When Jeffrey Chao was studying for his master’s in computer science in the early 1990s, he would sometimes spend so many hours in the lab that he would return to a locked dormitory. After climbing through his dorm room window at 2 a.m., Chao, who was then at Shanghai Jiao Tong University, would wake up at 8 and do it all again.

It was the beginning of a journey that led to the establishment of TP-Link, originally a Shenzhen-based manufacturer of computer networking equipment. The company would grow to become one of the world’s biggest makers of consumer routers used to connect households all over the world to the internet.

With success, however, has come suspicion. Chao must now convince the U.S. government, in a hostile geopolitical climate, that the internet routers made by TP-Link do not pose a risk to American national security. To do so Chao has taken a novel approach, moving the company’s headquarters, and his family, from China to California.

“He would sit there and show us plans on how he was moving here with his family and taking over the new U.S. business,” says Josh Kimnach, who worked in sales at TP-Link until 2024. He recalls Chao saying: “‘We are going to take all of the decisions that were being handled back at the manufacturer and headquarters, and they’ll be now made here in the U.S.’”

Over the past five years, Chao, 57, has split TP-Link from its corporate sister in Shenzhen, which is run by his older brother Cliff. TP-Link moved its headquarters to Irvine, California, in 2024 and restructured so that its parent firm is a Delaware LLC. TP-Link has also hired hundreds of people in the United States, though it still employed more than 10,000 workers in China as of last year. Jeffrey himself is seeking U.S. citizenship.

The moves have been controversial in Washington. Multiple federal agencies, including the Department of Commerce, have investigated TP-Link, according to people familiar with the matter.

The state of Texas is suing the company over concerns about its ties to China, while Florida has subpoenaed it for similar reasons. In March, the Federal Communications Commission banned the import of future models of all foreign-made consumer routers, citing national security risks.

The measure imperils TP-Link’s future in the United States, where analysts estimate that it controls the largest share of the market. The company has a smaller share of the business and government market segments, which were not covered by the FCC’s ban. 

“Although the language in the [FCC’s] determination is country-agnostic, the evidence clearly shows which foreign country has dominated the consumer-grade router market to date and poses an unacceptable risk to U.S. critical infrastructure security,” Senator Jim Risch (R-ID), who chairs the Senate Foreign Relations Committee and has called for a ban on U.S. sales of TP-Link products, told The Wire China. 

TP-Link is adamant that its routers do not pose any national security risks. In an emailed reply to questions, a company spokesperson said that “virtually all consumer-grade routers are made outside the United States … the entire router industry will be impacted by the FCC’s announcement.” The company did not make Jeffrey Chao available for an interview. 

The FCC rule illustrates how the Trump administration is still targeting firms with China links on national security grounds, even as it takes a softer approach to the country than many hawks had hoped. It also shows how corporate restructurings can prove insufficient to dispel worries about Beijing’s control over companies founded in China.

“The Chinese government is not interested in releasing control of their diaspora just because they incorporated a Delaware LLC,” says Dakota Cary, a consultant at cybersecurity firm SentinelOne. “I don’t think it does anything to allay concerns.”

For TP-Link, the scrutiny amounts to the most significant test in its 30-year history: can it overcome Washington’s fears about Chinese technology, or has its American makeover been all for naught? 

FROM HARDWOODS TO HARDWARE

Born to a farmer during the Cultural Revolution in Tongcheng, a small city in China’s eastern Anhui Province, the brothers Chao did not appear destined to become computer hardware moguls. But when their father pivoted from farming to selling timber, Jeffrey caught the bug for business, he recalled in a profile published by his Shanghai alma mater.

Before he even began college, at the prestigious Hefei University of Technology in Anhui’s capital, Jeffrey had decided to major in computer science. 

After graduating with his master’s in 1992, Chao moved to Shenzhen. The next year, he started a business trading computers and made 300,000 yuan in six months, a small fortune at the time, especially for an aspiring twenty-something entrepreneur. But after he lost much of his cash in a deal that went awry, Chao said in the profile, he left the business with the desire to start over. 

The Chinese government is not interested in releasing control of their diaspora just because they incorporated a Delaware LLC. I don’t think it does anything to allay concerns.

Dakota Cary, a consultant at cybersecurity firm SentinelOne

He invested what he had left in research and development of network cards, relatively simple pieces of hardware that help connect computers to the internet. In 1996, Jeffrey convinced his older brother to join him in starting a new company that would develop products to connect computers to the internet, which was then in its infancy. The Chao brothers christened their start-up TP-Link.

Their timing was perfect. In 1997, just 620,000 Chinese had used the internet, according to government statistics. Within two decades, China had 731 million internet users. 

TP-Link became one the largest players in its market. At the end of 2007, the company promoted itself as the “largest manufacturer of home and small / medium business networking products in China.” 

Jay Goldberg, an equity research analyst who covers the router industry, says TP-Link began as “one of a zillion of these companies” making so-called home routers. “Everyone knew them as the low-cost competitor.”

Between September 2006 and April 2007, TP-Link acquired 125,000 square meters of land — equivalent to around 23 football fields — to build two new factories in Shenzhen’s Guangming District, municipal records show. The new space would help the company expand abroad.

In 2008, TP-Link founded a subsidiary in California. Jeffrey moved to Hong Kong that year and was granted permanent residency status in the territory in 2015, according to the company spokesperson. 

On the side, he acquired two golf courses in England, UK corporate records show.

Jeffrey would go on to lead TP-Link’s international expansion while Cliff focused on the China market. The year 2021 would prove to be an annus mirabilis and horribilis for the company. By then its international sales had eclipsed its China sales. But the two brothers also went through an acrimonious split and began a multi-year process to divide the company.

Chao began showing up more often in the U.S. shortly thereafter, according to Kimnach, who says that he was let go after refusing to travel for work because his wife was gravely ill. (The TP-Link spokesperson said the company has policies “intended to allow our employees to care for and support their loved ones during medical emergencies or grave illnesses.” She declined to comment on individual cases, citing privacy concerns.)

Between 2019 and 2025, TP-Link’s share of the U.S. market for consumer routers grew from 10 percent to more than 60 percent, Rob Joyce, a former cybersecurity director at the National Security Agency, said in Congressional testimony last year. (On its website, TP-Link claims a North American market share of less than 10 percent in 2024 after factoring in routers given to consumers by internet service providers such as AT&T and Verizon. The TP-Link spokesperson cited a study showing a similar share.)

Meanwhile, hawks in Washington — pointing to Chinese hacking groups such as Volt Typhoon and Chinese laws that could require private companies to aid government intelligence operations — ramped up efforts to target TP-Link and other China-founded network firms. 

In his testimony, Joyce called for “eliminating TP-Link’s footprint from our nation.

“This is a threat we cannot ignore,” he added. “We cannot have the software for these prolific devices [routers] be written, updated, and controlled by a Chinese company.”

TP-Link has accused Joyce of publishing “false and misleading statements” on behalf of one of its American rivals, Netgear, which it is suing. TP-Link’s attorneys wrote in court filings that Netgear has “sought to expand its market share by capitalizing on anti-Chinese sentiment and fear of cyberattacks.” 

In response, Netgear’s attorneys wrote that TP-Link is engaged in a “futile effort to quell widespread media coverage and U.S. government scrutiny of its links to the People’s Republic of China and the implications of those ties on TP-Link’s business and market practices.” 

A lawyer for Netgear declined to comment, citing the ongoing case. Joyce did not respond to requests for comment. 

ENTER THE FCC

When Brendan Carr, then an FCC commissioner, arrived at Montana’s Malmstrom Air Force Base in 2019, he was surprised that beyond the wheat fields lay cell towers powered by Huawei equipment. Carr was promoted to head the agency by President Trump last year. 

“It’s not hard to see the threat that companies like Huawei and ZTE pose to our networks and to our national security,” Carr said in 2019. “Even a small amount of compromised equipment could be devastating.

“At the FCC, we are in a position to do something about this threat,” he added.

As an FCC commissioner, Carr spearheaded policies to “rip and replace” Huawei infrastructure from U.S. telecom networks — even as some remote communities had grown reliant on the company for internet connectivity. 

At the same time, the FCC began deploying a newly created tool known as the Covered List. Conceived during the first Trump administration, the list allows the FCC to enforce restrictions against companies, or their products, deemed threats to U.S. national security.

China was a focus from the start. In 2021, the Biden administration published the Covered List for the first time. It included equipment made by Huawei, ZTE and three other Chinese firms.

TP-Link was not on the initial list and was not owned by the Chinese government or any state entities. Jeffrey and Cliff each held 48.75 percent of it, according to corporate records accessed through WireScreen. 

In May 2024, the brothers finalized their corporate divorce. Cliff took his brother’s stake in the newly renamed TP-Link Technologies, focused on the China market, leaving him with more than 97 per cent of the company. Jeffrey took TP-Link Systems, which moved its headquarters to Irvine and named him as chief executive. (In this article, TP-Link refers only to TP-Link Systems.)

Three months after this reorganization, the House Select Committee on China called on the Commerce Department to investigate TP-Link, citing the “demonstrated willingness” of the Chinese government to “sponsor hacking attempts against the United States.”

The Commerce Department — which was concerned about potential surveillance of Americans as well as the possibility that routers could be weaponized in mass cyber attacks — subpoenaed TP-Link in December 2024, and last year an office within Commerce submitted an “initial determination” that would have recommended a ban on the company’s products to Jeffrey Kessler, Undersecretary of Commerce for Industry and Security, according to people familiar with the matter. (Such decisions do not always result in bans if the government and company come to terms on a mitigation agreement.)

The decision posed a challenge for the Trump administration, which is currently seeking to maintain a delicate trade truce with Beijing. Officials are worried about China’s ability to cripple U.S. industry by rolling out extensive export controls on rare earths, as it did last year. Kessler sat on the initial determination, and later privately expressed concern about upsetting the detente, according to a person familiar with the matter.

The TP-Link spokesperson said the company has not been informed of any initial determination and noted that “no one has produced any evidence” that its products pose a security threat.

In a similar instance, the Commerce Department sent a rule targeting Chinese drone companies to an interagency review process last fall, only for it to be paused after the Trump-Xi meeting in South Korea last October and later withdrawn, according to the person familiar with the deliberations.

When a company like TP-Link sues the U.S. government and sues the FCC, that’s where the rubber will meet the road.

Jack Burnham at the Foundation for Defense of Democracies

The Commerce Department’s Bureau of Industry and Security did not respond to requests for comment.

The FCC, however, has pressed ahead and instituted de facto import controls on Chinese tech firms, albeit without naming China specifically. The FCC declined to comment for this story.

“The Communist Party of China is engaged in a multi-prong effort to insert insecure devices into Americans’ homes & businesses,” Carr wrote on X last year.

In December, the FCC announced that it would add all foreign-manufactured drones to the Covered List. The Trump administration then made exceptions for several non-Chinese companies to continue exporting drones to the U.S. from abroad. It has not done the same for industry leader DJI and other Chinese firms.

The FCC is using the same tactic for routers. In March, the agency added all foreign-made routers to the Covered List. A month later, the Trump administration issued its first “conditional approvals,” to U.S. firms Netgear, Adtran and Amazon-owned Eero, allowing them to continue to sell foreign-made routers in the U.S. TP-Link has not been granted a waiver.

The Covered List “has undergirded…almost all of our national security initiatives,” Zenji Nakazawa, head of the FCC’s Public Safety and Homeland Security Bureau, said at an event hosted by the Hudson Institute last month. By using the list, Carr has “injected rocket fuel into the veins of this whole process,” Nakazawa said.

In a research note, analysts at investment bank Raymond Jones wrote that the routers measure “reflects the administration’s attempt to apply calibrated pressure on Beijing and preserve leverage ahead of the rescheduled Trump-Xi meeting without triggering a serious response that a named TP-Link ban would likely provoke.”

The FCC passed both the routers and drones rules with the support of the White House, according to two people familiar with the matter.

The FCC, however, does not have the authority to decide which companies or classes of technology to add to the Covered List itself. Instead it must rely on a national security determination made by another agency. It cannot even grant waivers to the list’s requirements — that is done by the Defense Department and the Department of Homeland Security. But it does have the regulatory power to enforce the list — and it is now flexing that muscle.

“The FCC traditionally didn’t view itself as a national security expert,” says Loyaan Egal, a former FCC enforcement chief. “That’s changed now.”

The FCC’s enforcement cudgel is a blunter weapon than those wielded by the Commerce Department. Whereas Commerce can negotiate binding mitigation agreements, the FCC cannot. But it can reverse-engineer them. For example, the FCC can take a broad view of production that would require, say, a company to design routers in the U.S.

Chinese companies are already challenging the FCC’s actions in the courts. DJI has hired a former chief of the FCC’s enforcement bureau to sue the agency in federal court over its drone order.

“When a company like TP-Link sues the U.S. government and sues the FCC, that’s where the rubber will meet the road,” says Jack Burnham at the Foundation for Defense of Democracies, a think tank with a hawkish stance toward China. 

CHINESE OR AMERICAN?

If TP-Link has any chance at winning “conditional approval” for its consumer routers, it will likely have to convince regulators that it has, as Chao has said, “chosen the U.S.” over China.

The company has transformed its corporate structure. As part of the ongoing suit against its rival Netgear, the firm disclosed that it is owned, through a subsidiary, by Delaware-incorporated JH-1 Zhao Holdings LLC. (Chao’s Chinese name is Zhao Jianjun.)

Limited liability companies registered in the state do not have to disclose their directors or shareholders, and TP-Link did not respond to questions about JH-1 Zhao Holdings. On its website, the company says that Chao and his wife, Jin Hong, are TP-Link’s sole owners. 

Last year, TP-Link’s lobbyists disclosed that the company was owned by Chao and Jin Hong.

TP-Link still has far more employees in China, where it has a Shenzhen R&D hub and three manufacturing centers, than in the U.S. As of January 2025, the company employed 13,165 people in China, according to a company sustainability report. The TP-Link spokesperson said it has 550 employees in California.

TP-Link says on its website that it has made products for the U.S. market in Vietnam since 2018. Court filings, however, suggest that its primary manufacturing base continued to be China until far later. 

In a suit against patent licensing firm Atlas Technologies, which a federal appeals court in Washington is currently hearing, TP-Link disclosed that its Chinese subsidiary, Shenzhen-based Lianzhou International, was still manufacturing products in China for the U.S. market at least until 2021. Lianzhou International in turn sold those products to TP-Link’s Hong Kong subsidiary, which forwarded them to the company’s office in Irvine. The filing from the Atlas suit does not mention Vietnam.

“TP-Link Hong Kong completes the sale and delivery of products to TP-Link USA in either Hong Kong or mainland China,” TP-Link’s attorneys wrote. “The products are then shipped to TP-Link USA’s California address.” 

The TP-Link spokesperson said that all of the company’s U.S.-bound products have been made in Vietnam since last year.

Corporate documents suggest TP-Link continues to do far more overall manufacturing in China than in Vietnam, however. The company had 2,106 employees at its Vietnam manufacturing center as of January 2025, compared to 8,866 at its manufacturing centers in China, according to its sustainability report.

A state-supported industry group in Guangdong Province, which includes Shenzhen, listed Lianzhou International as among the province’s top 60 manufacturing enterprises by revenue in 2024. Lianzhou generated more than $1.3 billion, according to the report. 

The TP-Link spokesperson declined to disclose the company’s U.S. revenues.

Two former TP-Link employees told The Wire that the company’s U.S. operations are still closely integrated with those in China. Kimnach, the former TP-Link sales manager, recalls plans to bring engineers over from China.

Let’s say they are founded in the U.S. by a U.S. citizen and they then set up their manufacturing in China through PRC-connected facilities, as opposed to a company founded by a Chinese citizen who sets up his company in the United States and purposely chooses not to manufacture in China. Which company is the better company?

Greg Guice, a TP-Link lobbyist and former FCC official

Another former U.S.-based TP-Link employee, who left the company last year and asked not to be named, said that his hiring involved a recruiter who said that the firm “tried to hire and get visas for engineers from the sister company in China but were having a lot of trouble.”

The TP-Link spokesperson did not comment on the second employee’s claim about possible visa issues.

According to the second employee, U.S. and Chinese engineers worked on shared code repositories that were originally developed in China: “The folks in China were pushing code to the repositories and we would pick up the latest changes.

“TP-Link U.S. was still very much connected to TP-Link in China while I was there,” the person added. “Direction still seemed to come from China.”

The company spokesperson said that TP-Link is directed from its Irvine headquarters. “All core product and data security functions across TP-Link Systems are overseen by a U.S.-based information security team, with clear accountability to U.S. leadership.”

TP-Link has also adopted the American way of doing business in Washington. It spent $1.85 million lobbying last year, according to OpenSecrets, nearly five times as much as it did in 2024. Netgear, by contrast, spent $260,000 last year, the same amount as it did in 2024.

In April, Greg Guice, a TP-Link lobbyist and former FCC official, met with staffers for Carr and the two other FCC commissioners, regulatory filings show. During the meetings, the company said that it plans to apply for “conditional approval” and that it is investing hundreds of millions of dollars in the U.S. to design and manufacture its routers domestically.

Guice told The Wire that the staff “did seem to understand our points that the ban has the potential to harm competition in the market and effect innovation.”

He argues that TP-Link’s strategy is good for the U.S. “Let’s say there is one company founded in the U.S. by a U.S. citizen and they then set up their manufacturing in China through PRC-connected facilities, as opposed to a company, like TP-Link, that is founded by a Chinese citizen who sets up his company in the United States and purposely chooses not to manufacture in China,” he told The Wire. “Which company is the better company?”

THE RIGHT FIX?

In May 2023, the Israeli cybersecurity firm Check Point Research detected a pattern in a series of cyberattacks on European embassies and diplomats. The common vector, its researchers said, was a backdoor in routers made by TP-Link. The perpetrator was a Chinese state-sponsored hacking group dubbed “Camaro Dragon.” 

“The router was a stepping stone,” says Itay Cohen, lead author of Check Point’s report. 

A congressional committee, the Texas Attorney General, and several others have since cited the hack as evidence of alleged vulnerabilities in TP-Link routers.

Cybersecurity researchers agree that routers, which sit at a network’s entry point, or “edge,” are tempting targets for intruders. In April, intelligence and law enforcement agencies in the U.S. and its Five Eyes allies (Canada, the UK, Australia and New Zealand) warned that Chinese state-sponsored hackers had developed “covert networks” that primarily exploited consumer routers. Weeks earlier, the U.S. Department of Justice and the UK’s National Cyber Security Centre accused Russian military intelligence of exploiting vulnerabilities in thousands of TP-Link routers to steal sensitive information.

The TP-Link spokesperson said all of the router models referenced by the U.S. and UK authorities had reached the end of their service lives several years ago and that the company has developed security updates for older models.

Many cybersecurity researchers are skeptical that banning TP-Link or any other router maker will deter sophisticated hackers, who have plenty of targets to choose from. In 2023, U.S. authorities found that Volt Typhoon, another Chinese state-sponsored hacking group, had infiltrated consumer routers made by Cisco and Netgear.

In targeting TP-Link, says Cary at SentinelOne, the U.S. is “choosing [a] simple, anti-competitive policy instead of doing the hard work of creating a process for evaluating foreign technologies for their security risks, mitigating those risks, and then facilitating competition in the market.

“The policies that we’re choosing to enact really fail to even address the security concerns.”

Indeed, the FCC’s rule only applies to consumer routers and not those used by businesses or the government. TP-Link is not a big player in the latter two market segments.

The FCC rule also applies only to new models and allows for TP-Link and other manufacturers to continue selling new models in the U.S. so long as they are made domestically.

To Willy Shih, an expert on global tech supply chains at Harvard Business School, the FCC rule “highlights the challenges in coming up with something that’s very coherent when you’re trying to shut out just one player.”

For its part, the FCC says that allowing routers produced abroad to “dominate the U.S. market” creates “unacceptable” risks, such as surveillance and unauthorized access to government networks. The agency said foreign-made routers had played a role in Chinese cyberattacks on U.S. critical infrastructure.

Yet researchers argue that making routers in the United States, as the FCC now requires, does not adequately address cybersecurity risks such as default passwords and software that is rarely updated. 

“A router made in Ohio with default credentials and outdated firmware is just as exploitable as one made in Shenzhen,” says Eugenio Benincasa, a cybersecurity researcher at ETH Zurich in Switzerland.

The home router, the thing sitting in everyone’s living room, is one of the most neglected parts of our collective cybersecurity posture. Until we fix that, the problem is not going anywhere, regardless of whether the box was made in China or the U.S.

Itay Cohen, former research lead at cybersecurity firm Check Point Research

Others counter that making routers in the U.S. at least reduces the risk that backdoors have been installed during the manufacturing process.

If Beijing directs Chinese companies to create backdoors, they may have no choice but to comply, says Chris McGuire, a senior fellow at the Council on Foreign Relations. “The exploitation risk is so high.”

Some observers cite the possibility that Chinese companies will report vulnerabilities to the government before patching them. China’s Cyberspace Administration, Ministry of Public Security and Ministry of Industry and Information Technology issued a joint rule in 2021 requiring companies to report vulnerabilities within two days of their discovery. Research by Cary suggests that information on some of those vulnerabilities is shared with the Ministry of State Security, China’s foreign intelligence service. The U.S. government has in turn accused the MSS of directing hacking campaigns against federal agencies and U.S.-based Chinese dissidents. 

Like all companies in China, TP-Link’s local subsidiaries have to comply with Chinese law. As part of its legal battle with Atlas Technologies, the firm’s Shenzhen-based subsidiary, Lianzhou International, cited China’s data security law as a reason for withholding documents during the discovery process, court filings show.

The TP-Link spokesperson said that “the Chinese government has not and cannot enlist TP-Link in cyberattacks.” She added that the U.S. headquarters oversees “the security of our products at every stage of development and manufacturing” and that no government has “access to or control over the design and production of our products.”

Until all router makers improve cybersecurity protections, Beijing’s hackers likely won’t need help from TP-Link — or anyone else. “Singling out one vendor is missing the forest for the trees,” says Cohen, who discovered the vulnerability in TP-Link routers in 2023.

“The home router, the thing sitting in everyone’s living room, is one of the most neglected parts of our collective cybersecurity posture,” he adds. “Until we fix that, the problem is not going anywhere, regardless of whether the box was made in China or the U.S.”

---