Three Arrested in $170M AI Chip Smuggling Plot Targeting China – Export‑Control Violation Exposes Supply‑Chain Risks
What Happened — In October 2023, Tommy Shad English, posing as a Thailand‑based buyer, ordered 750 servers (≈ $170 M) from a U.S. hardware firm, including 600 units containing export‑controlled AI chips. He falsified end‑user certifications to hide the intended shipment to China. After a compliance review raised concerns, the scheme stalled; a second attempted order in April 2024 also failed. In March 2026 the FBI arrested Stanley Yi Zheng, and Matthew Kelly and English surrendered shortly thereafter; they were charged with conspiracy to smuggle and export‑control violations.
Why It Matters for TPRM
- Export‑control non‑compliance can trigger severe civil/criminal penalties and reputational damage for vendors.
- Third‑party procurement channels may be leveraged to bypass licensing requirements, exposing clients to hidden legal risk.
- Supply‑chain visibility gaps allow malicious actors to embed illicit hardware in legitimate product lines.
Who Is Affected — U.S. hardware manufacturers of AI‑accelerated chips, downstream technology integrators, and any organizations that source critical compute equipment from these vendors.
Recommended Actions
- Verify that all hardware suppliers maintain robust Export Administration Regulations (EAR) compliance programs.
- Require documented end‑user certificates and independent validation for high‑value, export‑controlled components.
- Incorporate export‑control audit clauses into vendor contracts and monitor for anomalous procurement patterns.
Technical Notes — The scheme involved falsified end‑user certifications, use of shell companies in Thailand, and attempts to ship AI‑grade GPUs/ASICs subject to EAR Part 738. No vulnerability or malware was exploited; the risk stemmed from supply‑chain manipulation and insider collusion.
Source: Help Net Security