China-linked hackers target tech firms for AI theft

CrowdStrike reports China-linked groups attacked technology firms from April 2025 to March 2026 to steal AI tools, models and related intellectual property.

CrowdStrike tracked state-linked intrusions from April 2025 through March 2026 and found technology companies were the most targeted sector. The firm reported that more than 58% of state-sponsored operations attributed to China-linked groups focused on the technology industry.

CrowdStrike identified multiple China-nexus groups behind the campaigns, including MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA and WARP PANDA. One operation by MURKY PANDA used password-spraying techniques and affected more than 340 U.S. entities. Password-spraying involves testing common passwords across many accounts to avoid triggering lockouts on individual logins.

The report links the intrusions to Beijing’s push for AI self-sufficiency and a stated goal of global AI leadership by 2030. CrowdStrike described AI capabilities as a high-value intelligence target because those tools and models can be applied to economic growth, military modernization and intelligence collection.

CrowdStrike warned that gaining access to technology firms can provide routes into downstream customer environments and create opportunities for supply-chain compromises. The report noted that breaches of third-party vendors and cloud environments can expose multiple organizations through a single compromise.

The firm expects China-linked actors to continue prioritizing the technology sector for at least the next 12 months. CrowdStrike urged organizations involved in AI development and deployment to strengthen defenses, harden identity controls, adopt stronger authentication, secure supply chains and monitor for anomalous activity.

The report cited U.S.-China economic decoupling, tighter enforcement of export controls and sanctions, and ongoing economic espionage as factors driving the theft of AI tools, models and research. Industry voices have argued that curbs on chip smuggling, offshore data centers and model replication could give the United States and partners a 12- to 24-month lead in some AI capabilities.

“China runs cyberespionage as an industrial policy to try to close the AI innovation gap, demonstrating that AI capabilities are the prize adversaries are after,” Adam Meyers, CrowdStrike’s head of counter-adversary operations, warned. The report did not quantify total economic losses from the intrusions but emphasized the intelligence value of stolen AI work.

Articles by this author