
China’s AI Espionage Is Targeting People, Not Just Networks

When the first wave of industrial-era corporate espionage cases hit U.S. courts in the 1990s, the initial framing was reassuringly technical: foreign actors were stealing blueprints, not people. That framing proved dangerously incomplete. The deeper, longer-lasting damage came from compromised insiders — engineers, contractors, and executives who were cultivated, coerced, or simply outbid. A new chapter in that same playbook is now being written around artificial intelligence, and the early evidence suggests the pattern is repeating.

China-linked actors targeting American AI companies are broadening their tactics well beyond traditional network intrusions, according to experts and industry participants interviewed by CNBC. The shift — from exploiting software vulnerabilities to exploiting human ones — has accelerated sharply in the 18 months since the release of DeepSeek’s R1 model in early 2024, which many observers regard as the starting gun of the current U.S.-China AI race. The central question this raises is not whether the threat exists, but whether the companies most exposed to it have any realistic means of defense.

⚠ New employees at AI companies are being targeted by cyberattacks on their very first days on the job — and most AI startups don’t have the resources to stop it, industry insiders warn.

Who’s Affected?

The exposure is not evenly distributed. U.S.-based cybersecurity company CrowdStrike reported in June that Chinese entities accounted for more than half of all state-sponsored intrusions targeting technology companies — specifically their AI assets — in the 12 months ending March 31, 2025. That figure, cited by CrowdStrike, frames the scale of a campaign that Matt Pearl, director of the strategic technologies program at the Center for Strategic and International Studies, told CNBC is no longer narrowly focused on hardware designs or discrete trade secrets.

“As the AI race has heated up, the [People’s Republic of China] has targeted the tech sector increasingly,” Pearl said. Rather than pursuing a single trade secret, he said, China-linked actors have broadened their interest to anything capable of narrowing what he described as a three-to-four-month AI capability gap with the United States — including product roadmaps, supply chain weaknesses, and personnel. Separately, AI content detection startup Copyleaks said last year that responses generated by DeepSeek’s R1 model resembled those produced by OpenAI’s ChatGPT approximately 74 percent of the time, leading its CEO and co-founder Alon Yamin to suggest the open-source Chinese model may have been trained on U.S.-developed outputs. DeepSeek and OpenAI did not immediately respond to requests for comment. American tech startup Anthropic has also accused Chinese companies, including Alibaba, of illicit attempts to acquire its AI capabilities, according to CNBC. Alibaba did not respond to a request for comment.

The human dimension of the threat is illustrated — though not independently verified — by the account of Brian Abbott, founder and CEO of U.S. startup Agentiq Capital, who told CNBC in June that he believed an employee hired from China last year was an agent of Beijing. Abbott alleged the individual deliberately altered code and website content, replacing references to “ASI” — artificial superintelligence — with “fintech,” a term he said venture capital investors have grown skeptical of, in what he characterized as an attempt to undermine the company’s fundraising. The employee was dismissed earlier this year, Abbott said, and the company filed a complaint with the FBI. CNBC was unable to independently verify the allegation.

The FBI confirmed to CNBC that “China’s economic espionage campaign is a continuing threat that costs the American economy hundreds of billions of dollars per year and puts our national security at risk,” adding that it “prioritizes investigating any potential theft of U.S. technology by foreign actors.” The Cyberspace Administration of China and the U.S. Department of State declined to comment when contacted by CNBC.

Taken together, the CrowdStrike intrusion data, the Copyleaks stylistic analysis, and the Agentiq Capital allegation point to a three-layered threat architecture: technical intrusion, model-level intellectual property replication, and human infiltration. No single incident proves a coordinated strategy, but the convergence across independent data points suggests that AI companies face a systemic exposure that cannot be addressed by cybersecurity software alone — a reality that has significant implications for how investors should assess the moat durability of AI startups relative to their larger, better-resourced competitors.

What Comes Next?

The structural vulnerability is concentrated among smaller companies. Cliff Steinhauer, director of information security and engagement at the non-profit National Cybersecurity Alliance, described the phenomenon to CNBC as “cyber poverty lines” — a threshold below which small businesses simply lack the resources of large corporations to mount credible defenses. Social engineering tactics, amplified by AI-generated content, are increasingly the method of choice precisely because they are inexpensive to deploy and difficult to detect. Copyleaks’ Yamin told CNBC that his own company has seen new employees targeted by cyberattacks immediately upon joining. “We’ve seen a lot of cases within our company, new employees that are joining the company, immediately they’re a target of cyberattacks to get access to our AI models,” he said, adding that he expects such cases to increase.

Isaac Stone Fish, founder and CEO of consultancy Strategy Risks, told CNBC that Beijing’s attempted interventions have “certainly increased over the last 18 months” and that China’s approach includes not only hacking but also “supply chain restrictions, employee harassment, targeted government subsidies of copycat competitors, among other strategies.” He noted that while Beijing tends to focus more heavily on large corporations, startups remain especially exposed because they “don’t necessarily have cyber expertise.” This dynamic is compounding existing capital asymmetries: while the AI spending race among large technology companies accelerates, smaller AI startups are simultaneously being asked to innovate faster and defend more aggressively — on budgets that permit neither at full scale.

On the policy front, the asymmetry runs further. In China, policymakers have provided AI startups with free or subsidized computing power and rent-free office space, according to CNBC’s reporting. In the United States, Anthropic on June 11 announced a program called Claude Corps to train 1,000 people in AI and match them with non-profits — a workforce initiative, not a security program. The U.S. government’s primary public tool remains technology export controls, a blunt instrument that, as Graham Webster of Stanford University’s DigiChina Project observed to CNBC, should surprise no one if it invites countermeasures. “The U.S. government is trying to hold China back to some extent,” Webster said. “We should not be surprised that the Chinese government tries otherwise.” Webster also cautioned that the difficulty of distinguishing state-sponsored espionage from individual or corporate-level efforts creates interpretive risk — and that the current narrative around Chinese AI may be “overtaking reality,” particularly as major U.S. companies prepare for significant initial public offerings. For context on how regulatory and market pressure interact in AI capital markets, the current AI market inflection has sharpened the stakes on both sides of that dynamic.

The Strongest Counterargument

The most substantive objection to the narrative presented above comes from Webster himself, and it deserves a fair hearing. The argument is that the threat is being systematically overstated — not because the incidents are fictional, but because the institutional incentives to amplify them are powerful. Cybersecurity firms benefit commercially from elevated threat perception. U.S. companies pursuing IPOs benefit from a narrative that positions their technology as strategically irreplaceable national assets. And policymakers benefit from a threat frame that justifies expansive export control regimes.

Webster’s caution that “the narrative is overtaking reality in a lot of decisions” is a genuine epistemological challenge to the claims made by CrowdStrike, CSIS, and others. The Agentiq Capital allegation, for instance, remains unverified by CNBC’s own account, and none of the other experts interviewed for the original reporting said they had encountered a similar verified instance of state-directed subversion inside a U.S. startup. The stylistic similarity between DeepSeek R1 and ChatGPT outputs, while suggestive, is also not conclusive evidence of training-data theft; large models trained on overlapping public datasets can converge stylistically without any illicit transfer. This counterargument does not dissolve the broader concern — the FBI’s confirmation of economic espionage at scale, and CrowdStrike’s intrusion data, are not easily explained away. But it does impose an evidentiary standard: specific, verified incidents should be distinguished from plausible threat models, particularly when capital allocation and policy decisions depend on the distinction.

Tough Questions for the People in Charge

  1. To CrowdStrike: Of the state-sponsored intrusions attributed to Chinese entities in the 12 months ending March 2025, how many resulted in confirmed data exfiltration of AI assets, and what was the methodology for attributing them to state actors versus independent criminal groups?
  2. To the FBI: The “hundreds of billions of dollars per year” figure cited in your CNBC statement — what is the methodology behind that estimate, and what share of it is attributable specifically to AI intellectual property theft versus other technology sectors?
  3. To AI startup CEOs and their boards: What specific security protocols govern the onboarding of employees from jurisdictions identified as high-risk by U.S. intelligence agencies, and have those protocols been independently audited?
  4. To U.S. venture capital investors: How are you assessing insider-threat exposure in due diligence for AI startups, and are you pricing the “cyber poverty” risk differential between startups and large incumbents into valuations?
  5. To U.S. policymakers: Given that export controls are the primary public instrument for containing Chinese AI advancement, what evidence exists that those controls are slowing capability development rather than accelerating domestic Chinese investment in the targeted technologies?
