China-Linked Espionage Targeting U.S. Government and Technology Talent
U.S. authorities and researchers are highlighting China-linked espionage that increasingly leverages online recruitment and employment channels to access sensitive information. Reporting on recent federal cases describes foreign intelligence services posing as consulting firms, research groups, or recruiters to approach current and former U.S. government personnel—often starting via email or job platforms and escalating through staged interviews, fake websites, and payment offers—to solicit classified or sensitive information; multiple Justice Department actions in 2025 reportedly involved such virtual-first recruitment approaches.
Separately, a former Google engineer, Linwei Ding, was found guilty of economic espionage and trade secret theft after prosecutors said he exfiltrated over 2,000 pages of confidential AI supercomputing documents (including TPU/GPU architecture details, orchestration software, SmartNIC networking designs, and internal system configurations) and uploaded them to a personal cloud account while maintaining undisclosed ties to China-based companies and engaging with a Shanghai-sponsored talent program. Broader context from CSIS’ long-running survey of Chinese espionage cases underscores that these incidents fit a sustained pattern since 2000 spanning both human intelligence and cyber-enabled theft targeting U.S. government and commercial technologies, while noting open-source case lists likely undercount the true scope.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
CSIS documents long-running Chinese espionage against the United States
CSIS published a survey summarizing alleged and confirmed Chinese espionage and cyber-espionage incidents in the United States from roughly 2000 through 2023. The report highlights sustained targeting of U.S. government, defense, critical infrastructure, healthcare, and commercial entities, along with multiple DOJ indictments and public attributions over the period.
Nextgov reports China-linked recruitment targeting laid-off U.S. personnel
Nextgov/FCW reported that foreign intelligence services, primarily linked to China, were exploiting recent U.S. federal layoffs by approaching former and sometimes current government personnel through fake job offers and recruiter-style outreach. The operations used staged interviews, consulting fronts, and payment offers to solicit classified or sensitive information.
OpenClaw patches high-severity RCE flaw CVE-2026-25253
The OpenClaw ecosystem recently patched a high-severity remote code execution vulnerability tracked as CVE-2026-25253. The fix was noted alongside broader concerns about malicious third-party skills in the platform.
Researchers find 200+ malicious skills in OpenClaw AI assistant ecosystem
Security researchers identified more than 200 malicious 'skills' published for the OpenClaw open-source AI assistant. The packages posed as benign utilities but were designed to deliver information-stealing malware, highlighting supply-chain risk in AI assistant plugin ecosystems.
Okta and Mandiant report rise in ShinyHunters-linked vishing intrusions
Okta and Mandiant reported a surge in vishing-driven intrusions tied to ShinyHunters-related clusters that impersonate IT staff to obtain MFA approvals and SSO credentials. The campaigns enabled access to platforms such as Okta, Microsoft Entra, and Google, followed by SaaS data theft and extortion activity.
Google engineer Linwei Ding found guilty of economic espionage
Former Google software engineer Linwei Ding was found guilty of economic espionage and trade secret theft after exfiltrating more than 2,000 pages of confidential AI supercomputing documents. The material was allegedly shared with China-linked technology interests.
FDD identifies broad network of China-linked fake recruiting websites
Analysts at the Foundation for Defense of Democracies assessed a network of fake consulting and recruiting firms likely tied to China that targeted current and former U.S. government personnel. An FDD researcher identified more than 100 related websites showing indicators such as China-based registration, Chinese language packs, and plagiarized content.
DOJ announces multiple 2025 cases tied to virtual foreign recruitment efforts
According to Nextgov/FCW, the U.S. Department of Justice announced charges or indictments in at least five cases during 2025 involving current or former U.S. government personnel accused of passing sensitive information to foreign intelligence services. In nearly all of those cases, the initial contact reportedly occurred online through recruiter-style outreach, email, or job platforms.
Sources
3 references tracked.
Survey of Chinese Espionage in the United States Since 2000 | Strategic Technologies Program | CSIS (csis.org, open source)
Now accepting applications - for classified intel - Nextgov/FCW (nextgov.com, open source)
The Good, the Bad and the Ugly in Cybersecurity - Week 6 (sentinelone.com, open source)


