Silicon Valley Engineers Charged With Theft of Google, Tech Trade Secrets

Federal prosecutors have arrested three Silicon Valley engineers accused of stealing sensitive chip security trade secrets from Google and others and routing them to unauthorized locations, including Iran, raising national security concerns.

A federal grand jury in the U.S. District Court for the Northern District of California returned an indictment against Samaneh Ghandali, Soroor Ghandali, and Mohammadjavad Khosravi. The indictment was filed Wednesday and unsealed Thursday in San Jose, according to a statement from the DOJ.

While employed at Google, Samaneh Ghandali allegedly “transferred hundreds of files, including Google trade secrets, to a third-party communications platform,” to channels bearing each defendant’s first name, the DOJ said.

A copy of the unsealed indictment was not immediately available at the time of writing. Decrypt has reached out to the relevant DOJ office for further information and comment.

The trio allegedly used their employment at Google and two other unnamed companies to access confidential files tied to mobile computer processors. Per the DOJ, the stolen material included trade secrets related to processor security and cryptography, and Google materials were later copied to personal devices and to work devices associated with the other companies where the defendants were employed.

Prosecutors allege that the defendants sought to conceal their actions by deleting files, destroying electronic records, and submitting false affidavits to victim companies denying that they had shared confidential information outside the company.

In one episode described in the indictment, the DOJ alleges that in December 2023, the night before traveling to Iran, Samaneh Ghandali photographed roughly two dozen images of another company’s work computer screen displaying trade secret information.

While in Iran, a device associated with her allegedly accessed those photographs, and Khosravi allegedly accessed additional trade secret material.

According to the DOJ, Google’s internal security systems detected suspicious activity in August 2023 and revoked Samaneh Ghandali’s access. The indictment alleges she later signed an affidavit stating she had not shared Google’s confidential information outside the company.

All three defendants are charged with conspiracy and theft of trade secrets under federal law, as well as obstruction of justice under a statute that criminalizes corruptly altering, destroying, or concealing records or other objects to impair their use in an official proceeding.

The obstruction charge carries a statutory maximum sentence of 20 years in prison.

Risks and security implications

Observers say the case illustrates how insider access to advanced semiconductor and cryptographic systems can carry national security implications.

“Employees with legitimate access can quietly extract highly sensitive IP over time, even with existing controls in place,” Vincent Liu, chief investment officer at Kronos Research, told Decrypt.

The risk to semiconductor and cryptography firms often comes from “trusted insiders, not hackers,” he added, describing insider risk as a “persistent, structural vulnerability requiring constant monitoring and strict data compartmentalization.”

In such cases, “the insider is the attack surface,” Dan Dadybayo, strategy lead at crypto infrastructure developer Horizontal Systems, told Decrypt. “Firewalls don’t matter when the exfiltration vector is legitimate access,” he said, arguing that when engineers can move “architecture, key management logic or hardware security design out of controlled environments, the ‘perimeter’ collapses.”

If sensitive processor and cryptographic IP reached Iran, Dadybayo said regulators would likely respond aggressively.

He pointed to “tighter enforcement of deemed export rules where knowledge access itself counts as export” and “stricter segmentation, monitoring and licensing requirements inside U.S. firms,” adding that advanced chips and cryptography “are no longer treated as neutral commercial goods” but “instruments of geopolitical power.”

The case also exposes gaps between formal compliance and real-world resilience.

“In most technology organizations, information-theft risks are assumed to be mitigated by obtaining SOC 2 and ISO certifications,” Dyma Budorin, executive chairman at crypto security and compliance firm Hacken, told Decrypt.

Such frameworks “often measure compliance maturity, not actual resilience against a determined attacker—especially an insider.”

Certification, he said, proves controls exist “at the time of audit,” but “it does not prove that sensitive data cannot be stolen.”

Because these standards prescribe common safeguards, Budorin argued, they can make defenses predictable.

For sophisticated attackers, “compliant” often means predictable, he added, warning that real security requires “continuous validation, behavioral monitoring, and adversarial testing,” or organizations risk being “compliant on paper while critically exposed in practice.”