Texas sues TP-Link over Chinese hacking risks, user deception

Source: Bleeping Computer

Lawsuit details

Texas sued networking giant TP‑Link Systems, accusing the company of deceptively marketing its routers as secure while allowing Chinese state‑backed hackers to exploit firmware vulnerabilities and access users’ devices. The complaint follows an investigation launched in October and cites a PDF of the lawsuit itself.

Allegations

• TP‑Link allegedly misled buyers by labeling its products “Made in Vietnam” while sourcing nearly all components from China.
• Under Chinese law, companies with Chinese supply‑chain ties can be compelled to cooperate with government intelligence requests and hand over user data.
• The suit points to a history of security failures, including firmware vulnerabilities exploited by Chinese hacking groups and the company’s routers being used in a large‑scale credential‑theft botnet later linked to password‑spray attacks.

Attorney General statement

“This week, my office is launching a coordinated series of actions against CCP‑aligned companies to send a clear message that in the Lone Star State we will always put Texas and America First,” said Texas Attorney General Ken Paxton.
“TP‑Link will face the full force of the law for putting Americans’ security at risk. Let this serve as a clear warning to any Chinese entity seeking to compromise our nation’s security.”

“Despite its claims of privacy and security, TP‑Link’s products have been used by People’s Republic of China’s (PRC) state‑sponsored hacking entities to launch multiple cyber‑attack operations against the United States,” Paxton added.

“With nearly all of its products’ parts imported from China, TP‑Link’s deliberate deception towards Texans regarding the nationality, privacy, and security capabilities of its networking devices is not just illegal—it is also a national security threat that enables the secret surveillance and exploitation of Texas consumers.”

Security findings

• As reported by Microsoft, the botnet (tracked as Quad7, CovertNetwork‑1658, or xlogin) was built from hacked home and small‑business routers—primarily TP‑Link devices—and operated by Chinese threat actors. See the Microsoft article (Oct 2024).
• The Cybersecurity and Infrastructure Security Agency (CISA) currently lists half a dozen TP‑Link security flaws in its catalog of known‑exploited vulnerabilities: CISA catalog.

TP‑Link response

A TP‑Link spokesperson was not immediately available for comment. The company told The Record that the allegations are “without merit”, asserting that neither the Chinese government nor the Chinese Communist Party (CCP) exercises control over the company, its products, or user data. TP‑Link also stated that all U.S. user data is stored on domestic Amazon Web Services servers. (The Record article)

Government actions

• Federal agencies have previously flagged actively exploited flaws in TP‑Link hardware.
• In December 2024, the U.S. government was reportedly considering banning TP‑Link routers, with the Departments of Justice, Commerce, and Defense investigating the issue and at least one Commerce Department office having subpoenaed the company. (BleepingComputer report)
• In December 2025, the Texas Attorney General sued five major television manufacturers (Sony, Samsung, LG, Hisense, and TCL) for allegedly collecting user data via Automated Content Recognition (ACR) technology. (BleepingComputer article)