use malicious Microsoft VS Code task files to execute JavaScript malware. The Koalemos RAT campaign involves malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework. Oleksandr Didenko, a 39-year-old Ukrainian national, was sentenced to five years in prison for providing North Korean IT workers with stolen identities to infiltrate U.S. companies. Didenko pleaded guilty to aggravated identity theft and wire fraud conspiracy in November 2025 and was arrested in Poland in May 2024. Didenko provided North Korean remote workers with at least 871 proxy identities and proxy accounts on three freelance IT hiring platforms. Didenko facilitated the operation of at least eight 'laptop farms' in Virginia, Tennessee, California, Florida, Ecuador, Poland, and Ukraine. Christina Marie Chapman, a 50-year-old woman from Arizona, was sentenced to 102 months in prison for running a 'laptop farm' from her home between October 2020 and October 2023.