Insider Risk: Theft of Trade Secrets Nets Thief Six Months

An interesting case of insider risk wrapped up recently in the Federal District Court in Massachusetts when U.S. Senior District Court Judge William G. Young handed down a lenient sentence to Haoyang Yu. Yu, a former employee of semiconductor company Analog Devices Inc (ADI), was convicted of stealing ADI’s designs and then forming his own competing company, Tricon MMIC LLC.

The Department of Justice reported that, “In all, before his arrest, Yu manufactured about 10,000 chips built with stolen ADI property and grossed about $235,000.”


Yu was originally indicted in June of 2019, subsequently found guilty by a jury in May 2022 and sentenced in June 2023. Judge Young sentenced Yu to six months in prison and three years of supervised release, and levied a fine of $55,000 and an undetermined amount of restitution. The Department of Justice had requested 30 months in prison for Yu.

US Department of Justice Optics

In a post-sentencing statement, acting United States Attorney Joshua S. Levy noted the level of effort required to prosecute Yu.

“This prosecution demonstrates the Department of Justice’s commitment to protecting the integrity of the semiconductor market, as this technology plays a critical role in both our country’s industrial policy and geopolitical strategy. Mr. Yu stole intellectual property from his employer, plain and simple, and used that pilfered information to line his own pocket,” Levy said. “I commend the work of the Department of Commerce, the Department of Homeland Security, the FBI, and the Naval Criminal Investigation Service in their dedicated work to the investigation and prosecution of this matter.”

If insider risk managers were hoping that the book would be thrown at Yu, well, they’re likely disappointed. In this case, it appears the book sailed out the window and the opportunity to send a message of deterrence was squandered. That said, the Yu saga provides valuable lessons about insider risk and insider threat management.

Why Have an Insider Risk Program?

This case is a prime example of why a company should have an insider risk management program.

Let’s dig in.

Yu worked at ADI from July 2014 to July 2017 as a principal design engineer, designing and developing monolithic microwave integrated circuits (MMICs). As the principal designer, he had access to the development environment, which included schematics, design layout, modeling files, manufacturing and fabrication process files and testing procedures.

In March 2017, prior to his departure from ADI, he quietly formed Tricon. The original 2019 indictment tells us that the company was an “integrated circuit design and service … specialize[ing] in wide band MMIC amplifiers … defense and aerospace, test and instrumentation [and] satellite communications.”

Yu wasn’t sophisticated, but he was efficient. He copied ADI files to his private Google Drive and absconded with designs for more than 20 separate products worth millions of dollars. The DoJ sentencing document said, “he amassed a multi-million-dollar microchip library accessible from his kitchen table.”

When he left ADI in July 2017, he signed an attestation acknowledging he had “surrendered all proprietary information or data to ADI.” He lied. As evidence of his lack of sophistication, he used the same foundry in Taiwan used by ADI to produce Tricon’s chips.

From August 2017 through the indictment of 2019, Yu maintained status as a cleared U.S. defense contractor while surreptitiously and fraudulently exporting controlled technologies abroad.

The victim, ADI, didn’t know they had lost their intellectual property until they found themselves competing against their own designs and seeing their revenue decrease. From theft to sentencing, ADI spent six years, paid the expenses necessary to prosecute and continues to compete against its own designs in the marketplace. If that doesn’t convince you that you need to have an insider risk management program to avoid this scenario, I am not sure what will. And remember: The Taiwanese foundry didn’t take note and alert ADI that their designs also were being fabricated by Tricon. Would your vendor tell you if that happened to you?

This case should serve as a cautionary tale and remind you that it’s important to invest in protecting intellectual property and to put in place appropriate checks and balances to avoid finding your product in the marketplace with another company’s name on it.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
