What just happened? TP-Link, still the most popular router brand in the US, is being sued by the state of Texas over allegations that it allowed state-sponsored Chinese hacking groups to access its devices. The company has been under the spotlight for years now over its claimed ties to Beijing as some lawmakers call for a US sales ban.
Texas Attorney General Ken Paxton first opened an investigation against TP-Link in October 2025. He wrote that the company was potentially aiding the Chinese government in accessing and abusing American consumers' data.
Now, Paxton has launched a lawsuit against TP-Link over claims it is deceptively marketing its networking devices and allowing the Chinese Communist Party to access American consumers' devices in their homes.
"Despite its claims of privacy and security, TP Link's products have been used by People's Republic of China's ("PRC") state-sponsored hacking entities to launch multiple cyber-attack operations against the United States," Paxton wrote.
TP-Link, founded in 1996 by brothers Zhao Jianjun and Zhao Jiaxing, established its US arm in 2008 to handle marketing and support in North America, though ownership and operations remained tied to its Shenzhen-based parent.
In 2024, TP-Link USA merged with the company's non-Chinese operations to form TP-Link Systems Inc., headquartered in Irvine, California – a move intended to create an "organizational separation," with distinct ownership, governance, R&D, and supply chains on each side.
But Paxton isn't convinced that the separation is clear enough. The AG's lawsuit states that TP-Link's ownership and supply-chain are tied to China, meaning the company is subject to the Asian nation's national data laws. These require companies to comply with requests from Chinese intelligence agencies to divulge Americans' data.
Paxton also takes aim at TP-Link placing "Made in Vietnam" stickers on all of its products, alleging that nearly all of the components found inside its devices are imported from China.
"TP-Link omits material facts to deceive consumers into thinking its Vietnamese-assembled products are unaffiliated with China. The reality is that TP-Link continues to operate its supply-chain deep inside of China, with China's support, and through Chinese exports," the complaint alleges.
There are also accusations of TP-Link violating Texas laws by engaging in "false, misleading, and deceptive trade practices." Texas Governor Greg Abbott prohibited state employees from using TP-Link products in January.
Paxton is calling for fines against TP-Link. He also says it should no longer be allowed to use the "Made in Vietnam" labelling, but instead show the Chinese origins of its products.
The company's routers have a history of vulnerabilities: a CVSS-10 flaw hit the Archer C5400X in May 2024, and 2023 reports tied Chinese state actors to custom malware installed on TP-Link routers. The latter incident arrived soon after the US government said Mirai Botnet operators were using TP-Link routers for DDoS attacks.
In October 2024, Microsoft exposed "CovertNetwork-1658," a Chinese-run botnet siphoning credentials from Azure since August 2023 via password-spray attacks. The network marshalled 16,000 hijacked SOHO routers, cameras and other IoT nodes – chiefly TP-Link models.
Republican lawmakers urged the Commerce Department to ban sales of TP-Link products last May. The move came several months after investigations were opened into the firm over national security concerns. The company's pricing strategies are also under the spotlight.
According to Reuters, the Trump administration paused plans to ban the company's routers in early February, just before President Donald Trump and President Xi Jinping met.
TP-Link responded to the lawsuit with the following statement:
The claims made by the Texas Attorney General's office are without merit and will be proven false. TP-Link Systems Inc. is an independent American company. Neither the Chinese government nor the CCP exercises any form of ownership or control over TP-Link, its products, or its user data. TP-Link's founder and CEO, Jeffrey Chao, resides in Irvine, CA, and is not and never has been a member of the CCP. To ensure the highest level of security, our core operations and infrastructure are located entirely within the United States, and all U.S. users' networking data is stored securely on Amazon Web Services servers. We will continue to vigorously defend our reputation as a trusted provider of secure connectivity for American families.