FBI Arrests Three Silicon Valley Engineers for Stealing Google Trade Secrets and Transferring Data to Iran
The FBI arrested three Silicon Valley engineers yesterday following a federal grand jury indictment charging them with conspiring to steal trade secrets from Google and other leading technology companies — and allegedly transferring that confidential data to Iran. The case, prosecuted by the U.S. Attorney's Office for the Northern District of California, represents one of the most significant insider threat cases targeting American technology companies in recent memory.
Who Was Arrested
Samaneh Ghandali, 41, her sister Soroor Ghandali, 32, and Samaneh's husband Mohammadjavad Khosravi (also known as Mohammad Khosravi), 40, were all arrested on February 19, 2026. All three are residents of San Jose, California. They made their initial appearances before U.S. Magistrate Judge Susan van Keulen in federal district court in San Jose the same day.
The charges include conspiracy to commit trade secret theft, theft and attempted theft of trade secrets, and obstruction of justice — a combination that carries severe potential penalties. If convicted on all counts, each defendant faces up to 10 years per trade secret charge and up to 20 years for the obstruction of official proceedings count, along with fines of up to $250,000 per count.
What the Indictment Alleges
According to the indictment unsealed February 19, the defendants used their positions as engineers at major Silicon Valley technology companies to gain access to highly sensitive and confidential information focused specifically on mobile computer processors.
Both Samaneh and Soroor Ghandali worked at Google before transitioning to another technology company identified in the indictment as "Company 3." Khosravi worked at a separate firm identified as "Company 2." The family arrangement gave the trio access to confidential data across multiple companies simultaneously.
The alleged exfiltration method is telling from a security perspective. Rather than relying solely on conventional file transfers — which are increasingly monitored — the defendants allegedly transferred hundreds of files, including Google trade secrets, to a third-party communications platform using channels bearing each defendant's first name. This is a classic insider threat tactic: using legitimate, authorized communication tools to move data to locations outside the company's visibility.
The stolen materials reportedly included trade secrets related to processor security, cryptography, and other advanced technologies — areas with obvious implications for both commercial competitive advantage and national security.
The Cover-Up: Where It Gets Interesting
The obstruction elements of this case are arguably more instructive for security professionals than the initial theft. Once Google's internal security systems detected Samaneh Ghandali's suspicious activity and revoked her access in August 2023, the defendants allegedly shifted tactics dramatically.
Samaneh Ghandali signed a false affidavit claiming she had not shared Google's confidential information with anyone outside the company. Almost immediately after, she and Khosravi began searching online for how to delete communications and how long cell phone providers retain messages — including, according to the indictment, searching for information about "messages to print out for court."
Perhaps most operationally interesting: the defendants began manually photographing computer screens containing confidential documents rather than digitally transferring files. This approach was deliberate — designed to circumvent the DLP (data loss prevention) and file monitoring systems that had already flagged Samaneh's earlier activity. Photographing a screen produces no file transfer log, no clipboard event, no network traffic. It's a low-tech countermeasure to high-tech monitoring, and it's a technique security teams need to account for.
On the night before Samaneh Ghandali and Khosravi departed for Iran in December 2023, she allegedly photographed approximately 24 screens of Khosravi's Company 2 work computer containing trade secret information. Once in Iran, a personal device associated with Samaneh accessed those photographs, and Khosravi accessed additional Company 2 trade secret data.
The Iran Connection and National Security Implications
The transfer of cutting-edge processor security and cryptography research to Iran elevates this case well beyond a typical corporate espionage matter. Iran remains under extensive U.S. export controls and sanctions. Advanced semiconductor and processor technology falls squarely under export control restrictions, and the potential for this information to benefit Iranian government or military programs is a core concern.
U.S. Attorney Craig H. Missakian stated: "As alleged, the defendants exploited their positions to steal confidential trade secrets from their employers. Our office will continue to lead the way in protecting American innovation and we will vigorously prosecute individuals who steal sensitive advanced technologies for improper gain or to benefit countries that wish us ill."
FBI Special Agent in Charge Sanjay Virmani emphasized the insider threat dimension: "The alleged actions outlined in this indictment reflect a calculated betrayal of trust by individuals accused of stealing trade secrets from the very tech companies that employed them. According to the allegations, the method in which confidential data was transferred by the defendants involved deliberate steps to evade detection and conceal their identities."
The investigation was conducted by the FBI, with prosecution handled by the National Security and Special Prosecutions Section of the U.S. Attorney's Office for the Northern District of California.
Security Takeaways for CISOs and Security Teams
This case is a textbook insider threat scenario with several lessons that translate directly to enterprise security programs:
Insider threat is a family business risk. When multiple family members work across competing or related companies, the risk of coordinated data exfiltration increases significantly. Insider threat programs should flag and monitor for these relationship patterns, particularly where employees have access to sensitive IP.
Third-party communication platforms are a significant exfiltration vector. The defendants allegedly used a third-party messaging platform to stage stolen files. Organizations that haven't implemented controls around Telegram, Discord, Signal, WhatsApp, and similar platforms in corporate environments are leaving a major channel unmonitored.
Screen photography defeats most DLP. This is a well-known gap in data loss prevention programs, but it's one that few organizations have practical controls for. Options include physical security controls in sensitive areas, clean-desk policies, camera restrictions for high-sensitivity roles, and behavioral monitoring that looks for unusual hours of access or repeated access to sensitive documents without corresponding business activity.
Signed affidavits don't end the threat. Once Google revoked access and obtained a signed affidavit, the defendants allegedly continued accessing stored copies of the stolen data and began a parallel exfiltration operation using screen photography. The lesson: revocation of access is not the same as revocation of data already stolen. Incident response plans need to account for the reality that exfiltrated data may already be in motion before detection occurs.
Behavioral signals matter. Searches for "how to delete messages" and "how long does a carrier keep messages for court" are exactly the kind of behavioral signals that endpoint monitoring and UEBA (User and Entity Behavior Analytics) solutions should flag. Post-incident, these searches paint a damning picture; ideally, they'd be flagged in near-real-time.
Travel to sanctioned countries is a risk indicator. The defendants' December 2023 travel to Iran — accompanied by an alleged screen-photography exfiltration session the night before departure — underscores why many high-clearance organizations treat travel to certain countries as a mandatory security review trigger.
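The behavioral monitoring named in the screen-photography and travel takeaways above, sketched as an added example that is not part of the original article or the indictment. Photographing a screen leaves no transfer event, but the document views themselves still land in access logs. The log schema, thresholds, user names and travel record below are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WORK_START, WORK_END = 8, 19         # assumed local business hours
MIN_DOCS = 5                         # assumed threshold: distinct restricted docs per night
TRAVEL_WINDOW = timedelta(days=3)    # assumed look-ahead for declared travel

# Constructed sample log (not from the case): user, time, document, action, label
EVENTS = (
    [("eng_a", f"2024-03-04T23:{m:02d}", f"spec-{m}", "view", "restricted")
     for m in range(0, 48, 6)]                                  # 8 view-only opens at night
    + [("eng_b", f"2024-03-04T22:{m:02d}", f"rfc-{m}", a, "restricted")
       for m in range(0, 30, 5) for a in ("view", "edit")]      # late-night work with edits
    + [("eng_c", "2024-03-05T10:15", "spec-0", "view", "restricted")]
)
TRAVEL = {"eng_a": datetime(2024, 3, 6, 9, 0)}  # constructed declared-travel record

def off_hours(ts):
    return ts.hour < WORK_START or ts.hour >= WORK_END

def night_key(ts):
    # Shift early-morning events back so 19:00-07:59 counts as one night
    return (ts - timedelta(hours=WORK_START)).date()

def view_only_bursts(events, travel=None):
    """Alert on many restricted docs viewed off-hours with no edit or comment by that user."""
    travel = travel or {}
    viewed = defaultdict(set)    # (user, night) -> restricted docs viewed off-hours
    worked = defaultdict(set)    # user -> docs the user edited or commented on
    last_seen = {}               # (user, night) -> time of the latest off-hours view
    for user, stamp, doc, action, label in events:
        ts = datetime.fromisoformat(stamp)
        if action in ("edit", "comment"):
            worked[user].add(doc)
        elif action == "view" and label == "restricted" and off_hours(ts):
            key = (user, night_key(ts))
            viewed[key].add(doc)
            last_seen[key] = max(ts, last_seen.get(key, ts))
    alerts = []
    for (user, night), docs in sorted(viewed.items()):
        unexplained = docs - worked[user]        # views with no matching business activity
        if len(unexplained) < MIN_DOCS:
            continue
        depart = travel.get(user)
        soon = (depart is not None
                and timedelta(0) <= depart - last_seen[(user, night)] <= TRAVEL_WINDOW)
        alerts.append({"user": user, "night": night.isoformat(),
                       "docs": len(unexplained), "severity": "high" if soon else "medium"})
    return alerts
```

Run against the constructed log, only eng_a is flagged, and the declared departure inside the look-ahead window raises the alert from medium to high.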
What Comes Next
The defendants are scheduled to continue appearing in court as the case proceeds. They are presumed innocent until proven guilty. The case will be prosecuted by the National Security and Special Prosecutions Section, signaling that the government views this as a national security matter, not merely a corporate IP dispute.
For the broader tech industry, the case is a reminder that the most sophisticated persistent threat in Silicon Valley isn't always an external nation-state actor — sometimes it's the engineer sitting three desks away.
Read the full DOJ press release at: https://www.justice.gov/usao-ndca/pr/silicon-valley-engineers-charged-stealing-trade-secrets-leading-tech-companies-and
Note: All defendants are presumed innocent until proven guilty beyond a reasonable doubt.