Introduction: A Customs Officer Opens a Box at Kuala Lumpur International Airport
In early June 2026, long before most people finished their morning coffee in Kuala Lumpur, a shipment moved quietly through the Free Trade Zone of Malaysia’s main international airport. On paper, the cargo looked entirely ordinary: computer components, server equipment, electronics passing through one of Asia’s busiest logistics corridors. It did not arrive with the drama of a spy novel. There were no submarines, no diplomatic pouches, no secret meetings in hotel rooms. There were only pallets, invoices, airway bills, customs forms, and the familiar language of global trade.
But when officers of the Royal Malaysian Customs Department inspected the cargo at approximately 4:30 in the afternoon on June 5, the ordinary became geopolitical. Inside the shipment were 72 server units containing advanced artificial intelligence chips, valued at roughly RM52.9 million, or about US$12.9 million, seized on suspicion of violating Malaysia’s Strategic Trade Act 2010 [1]. Preliminary investigations found that the servers had been flown into the KLIA Free Trade Zone and were destined for re-export to another Asian country without the required permit. The paperwork described the cargo as generic hardware. The syndicate behind the shipment, investigators concluded, had deliberately chosen Malaysia as a transit point so that the servers could reach their final destination without facing restrictions [2].
The servers were declared as ‘computer components’ to avoid detection by the authorities.
— Zulkifli Muhammad, KLIA Customs Director, Royal Malaysian Customs Department [2]
The shipment was confiscated. A local Malaysian company that facilitated the transaction was called in to assist the investigation. And, suddenly, a routine logistics event at an airport warehouse became a small window into the new architecture of global power. Malaysia had imposed export controls on the movement of high-performance chips of U.S. origin only the year before, under sustained pressure from Washington to stem the flow to China of the semiconductors most crucial to frontier AI development [2]. The June seizure was the moment that policy collided with practice.
This is how the age of Silicon Laundering begins: not with a declaration of war, but with a customs officer opening a box.
For most of the public, artificial intelligence still appears as an application layer. It is a chatbot answering questions, a coding assistant generating software, a search engine summarizing the web, a robot learning to fold laundry, or a model translating language in real time. But beneath the user interface is another world: wafers, accelerators, memory bandwidth, export licenses, cloud regions, server racks, customs codes, shell buyers, leasing contracts, datacenter electricity, and geopolitical suspicion. The modern AI model is not merely trained. It is supplied. It is powered. It is permitted. It is routed. It is financed. It is hidden or disclosed through a chain of institutions that stretches from TSMC fabs and Nvidia roadmaps to Malaysian airports, Singaporean subsidiaries, U.S. Commerce Department rules, Chinese procurement demand, and private datacenter operators on five continents.
In the first AI era, the central question was: Can machines think?
In the second AI era, the question became: Can models scale?
In the third AI era, the question is now becoming: Can compute be controlled?
The United States has tried to answer that question through export controls. Beginning with the landmark rules of October 7, 2022, and expanding through successive updates, Washington stopped treating advanced GPUs as ordinary commercial goods and began treating them as strategic infrastructure — closer in regulatory spirit to enriched uranium than to consumer electronics. Yet by 2026, the policy had grown more complicated, not less. On January 13, 2026, the U.S. Bureau of Industry and Security issued a final rule revising its license review policy for exports of certain semiconductors to China and Macau, moving the Nvidia H200, the AMD MI325X, and similar chips from a presumption of denial to case-by-case review, provided that specified security requirements are met — including third-party laboratory testing in the United States, know-your-customer procedures at the ultimate consignee, and a cap ensuring that aggregate shipments to China do not exceed 50 percent of the same product shipped for end use in the United States [7][8]. The rule implemented President Trump’s December 8, 2025 announcement that the H200 and similar products could be shipped to approved customers in China in exchange for a 25 percent payment to the United States [9].
Then, on May 31, 2026 — in a rare Sunday release that signaled institutional urgency — BIS issued guidance clarifying that a license is still required to export advanced computing items to entities headquartered in Country Group D:5, which includes China, or Macau, or to entities whose ultimate parent company is headquartered in those jurisdictions, even when the receiving entity itself is physically located somewhere else entirely [11][12]. In other words, a Chinese-headquartered company operating a datacenter subsidiary in Malaysia, Singapore, or the Gulf is still a restricted end user under U.S. law, no matter what its local incorporation papers say.
That clarification matters because the battleground has shifted. The problem is no longer only whether a chip can be shipped directly from the United States to China. The problem is whether a restricted entity can access the same computational power through a foreign subsidiary, a third-country datacenter, an indirect broker, a cloud provider, a colocation facility, a re-export route, or a rented GPU cluster sitting comfortably outside China’s borders. The new frontier of export control is not the chip alone. It is the identity of the compute user.
The Department of Justice has already moved from abstract warning to criminal allegation. In November 2025, DOJ unsealed an indictment alleging that a conspiracy of two U.S. citizens and two Chinese nationals exported 400 Nvidia A100 GPUs to the People’s Republic of China between October 2024 and January 2025, and attempted two additional exports — ten Hewlett Packard Enterprise supercomputers containing Nvidia H100 GPUs, and 50 separate Nvidia H200 GPUs — that were disrupted by law enforcement before completion [3][4]. The conspirators, prosecutors alleged, created a phony Florida real-estate company as a front, routed hardware through Southeast Asia, and collected roughly $3.89 million in wire transfers sent directly from Beijing.
The indictment alleges “a deliberate and deceptive effort to transship controlled NVIDIA GPUs to China.”
— John A. Eisenberg, Assistant Attorney General for National Security, U.S. Department of Justice [3]
Nor was that case isolated. In December 2025, federal prosecutors announced the first-ever conviction in an “AI diversion” case: a Texas man and his company, Hao Global LLC, pleaded guilty to smuggling and unlawful export activities after moving or attempting to move at least $160 million worth of Nvidia H100 and H200 GPUs toward China, Hong Kong, and other prohibited destinations between October 2024 and May 2025, using falsified shipping documents and even a fictional brand name applied to relabeled hardware [5]. In March 2026, prosecutors arrested a cofounder of server maker Supermicro on charges of masterminding a $2.5 billion scheme to route the company’s AI servers to China through a sham company in Southeast Asia [6]. And in July 2026 — days before this paper was completed — a Taiwanese court approved detention orders for Supermicro branch managers and a distributor executive in Taiwan’s first formally acknowledged criminal investigation into Nvidia chip diversion, a case that exposed the awkward fact that Taiwan has no statute directly criminalizing the export of AI chips to China, forcing prosecutors to rely on document-forgery charges instead [40].
These were not theoretical weaknesses in policy design. They were alleged real-world movements of strategic computing hardware through utterly commercial channels — freight forwarders, resellers, invoices, warehouses.
At the same time, DeepSeek’s emergence forced Silicon Valley and Washington to confront an uncomfortable question. If Chinese AI labs can build highly capable models despite export controls, are the controls failing, or are Chinese labs simply becoming more efficient? DeepSeek’s own technical report claimed that DeepSeek-V3 required only 2.788 million H800 GPU hours for its full training — pre-training, context extension, and post-training combined — with an estimated official training cost of $5.576 million at an assumed rental price of $2 per GPU hour, explicitly excluding the costs of prior research and ablation experiments [14]. Yet in a CNBC interview at Davos in January 2025, Alexandr Wang — then CEO of Scale AI, and since June 2025 Meta’s first Chief AI Officer leading Meta Superintelligence Labs [18] — cast public doubt on that account.
My understanding is that DeepSeek has about fifty thousand H100s.
— Alexandr Wang, then CEO of Scale AI, now Chief AI Officer of Meta, speaking to CNBC [16]
Wang added that Chinese labs could not discuss such chips openly because doing so would confirm violations of U.S. export controls. Crucially, as Al Jazeera and other outlets noted at the time, Wang did not provide public evidence for the claim [15]. That contradiction — between official technical disclosure and unproven industry suspicion — is precisely where Silicon Laundering becomes a breakthrough research topic. The world can benchmark a model’s performance in an afternoon. It cannot verify the compute history behind that performance at all.
The deeper issue is not whether one company used one chip, or whether one shipment passed through one airport. The deeper issue is that artificial intelligence has created a new category of strategic commodity: portable power without visible smoke, military relevance without uniformed soldiers, economic value without traditional factories, and geopolitical consequence without formal borders. A GPU cluster can sit in a warehouse, a cloud region, a laboratory, a sovereign AI campus, or an offshore datacenter. Its output may be code, synthetic data, cyber capability, military planning assistance, biological design assistance, language intelligence, robotics control, surveillance automation, or economic productivity. Its physical location matters — but so does the identity of the model developer, the nationality of the parent company, the end user, the training objective, the data flow, and the inference market.
The economic stakes have never been larger. Nvidia reported record revenue of $215.9 billion for its fiscal year 2026, and in May 2026 announced first-quarter fiscal 2027 revenue of $81.6 billion — up 85 percent from a year earlier — with Data Center revenue of $75.2 billion, up 92 percent [35][36]. Buried in the same filing was a geopolitical footnote with the weight of a treaty clause: no shipments of Data Center Hopper products to China occurred during the quarter, compared with $4.6 billion in the first quarter of the prior fiscal year, and the company’s $91 billion revenue outlook for the following quarter assumed no Data Center compute revenue from China at all [35]. A market measured in the tens of billions of dollars per quarter has been zeroed out of the world’s largest chipmaker’s official guidance — and yet the chips keep appearing on the wrong side of the border. Gray-market analysts estimate that an Nvidia GPU selling for $25,000 to $30,000 through legitimate channels can command $40,000 to $60,000 or more from buyers with access to Chinese demand [40]. The House Select Committee on the Chinese Communist Party has cited estimates that a median of 140,000 advanced chips were smuggled to PRC-linked recipients in 2024 alone [29]. Where legal supply is zero and demand is a national strategic priority, the arbitrage does not disappear. It goes underground, offshore, and upstream.
This paper argues that the world has entered the age of Silicon Laundering: a new phase of AI geopolitics in which restricted compute is disguised, relocated, rented, proxied, or operationally separated from its ultimate beneficiary. It is not traditional smuggling alone. It is not merely black-market trade. It is the fusion of export-control evasion, cloud arbitrage, transit-state ambiguity, corporate opacity, and the extraordinary economic pressure created by frontier AI competition.
In the industrial age, nations guarded oil fields, ports, railways, canals, steel mills, and uranium. In the AI age, nations must learn to guard something stranger: the ability of a model to think at scale because enough chips, memory, electricity, and data were assembled somewhere the law could not fully see.
That is Silicon Laundering. The remainder of this paper proceeds in seven movements. It first sets out a signature analytical framework — the Seven Layers of Silicon Laundering — that maps where restricted compute can be concealed across the AI stack. It then examines the transformation of export control into compute control (Section 1), dissects the anatomy of laundering practices and introduces a working vocabulary for them (Section 2), analyzes the DeepSeek shock and the Wang allegation as the defining case study of compute opacity (Section 3), maps the transit-state problem across Malaysia, Singapore, Taiwan, and the Gulf (Section 4), explains why hardware-only controls are structurally incomplete (Section 5), and proposes a policy architecture for compute provenance (Section 6), before concluding with the strategic implications for corporations, startups, and governments.

Core Framework: The Seven Layers of Silicon Laundering
Every laundering system — financial, industrial, or computational — works by exploiting the seams between institutions. Money laundering works because banks, casinos, real-estate markets, and shell-company registries each see only their own slice of a transaction. Silicon Laundering works the same way: no single actor in the AI supply chain sees the whole picture, and the whole picture is precisely where the strategic diversion lives. The framework below decomposes the problem into seven layers, each of which represents both a point of value creation and a point of potential concealment. Regulators tend to focus on Layer 1 because chips are countable. Launderers thrive in Layers 3 through 6 because access, identity, and outputs are not.
| Layer | Name | What Moves | Where Concealment Happens |
| 1 | Restricted Chip Layer | Physical accelerators (A100, H100, H200, B200/Blackwell, MI-series), HBM, networking | Misdeclaration, relabeling, threshold-gaming, downgraded variants |
| 2 | Server-Integration Layer | Chips embedded in servers, racks, supercomputers | “Server masking”: controlled silicon hidden inside broader system shipments |
| 3 | Transit Jurisdiction Layer | Cargo through free-trade zones and re-export hubs | Malaysia, Singapore, Thailand, UAE as legal/logistical intermediaries |
| 4 | Corporate Identity Layer | Ownership, parentage, invoicing, beneficial control | Local subsidiaries of restricted-country parents; shell buyers; nominee end users |
| 5 | Cloud Access Layer | Rented compute, colocation, remote training capacity | Restricted actors renting rather than owning; end-use blindness |
| 6 | Model Output Layer | Weights, APIs, open-source releases, distilled models | The artifact separates from its infrastructure history |
| 7 | Strategic Diffusion Layer | Military, economic, surveillance, scientific advantage | Capability spreads after the hardware trail has gone cold |
Layer 1 — The Restricted Chip Layer
This is the physical accelerator layer: the Nvidia A100, H100, and H200; the Blackwell-class B200, GB200, and GB300 systems; AMD’s MI-series accelerators; high-bandwidth memory; advanced networking fabrics; and the server-integrated systems built around them. The key regulatory issue is not only raw chip performance but whether export rules define a given chip as controlled, licensable, downgraded, or permissible — a definition that changes as both the rules and the silicon evolve. The January 2026 BIS rule illustrates the point precisely: chips below defined thresholds of total processing performance and DRAM bandwidth now qualify for case-by-case review to China, while Blackwell-class parts above those thresholds remain under a presumption of denial [8][9]. The line between “strategic contraband” and “reviewable commerce” is a set of numbers in the Federal Register — and every engineer designing a China-market variant, and every smuggler pricing a gray-market pallet, reads those numbers closely.
The line also moves because the technology moves. Research from MIT’s FutureTech group at CSAIL, led by Neil Thompson with coauthors Emanuele Del Sozzo, Martin Fleming, and Kenneth Flamm, compiled a comprehensive dataset of Nvidia datacenter GPUs from the mid-2000s through 2025 and found that FP16 and FP32 dense computational performance has been doubling roughly every 1.4 and 1.7 years respectively, while off-chip memory size and bandwidth have improved more slowly, doubling approximately every 3.3 to 3.4 years [19]. The same study quantified the stakes of policy design directly: if export controls were implemented completely and successfully, the potential performance gap between controlled and permitted hardware would be dramatic — and the researchers found that recently proposed changes to export controls would shrink that potential gap from roughly 23.6x to 3.54x [19][20]. Export control, in other words, is a moving target twice over: the chip that is restricted today becomes the benchmark for workaround design tomorrow, and the relaxation that seems marginal today can collapse an order-of-magnitude advantage into a small multiple.
Layer 2 — The Server-Integration Layer
Many advanced chips do not move as loose components. They move inside servers, GPU clusters, supercomputers, or full rack-scale systems, wrapped in sheet metal, cabling, and legitimate-looking product documentation. That makes enforcement harder in a very practical sense: the controlled object can appear in customs paperwork as a broader computing system rather than as a bare accelerator, and a pallet of “servers” invites far less scrutiny than a case of export-controlled GPUs. This is why the DOJ’s November 2025 allegations are significant beyond their dollar value: two of the four charged exports involved not loose chips but ten HPE supercomputers containing Nvidia H100 GPUs [3]. It is also why the Malaysia seizure involved 72 server units rather than trays of silicon [1], why the Singapore prosecutions center on servers built by Dell and Supermicro rather than on chips as such [32][34], and why the December 2025 conviction involved GPUs relabeled under an invented brand name before shipment [5]. The enforcement target has become the entire compute-bearing system — and the system is designed, by its very commercial nature, to look boring.
Layer 3 — The Transit Jurisdiction Layer
This is where Malaysia, Singapore, Thailand, Taiwan, the United Arab Emirates, and other trade corridors enter the story. A transit country may never be the ultimate destination of restricted compute, but it can become the legal, logistical, or commercial intermediary through which compute is redirected — sometimes with the knowledge of local actors, often without. Free-trade zones are engineered for velocity, not scrutiny; goods can land, be re-documented, and depart within hours. The KLIA seizure is important precisely because it shows a transit jurisdiction converting itself into an enforcement chokepoint: Malaysian officers acted under Malaysia’s own Strategic Trade Act, applying export-permit requirements that Kuala Lumpur adopted in 2025 under U.S. pressure [1][2]. The U.S. cases point in the same direction from the other side of the ledger: the Florida network allegedly routed GPUs to China through Thailand and Malaysia [4], and separate U.S. charges in 2025 involved AI chips shipped from an El Monte, California company to China through freight forwarders in Malaysia and Singapore [2]. Section 4 develops this layer in depth, because the transit state is rapidly becoming the central diplomatic battlefield of AI governance.
Layer 4 — The Corporate Identity Layer
This layer asks the questions that invoices are designed to obscure: Who is the buyer? Who is the parent company? Who controls the subsidiary? Who pays? And who ultimately benefits from the compute? BIS’s May 31, 2026 guidance targets this layer directly, confirming that the license requirement first established in November 2023 continues to apply, worldwide, to advanced computing items destined for entities headquartered in — or whose ultimate parent company is headquartered in — Country Group D:5 or Macau, regardless of where the receiving entity is physically located [11][13]. Legal analysts immediately noted the operational consequence: exporters must now conduct ultimate-beneficial-ownership analysis on their customers, not merely check shipping addresses, and the underlying control operates on a strict-liability basis under the relevant regional-stability provisions of the Export Administration Regulations [13]. The Singapore fraud cases show why the layer matters in practice: prosecutors allege that officers of a group of local companies misrepresented to Dell and Supermicro that their own firms would be the end users of AI servers that were in fact shipped onward to Malaysia — corporate identity deployed as camouflage [32][33][34].
Layer 5 — The Cloud Access Layer
A company may not need to physically possess restricted GPUs at all if it can rent equivalent compute abroad. This creates the hardest policy question in the entire stack: is the export-controlled object the chip, the server, the cloud account, the model-training service, or the resulting capability? Traditional export control was built for objects that cross borders in crates. Cloud compute crosses borders as authenticated API sessions. If the chip stays in an allowed country but the training benefit flows to a restricted actor, the policy problem shifts from hardware movement to compute access governance — and existing law covers it only partially and awkwardly. Washington has begun to respond: in early 2026 the House of Representatives passed the Remote Access Security Act by a vote of 369 to 22, legislation aimed squarely at closing the cloud GPU rental loophole [42], and the January 2026 BIS rule requires license applicants to list remote end users located in — or whose ultimate parent company is headquartered in — China and other restricted jurisdictions [8]. But statutory architecture for compute access remains embryonic compared with the mature machinery governing physical shipments. Layer 5 is, today, the widest seam in the wall.
Layer 6 — The Model Output Layer
A model trained on restricted or indirectly accessed compute may become open-source, downloadable, API-based, embedded in products, or deployed in robotics and industrial systems. Once the model exists, the original hardware trail becomes progressively harder to police, and eventually irrelevant to the model’s diffusion. Weights are files; files replicate. DeepSeek’s success amplified this concern enormously, because its technical efficiency appeared to challenge the assumption that restricting access to frontier GPUs would preserve a wide U.S. model-performance lead. Stanford’s 2026 AI Index quantified how narrow that lead has become: as of March 2026, the top U.S. model led the best Chinese model by just 2.7 percent on the Arena leaderboard the Index tracks — down from performance gaps of 17.5 to 31.6 percentage points across major benchmarks in 2023 — even as U.S. private AI investment of $285.9 billion in 2025 exceeded China’s tracked private investment more than 23-fold [21][22]. Whatever combination of efficiency, stockpiles, and diversion produced China’s frontier models, the models themselves are now public, capable, and in several cases open-weight. The output layer does not forget slowly. It forgets instantly.
Layer 7 — The Strategic Diffusion Layer
The final layer is geopolitical: who gains military, economic, industrial, surveillance, scientific, or diplomatic advantage from the model? Compute access has ceased to be a private technology-industry issue and has become a macroeconomic and development variable in its own right. The International Monetary Fund now describes AI as the defining driver of the global economic conversation, with AI-related investment accounting for a large share of U.S. GDP growth and estimates suggesting that datacenters worldwide may require $6.7 trillion in capital expenditure by 2030 to match demand [23]. The IMF’s 2026 World Economic Outlook identifies the technology-investment cycle — datacenters and AI specifically — as one of the critical uncertainties shaping global growth itself [24]. The World Bank, for its part, has made AI readiness a core pillar of its digital strategy, emphasizing that countries need the “four Cs” — connectivity, compute, context, and competency — and is actively financing datacenter and cloud markets in emerging economies, including a hyperscale campus in Johor Bahru, Malaysia, that will rank among the largest in emerging markets [25][26].
In the AI era, compute is the ‘new electricity.’
— World Bank, Digital Progress and Trends Report 2025 [26]
When multilateral development institutions treat compute as electricity, the strategic conclusion writes itself: whoever controls, verifies, or launders the flow of compute is exercising a form of power that the twentieth century reserved for oil ministries and nuclear regulators. Layer 7 is where all the concealment in Layers 1 through 6 finally cashes out — in capability, in leverage, and in the balance of power.
Sidebar: The DeepSeek Question — Was It Efficiency, Hidden Compute, or Both?
The following interview-style exchange distills the analytical core of the DeepSeek controversy. The “Analyst” voice synthesizes the documentary record cited throughout this paper.
Interviewer: When Alexandr Wang — now Chief AI Officer of Meta, previously CEO of Scale AI — said DeepSeek may have had access to about 50,000 Nvidia H100s, why did that claim matter so much?
Analyst: It mattered because it challenged the public story that DeepSeek’s breakthrough was mainly about radical efficiency under hardware constraint. DeepSeek’s own technical report said DeepSeek-V3 was trained on a cluster of 2,048 Nvidia H800 GPUs — the export-compliant variant with reduced interconnect bandwidth — and reported 2.788 million H800 GPU hours for full training, which the authors priced at $5.576 million assuming $2 per GPU hour [14]. Wang’s claim, made on CNBC at Davos within days of DeepSeek-R1’s release, suggested that the visible technical disclosure might not capture the full infrastructure picture [16][17]. Coming from the head of a company that supplied training data to most leading American labs, the assertion could not simply be dismissed as noise.
Interviewer: Was Wang’s claim ever proven?
Analyst: No — and that is the analytically crucial point. Al Jazeera, reporting on the controversy, noted explicitly that Wang did not provide evidence for the claim [15]. Elon Musk amplified it with a one-word reply — “Obviously” — which is virality, not verification [15]. A serious paper should not write “DeepSeek smuggled H100s.” It should write that Wang’s claim became important because it exposed a credibility gap at the heart of AI geopolitics: model capability can be public, benchmarked, and reproduced, while the compute trail behind it remains fundamentally opaque. There is also countervailing technical evidence. Gregory Allen of CSIS, testifying before Congress, pointed to analysis showing that many of DeepSeek’s algorithmic and architectural choices are exactly what one would design to maximize performance under the limited interconnect bandwidth of H800s — which is evidence for the company’s stated hardware, not against it [30].
Interviewer: So what is the right research question?
Analyst: The right question is not simply, “Did DeepSeek smuggle chips?” The better question is: How can policymakers verify the compute provenance behind frontier models when chips, servers, cloud access, subsidiaries, and training data can be separated across jurisdictions? Today the honest answer is that they cannot. There is no audit standard, no disclosure regime, and no trusted third party capable of resolving the dispute between DeepSeek’s paper and Wang’s suspicion. That institutional vacuum — not any single company’s conduct — is the finding.
Interviewer: Why is DeepSeek such a powerful case study?
Analyst: Because it sits at the intersection of three competing explanations, all of which are at least partially plausible. First, DeepSeek may have achieved genuine model-efficiency gains through its mixture-of-experts architecture, multi-head latent attention, FP8 training, and hardware-software co-design — the technical report is detailed and internally consistent [14]. Second, it may have benefited from lawfully acquired legacy compute: DeepSeek’s founder, Liang Wenfeng, said in a 2023 interview that the firm had stockpiled 10,000 Nvidia A100s before those chips were banned for export [15]. Third, industry critics, including Wang, suspect access to more advanced compute than publicly disclosed — a suspicion sharpened by the U.S. government’s own probe into whether DeepSeek obtained restricted chips through third parties in Singapore and Malaysia [33][34]. The policy problem is that governments currently lack any transparent way to distinguish among those explanations in real time.
Interviewer: How does this connect to chip smuggling?
Analyst: Chip smuggling is the physical version of the same problem. The DOJ cases, the $160 million Hao Global conviction, the Supermicro arrests, and the Malaysia seizure show that controlled AI hardware moves through commercial channels at scale [3][5][6][1]. DeepSeek shows the model-level consequence: once a capable model appears, outsiders can only ask whether it came from efficiency, stockpiles, hidden hardware, rented cloud, distillation of other models’ outputs — or some blend of all of them. The smuggling cases prove the supply exists. The DeepSeek dispute proves that the demand side can absorb that supply invisibly.
Interviewer: What does this mean for U.S. export controls?
Analyst: It means export controls must evolve from a shipment-control regime into a compute-provenance regime. That includes hardware identity, buyer identity, subsidiary ownership, datacenter usage, cloud access verification, location attestation, and model-scale auditability. Section 6 of this paper develops that architecture.
Interviewer: Does this mean export controls are useless?
Analyst: No — and that conclusion would be as wrong as complacency. It means hardware-only export controls are incomplete. They raise adversary costs, slow access, force inferior substitutes, and shape incentives; even skeptical assessments concede that Chinese AI firms themselves cite chip scarcity as their primary constraint [31]. But controls also generate rerouting, stockpiling, substitution, domestic-chip acceleration, and efficiency innovation as second-order effects. The strongest policy is not simply “block the chip.” It is “govern the compute lifecycle.”

Section 1 — From Export Control to Compute Control
Export control began, in this domain, as a hardware restriction. It is becoming something larger and stranger: a system of compute governance. Understanding that transformation requires seeing why the old model worked, why it is now leaking, and what the January and May 2026 policy moves reveal about where Washington believes the leak is.
The export-control system inherited from the Cold War was designed for a world in which strategic goods could be found, counted, inspected, and stopped. A lithography machine is the paradigm case: as the economic historian Chris Miller of the Fletcher School at Tufts University has observed, an advanced ASML tool requires multiple airplanes to transport, ships in quantities measured in the dozens per year, and needs vendor staff on site to operate — a set of properties that makes it nearly impossible to smuggle [44]. Advanced AI accelerators are the anti-paradigm: produced by the millions, small enough to hand-carry, embedded in servers that look like every other server, and valuable enough that gray-market margins rival narcotics trafficking [40]. The same legal machinery governs both. The results diverge accordingly.
The United States restricted advanced AI chips because compute is now a strategic input to model capability — arguably the strategic input. Research summarized by the World Bank notes that before the deep-learning revolution around 2010, the compute required for training doubled roughly every 24 months, in line with Moore’s Law; since 2010, training compute has doubled approximately every six months [26]. MIT FutureTech’s measurements show the hardware itself compounding relentlessly beneath those training curves, with dense FP16 performance doubling in well under two years [19]. When capability compounds on compute, and compute compounds on silicon, controlling silicon looks like controlling capability. That was the elegant logic of October 7, 2022.
But the traditional export-control model assumes that goods cross borders visibly and that the border crossing is the strategically meaningful event. AI compute violates both assumptions. It can be decomposed into chips, servers, cloud time, datacenter access, and model outputs — and each decomposition changes which legal regime, if any, applies. A GPU shipped to Shenzhen is an export. The same GPU installed in Johor and rented by the hour to a Shenzhen-headquartered developer is, under most historical practice, a datacenter transaction. The same GPU’s outputs — a trained model — posted as open weights is speech. The strategic effect of all three can be identical.
The 2026 policy sequence shows the U.S. government internalizing this. The January 13 rule is destination policy: it recalibrates what may go to China, moving H200-class hardware to case-by-case review under a lattice of conditions — the 50 percent domestic-supply cap, mandatory third-party performance testing in U.S. labs before export, KYC obligations on ultimate consignees to prevent unauthorized remote access, and continued presumption of denial for reexports and for Blackwell-class parts [7][8][9]. The May 31 guidance is identity policy: it reasserts that who receives advanced computing items matters everywhere on Earth, confirming license requirements for entities headquartered in, or ultimately owned from, China or Macau regardless of physical location, while offering a temporary safe harbor to “bona fide operators” of datacenters already holding such items [11][12][13]. Read together, the two documents mark a doctrinal migration from destination-based rules toward entity-identity rules — from geography to genealogy.
1.1 Four Years, Five Doctrines: The Regulatory Chronology, 2022–2026
The doctrinal migration is easiest to see as a chronology, because each phase of the regime embodied a different theory of the problem. Phase one (October 2022) was destination denial: the landmark rules barred the most advanced accelerators from China outright, on the theory that capability follows hardware and hardware can be stopped at the border [47]. Phase two (2023–2024) was threshold refinement: BIS chased the China-market variants — A800, H800, H20 — that Nvidia engineered just beneath each performance line, added the November 2023 end-user control reaching entities headquartered in, or ultimately owned from, Country Group D:5 wherever located, and in December 2024 extended controls to high-bandwidth memory and additional manufacturing equipment while adding 140 companies to the Entity List [11][46]. Phase three (January 2025) was global allocation: the outgoing administration’s Framework for Artificial Intelligence Diffusion attempted to ration advanced compute worldwide through country tiers — a destination-based system of planetary scope [46]. Phase four (May 2025) was retrenchment: the new administration announced it would not enforce the Diffusion Rule’s new compliance requirements, creating a year of genuine legal uncertainty about which obligations survived — uncertainty compounded in May 2026 when the Government Accountability Office determined that the non-enforcement announcement itself constituted a “rule” under the Congressional Review Act that had never been properly submitted to Congress [12]. Phase five (December 2025–May 2026) is the current settlement, and it is deliberately two-handed: a reopened, conditioned legal channel for H200-class hardware to vetted Chinese customers with a 25 percent payment to the United States [7][9], paired with an emphatic reassertion that entity identity — headquarters and ultimate parentage — governs worldwide, on strict liability, no matter what the Diffusion Rule’s fate [11][13].
The fifth phase is also politically contested in ways the first four were not. Within days of the January 2026 rule, the House Foreign Affairs Committee voted 42–2 to advance legislation granting Congress a thirty-day window to review and block advanced-chip sales to adversary countries — arms-sale-style oversight applied to silicon — while its chairman publicly derided the notion that Nvidia’s commercial assurances could substitute for statutory safeguards [39]. The White House’s own AI adviser amplified criticism of the congressional tracking bill as a handicap on strategic flexibility, and the committee chairman retorted that the talking points matched Nvidia’s [39]. The significance for this paper is not the partisan choreography but the structural fact beneath it: for the first time, the legal channel to China is large enough — up to 900,000 H200-equivalents by one estimate [10] — that the boundary between authorized diffusion and Silicon Laundering has become the single most consequential line in technology policy. A regime that sells chips to China under conditions must be able to verify the conditions. That is a provenance problem, and it is now everyone’s problem.
1.2 The Enforcement Deficit
The new policy question is therefore not only “Where did the chip go?” but “Who ultimately used the compute?” — and, one step further, “What was ultimately made with it?” This is a profound expansion of regulatory ambition, and it collides with the practical reality that the agency charged with enforcement remains startlingly small. As Gregory Allen of the Wadhwani AI Center at CSIS has documented, the Bureau of Industry and Security polices trillions of dollars in dual-use trade worldwide with fewer than 600 employees and a budget of under $200 million, while investigative reporting has identified at least eight distinct Chinese AI-chip smuggling networks each transacting more than $100 million [30][31].
China is betting that “its network of smugglers and shell companies can find the leaks.”
— Gregory C. Allen, Director, Wadhwani AI Center, Center for Strategic and International Studies [30]
The strong paragraph of this section, then, is this: the export-control system was designed for a world in which strategic goods could be found, counted, inspected, and stopped. But AI compute does not behave like ordinary industrial equipment. A GPU can be shipped as a component, embedded inside a server, leased through a cloud provider, operated by a subsidiary, or converted into a model whose output circulates globally. Once compute has been transformed into model capability, the original border crossing becomes historically important but operationally invisible. Compute control is the attempt to keep that transformation visible from end to end. Everything else in this paper is an elaboration of how hard — and how necessary — that attempt has become.

Section 2 — The Anatomy of Silicon Laundering
Silicon Laundering is not one activity. It is a chain of concealment, separation, and plausible deniability, and like its financial namesake it has recognizable stages: placement (getting restricted hardware or access into the system), layering (obscuring its origin and ownership through jurisdictions and intermediaries), and integration (converting it into a clean-looking asset — a datacenter, a cloud contract, or a published model). This section dissects the chain into six operational modes, then proposes a working vocabulary for the field.
2.1 Hardware Laundering
Physical chips or servers are misdeclared, redirected, or routed through intermediary jurisdictions. This is the classic mode, and 2025–2026 supplied a criminal-docket’s worth of examples: GPUs relabeled under a fictional brand to defeat inspection [5]; a fake Tampa real-estate company buying A100s through an Alabama electronics supplier for shipment via Thailand and Malaysia [4]; 72 servers declared as “computer components” in a Malaysian free-trade zone [1][2]; and an alleged $2.5 billion diversion of branded AI servers through a sham Southeast Asian company [6]. Hardware laundering exploits Layer 1 and Layer 2 of the framework simultaneously: the chip hides inside the server, and the server hides inside the manifest.
2.2 Corporate Laundering
A buyer appears local, but its parent company, controlling shareholder, funder, or ultimate beneficiary sits in a restricted jurisdiction. This is exactly the pattern the May 2026 BIS guidance was written to reach: foreign subsidiaries of Chinese-headquartered companies receiving controlled items without licenses merely because they are incorporated elsewhere [11][12]. Legal commentators emphasized that the control applies on a strict-liability basis and demands ultimate-beneficial-ownership diligence from exporters [13]. Corporate laundering is the cheapest mode, because it requires no smuggling at all — only paperwork that tells the truth narrowly.
2.3 Cloud Laundering
The controlled hardware remains in an allowed country, but the model-training benefit flows to a restricted actor through rented compute. Gregory Allen posed the canonical thought experiment years before it became policy doctrine: imagine Chinese cloud giants purchasing 10 percent more AI chips than needed at dozens of hyperscale datacenters outside China [47]. The House’s 369–22 passage of the Remote Access Security Act, and the remote-end-user disclosure requirements embedded in the January 2026 licensing rule, show Washington racing to give this mode a legal name [42][8]. Cloud laundering is the mode most likely to dominate the next five years, because it converts a smuggling problem into a billing problem — and billing crosses borders frictionlessly.
2.4 Workload Laundering
Training jobs are divided, disguised, or described as ordinary enterprise workloads rather than frontier model development. A cluster running a 30-day dense training run for a foundation model produces telemetry patterns quite different from a cluster serving inference or business analytics — but no regulator currently collects, and no provider currently must attest to, workload classification. Workload laundering is the least litigated mode today precisely because the law has no vocabulary for it; it lives entirely inside Layer 5.
2.5 Model Laundering
A model trained through questionable compute access is later released as open source, offered via API, or embedded in commercial products, separating the artifact from its infrastructure history. Once weights circulate, provenance questions become archaeology. The House Select Committee’s DeepSeek report — which concluded that the company used advanced Nvidia chips restricted from export to the PRC — arrived months after DeepSeek’s models had already been downloaded worldwide and integrated into countless downstream systems [27]. Whatever one believes about the underlying facts, the sequencing is the lesson: the model diffused faster than the investigation could conclude.
2.6 Data Laundering
Training data, synthetic data, or model outputs move physically or digitally to jurisdictions where compute is available — the mirror image of cloud laundering. If the chips cannot come to the data, the data goes to the chips. Distillation adds a further twist: a restricted actor can train a smaller model on the outputs of a frontier model it could never have trained itself, importing capability while importing neither hardware nor raw data. Analysts noted early in the DeepSeek episode that access to leading U.S. models’ outputs may itself have been an ingredient of the breakthrough [48]. Data laundering demonstrates that even a perfectly sealed hardware border leaves capability channels open.
A Working Vocabulary
Fields acquire analytical power when they acquire names. The following coined terms are offered as a working glossary for researchers, compliance officers, and policymakers.
| Term | Definition |
| Ghost Clusters | GPU clusters whose beneficial user is unclear — legally owned by one entity, strategically operated for another |
| Transit Compute | Compute capacity accessed through intermediary jurisdictions that neither produce the chips nor host the ultimate beneficiary |
| Model Provenance Gap | The structural inability to verify the compute history behind a published model |
| Cloud End-Use Blindness | The policy gap in which cloud access substitutes for chip possession without triggering equivalent controls |
| Server Masking | The concealment of strategic chips inside broader server or system shipments |
| Compute Beneficiary Risk | The risk that the legal buyer of hardware or capacity is not its strategic user |
| Silicon Laundering | The umbrella practice: disguising, relocating, renting, proxying, or operationally separating restricted compute from its ultimate beneficiary |
Two observations close the anatomy. First, the six modes are complements, not substitutes: a sophisticated actor chains them, using corporate laundering to receive hardware, transit compute to position it, workload laundering to exploit it, and model laundering to cash it out. Second, every mode exploits an information asymmetry rather than a physical gap. Chips are not invisible; their beneficiaries are. That is why the remedy proposed in Section 6 is built on visibility — identity, attestation, and provenance — rather than on ever-higher walls alone.

Section 3 — The DeepSeek Shock and the Wang Allegation
DeepSeek became the symbolic test case for whether export controls can contain frontier capability — and, more subtly, for whether the world possesses any institutional machinery to know whether they did. This section treats the episode with the balance it deserves. The correct sentence is not “DeepSeek smuggled H100s.” The correct sentence is: DeepSeek became the central case study in compute opacity because public technical disclosures, industry suspicion, and geopolitical incentives did not align — and no mechanism existed to reconcile them.
3.1 What Happened
On December 26, 2024, DeepSeek — a Hangzhou lab founded barely a year and a half earlier out of the quantitative hedge fund High-Flyer — published the DeepSeek-V3 technical report, describing a 671-billion-parameter mixture-of-experts model with 37 billion parameters activated per token, pre-trained on 14.8 trillion tokens using a cluster of 2,048 Nvidia H800 GPUs, at a total of 2.788 million GPU hours priced at $5.576 million [14]. On January 20, 2025 — the day of the U.S. presidential inauguration — the company released its R1 reasoning model. Within a week, DeepSeek’s app had overtaken ChatGPT atop Apple’s U.S. App Store, Marc Andreessen had pronounced it AI’s “Sputnik moment,” and U.S. technology stocks suffered one of their largest single-day wipeouts in memory, with Nvidia alone shedding more than $600 billion in market value in a day [30][48]. The Stanford AI Index would later record the structural shift: in February 2025, DeepSeek-R1 briefly matched the top U.S. model, and the once-double-digit U.S. performance lead compressed to 2.7 percent by March 2026 [21][22].
Into that shock stepped Alexandr Wang. In a CNBC interview from Davos, Wang — whose company Scale AI supplied training data and model evaluation to OpenAI, Google, and Meta, and who months later would be appointed Meta’s first Chief AI Officer overseeing Meta Superintelligence Labs after Meta’s $14.3 billion investment in Scale [18] — asserted that Chinese labs “have more H100s than people think,” that his understanding was that DeepSeek held about 50,000 of them, and that the company could not discuss the chips because doing so would admit violations of U.S. export controls [16][17]. Wang provided no evidence, as contemporaneous reporting emphasized [15]. But given his vantage point at the data layer of nearly every frontier lab, the claim landed with force in Washington, contributing to the U.S. investigation into whether DeepSeek sourced restricted chips through third parties in Singapore — an investigation that would soon intersect with actual arrests [33][34].
3.2 Three Competing Explanations
Explanation 1 — Genuine Efficiency. DeepSeek’s architecture — mixture-of-experts with auxiliary-loss-free load balancing, multi-head latent attention, multi-token prediction, FP8 mixed-precision training, and the DualPipe pipeline schedule engineered specifically to overlap computation and communication under constrained interconnect — reduced training cost in ways the technical report documents in unusual detail [14]. Independent technical analysis found the claimed 2.788 million GPU hours plausible: the figure is close to what scaling arithmetic from comparable open models would predict, and the architectural choices are exactly those an engineering team would make to compensate for the H800’s bandwidth limitations relative to the H100 [30]. On this reading, export controls did not fail; they redirected Chinese ingenuity toward efficiency — and efficiency, once discovered, benefits everyone who trains models anywhere.
Explanation 2 — Lawful Legacy Compute. DeepSeek and its parent may have had access to substantial pre-ban or export-compliant hardware. Liang Wenfeng stated in a 2023 Chinese media interview that the firm had stockpiled 10,000 Nvidia A100s before U.S. restrictions took hold [15], and the H800 itself was designed as a compliant China-market variant during the window when such variants were legal. On this reading, the headline training-cost figure is real but radically incomplete as a measure of the resources behind the model: as hedge-fund analyst Gavin Baker noted, the $5.576 million covers a single final run and excludes the prior research, ablations, and infrastructure that the paper itself brackets out — meaning a lab could only achieve such a run after spending vastly more [48][14].
Explanation 3 — Hidden or Indirect Compute. Industry figures, Wang foremost among them, suggested access to more advanced GPUs than publicly acknowledged [16]. Circumstantially, the suspicion draws on a documented smuggling ecosystem — at least eight networks each transacting over $100 million, per reporting cited in congressional testimony [30] — and on the Singapore prosecutions, in which investigators believed Dell and Supermicro servers containing suspected Nvidia chips, papered for Malaysia, may have been diverted onward, with domestic media connecting the fraud to U.S.-bound export-control evasion and, speculatively, to DeepSeek itself [33]. The House Select Committee on the CCP went furthest, concluding in its April 2025 report that DeepSeek used advanced Nvidia chips restricted from export to the PRC [27]. Yet no public adjudication has confirmed the 50,000-H100 figure, and the technical evidence in Explanation 1 cuts against the strongest versions of the claim.
3.3 The Governance Reading
The DeepSeek controversy matters less as a courtroom allegation than as a governance crisis. It revealed that the world can observe a model’s performance far more easily than it can observe the infrastructure history behind that performance. That asymmetry creates the central dilemma of Silicon Laundering: the model is public; the compute trail is private. Every subsequent frontier release from a restricted jurisdiction now arrives pre-wrapped in the same unanswerable question, and every efficiency claim — true or not — doubles as cover. A verification regime that could distinguish Explanation 1 from Explanation 3 would be worth more to strategic stability than another round of thresholds; its absence converts every benchmark chart into a geopolitical Rorschach test. Section 6 returns to what such a regime would require. What the episode already proves is that in the absence of provenance infrastructure, the debate defaults to dueling assertions between a technical report no outsider can audit and an industry claim no outsider can verify — with trillion-dollar markets and national strategies swinging on the difference.

Section 4 — The Transit-State Problem
Export control now depends on third countries that are not the strategic adversary but have become essential corridors — and, increasingly, essential partners, suspects, and swing states all at once. The transit state is not merely a loophole. It is the new diplomatic frontier of AI governance. A country may want investment from datacenters, cloud providers, logistics firms, and AI startups, while also avoiding the reputational and strategic cost of becoming a compute-diversion hub. This creates a new bargain, and it is the organizing thesis of this section: countries that host AI infrastructure must also host AI compliance capacity.
The past eighteen months have produced an extraordinary enforcement record across the corridor states. The table below assembles the key events.
| Date | Jurisdiction | Event | Significance |
| Feb–Mar 2025 | Singapore | Three men charged with fraud over Dell/Supermicro servers papered for Malaysia; probe follows U.S. inquiry into DeepSeek’s chip sourcing [32][34] | First major transit-state prosecution of the AI era |
| Aug 2025 | United States | Two Chinese nationals charged for shipping AI chips from El Monte, CA via freight forwarders in Malaysia and Singapore [2] | U.S. case explicitly naming both corridor states |
| Nov 2025 | United States | Four charged: 400 A100s exported via Thailand/Malaysia; HPE supercomputers with H100s and 50 H200s interdicted [3][4] | Fake-front-company playbook documented in an indictment |
| Dec 2025 | United States | First “AI diversion” conviction: $160M in H100/H200s, relabeled hardware, guilty plea by Hao Global [5] | Proof that prosecutions can conclude, not just begin |
| Jan 2026 | United States | BIS moves H200/MI325X to case-by-case review for China with testing, KYC, and volume caps [7][8] | Legal channel reopened — raising the stakes of policing the illegal one |
| Mar 2026 | United States | Supermicro cofounder arrested over alleged $2.5B server-routing scheme via sham Southeast Asian company [6] | Diversion allegations reach the executive suite of a major OEM |
| Apr 2026 | Singapore | Fourth individual charged with fraud against Dell in the server case [43] | Case widens; Singapore signals persistence |
| May 31, 2026 | United States | BIS guidance: licenses required worldwide for China-headquartered or China-parented entities [11] | Corporate identity layer formally closed on paper |
| Jun 5, 2026 | Malaysia | 72 AI-chip servers (RM52.9M) seized at KLIA Free Trade Zone under Strategic Trade Act [1][2] | Transit state enforcing its own 2025 controls |
| Jul 1–2, 2026 | Taiwan / Singapore | Taiwan detains Supermicro managers in first criminal probe of chip diversion; Singapore seizes S$55M bungalow as suspected proceeds [40][41][33] | Corridor enforcement goes simultaneous and multinational |
4.1 Malaysia: From Corridor to Chokepoint
Malaysia sits at the epicenter of the transit problem by geography and by industrial history: it is a major node in semiconductor assembly, testing, and packaging, a booming datacenter destination, and one of the world’s busiest re-export economies. The June 2026 KLIA seizure crystallized its double bind. On one side, Kuala Lumpur adopted export controls on U.S.-origin high-performance chips in 2025 under American pressure, and its customs service demonstrated in June that those controls have teeth — acting on the Strategic Trade Act, seizing the 72 servers, and publicly naming the “computer components” misdeclaration tactic [1][2]. On the other side, Malaysia is simultaneously courting the very industry whose products it must police: the World Bank Group’s IFC helped de-risk a 300-megawatt hyperscale datacenter campus in Johor Bahru — among the largest in emerging markets — precisely to position Malaysia as a regional digital-infrastructure hub [25]. The same free-trade zones, port capacity, and logistics sophistication that attract legitimate compute investment attract diversion syndicates, because both customers value the identical thing: frictionless throughput. Malaysia’s June enforcement action should therefore be read not as an embarrassment but as an audition — a demonstration to Washington that hosting compute and hosting compliance can coexist, and a warning to syndicates that the corridor is no longer unwatched. Notably, Malaysia had investigated reports in 2025 that a Chinese company in the country was using Nvidia-equipped servers for AI development and found no evidence of illegal semiconductor trade [2] — a reminder that transit-state enforcement must distinguish lawful Chinese-linked datacenter activity from diversion, which is exactly the distinction the May 2026 BIS guidance now forces everyone to formalize.
4.2 Singapore: The Reputation Economy Meets the Gray Market
Singapore’s exposure is different in kind: it is not primarily a physical corridor but a commercial one — a regional headquarters, invoicing, and procurement hub whose name appears on contracts for hardware that may never touch the island. Nvidia’s filings illustrate the phenomenon: Singapore-billed customers accounted for 18 percent of revenue in fiscal 2025, while actual shipments to Singapore were under 2 percent — a gap the company attributes to customers centralizing purchasing through Singapore entities, and which Singaporean officials note by pointing out that only about 1 percent of Nvidia’s chips physically arrive for local deployment [43][34]. That gap is commercially innocent in most cases and strategically explosive in a few. The fraud prosecution that began in February 2025 — officers of the Aperia group of companies and an associated firm allegedly misrepresenting themselves as end users of Dell and Supermicro servers shipped onward to Malaysia — has become the reference case, expanding in April 2026 with a fourth defendant and in July 2026 with money-laundering charges and the seizure of a S$55 million Good Class Bungalow as suspected proceeds [32][41][33][43].
The open question, in his words, was “whether Malaysia was a final destination or from Malaysia it went to somewhere else.”
— K. Shanmugam, Minister for Law and Home Affairs, Singapore [34]
Singapore’s response has been characteristically institutional: no denial of the problem, aggressive prosecution of the named individuals, and explicit framing of enforcement as reputation defense — the police declaring a “zero-tolerance stance” toward offenses that threaten the country’s standing as a trusted hub governed by the rule of law [33]. For Singapore, compute compliance is not a concession to Washington; it is an asset class.
4.3 Taiwan: The Manufacturing Chokepoint’s Legal Gap
Taiwan occupies a paradoxical position: it manufactures nearly every leading AI chip on Earth — the Stanford AI Index notes that a single foundry, TSMC, fabricates almost all of them [21] — yet until 2026 it had never brought a criminal case over AI-chip diversion, and it still lacks a statute directly criminalizing the export of AI chips to China. The July 2026 detentions of Supermicro’s Taiwan branch managers and a distributor executive, in an investigation spanning nine suspects and twelve searched locations, therefore proceed on document-forgery and false-customs-declaration charges rather than on the diversion itself [40][41]. The gap matters for the whole system: if the jurisdiction that assembles the world’s AI servers can prosecute only the paperwork and not the act, then the multilateral export-control architecture rests, at its most critical node, on the narrowest possible legal footing. Taipei has moved to align in other ways — adding Huawei and SMIC to its own strategic export entity list in 2025 — and scholars have argued that Taiwan’s deeper strategy is deliberate alignment with U.S.-led “silicon statecraft” as a security bet [37]. But the Supermicro case exposes the distance between strategic alignment and statutory readiness.
4.4 The Gulf States: Sovereign AI and the Diffusion Dilemma
The United Arab Emirates and Saudi Arabia present the transit problem in its most ambitious form: not covert diversion but negotiated diffusion. Gulf sovereign AI programs are purchasing compute at national scale, building gigawatt-class campuses, and positioning themselves as a third pole of AI infrastructure between Washington and Beijing. The Stanford AI Index registers the region’s momentum from the demand side — the UAE shows generative-AI adoption of 64 percent of its population, among the highest on Earth [21][22]. For U.S. policy, the Gulf is the test of whether large-scale chip exports can be made diversion-proof by contract: security agreements, U.S.-operator requirements, and monitoring provisions in place of blanket denial. Skeptics note that every GPU placed in a third country becomes, arithmetically, a GPU that must be tracked forever; proponents answer that refusing the Gulf’s demand merely gifts the market to Chinese vendors. The Chip Security Act’s location-verification logic — discussed in Section 6 — was designed in significant part to make exactly this kind of trusted-partner export scalable: proponents argue that verifiable chips could be sold to countries like Malaysia or Indonesia “without fear of further transfer to China” [45][28].
4.5 Thailand and the Corridor Economy
Thailand rounds out the Southeast Asian picture, appearing in the U.S. enforcement record as both a routing geography and a paperwork geography. The November 2025 indictment describes A100 shipments moving to China through Thailand and Malaysia [3][4]; the May 2026 Fortune investigation documents an earlier alleged scheme in which orders for hundreds of GPU-packed servers were routed through phony buyers in Thailand, with fake end-user certifications standing in for the export licenses that could never have been obtained [6]. Thailand has since faced the same U.S. pressure as its neighbors, with Washington weighing additional measures to limit re-exports from both Malaysia and Thailand into China. The deeper point generalizes beyond any single country: Southeast Asia’s corridor economy — free-trade zones, transshipment ports, freight-forwarding depth, and datacenter ambitions — is a single integrated system, and diversion demand treats it as such, arbitraging whichever national node offers the least scrutiny that week. The IMF’s 2026 outlook captures the same region from the demand side, noting that Korea, Malaysia, Thailand, and Vietnam sit “at the center of the chip and AI boom” even as energy importers [24]. The corridor states are not bystanders to the AI economy; they are load-bearing members of it, which is precisely why their customs services, prosecutors, and legislatures have become instruments of global compute governance whether they sought the role or not.
4.6 Allies and the Coordination Imperative
Finally, the transit-state problem folds into an alliance problem. U.S. unilateral rules are porous by construction: when Washington restricted semiconductor manufacturing equipment in October 2022, the Netherlands and Japan took months to align, and Financial Times analysis of Chinese customs data showed SME imports surging from $2.9 billion to $5 billion across the gap — a stockpiling window opened by the mere sequencing of allied rulemaking [46]. The lesson generalizes to chips and servers: every jurisdictional seam is a schedule for arbitrage. USC’s Center on Public Diplomacy has described the emerging order as one of “silicon statecraft,” in which coordinated export controls, resilient supply chains, and hyperscale computing infrastructure become instruments of diplomacy as consequential as treaties [37]. In that order, Malaysia’s customs directors, Singapore’s prosecutors, Taiwan’s legislators, and Emirati datacenter regulators are not peripheral actors. They are the front line.

Section 5 — Why Hardware-Only Controls Are Not Enough
Chip restrictions can slow adversaries. They can also generate substitution, efficiency innovation, domestic-chip acceleration, and open-model diffusion. Both statements are true simultaneously, and honest policy must hold both. This section marshals the technical, economic, and institutional evidence — from MIT, Stanford, the IMF, the World Bank, and the enforcement record — for the conclusion that hardware-only controls are a necessary but structurally incomplete instrument.
5.1 The Technical Argument: The Target Moves Twice
MIT FutureTech’s measurements establish the baseline physics of the problem. Nvidia datacenter GPU performance in the precisions that matter for AI training has doubled roughly every one-and-a-half years for two decades, while memory bandwidth — the binding constraint for many workloads — doubles only every three-plus years, and price and power move slower still [19][20]. Two consequences follow. First, any fixed performance threshold in an export rule depreciates automatically: the “controlled” tier of one year becomes the mid-range of the next, and hardware sold legally before a rule takes effect remains strategically useful for years — which is why stockpiling has been China’s first response to every rules update [46]. Second, the effective stringency of the regime is exquisitely sensitive to where the thresholds sit: the FutureTech team calculated that proposed threshold changes would shrink the potential controlled-versus-permitted performance gap from 23.6x to 3.54x [19] — a reminder that a single rulemaking can quietly trade away an order of magnitude of the very advantage the regime exists to protect. The January 2026 H200 decision, whatever its diplomatic merits, was exactly such a trade: the Institute for AI Policy and Strategy estimated that up to 900,000 H200-equivalents of compute could flow to China under the new policy before accounting for future U.S. sales [10].
5.2 The Efficiency Argument: Constraint Breeds Capability
Export controls assume that capability scales with hardware. DeepSeek demonstrated that capability also scales with cleverness under constraint: architectures co-designed for bandwidth-starved chips, precision reduced to FP8, communication overlapped with computation [14]. The efficiency dividend, once published, is not containable — it lowers the compute bar for every actor worldwide, including the restricted ones. Stanford’s 2026 AI Index supplies the macro-verdict: the U.S.–China frontier-model performance gap collapsed from double digits in 2023 to 2.7 percent by March 2026, even as U.S. private AI investment of $285.9 billion outran China’s tracked $12.4 billion by more than 23 to 1 — a ratio the Index itself cautions likely understates Chinese spending, given an estimated $184 billion channeled to AI firms through government guidance funds [21][22]. Spending 23 times more to hold a 2.7 percent lead is not evidence that controls achieved nothing — the counterfactual gap might be smaller still, or inverted — but it is decisive evidence that hardware denial alone does not purchase durable capability separation.
5.3 The Substitution Argument: Every Wall Funds a Ladder
Denial creates demand for domestic alternatives, and China has answered with a whole-of-nation semiconductor self-sufficiency drive whose progress — Huawei’s Ascend line, advances at SMIC, packaging workarounds — is documented across the policy literature [31]. Analysts differ on how far and how fast domestic substitution can go without EUV lithography; Gregory Allen’s assessment is that China may remain stuck at low-yield 7- and 5-nanometer production for years, which would leave it behind as frontier compute demand rises another tenfold [31]. But the directional incentive is undisputed: every year of restriction is a year of subsidized, politically mandated catch-up. The strategic wager of export controls is that the U.S. lead compounds faster than Chinese substitution — a wager on relative velocity, not on absolute denial.
5.4 The Economic Argument: The Stack Is Too Big to Embargo
AI is no longer a sector; it is becoming the growth model. The IMF describes AI-related investment as the defining driver of the global economic conversation, fueling demand for servers, datacenters, software, and power, with datacenter capital expenditure requirements estimated at $6.7 trillion by 2030 [23], and its 2026 World Economic Outlook treats the technology-investment cycle as one of two critical uncertainties for global growth itself [24].
Artificial intelligence is the defining driver of global economic conversation.
— Marcello Estevão, International Monetary Fund, Finance & Development [23]
The World Bank, meanwhile, frames AI readiness as a development imperative built on connectivity, compute, context, and competency, and is deliberately financing datacenter and cloud markets across low- and middle-income countries [25][26]. The macro-institutions are, in effect, working to spread compute at the very moment security agencies are working to contain it. That tension is not hypocrisy; it is the honest shape of the problem. A technology this central to growth cannot be governed like a munition, because the same pallet of servers is simultaneously a development asset in Johor and a diversion risk in a KLIA warehouse — sometimes in the same week [25][1].
5.5 The Enforcement Argument: Arithmetic Against the Agency
Finally, the institutional ledger. BIS polices the world’s dual-use trade with fewer than 600 employees and a budget under $200 million; the documented smuggling ecosystem includes at least eight networks each transacting more than $100 million; congressional estimates put median 2024 chip smuggling at 140,000 units; and gray-market margins on a single GPU can approach 100 percent [31][30][29][40]. The Fortune investigation of May 2026 traced encrypted-message negotiations moving Nvidia hardware toward China, Russia, and Iran through fake end-user certificates and phony Thai buyers [6]. Against that adversary, a licensing bureaucracy — however well-drafted its rules — is structurally outmatched unless it acquires intelligence support, technological modernization, and multiplied resources, as Allen has argued in congressional testimony [30][31]. Rules without enforcement capacity do not merely fail; they impose all the commercial costs of restriction while delivering none of the strategic benefits — the worst quadrant of the policy matrix [31].
5.6 The Market Argument: What Nvidia’s Ledger Reveals
Corporate earnings are the regime’s most candid scoreboard, and Nvidia’s fiscal disclosures through the first quarter of fiscal 2027 (reported May 20, 2026) read like an export-control seismograph. Fiscal 2026 closed with record revenue of $215.9 billion, up 65 percent, on Data Center revenue of $62.3 billion in the fourth quarter alone [36]. The first quarter of fiscal 2027 then delivered $81.6 billion in revenue — up 85 percent year over year — with Data Center revenue of $75.2 billion, up 92 percent, and a record $13.5 billion sequential increase [35]. Yet inside that triumph sits the China-shaped hole: zero shipments of Data Center Hopper products to China during the quarter, against $4.6 billion a year earlier, and forward guidance of $91 billion that explicitly assumes no Data Center compute revenue from China at all [35]. Three lessons follow. First, the controls demonstrably bind at the level of lawful corporate conduct: a top-five global market has been written down to zero in the world’s most valuable company’s guidance. Second, the demand did not die — it was orphaned, and orphaned demand at gray-market premiums of 60 to 100 percent per unit [40] is the financial engine of every laundering mode catalogued in Section 2. Third, the asymmetry between a $75 billion legal quarter and a $160 million criminal case [5] shows why enforcement statistics flatter the regime: interdicted diversion is measured in the hundreds of millions while the incentive pool is measured in the tens of billions. The IMF’s description of a two-speed global economy racing on AI investment [23], and the Stanford Index’s record of $285.9 billion in U.S. private AI capital chasing a 2.7 percent model lead [21][22], complete the picture: the economic gravity acting on every restricted chip has never been stronger, and gravity, unlike regulation, never pauses for comment periods.
5.7 The Synthesis
If AI were only software, export controls would be too late. If AI were only hardware, export controls would be enough. But AI is neither. It is a stack: chips, energy, datacenters, models, applications, data, labor, cloud markets, and state policy. Silicon Laundering exploits the seams between these layers — between the chip and the server, the server and the jurisdiction, the jurisdiction and the corporate parent, the parent and the cloud account, the account and the model, the model and the strategic outcome. Hardware-only controls guard exactly one seam. The remaining six are governed, today, by little more than paperwork and luck. The answer is not to abandon the wall but to add windows: visibility mechanisms that travel with the compute itself. That is the work of Section 6.

Section 6 — The Policy Response: Compute Provenance
The solution is not only more restriction; it is better visibility. What money laundering was to 1980s banking, Silicon Laundering is to 2020s compute — and the remedy will rhyme: know-your-customer became know-your-compute; suspicious-activity reporting becomes suspicious-workload reporting; beneficial-ownership registries become beneficial-compute registries. This section proposes eight pillars of a compute-provenance regime, each anchored in instruments that already exist in embryo.
Pillar 1 — Chip Identity
Advanced AI chips should carry verifiable identity: cryptographically attestable device identifiers, shipment history, and authorized-ownership records that travel with the silicon from fab to rack. The relabeling tactic in the Hao Global case — export-controlled GPUs shipped under a fictional brand [5] — succeeds only in a world where the artifact cannot authenticate itself. Device identity is the foundation on which every subsequent pillar stands; without it, location verification attests to nothing in particular and ownership registries record claims rather than facts.
Pillar 2 — Location Verification
The Chip Security Act — introduced in May 2025 by the leadership of the House Select Committee on the CCP as a direct response to the committee’s DeepSeek findings, and passed by the House Foreign Affairs Committee in March 2026 — would require the Commerce Department to mandate that covered advanced chips carry a security mechanism, in software, firmware, or hardware, implementing location verification before export, with mandatory reporting when a chip surfaces in an unauthorized place [27][28]. Companion Senate legislation would task the Defense Department with studying further safeguards [28]. Proponents — including a coalition of tracking-technology firms — argue that verification is precisely what would allow larger, faster shipments to trusted partners such as Malaysia or Indonesia without diversion fear [45]; critics warn that tracking mechanisms create spoofing and cybersecurity attack surfaces and burden compliant firms more than smugglers [45]. Both can be right: the design bar is high. But the strategic logic is sound, and the bill’s own framing captures it — security mechanisms “opening the door” to streamlined exports for partners [28]. Verification is not the enemy of diffusion; it is diffusion’s license.
Chinese companies are “buying what they legally can … and stealing what they cannot.”
— Rep. John Moolenaar, Chairman, House Select Committee on the Chinese Communist Party [45]
Pillar 3 — Beneficial Compute Ownership
Regulators should examine not only the buyer but the parent, the customer of the customer, the workload sponsor, and the ultimate beneficiary. The May 2026 BIS guidance already establishes the legal principle — headquarters and ultimate parentage govern, worldwide, on a strict-liability basis [11][13]. What is missing is the informational infrastructure to apply it: a beneficial-compute-ownership registry, analogous to the beneficial-ownership registries that anti-money-laundering law forced onto shell companies, so that exporters and datacenter operators can screen counterparties against verified corporate genealogies rather than self-declarations. Until such a registry exists, the strict-liability standard transfers sovereign-scale due-diligence burdens onto private compliance departments — an arrangement that guarantees uneven results.
Pillar 4 — Cloud Compute Controls
Cloud access to frontier-scale clusters should require end-user verification for restricted actors, closing the seam where rented compute substitutes for owned chips. The direction of travel is set: the House passed the Remote Access Security Act 369–22 [42], and the January 2026 licensing rule obliges applicants to enumerate remote end users linked to restricted jurisdictions and to prevent unauthorized remote access through KYC procedures [8]. The unfinished work is definitional and technical — thresholds for what constitutes frontier-scale access, attestation standards for who is at the other end of an API key, and workload-classification norms that can distinguish a foundation-model training run from routine enterprise computing without turning every cloud provider into a surveillance agency. Getting this pillar wrong in either direction is expensive: too loose, and cloud laundering swallows the regime; too tight, and the U.S. cloud industry’s global competitiveness — itself a strategic asset — erodes.
Pillar 5 — Transit-State Partnerships
Countries such as Malaysia, Singapore, Taiwan, South Korea, Japan, and the UAE need compliance support, customs training, shared intelligence, and — crucially — statutory modernization assistance. The 2025–2026 record shows willing partners with uneven tools: Malaysia enforcing a young Strategic Trade Act regime at KLIA [1]; Singapore prosecuting vigorously under general fraud and money-laundering law [33]; Taiwan discovering mid-investigation that it has no statute criminalizing the underlying diversion at all [40]. A serious partnership program would pair market access and investment — the very datacenter financing the World Bank Group is already catalyzing in places like Johor [25] — with capacity benchmarks: entity-screening infrastructure, free-trade-zone inspection protocols, and mutual legal assistance tuned to compute cases. The bargain should be explicit and dignified: compliance capacity is the admission ticket to the trusted-compute economy, not a tax imposed on it.
Pillar 6 — Model Provenance Disclosure
Frontier model developers should disclose broad compute categories — chip classes, order-of-magnitude training scale, and major infrastructure partners — without revealing sensitive trade secrets. The DeepSeek episode is the argument: a paragraph of standardized, auditable compute disclosure would have converted an unresolvable transpacific suspicion into a checkable claim [14][15]. The trendline runs the wrong way: Stanford’s Foundation Model Transparency Index fell from 58 to 40 in a year, with most frontier models disclosing nothing about their training infrastructure [21][22]. Disclosure needs teeth on both sides of the Pacific — as a listing or procurement condition in the United States and allied markets, and as a diplomatic ask in any future U.S.–China AI dialogue. A world in which every frontier model ships with a compute bill of materials is a world in which the Model Provenance Gap begins to close.
Pillar 7 — An Allied Compute Compact
The United States should build a trusted compute alliance rather than merely impose unilateral controls. The stockpiling episode of 2022–2023 — billions in equipment flowing through the months-long gap between U.S. and allied rulemaking [46] — is the standing proof that unilateralism is self-defeating on a networked supply chain. A compact worthy of the name would harmonize control lists and effective dates; pool licensing intelligence; mutually recognize chip-identity and location-verification standards under Pillars 1 and 2; and coordinate the treatment of chokepoint economies — Taiwan, South Korea, Japan, the Netherlands — whose own scholars are already sketching networked frameworks for orchestrated export-control collaboration [37]. USC’s public-diplomacy scholarship names the destination: a “Pax Silica,” an economic-security order in which advanced technology and national defense are treated as inseparable, and influence flows through computational infrastructure as surely as it once flowed through sea lanes [37].
Pillar 8 — Enforcement Capacity as Strategy
Every pillar above is a promissory note drawn on enforcement, and the account is overdrawn. BIS’s sub-$200-million budget against $100-million-per-network smuggling economics is not a gap; it is an invitation [31][30]. A provenance regime requires the machinery of one: data-analysis modernization inside BIS, dedicated compute-enforcement units, intelligence-community tasking against diversion networks as a standing priority, and prosecution capacity in the transit states themselves. The December 2025 conviction and the July 2026 Taiwan detentions prove that cases can be made [5][40]; the question is whether they can be made at the tempo of the adversary. Speed, Allen observes, is itself a policy variable — smugglers and shell companies decide quickly, while regulators have historically updated once a year [46]. A compute-provenance regime that moves at the speed of the Federal Register will be laundered around. One that moves at the speed of the network it polices has a chance.
The Design Principle
Across all eight pillars runs a single principle: shift the regime’s center of gravity from denial to verification. Denial is binary, brittle, and blind — it works until the first successful diversion and learns nothing from it. Verification is graduated, resilient, and cumulative — every attested chip, screened parent company, classified workload, and disclosed training run adds information to a system whose power compounds. The twentieth century learned this lesson in nuclear governance, where safeguards and inspections, not embargoes alone, made civilian diffusion compatible with military restraint. Compute is harder — smaller, faster, more commercial — but the architecture rhymes. The age of Silicon Laundering will end not when the last smuggler is caught, but when laundering stops paying because provenance is cheaper to prove than to fake.

Conclusion: Naming the Cracks
Silicon Laundering is not simply a story about smuggled chips. It is a story about a world whose most valuable strategic resource has become harder to see.
In the twentieth century, power announced itself through visible infrastructure. Oil tankers crossed oceans. Steel mills burned. Nuclear plants required containment domes. Aircraft carriers moved across the sea. Factories employed thousands of workers and left physical evidence in the landscape. Strategic capacity had weight, smoke, noise, and geography — and the institutions built to govern it, from COCOM to the IAEA, could at least in principle find what they were meant to control.
AI compute is different. It can sit behind a warehouse wall, inside a colocation facility, beneath a cloud contract, within a server shipment, or behind the legal identity of a foreign subsidiary. Its presence may only become visible later, when a model appears that should not have been possible under the assumptions of existing policy. By then, the chips may have moved, the invoices may have been rewritten, the training run may be complete, and the model may already be circulating across open-source repositories, APIs, military workflows, robotics systems, and enterprise applications. This is the central lesson of Silicon Laundering: the strategic value of compute is created before the world sees the model, but the political controversy begins only after the model appears.
The DeepSeek episode revealed this asymmetry with unusual clarity. DeepSeek’s public technical claims described remarkable efficiency on H800 GPUs — 2.788 million GPU hours, $5.576 million for the official run [14]. Industry skeptics, most prominently Alexandr Wang, questioned whether the company had access to far more advanced compute than it disclosed, though no public evidence proved the allegation [15][16]. The point is not to resolve that dispute in a single sentence. The point is to recognize that modern AI governance lacks a trusted method for resolving such disputes at all. The world can benchmark the model but cannot verify the compute history behind it. That is the Model Provenance Gap, and it will reopen with every significant model release from every contested jurisdiction until provenance infrastructure exists to close it.
The Malaysia seizure, the DOJ prosecutions from Florida to Texas, the Singapore fraud and money-laundering cases, the Taiwan detentions, and the January and May 2026 BIS actions show that governments are beginning to understand the problem — and beginning, in fits, to act on all seven layers at once [1][3][5][33][40][7][11]. But the challenge is expanding faster than the old toolkit. Export control cannot remain only a customs function. It must become a system of compute intelligence: fluent in chips and servers, cloud regions and corporate genealogies, workload telemetry and energy footprints, and the political economy of every transit jurisdiction from Sepang to Jebel Ali.
For private corporations, the message is unambiguous: compliance can no longer stop at the sales contract. AI hardware companies, cloud providers, datacenter operators, logistics firms, and enterprise customers must know not only who buys the equipment, but who benefits from the compute. The May 2026 guidance makes ultimate parentage a strict-liability question [13]; the Supermicro cases show diversion allegations reaching OEM executive suites and branch offices [6][40]; and Nvidia’s own guidance now assumes zero China datacenter revenue even as its global quarter tops $81 billion [35] — a configuration in which every gray-market pallet is simultaneously a legal risk, a reputational risk, and a policy provocation. The next generation of compliance will require chip identity, location verification, workload classification, end-user monitoring, and escalation procedures for suspicious demand — the private-sector half of the eight pillars.
For startups, the lesson is more strategic. Compute access is no longer merely an operating expense; it is a geopolitical dependency. The startup that builds its model on cheap, opaque, or indirectly sourced compute may gain speed in the short term but inherits legal, reputational, and national-security risk that compounds with its own success — because success is exactly what triggers the provenance question. In the age of Silicon Laundering, clean compute provenance may become as important as clean data provenance, and for the same reason: the artifact carries the sins of its supply chain.
For state and federal leaders, the implication is broader still. The United States cannot win the AI race only by restricting adversaries. It must also build faster at home, coordinate genuinely with allies, expand energy and datacenter capacity, finance trusted compute infrastructure in partner states, and write rules that are enforceable without becoming self-defeating. If restrictions are too weak, strategic compute leaks — the enforcement docket of 2025–2026 is the proof [3][5][6]. If restrictions are too blunt, they accelerate foreign substitution and hand the growth markets that the IMF and World Bank are actively cultivating to rival suppliers [23][25]. The answer is neither naive openness nor total technological closure. The answer is disciplined compute governance: verification-centered, alliance-anchored, and resourced at the scale of the thing it governs.
The future of AI power will belong not only to the nation with the best models, but to the nation — and the alliance system — that can connect five capabilities: chip design, manufacturing scale, energy abundance, datacenter capacity, and verifiable governance. Without the fifth capability, the first four can leak through the cracks.
Silicon Laundering names those cracks.
And once we can name them, we can begin to close them.

Endnotes:
[1] The Star (Malaysia), “Customs Dept seizes 72 servers with AI chips worth RM53mil,” June 26, 2026. https://www.thestar.com.my/news/nation/2026/06/26/customs-dept-seizes-72-servers-with-ai-chips-worth-rm53mil
[2] Free Malaysia Today (with Reuters reporting), “Customs dept seizes AI chips worth nearly RM53mil at KLIA,” June 26, 2026. https://www.freemalaysiatoday.com/category/nation/2026/06/26/customs-dept-seizes-ai-chips-worth-nearly-rm53mil-at-klia
[3] U.S. Department of Justice, Office of Public Affairs, “U.S. Citizens and Chinese Nationals Arrested for Exporting Artificial Intelligence Technology to China,” November 20, 2025. https://www.justice.gov/opa/pr/us-citizens-and-chinese-nationals-arrested-exporting-artificial-intelligence-technology
[4] Fortune, “Four accused in black-market scheme to smuggle hundreds of Nvidia GPUs to China—while raking in millions,” November 20, 2025. https://fortune.com/2025/11/20/nvidia-chips-china-smuggle-ai/
[5] CNBC, “U.S. uncovers scheme to reroute Nvidia GPUs worth $160 million to China despite export bans,” December 9, 2025. https://www.cnbc.com/2025/12/09/us-attorneys-office-southern-district-of-texas-prosecutors-nvidia-chips-h200-h100-smuggle-china.html
[6] Fortune, “Encrypted texts reveal how Nvidia chips and U.S. tech are being smuggled to China and Russia,” May 13, 2026. https://fortune.com/2026/05/13/nvidia-chip-smuggling-china-russia-iran-export-controls-supermicro/
[7] U.S. Bureau of Industry and Security, “Department of Commerce Revises License Review Policy for Semiconductors Exported to China,” press release, January 2026. https://www.bis.gov/press-release/department-commerce-revises-license-review-policy-semiconductors-exported-china
[8] Federal Register, “Revision to License Review Policy for Advanced Computing Commodities,” Doc. 2026-00789, effective January 15, 2026. https://www.federalregister.gov/documents/2026/01/15/2026-00789/revision-to-license-review-policy-for-advanced-computing-commodities
[9] Covington & Burling LLP, “U.S. Commerce Department Revises License Review Policy for Exports of Certain Advanced Computing Commodities to China and Macau,” January 2026. https://www.cov.com/en/news-and-insights/insights/2026/01/us-commerce-department-revises-license-review-policy-for-exports-of-certain-advanced-computing-commodities-to-china-and-macau
[10] Institute for AI Policy and Strategy (IAPS), “New BIS Licensing Policy for H200s: Tough Guidelines, Weak Enforcement,” January 16, 2026. https://www.iaps.ai/research/bis-licensing-policy-for-h200s
[11] U.S. Bureau of Industry and Security, “Guidance Regarding Enforcement of License Requirements for Advanced Computing Items for Entities Headquartered in Country Group D:5 and Macau,” May 31, 2026. https://www.bis.gov/media/documents/bis-guidance-may-31-2026.pdf
[12] Holland & Knight LLP, “BIS Publishes Guidance Regarding License Requirements for Advanced Computing Items,” June 5, 2026. https://www.hklaw.com/en/insights/publications/2026/06/bis-publishes-guidance-license-requirements-advanced-computing-items
[13] Baker McKenzie, Global Sanctions and Export Controls Blog, “BIS Clarifies That License Requirements for Advanced Computing Items to Country Group D:5- and Macau-Headquartered Entities Remain in Force,” June 2026. https://sanctionsnews.bakermckenzie.com/bis-clarifies-that-license-requirements-for-advanced-computing-items-to-country-group-d5-and-macau-headquartered-entities-remain-in-force-despite-ai-diffusion-rule-non-enforcement/
[14] DeepSeek-AI, “DeepSeek-V3 Technical Report,” arXiv:2412.19437, December 27, 2024. https://arxiv.org/abs/2412.19437
[15] Al Jazeera, “China’s DeepSeek faces questions over claims after shaking up global tech,” January 29, 2025. https://www.aljazeera.com/news/2025/1/29/ai-game-changer-or-overhyped-deepseek-faces-scrutiny-over-bold-claims
[16] Fortune, “AI selloff: Claims from China’s DeepSeek too good to be true?” January 27, 2025. https://fortune.com/2025/01/27/china-deepseek-ai-claims-true/
[17] Wccftech, “Chinese AI Lab DeepSeek Has 50,000 NVIDIA H100 AI GPUs, Says AI CEO,” January 2025. https://wccftech.com/chinese-ai-lab-deepseek-has-50000-nvidia-h100-ai-gpus-says-ai-ceo/
[18] Meta Platforms, “Alexandr Wang, Chief AI Officer,” corporate leadership page. https://www.meta.com/about/leadership/alexandr-wang/
[19] Emanuele Del Sozzo, Martin Fleming, Kenneth Flamm, and Neil Thompson (MIT FutureTech, CSAIL), “How Much Progress Has There Been in NVIDIA Datacenter GPUs?” arXiv:2601.20115, January 2026. https://arxiv.org/abs/2601.20115
[20] MIT FutureTech, Research publications portal, Massachusetts Institute of Technology. https://futuretech.mit.edu/research
[21] Stanford Institute for Human-Centered Artificial Intelligence (HAI), “The 2026 AI Index Report,” April 13, 2026. https://hai.stanford.edu/ai-index/2026-ai-index-report
[22] Stanford HAI, “Inside the AI Index: 12 Takeaways from the 2026 Report,” April 2026. https://hai.stanford.edu/news/inside-the-ai-index-12-takeaways-from-the-2026-report
[23] Marcello Estevão, “AI Can Lift Global Growth,” IMF Finance & Development, March 2026. https://www.imf.org/en/publications/fandd/issues/2026/03/point-of-view-ai-can-lift-global-growth-marcello-estevao
[24] International Monetary Fund, “World Economic Outlook, April 2026: Global Economy in the Shadow of War,” April 14, 2026. https://www.imf.org/en/publications/weo/issues/2026/04/14/world-economic-outlook-april-2026
[25] World Bank Group, “Building Data Infrastructure for AI Readiness,” Results Brief, May 6, 2026. https://www.worldbank.org/en/results/2026/05/06/data-infrastructure-for-ai
[26] World Bank, “Digital Progress and Trends Report 2025: Strengthening AI Foundations,” December 2025. https://www.worldbank.org/en/publication/dptr2025-ai-foundations
[27] House Select Committee on the Chinese Communist Party, “House Committee Passes Chip Security Act,” March 26, 2026. https://chinaselectcommittee.house.gov/media/press-releases/house-committee-passes-chip-security-act
[28] U.S. Congress, H.R. 3447 — Chip Security Act, 119th Congress (2025–2026), bill text. https://www.congress.gov/bill/119th-congress/house-bill/3447/text
[29] House Select Committee on the Chinese Communist Party, “Protecting U.S. Tech: China Committee and Bipartisan, Bicameral Leaders Unite to Stop CCP AI Chip Smuggling,” December 2025. https://chinaselectcommittee.house.gov/media/press-releases/protecting-us-tech-china-committee-and-bipartisan-bicameral-leaders-unite-to-stop-ccp-ai-chip-smuggling
[30] Gregory C. Allen, “DeepSeek: A Deep Dive,” Congressional Testimony, Center for Strategic and International Studies (CSIS), April 2025. https://www.csis.org/analysis/deepseek-deep-dive
[31] Gregory C. Allen, “Mismatch of Strategy and Budgets in AI Chip Export Controls,” CSIS, December 2024. https://www.csis.org/analysis/mismatch-strategy-and-budgets-ai-chip-export-controls
[32] TechCrunch, “Singapore arrests alleged Nvidia chip smugglers,” March 3, 2025. https://techcrunch.com/2025/03/03/singapore-arrests-alleged-nvidia-chip-smugglers/
[33] The Diplomat, “Singaporean Police Seize $42M Bungalow in Nvidia Chip Smuggling Probe,” July 2026. https://thediplomat.com/2026/07/singaporean-police-seize-42m-bungalow-in-nvidia-chip-smuggling-probe/
[34] Fortune Asia (Bloomberg reporting), “Singapore probes potential fraud in Nvidia AI chip shipments,” March 3, 2025. https://fortune.com/asia/2025/03/03/singapore-probes-potential-fraud-in-nvidia-ai-chip-shipments/
[35] NVIDIA Corporation, CFO Commentary on First Quarter Fiscal 2027 Results, Form 8-K, U.S. Securities and Exchange Commission, May 20, 2026. https://www.sec.gov/Archives/edgar/data/0001045810/000104581026000051/q1fy27cfocommentary.htm
[36] NVIDIA Corporation, “NVIDIA Announces Financial Results for Fourth Quarter and Fiscal 2026,” Form 8-K, SEC, February 25, 2026. https://www.sec.gov/Archives/edgar/data/1045810/000104581026000019/q4fy26pr.htm
[37] USC Center on Public Diplomacy, “Silicon Statecraft and the Reconfiguration of Global Diplomacy,” University of Southern California, March 2026. https://uscpublicdiplomacy.org/blog/silicon-statecraft-and-reconfiguration-global-diplomacy
[38] CNBC (Squawk Box), “‘Chip War’ author Chris Miller on the battle of AI chip export controls,” December 12, 2025. https://www.cnbc.com/video/2025/12/12/chip-war-author-chris-miller-on-the-battle-of-ai-chip-export-controls.html
[39] CNBC, “Congress takes on Nvidia, White House as it pushes for chip export limits,” February 26, 2026. https://www.cnbc.com/2026/02/26/congress-pushes-back-on-nvidia-white-house-with-chip-export-limits.html
[40] Tech Times, “Taiwan Detains Super Micro Execs: Forgery Charges Fill $2.5B Export-Law Void,” July 4, 2026. https://www.techtimes.com/articles/319674/20260704/taiwan-detains-super-micro-execs-forgery-charges-fill-25b-export-law-void.htm
[41] The Register, “Trouble keeps finding Supermicro as strange server shipments attract police attention in Taiwan and Singapore,” July 2, 2026. https://www.theregister.com/legal/2026/07/02/trouble-keeps-finding-supermicro-as-strange-server-shipments-attract-police-attention-in-taiwan-and-singapore/5265520
[42] Introl, “BIS Export Policy Shift: H200 and MI325X Case-by-Case Review,” February 2026. https://introl.com/blog/bis-export-policy-h200-mi325x-china-case-by-case-2026
[43] CNBC, “Singapore charges one more individual with AI chip fraud,” April 2, 2026. https://www.cnbc.com/2026/04/02/singapore-charges-one-more-individual-with-ai-chip-fraud-.html
[44] Chris Miller, “Interview: Chris Miller, historian and author of ‘Chip War,’” Fletcher Russia and Eurasia Program, Tufts University. https://sites.tufts.edu/fletcherrussia/interview-chris-miller-historian-and-author-of-chip-war/
[45] NBC News, “Chips Security Act gains industry support: letter,” June 2026. https://www.nbcnews.com/tech/tech-news/chips-security-act-gains-industry-support-letter-rcna350500
[46] Gregory C. Allen, “Understanding the Biden Administration’s Updated Export Controls,” CSIS, December 2024. https://www.csis.org/analysis/understanding-biden-administrations-updated-export-controls
[47] Gregory C. Allen, “Choking off China’s Access to the Future of AI,” CSIS, October 2022. https://www.csis.org/analysis/choking-chinas-access-future-ai
[48] Fortune, “AI selloff: DeepSeek skeptics, Gavin Baker analysis of training-cost claims,” January 28, 2025 (companion coverage to [16]). https://fortune.com/2025/01/27/china-deepseek-ai-claims-true/



