When former Google engineer Linwei Ding was convicted of stealing confidential AI technology, the case showed how quickly the race for AI advantage can become a trusted-access problem.
While the verdict came in January 2026, the dynamics it exposed have become more relevant in the months since. Five Eyes leaders have warned the world is only months away from AI models dramatically accelerating cyber threats. Meanwhile, the release of China’s open-source GLM-5.2 has drawn Silicon Valley attention for its coding and agentic workflow capabilities, amplifying questions about how quickly China is closing the gap. The Ding case, alongside these developments, makes one thing clear: the AI race is being run through the people with access to the systems and engineering behind it.
Evidence at trial showed Ding stole Google trade secrets covering the systems used to train and run advanced AI, including Google’s custom TPU and GPU systems, SmartNIC technology, and software that coordinates thousands of chips. At the same time, he was secretly affiliated with two PRC-based technology companies and had applied for a Shanghai government-sponsored talent plan, where he said he planned to help China build computing power infrastructure “on par with the international level.”
The case shows how quietly insider risk can form when privileged access, outside commercial interests, talent recruitment, and advanced AI know-how begin to overlap. It is also the kind of pathway DTEX examines in its new report, Inside China’s Talent Acquisition Ecosystem, which looks at how access, affiliation and incentives can create exposure before a conventional insider threat is visible.
AI infrastructure is now a strategic target
AI security conversations often focus on models and the outputs they produce. The Ding case draws attention to something less visible: the infrastructure that makes advanced AI possible.
The stolen trade secrets described by the DOJ related to the hardware and software foundation behind advanced AI, including chips, networking, orchestration software, and supercomputing systems. These are the systems that determine how quickly organizations can train models, deploy AI, and compete in sectors where compute has become a strategic resource.
In this context, the real value lies in the ability to understand, adapt and rebuild the capability behind the stolen file.
The talent pathway changes the risk profile
The talent plan detail is especially central to the risk pattern.
Foreign research, academic collaboration, and commercial work are not suspicious on their own. The risk emerges when routine professional relationships begin carrying undisclosed obligations, commercial incentives, or access to strategically important technology.
In the Ding case, prosecutors described that overlap clearly: trusted access inside a leading AI company, theft of AI infrastructure intellectual property, secret ties to PRC-based companies, and a talent plan application tied to China’s computing ambitions.
That is what moves the case beyond a straightforward trade secret theft. It shows how legitimate access can become a route for strategic knowledge acquisition.
Technology transfer is not always a single act
Insider risk programs are critical here because they sit closest to the early signals: downloads, uploads, unusual access, data movement, application use, and changes in user behavior. In cases involving advanced AI infrastructure, those signals need to be read with context: role, timing, external activity, career movement, and the sensitivity of the data involved.
When sensitive AI IP leaves an organization, the architecture, methods, engineering judgment, and implementation knowledge often travel with it.
In advanced technology environments, that knowledge can help another organization recreate systems, accelerate development, or avoid years of trial and error.
By the time an incident appears, the relationships and incentives behind it may already be in place.
Export controls do not replace enterprise visibility
The debate over restricting access to advanced AI chips, model weights, and frontier AI capability has intensified for good reason, and cases like Ding’s help explain why.
Even with limits on high-end chips and advanced models, insider risk persists wherever people with legitimate access also hold external affiliations, commercial incentives or pathways into foreign technology programs.
That is the enterprise gap. Export controls stop at the boundary, leaving organizations without visibility into who has access to their most sensitive systems, where else they are affiliated, or whether their behavior still matches legitimate work.
The behavioral signals that show up first: what to watch for
Across the Ding case, five behavioral patterns stand out; none conclusive alone, but together they form the kind of early-warning picture analysts can act on:
1. Staged aggregation of sensitive files. Between May 2022 and May 2023, Ding uploaded more than 1,000 confidential files from Google’s network covering TPU and GPU architecture, SmartNIC designs, and AI training infrastructure. Aggregation of high-value technical material over an extended window (particularly when files span multiple systems or projects) is one of the earliest forensic indicators of intent.
2. Targeted access aligned with strategic priorities. The material Ding took mapped directly to the capabilities tied to the Shanghai talent program he applied to: chip architecture, networking, and the orchestration software behind large-scale AI training. When the data a user is reaching for lines up with known strategic priorities, that alignment is itself a high-signal indicator when paired with privileged access.
3. Evasion of standard controls. Ding copied data from Google source files into Apple Notes on his Google-issued laptop, converted the notes to PDF, and uploaded the files to a personal account. This is a known workflow used to bypass detection. Format-shifting, personal cloud uploads, and movement through non-corporate channels are deliberate evasion patterns.
4. Undisclosed external affiliations and incentives. While employed at Google, Ding was secretly tied to two PRC-based technology companies: he was in discussions to serve as CTO of Beijing Rongshu Lianzhi Technology and went on to found and lead Shanghai Zhisuan Technology as CEO. He circulated internal plans to ‘replicate and upgrade’ large-scale computing platforms similar to Google’s and pitched the resulting technology to PRC-controlled entities, including government agencies and academic institutions. Outside roles, foreign program applications, and undisclosed commercial interests are the affiliation half of the access-affiliation-incentive pattern.
5. Concealment and misdirection. When Google began investigating in December 2023, Ding signed a self-deletion affidavit without disclosing his earlier transfers. Investigators later found a colleague had badge-swiped him into Google’s California office on three December dates while Ding was actually in China pitching investors. Together, these actions show an insider working to cover their tracks, not just continue the activity.
The next cases will be harder to spot
As AI infrastructure becomes more valuable, insider risk teams should expect more cases where legitimate access sits alongside external affiliations, commercial ambition, or state-aligned technology priorities.
Advanced AI development concentrates sensitive knowledge inside AI labs, cloud providers, semiconductor companies, universities, defense-adjacent research organizations, and enterprises building proprietary AI systems. These environments hold the data, systems, models, and expertise others want to acquire or replicate.
These cases rarely look risky early on. They may appear as career movement, research collaboration, startup activity or outside funding until the wider context is assembled.
The answer lies in better context around the people, access, obligations and incentives attached to sensitive work.
For organizations protecting sensitive research, IP or advanced technology, the real test is whether they can recognize the conditions that make technology transfer possible before an incident is visible.
Read DTEX’s new report, Inside China’s Talent Acquisition Ecosystem, to understand how those conditions form and the signals worth paying attention to.
FAQ: AI theft, Chinese talent plans and insider risk
Former Google engineer Linwei Ding was convicted of stealing confidential AI trade secrets tied to Google’s AI supercomputing infrastructure. Evidence at trial also showed he had ties to PRC-based companies and applied for a Shanghai government-sponsored talent plan.
The case shows how a talent plan becomes risk-relevant when it overlaps with trusted access, outside company ties, and sensitive AI infrastructure. The issue is not the talent plan alone; it is the wider pattern around access and capability transfer.
Chinese talent plans can create pathways for expertise, methods, research, and technical know-how to move into priority sectors. In sensitive areas like AI infrastructure, the transfer risk extends beyond files to the knowledge needed to recreate capability elsewhere.
Subscribe today to stay informed and get regular updates from DTEX



