How banned AI chips end up in China
AI chips and servers reach China through distribution chains in which each seller vets only its direct customers, and no one is on the hook for what happens downstream.
AI chips are being smuggled[1] into China. How does this happen? That is, how are the smugglers able to do it?
You might, for example, expect that sales of these chips could be vetted, and shipments tracked by US authorities. But the relevant US agency is badly understaffed: it cannot possibly vet every sale of AI chips, let alone follow up after every sale to ensure the chips have not been smuggled. So enforcement is largely left to the companies that sell and resell the chips. You might then suppose that these companies would vet their customers and monitor their distribution networks to ensure none of their chips are diverted, in order to comply with the law. But they are not strongly incentivized to do the due diligence needed to prevent most smuggling.
In this post, I’ll explain (1) why AI chip smuggling matters, (2) how AI chips and servers are sold and distributed, (3) what due diligence the exporting companies do, and (4) why those efforts often fail to prevent smuggling. In a nutshell, AI chips and servers are distributed through different channels, usually passing through multiple intermediaries across multiple countries. While most companies selling these products perform sufficient due diligence to comply with the law, others are outright negligent, and overall these efforts are not sufficient to prevent most smuggling.
How big a problem is AI chip smuggling?
Smuggling is a pretty big problem, though not serious enough to make the AI chip controls ineffective. In a new report, Epoch AI says that
between 290,000 and 1.6 million H100-equivalents (H100e) were smuggled to China through 2025. Our median estimate of 660,000 H100e would be roughly a third of China’s total compute.
US authorities recently indicted three people, including two insiders at Super Micro, a major American AI server builder, for moving $2.5 billion worth of AI servers to a shell company for diversion to China, the largest-ever export control violation in dollar terms, as far as I can tell. Over the past year, the US has announced six prosecutions for smuggling AI chips to China, totaling about $3 million worth of NVIDIA products. And before that, there were many reports, rumors, and analyses pointing to large-scale smuggling of AI chips.
Surveillance photos of dummy servers being relabeled with a hair dryer the day before an inspection by a US agent, from the indictment of the $2.5 billion Super Micro insider case.
I don’t think smuggling is a large enough problem to make the AI chip export controls ineffective overall. The controls have likely played a large role in maintaining the US lead over China in AI and may even have widened the gap in frontier performance. For example, a recent benchmark evaluation by the Center for AI Standards and Innovation (CAISI) suggests that Chinese models trail US models by about eight months, with the lag growing by about three months per year.[2] And you can make a strong case for prioritizing efforts to shore up semiconductor manufacturing controls over efforts to address AI chip smuggling. But smuggling is still a serious and urgent problem.
According to CAISI, the best Chinese model today is DeepSeek-V4. DeepSeek has reportedly used thousands of smuggled NVIDIA Blackwell chips. I think it’s likely that DeepSeek-V4 was trained on NVIDIA chips.[3] If DeepSeek didn’t have access to smuggled NVIDIA chips, it would likely have had to either rely on renting cloud access from chips installed outside China (which is risky from DeepSeek’s perspective because the US government could revoke remote access to those chips) or use indigenously made AI chips like Huawei Ascends to train smaller, weaker models. DeepSeek reportedly tried to train V4 on Ascend chips but abandoned the attempt after a failed training run, reverting to NVIDIA for training while supporting Ascend for inference.[4] So even though smuggled chips account for only about 3% of the global compute stockpile, they represent about a third of China’s compute, which is why smuggling still matters.
AI chips are distributed through many intermediaries
The basic smuggling playbook works like this. A smuggler buys AI chips through a shell or front company (often in a third country[5] but sometimes in the US), relabels them as some other product, and ships them to China through ordinary shipping services. (For example, in several cases, smugglers appear to have bought AI servers through front companies set up to look like Singaporean, Malaysian, Thai, and Indonesian neoclouds.[6]) Once a smuggler has the chips, getting them into China seems quite easy, so I’ll focus here on how smugglers get hold of them in the first place.
AI chips routinely pass through multiple actors and countries before they are installed and used in data centers. We can refer to all actors who sell AI chips as “AI chip sellers”. They are:
AI chip designers, such as NVIDIA and AMD. These companies design AI chips, but they do not manufacture anything. NVIDIA holds an estimated 80-95% of the AI chip market share.[7]
AI server builders (also known as original equipment manufacturers, or OEMs), such as Super Micro and Dell. These companies buy AI chips from AI chip designers and design and manufacture AI servers, each typically containing four to eight AI chips. The servers are shipped to data centers and installed in cabinets. Notable AI server builders include Super Micro (US, about 10% of NVIDIA’s revenue), Dell (US, ~3%), Wiwynn (Taiwan, ~3%), Lenovo (China/US, ~1%), Gigabyte (Taiwan, ~1%), Hewlett Packard Enterprise (US, <1%), and Inspur (China, <1%). (Why do these companies not make up more of NVIDIA’s revenue? That’s because AI chip designers like NVIDIA often sell chips directly to hyperscalers and neoclouds. In such cases, though the servers are assembled by original design manufacturers (ODMs), the transaction occurs directly between NVIDIA and the end customer. Hyperscalers and neoclouds make up about half of NVIDIA’s revenue.)
Distributors, such as TD Synnex and Ingram Micro. These large, multinational companies are intermediaries that handle logistics and warehousing of AI chips and AI servers. The key distributors are TD Synnex (<1% of NVIDIA’s revenue), Ingram Micro (<1%), and Arrow Electronics (<1%), all headquartered in the US but with extensive operations worldwide.[8]
Resellers. These companies, which are numerous and often small and local, buy AI chips and servers from distributors and sell them to end customers in the country or countries where they operate.
Before being sold, AI chips are made. For example, most of NVIDIA’s AI chips are designed by NVIDIA in the US, fabricated by TSMC in Taiwan, packaged with high-bandwidth memory by TSMC in Taiwan, tested by KYEC in Taiwan, and then either (a) assembled into SXM modules by Foxconn in Taiwan and mounted onto HGX baseboards by Foxconn and Wistron in Taiwan, or (b) assembled into PCIe cards (i.e., accelerators) by Foxconn, and possibly others, again in Taiwan.
From there, the chips[9] can get to their end customers in a few different ways:
AI accelerators can be sold to minor end customers through distributors and resellers. In the simplest case, a company like NVIDIA sells AI accelerators to distributors, who in turn sell them to resellers, who then sell them to end customers. The end customer can then use the accelerators however they wish, for example, by installing them themselves in workstations or servers customized to their preferences. However, this pathway is quite rare, as most customers want AI servers ready for installation in data centers.
AI servers can be sold to minor end customers via distributors and resellers. For example, NVIDIA may sell AI chips (usually in the form of SXM modules mounted on baseboards) to Super Micro, which builds AI servers using them and sells these servers to a distributor. The distributor then sells to a reseller, which sells to an end customer.
AI servers can be sold to major end customers directly by AI server makers. Hyperscalers and neoclouds often purchase very large quantities of AI servers directly from server makers, bypassing distributors and resellers. For large orders of NVIDIA servers, this often involves a three-party negotiation among the customer, the server maker, and NVIDIA.
AI servers can be sold to major end customers directly by AI chip designers. In the case of NVIDIA, hyperscalers and neoclouds can buy AI servers directly from NVIDIA instead of from server makers. (The NVIDIA-designed servers are called DGX, while the OEM-designed servers are called HGX.) As mentioned above, these servers are built by ODMs for NVIDIA.
Most AI chips are likely sold to major end customers like hyperscalers, either directly from NVIDIA or directly from AI server makers. However, most smuggling likely involves smaller order volumes, with bad actors buying AI chips and AI servers either from AI server makers or from smaller resellers. So bad actors don’t purchase AI chips directly from AI chip designers like NVIDIA. Of the six cases that have been prosecuted by the US:
Four involved smugglers buying AI servers and HGX baseboards from AI server makers (Super Micro and Lenovo)
One involved smugglers buying AI chips and AI servers (the latter made by Hewlett Packard Enterprise) from an Alabama reseller
One involved intermediaries storing goods from multiple suppliers, including SXM modules from a Massachusetts reseller and HGX baseboards from Lenovo (the same Lenovo purchases mentioned above)
These are all cases in which the smugglers were at least partly based in the US and procured AI chips from US sellers. Most smuggling likely involves actors based abroad who buy from local sellers or import from US sellers, but these cases are harder for US authorities to detect and prosecute.[10]
How AI chip sellers (try to) vet their customers
AI chips are export-controlled, meaning they cannot be sold to just any customer. For example, it is illegal[11] to sell them to companies headquartered in China or listed on BIS-maintained lists, such as the Entity List or the Military End-User List. So when selling AI chips, companies need to conduct due diligence to ensure they are not selling to any such customer.
Most AI chips are likely sold by AI server makers, and a lot of smuggling seems to involve smugglers buying from server makers, so the remainder of this section focuses on them.[12] From the point of view of AI server makers, the sales process lasts months and roughly follows these steps:
Talk with the customer about their requirements
Run software tools that gather data about the customer’s environment (i.e., data center)
Negotiate prices (changing server components and/or order volumes if necessary)
Prepare a contract (stipulating who the end customer is, where the servers are to be shipped, and who will install the servers)
Do due diligence
Build, box, and ship the products
Server makers track items at the serial number level using enterprise resource planning (ERP) software (e.g., SAP or Oracle). AI chip designers and distributors likely do too, though I’m not sure to what extent resellers do so (since they are smaller, less resourced, and less well-organized). When an order is placed, the salesperson enters it into the ERP system, and it is then routed to the appropriate factory or factories responsible for assembling, testing, boxing, and (once the order is paid) shipping the hardware to the customer. Server makers also have some visibility into their partner distributors’ inventory, since distributors typically hold a lot of the parts used by server makers. These parts (e.g., AI chips) can then be sent to the server maker for assembly when a customer makes an order via a reseller.[13]
From a smuggling perspective, we’re mostly interested in the due diligence step of the sales process. First, some definitions:
Compliance is overall adherence to regulations
Due diligence is the process of investigating and assessing risk related to a transaction, aimed at ensuring compliance
Know Your Customer (KYC) processes are part of due diligence in which a company verifies a customer’s identity and assesses their risk level. There are several risks that sellers aim to avoid here, not only legal ones (e.g., by selling to a sanctioned customer) but also commercial ones, such as ensuring the customer can pay (counterparty credit risk).
AI chip designers, server makers, and distributors do fairly extensive compliance checks, but these checks seem mostly (and reasonably) aimed at (1) complying with the law, and (2) ensuring they get paid. AI chip sellers seem to differ a lot in both what they do to stay compliant and how effectively they do it, but they typically:
Conduct KYC checks to ensure the prospective buyer is not a shell or front company and can pay for the order. That means the seller asks the company for information, e.g., legal name, corporate structure, location (including county/region), date of registration, affiliations, and operational history (e.g., bank statements, balance sheets). The seller will also, at least sometimes, ask local commerce ministries for information, check trade registries, and/or do other due diligence to verify some of that information.
Ask the prospective buyer to provide a signed end-user certificate detailing how the purchase fits their business and how, where (down to the county/region level), and by whom[14] the products will be used. A former HPE salesperson told me that “the primary way companies prevent chip smuggling is to ensure that we know the end destination of a system before we accept and ship an order”, but added that most of what determines the destination “is what the customer or the partner tells us”.
Screen against lists (the Entity List, the Unverified List, the Military End-User List, and a few others)
Check for BIS’s red flags
Request a license from BIS if necessary
For large companies like NVIDIA and the server makers and distributors discussed here, these due diligence processes are largely handled by a centralized compliance team. (But salespeople also have some responsibilities; for example, according to a former Super Micro employee, its sales reps attended mandatory weekly meetings drilling them on export compliance requirements, though these sessions did not seem to prevent smuggling.) The compliance team will usually be located in the US, and end-user certificates and other documents are typically sent to it for approval, even for transactions handled by salespeople outside the US. The compliance team also does internal audits and trains the company’s sales, legal, finance, and shipping staff. In the $2.5 billion insider case, Super Micro’s compliance team did notice a fast-growing customer’s anomalous order volume and ran successive audits, although those audits were allegedly sabotaged from within the sales organization by senior Super Micro employees who arranged “friendly” auditors, falsified the customer’s data center lease agreements, and arranged warehouses with thousands of dummy servers to (successfully) subvert a Super Micro compliance inspection.
Sometimes, part of the due diligence process is carried out by third parties or through tools and data services they provide. These include AEB, e2open, Descartes, Dow Jones, Dun & Bradstreet, Kharon, LexisNexis, Sayari, Strider, Thomson Reuters, and WireScreen. These tools can automate parts of the due diligence process and are integrated with the ERP system. These third parties can also help validate end-user certificates, conduct background checks on buyers, perform list screening, and more.[15]
Some AI chip sellers seem to be happy to stick to these common activities, but others also do fairly extensive post-sale monitoring, e.g., one server maker (according to a former employee I spoke with) would also periodically follow up with the customer on a call to verify that the chips are used as intended; require the end-user certificate to be renewed every six months; negotiate the right to perform on-site inspections for large or high-security sales; and occasionally redo the list-based screening to check that the customer hasn’t been added since.
NVIDIA and its partners also carry out on-site inspections, at least occasionally.[16] As mentioned, in the $2.5 billion Super Micro case, smugglers fooled the compliance team with insider help. In another case, the seller’s employees visited a data center where the chips were installed, although it turned out the smuggler had only temporarily installed them to fool the inspectors; after the inspection, the chips were removed and shipped to China.
AI chip sellers aren’t incentivized enough to stop smuggling
AI chip sellers usually only conduct due diligence for their immediate customers; they rarely conduct due diligence for their customers’ customers, or follow up to see what happens to the AI chips after they’ve been sold and shipped (with the notable exception of the on-site inspections mentioned above).
There are two important dynamics here that both enable AI chip smuggling:
Sometimes, major AI chip sellers (notably, Super Micro) do not conduct sufficient due diligence even for their immediate customers. This can lead them to sell AI chips directly to smugglers. I’ll discuss this further below.
Sometimes, major AI chip sellers do conduct sufficient due diligence for their immediate customers, but downstream sellers don’t. That is because, by the time the chips are sold to a smuggler (meaning someone didn’t do a good job of due diligence), they have typically passed through multiple hands, often ending up with resellers or other middlemen in countries such as Malaysia, Singapore, or Thailand.
AI chip sellers in third countries are far less incentivized to comply with US law, since it’s harder for US authorities to detect compliance failures outside the US and to prosecute illegal activities that occurred abroad, especially when the companies involved have no US presence or exposure. In addition, small resellers likely have especially weak due diligence processes because:
They have limited resources to use for due diligence
There are many of them, located in different countries, so there is likely more variance in how well they do compliance, or how willing they are to sell to smugglers
They often lack any US presence, meaning transactions are approved entirely outside the US, which matters if non-US personnel are less likely than US-based personnel to comply with US export law
They may be less responsive to the incentive produced by the risk of being fined for export violations, since the fines involved would likely be far higher than what these companies are able to pay
Resellers have a lot on the line because if they aren’t compliant, they risk losing their contract with the distributor, which can be a huge deal for these businesses. That said, I think the factors listed above outweigh this consideration. In particular, I would guess that distributors are doing little to ensure their partner resellers are doing good due diligence, as distributors would generally not be liable for selling AI chips to resellers even if those resellers have poor due diligence standards, resulting in smuggling down the line.
Meanwhile, the major AI chip and server sellers, like NVIDIA and Super Micro, are required by law to monitor for red flags and to avoid selling to obviously sanctioned or prohibited customers, but they’re not asked to ensure, in the strictest sense, that their products are never smuggled. They are potentially liable if they have “knowledge” of a violation—including “an awareness of a high probability of its existence or future occurrence”—which can result in civil penalties, but for BIS (or rather: the Department of Justice) to administer criminal penalties like prison time, the accused must have been shown to have “willfully” caused a violation, a much higher bar. (Multiple AI chip smuggling cases have been prosecuted criminally over the past year, but these cases often involve text messages showing that the smugglers were fully aware that their activities were illegal and were actively involved in the operations. For example, in one case, a smuggler told his co-conspirator over WeChat to remove mentions of Chinese customers from a draft solicitation message because, in his words, “We will draw [attention] from US government for [embargo] violation”, reassuring him in the next message that “We just talk about it, no one can hold it as [evidence] against us.” I think most smugglers aren’t so careless.)
More importantly, major AI chip sellers often don’t have even “an awareness of a high probability” of violations, because chips routinely pass through long distribution chains before reaching an end user, and sellers don’t ordinarily have visibility into who that end user is. For example, a former Super Micro employee told me that while server makers and distributors would know who they sold to, beyond that, any forensic trail would go dark. That means civil penalties are also often out of the question for these large companies.[17]
Super Micro shows that even major US companies can perform poor due diligence.[18] Super Micro appears as the upstream seller in three separate prosecutions over the past year:
The $2.5 billion insider case described above
A case in which Super Micro sold 205 H100s to a California front company that fed it false end-user information, including a Singapore “end user” called Metacarbon that BIS later determined did not exist at the address Super Micro had on file
A case in which Super Micro almost shipped $170 million of servers to a Georgia-based front, after NVIDIA employees in Thailand independently discovered that the claimed Thai end user had never heard of the order
Two things stand out across these cases. First, Super Micro’s end-user vetting accepted signed certifications and paper documentation without independent verification that the customer existed as a going concern at the claimed location. Second, in the cases where smuggling was caught, the decisive intervention came from outside the standard process—from a BIS notification that diversion was occurring, from a BIS post-shipment verification, or from NVIDIA’s own scrutiny—rather than from Super Micro’s compliance team independently working backward from red flags it had spotted itself.
It’s true that in the $2.5 billion insider case, the smugglers were not outsiders gaming an unwitting company, but included a Super Micro co-founder and board member who oversaw global sales, as well as a general manager in Super Micro’s Taiwan office. This is likely not normal for major US companies, and would have made it harder for Super Micro’s compliance team to do its work. The indictment shows the insiders repeatedly pressuring, sidestepping, and physically deceiving the compliance team across at least three audits in 2024 and 2025.
Even so, Super Micro’s compliance processes were clearly inadequate throughout this case:
Super Micro’s sales organization was able to influence its internal audits. Sales staff, who have a clear conflict of interest, managed to arrange which auditor would conduct a given review (at least one was described in writing by an insider as “friendly”) and in the most extreme instance, the auditor tasked with conducting an on-site inspection was instead off-site, enjoying entertainment paid for by the very customer he was supposed to be auditing, while photos and videos of staged dummy servers were sent to him in lieu of an actual inspection.[19]
Internal audits relied on documents that the customer itself supplied, without independent checks. When the compliance team asked the customer to demonstrate that it had enough data center space to store the volumes it was buying, the team accepted lease agreements that turned out to be falsified.
When the compliance team noticed that the customer was buying in large volumes without clearly operating at a commensurate scale, it failed to act decisively. For example, one Singapore entity seems to have gone from a $33 million balance sheet at year-end 2023 to $3 billion (90x) by year-end 2024, driven almost entirely by $2.9 billion in “refundable deposits received” from an undisclosed source (allegedly Alibaba).[20] In a single quarter, the customer ranked as Super Micro’s eleventh-most-profitable worldwide, sitting “alongside major US technology and social media companies developing hyperscale artificial intelligence infrastructure”, even though, per the indictment, it “did not have the capacity to store or use the massive quantities of servers it was purchasing”. Though the compliance team twice placed temporary holds on shipments, it released each hold after receiving explanations from the customer that it had no way to independently verify. For example, after one temporary hold, one smuggler urged a co-conspirator that “[y]ou need to have strong and persuasive reasons to convince [Super Micro’s] staffs!”, and once their drafted answers were accepted by the compliance team, the co-conspirator messaged the group, “Heheheh, Gooood news for everyone!”
Warehouses stacked with dummy servers staged for Super Micro’s compliance team, from the indictment of the $2.5 billion insider case.
I think most other major US AI chip sellers perform better due diligence than Super Micro, which seems to have unusually poor corporate governance. But Super Micro’s poor governance has been known for years and has still endured.[21] Clearly, US authorities should not assume that there will never be any companies with poor governance. Instead, they should create incentives for all relevant companies to carry out strong due diligence.
Companies could take concrete steps to reduce smuggling
AI chips reach Chinese end users not because any single seller waves them through, but because the distribution chain has many links—AI chip designer, server maker, distributor, reseller, end user—and each link conducts due diligence only on its immediate counterparty. Because legal liability for diversion attaches only to “knowledge” and sellers’ visibility into where the chips end up decreases as the chips move down the chain, the equilibrium is one in which every individual transaction with a US seller can be compliant, yet large numbers of chips still end up in China. This problem won’t solve itself.
I think AI chip sellers could do a lot more here if they were sufficiently incentivized. For example, NVIDIA could implement delay-based location verification on its AI chips and contractually require customers to periodically report the chips’ location. If any chips go dark, NVIDIA could follow up with an on-site inspection, potentially refuse to sell to that customer in the future, and report its findings to US authorities. Another promising approach is to conduct on-site inspections regularly—say, every six months—to make sure chips are not just installed to fool inspectors and then removed and smuggled, as has happened before. However, conducting on-site inspections at this scale would likely require additional budget for export enforcement, or for US authorities to implement a third-party export auditor program.
But I think the most effective thing the major American AI chip sellers could do is to sell only to a select few, highly trustworthy end users, especially US hyperscalers and neoclouds. AI chip sellers are unlikely to do this voluntarily, so in practice, this would mean the US government setting up a formal, low-discretion process for becoming an authorized AI chip importer abroad, where companies are evaluated on the risk of diversion. (Shipments below a certain volume could be exempted, so that anyone could import small quantities without a license.) These authorized companies will almost certainly not divert any chips, and they can rent the AI chips[22] either on a short-term basis or with longer-term allocations to any end user in the US or abroad. (If small resellers located in third countries perform poor due diligence, this would no longer matter, because the AI chips would remain in the hands of trusted companies throughout, from AI chip designers and server makers to authorized hyperscalers and neoclouds.) There likely aren’t any regulatory barriers to doing this, since US companies can operate data centers abroad, and foreign companies would also be eligible if they are bona fide. I think this policy, if implemented, would essentially solve the AI chip smuggling problem.
In addition, US authorities could require specific due diligence measures in addition to what companies already do (“compliance-plus”), such as repeated, random, unannounced on-site inspections for sales to less obviously bona fide customers. Alternatively, the US could adopt a surety bond system, as Onni described in a previous post. Finally, strong whistleblower incentives could help detect and prosecute smuggling by surfacing high-quality leads from insiders. Among other benefits, these policies would encourage companies to strengthen their due diligence practices.
[1] By “AI chip smuggling”, I mean the illegal physical transport of AI chips across borders into a country to which export is legally prohibited, such as China or Russia. This doesn’t include the entirely legal situation where Chinese companies rent access to AI chips remotely, for example, ByteDance renting access to AI chips located in Malaysia.
[2] As far as I can tell, CAISI doesn't report the slopes of the regressions, but from eyeballing the plot, it looks like the US is gaining about 52 Elo per month while China is gaining about 38 Elo per month, so the gap between the two trend lines widens by roughly 14 Elo per month, or ~170 per year. (Elo is a rating system where competitors exchange points after each head-to-head matchup, with bigger transfers for more surprising results. It was originally developed for chess, but in this case, the competitors are AI models and the matchups are benchmark tasks.) Translating that into months of lag (in the same sense as CAISI's eight-month figure, which seems to measure how far back the US trend line crossed today's PRC capability level) means dividing by the US slope of 52, giving a lag that grows by about three months per year.
[3] The DeepSeek-V4 announcements and technical paper did not specify which chips were used for training. If it had been trained with domestic Huawei chips, DeepSeek would likely have announced that proudly, as it did when it announced that V4 was optimized for inference using Huawei Ascends (in addition to being optimized for inference on NVIDIA chips).
[4] Technically, the news coverage referred to a model called R2, which would have been the successor of R1. As reasoning and non-reasoning models have tended to unify over the past year, I think we should view V4 as essentially the successor that R2 referred to at the time.
[5] A “third country” is a country that is neither the origin (in this case, the US) nor the ultimate destination (typically, China).
[6] For example: Megaspeed International (Singapore), Speedmatrix Sdn. Bhd. (Malaysia), Novagate Cloud Pte Ltd. (Singapore), Novagate Cloud Sdn. Bhd. (Malaysia), Aperia Cloud Services (Singapore), OBON Corp (Thailand), Siam AI Corporation (Thailand), Aolani (Malaysia), and Indosat Ooredoo Hutchison (Indonesia). To be clear, these all appear in allegations, but they are not proven to have been involved in smuggling or other illegal activities. It is also possible, or even likely, that this list is very incomplete.
[7] Note that some companies, like Google, design AI chips for use in their own data centers. Since these companies generally do not sell their chips, they are not smuggled, and so they are not covered in this post.
[8] Distributors represent a relatively minor share of NVIDIA’s revenue since they typically buy servers from server builders, which are one step removed from NVIDIA. They probably also purchase some AI chips directly from NVIDIA, which is likely where the revenue from these distributors originates.
[9] Specifically, the chips at this point are embedded in accelerators or SXM modules, but since that distinction is not very important here, I will just refer to them as “chips” to keep things simple.
[10] I think diversion at the shipping stage is unlikely. All known cases of AI chip smuggling involve smugglers obtaining chips from AI chip sellers. According to one former employee at an AI server builder I spoke with, a major server builder works only with trusted freight companies; the former employee seemed skeptical that diversion would occur at that stage. More importantly, the buyer would likely notice if any products went missing, since it has paid for them and has a strong incentive to ensure it received what it paid for. If the buyer is smuggling the chips, there is little reason to divert them during the initial shipment; they could simply be reexported or transshipped instead.
[11] Strictly speaking, it is illegal to sell them to these customers without a license from the US government. But the US government has a presumption of denial for these licenses, which, for all intents and purposes, amounts to a ban on these sales.
[12] The sales process is likely similar for resellers, though that’s just conjecture on my part. It may look slightly different for distributors and NVIDIA, since they are more likely to sell to customers only through long-term partnerships.
[13] I think the way this works is either that a distributor keeps a bunch of B300s in inventory, receives an order from a customer for HGX B300 servers, then orders those servers from a server builder while supplying the server builder with B300s from its inventory; or that a customer orders HGX B300 servers from a server builder, and the server builder partners with a distributor to both obtain the B300s and ultimately ship the servers to the customer. Perhaps both happen to varying degrees.
[14] A server builder is not an end user, since it will sell the servers it builds. However, I think a cloud provider can be an end user of chips it operates in a data center, even though it rents those chips out through its cloud offerings to other actors who actually use them.
I think many of these processes can likely be automated and/or improved using AI agents, but I’m unsure whether AI agents will favor due diligence more than they favor smugglers. For example, AI agents will likely also help smugglers generate fake documents and convincing websites for front companies.
I think the right to conduct on-site inspections is typically negotiated as part of the sales process. So it may be difficult for AI chip sellers to do this for chips that are already sold, where it wasn’t already negotiated.
For example, in July 2024, an NVIDIA spokesperson said: “Although we cannot track products after they are sold, if we determine that any customer is violating U.S. export controls, we will take appropriate action.” Of course, July 2024 was a different age. We didn’t even have our first reasoning models then.
AI server builders, distributors, and resellers could theoretically be especially prone to forgoing standard due diligence processes when the value of their inventory is depreciating quickly (e.g., due to the release of newer generations) and/or demand is weak. One former AI server builder employee told me that they saw this dynamic in the memory business, where that company would sell to a shady broker, remove the traveler (a document showing where the item has been), and do some creative bookkeeping. But this is likely not relevant to AI chips today, as AI chips are seeing massive, consistent demand.
Staging this deception seems to have been a fairly substantial operation. According to the indictment, the third-party broker working with the Super Micro insiders estimated that staging the warehouses with dummy servers would require “100 people in total”, forklift operators, arranged meals, and a “20-person shuttle bus for easy travel between the hotel and the warehouse, allowing for short breaks”.
This is from public filings cited in a May 2026 short-seller report. The entity in question was Megaspeed. The short-seller argues that the $2.9 billion came from Alibaba, but while suggestive, this is neither confirmed nor clear-cut.
In a June 2025 report on AI chip smuggling, Tim Fist and I wrote: “According to the Financial Times, ‘People involved in the trade said merchants in Malaysia, Japan, and Indonesia often shipped Super Micro servers or NVIDIA processors to Hong Kong before bringing them across the border to Shenzhen.’ The Information report cites a smuggler claiming to acquire thousands of chips from companies like Dell and Super Micro ‘thanks to what he called “strong personal relationships” with sales representatives at these firms’. A [2024] report by analyst firm Hindenburg Research also documented multiple compliance failures by Supermicro, alleging, for example, that it has supplied millions of dollars of products to a distributor in Russia through a Californian entity despite sanctions. Super Micro servers have also been advertised on Chinese e-commerce sites. Super Micro has responded to past reports of smuggling by stating that it follows ‘all US export control requirements on the sale, service, support, and export of GPU systems’.”
Renting is a much better situation for the US because it allows US companies to theoretically revoke access and, to some extent, monitor who uses the chips. That makes it easier to prevent Chinese actors from, say, using the AI chips for military purposes. If the chips are smuggled into China, it’s essentially impossible to recover them, and it’s equally difficult to prevent Chinese actors from using them for military purposes.




