Former Google Engineers Indicted for Alleged Theft of Chip Security and Cryptography Trade Secrets Sent to Iran
US federal prosecutors indicted Samaneh Ghandali and Soroor Ghandali (former Google engineers) and Mohammadjavad Khosravi (Samaneh’s husband, employed at another unnamed tech firm) for alleged trade secret theft, conspiracy, and obstruction of justice tied to the exfiltration of sensitive processor-related information. The Department of Justice alleges the trio used their roles at multiple Silicon Valley companies to access and steal confidential documents covering processor security and cryptography, and moved the material to unauthorized third-party and personal locations, including destinations linked to Iran.
Investigators allege the activity included transferring large volumes of internal files to external communications platforms and sharing them in channels associated with the defendants, with additional copies later found on personal devices and systems connected to the group. Prosecutors also claim the defendants attempted to conceal the scheme through actions such as destroying records, making false statements, and photographing screens to avoid direct document transfers. Google said it enhanced safeguards and alerted law enforcement after discovering the incident; the alleged stolen trade secrets reportedly included information related to Google’s Tensor processor used in Pixel phones.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Defendants are arrested in San Jose and appear in federal court
Following the indictment, the three defendants were arrested in San Jose and made their initial appearance in federal court. Authorities said the case was investigated by the FBI's San Francisco Field Office.
Federal grand jury indicts three engineers over trade secret theft scheme
A federal grand jury indicted Samaneh Ghandali, Soroor Ghandali, and Mohammadjavad Khosravi for conspiracy, trade secret theft, attempted theft, and obstruction of justice tied to alleged theft of processor security and cryptography-related secrets from Google and other tech firms. Prosecutors said the data was transferred to unauthorized locations, including Iran.
Samaneh allegedly photographs confidential data before Iran travel
In December 2023, prosecutors allege Samaneh Ghandali photographed confidential information from Mohammadjavad Khosravi's employer before traveling to Iran. Investigators say the images were later accessed from Iran.
Defendants allegedly continue concealment and evidence-deletion efforts
After Google cut off access, investigators allege the defendants continued accessing stolen data and searched for ways to delete or conceal evidence. Prosecutors also allege they used methods such as false affidavits, record deletion, and photographing screens to avoid detection.
Google detects suspicious access and revokes Samaneh Ghandali's access
Google identified unusual activity involving Samaneh Ghandali in August 2023 and revoked her access. The company said it later strengthened safeguards and notified law enforcement after discovering the alleged theft of trade secrets.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Ex-Google engineers charged with trade secret theft and transfer to Iran | SC Media
scworld.com
Open sourceSilicon Valley Engineers Charged With Stealing Trade Secrets From Google and Other Tech Companies
cybersecuritynews.com
Open sourceThree Former Google Engineers Indicted Over Trade Secret Transfers to Iran
thehackernews.com
Open sourceEx-Google engineers accused of swiping chip security secrets • The Register
go.theregister.com
Open sourceEx-Google engineers charged with orchestrating high-tech secrets extraction - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ex-Google Engineer Convicted of Economic Espionage and AI Trade Secret Theft
A U.S. federal jury convicted former Google engineer **Linwei Ding** (aka **Leon Ding**) on **14 counts** spanning **economic espionage** and **theft of trade secrets** after prosecutors said he stole thousands of confidential Google documents tied to the company’s artificial intelligence technology for the benefit of a China-based startup. The U.S. Department of Justice framed the case as protection of U.S. intellectual property and national security, alleging the theft was intended to advantage the **People’s Republic of China (PRC)**. Reporting indicates Ding began exfiltrating internal materials as early as **May 2022**, including by copying content into the **Apple Notes** app, converting it to PDFs, and uploading it to a personal cloud account. The stolen information reportedly covered sensitive AI infrastructure and chip-related technology, including details associated with Google’s AI supercomputing environment (e.g., data center/cluster management components) and hardware/software used to run AI workloads (including **TPU/GPU systems** and related networking components). Ding was initially indicted in **March 2024**, with subsequent superseding indictments expanding the alleged timeframe and charges; the case is cited as *USA v. Ding*, N.D. Cal., No. `3:24-cr-00141`.
Mar 21, 2026
China-Linked Espionage Targeting U.S. Government and Technology Talent
U.S. authorities and researchers are highlighting **China-linked espionage** that increasingly leverages online recruitment and employment channels to access sensitive information. Reporting on recent federal cases describes foreign intelligence services posing as consulting firms, research groups, or recruiters to approach current and former U.S. government personnel—often starting via email or job platforms and escalating through staged interviews, fake websites, and payment offers—to solicit **classified or sensitive information**; multiple Justice Department actions in 2025 reportedly involved such virtual-first recruitment approaches. Separately, a former Google engineer, **Linwei Ding**, was found guilty of **economic espionage and trade secret theft** after prosecutors said he exfiltrated over 2,000 pages of confidential AI supercomputing documents (including TPU/GPU architecture details, orchestration software, SmartNIC networking designs, and internal system configurations) and uploaded them to a personal cloud account while maintaining undisclosed ties to China-based companies and engaging with a Shanghai-sponsored talent program. Broader context from CSIS’ long-running survey of Chinese espionage cases underscores that these incidents fit a sustained pattern since 2000 spanning both **human intelligence** and **cyber-enabled theft** targeting U.S. government and commercial technologies, while noting open-source case lists likely undercount the true scope.
Mar 21, 2026
Iran-Linked Handala Hackers Breach FBI Director's Personal Gmail
Iran-linked hackers operating as the **Handala Hack Team** claimed they breached FBI Director Kash Patel’s personal Gmail account and published excerpts from the stolen material online. Reporting says the leak totaled about **800 MB** and included personal photographs, a purported resume, and hundreds of emails, with exposed correspondence spanning roughly **2010 to 2019** and appearing to contain both personal and work-related messages. A Justice Department official confirmed Patel’s email account had been compromised and said the leaked material appeared authentic, though the emails themselves were not independently verified. Handala framed the intrusion as an embarrassment for U.S. security leadership and warned that if the FBI director could be compromised, other personnel could be targeted as well. Western cybersecurity researchers have assessed Handala as a pro-Palestinian hacktivist persona linked to **Iranian government cyberintelligence units**, and the breach follows other activity attributed to the group, including a claimed attack on medical technology company **Stryker**. The incident also comes after U.S. actions against Handala, including domain seizures and a **$10 million** reward offer tied to identifying members of the group.
Mar 30, 2026