Over the last several months, the United States has pursued criminal cases against foreign infiltrators in an effort to protect U.S. national and economic security. Jinchao “Patrick” Wei, a naturalized citizen and United States Navy sailor, was sentenced to 16 years in January following an August 2025 trial for espionage and conspiracy, for providing photos and other information related to the defensive weapons aboard the USS Essex to Chinese intelligence. In November 2025, a former engineer at a Southern California company and dual U.S. and Chinese citizen was sentenced to just under four years in prison for stealing trade secrets and technologies developed by his employer for the U.S. government to support missile defense, including the detection of nuclear missile launches, the tracking of ballistic and hypersonic missiles, and allowing U.S. fighter jets to evade heat-seeking missiles. Finally, late last month, the U.S. Attorney’s Office for the Northern District of California issued grand jury subpoenas into allegations of spying and trade secret theft arising from a lawsuit between two U.S.-based human resource (HR) technology companies, in which one firm is accused of planting an employee to spy on its competitor.
The ongoing legal dispute between the HR technology companies Deel and Rippling features allegations of a strategic, systematic corporate espionage scheme that ran for several months. The lawsuit has significant national security implications. For example, both companies manage global workforce data, including payroll and personal identifying information (PII) of clients’ employees spread worldwide. As discussed below, the matter also highlights the vulnerabilities of modern critical data infrastructure, and the potential susceptibility of cloud-based human-capital management systems to infiltration and human manipulation. There are several reasons to pay attention to these cases as they wind their way through the civil and criminal processes. Importantly, there are lessons to be learned for those preparing to engage with the Committee on Foreign Investment in the United States (CFIUS) in advance of a transaction or in connection with a mitigation agreement.
Rippling vs. Deel
Some background on the Rippling – Deel lawsuit to set the scene. According to his affidavit, Keith O’Brien was hired by Rippling in 2023, in its global payroll and compliance department in Dublin. In March 2024, O’Brien applied for a similar role at Deel that he had identified on LinkedIn, but he was not given an offer. Also on LinkedIn, he connected with Deel’s founder and chief executive officer, Alex Bouaziz, and sought feedback on his rejection. Bouaziz indicated he was a good candidate, but that he fell short of others.
In the fall of 2024, O’Brien, while still employed by Rippling, launched a consultancy called Global Payroll Geeks to provide payroll consulting services to corporate entities. O’Brien contacted Bouaziz to tell him about the new business, with the hope of securing Deel as a client. In late September 2024, O’Brien let Bouaziz know that he was considering leaving Rippling; however, Bouaziz, according to O’Brien’s affidavit, came up with another idea – remaining at Rippling and spying on the company for Deel.
O’Brien and Bouaziz, as well as Bouaziz’s father, Philippe Bouaziz, came to terms, and in October 2024 O’Brien began spying on his employer, Rippling, for the benefit of Deel, at the rate of $6,000 per month. All financial arrangements were made over Telegram. The initial payment was a cash transfer from the wife of Deel’s chief operating officer, while subsequent monthly payments were made in Ethereum to O’Brien’s Blockchain.com currency wallet.
O’Brien would spend his “spy time” conducting searches through Rippling’s Slack, Salesforce and Google Drive for information of potential interest to Bouaziz. O’Brien would send Bouaziz screenshots of interest, and eventually started sending screen recordings. Things that interested Bouaziz included customer-specific information, sales leads, information on “superstar” Rippling employees to poach, and at times specific information on certain customers.
As time progressed, Bouaziz would ask O’Brien to undertake specific searches using provided key words, such as “Iran,” “sanctioned countries,” “Russia,” and other terms, with the idea of catching Deel’s competitor providing services to entities in sanctioned countries.
While O’Brien assumed he was being careful to cover his tracks and delete the information he was conveying to Bouaziz in the Telegram chat, some of the screen recordings O’Brien had provided to Bouaziz had been backed up to his iCloud account, where Rippling discovered them. In late February 2025, Rippling, according to its complaint against Deel in the underlying lawsuit, had a lawyer send a letter to Deel stating that Rippling employees were exchanging information about Deel in a Slack channel called “d-defectors,” and that should the information be discovered or made public, it would be extremely embarrassing to Deel. The “honeypot” was set.
Bouaziz could not refuse the bait and instructed O’Brien to undertake searches within the “d-defectors” Slack channel. A few days later, O’Brien went into his office at Rippling and was met by lawyers who greeted him with a court order to turn over his devices for analysis. O’Brien turned over his laptop but fled the offices with his cellphone, which he factory wiped and reset.
Days passed and O’Brien remained in contact with Bouaziz and a lawyer for Deel. O’Brien affirmed in his affidavit that representatives of Deel tried to convince him to claim that Rippling was retaliating against him for being a whistleblower who had reported that Rippling engaged in sales with Russia, a claim known to be false. O’Brien eventually hired his own counsel and decided to cooperate with law enforcement.
Lessons Learned and CFIUS
CFIUS mitigation agreements continue to be laser-focused on preventing the exfiltration of personally sensitive data, protected technologies, and other intellectual property, trade secrets and data that impact U.S. economic security (herein “Protected Data”). The Rippling – Deel case highlights the vulnerabilities inherent in the systems – both technology and people – that maintain Protected Data. Here are some takeaways from the case that present risks to be addressed in anticipation of a transaction with potential for national security scrutiny.
- Software as a Service (SaaS) can present unique challenges. The consolidation of HR and payroll data of global entities in one location is unique, and creates not just a valuable HR administrative tool, but a vault of economic intelligence that requires extra security measures to safeguard. Using such collaboration tools to communicate confidential information makes these channels prime targets for insiders. The ability to segregate confidential information and other intellectual property from other operational tools, such as collaboration tools like Slack, Teams, and Salesforce is an imperative.
- Technical monitoring and data protection. A company’s systems need not be left unchecked and vulnerable. There are a variety of tools available to monitor employee behavior that will additionally provide a digital paper trail of evidence in the event of a breach. In addition to data loss prevention (DLP) tools, which would block the transfer of sensitive data to personal emails, USB drives or unauthorized cloud storage, and search logging technology to monitor internal search queries on collaboration platforms like Slack, there are more sophisticated tools that incorporate user and entity behavior analytics, including AI learning, to flag anomalous behavior within company systems. In instances in which confidential information must be shared with subcontractors or other necessary third parties, utilize tools, such as Tradelok, that allow for the safe sharing of confidential information by providing file access limiters and the tracking and recovery of intellectual property if the information is shared beyond its intended purpose.
- Access controls and the principle of “least privilege.” It is difficult to predict at the outset which insiders may eventually cause the enterprise harm. Therefore, approaching every new employee as a potential risk makes sense. In that regard, employee access to information should be restricted on a need-to-know or role-based basis. For example, an engineer need not have access to the company’s sales pipeline. In the event that unusual access is required, that access should be granted on a “just-in-time” basis, which would limit access to a specific purpose and for a delineated timeframe.
- Personnel management and safeguards. Securing Protected Data is as much about people and processes as it is about software and technology, so it is important to focus resources to address employee-centric vulnerabilities. Depending upon access to Protected Data and other sensitive information, background checks should go beyond criminal record checks and include thorough vetting of candidates’ potential conflicts of interest, including past employment or affiliations with competitors, as well as unexplained gaps in employment histories. In addition to onboarding, attention should be paid to offboarding, including ensuring that access to repositories where Protected Data exists, as well as to collaboration spaces and tools, is restricted for soon-to-be former employees. In addition, employees that have given notice of their departure should not be permitted to work before or after regular work hours.
- Conduct regular insider threat audits to continually refine processes and procedures. Develop and deploy auditing procedures to test the above on a quarterly basis. The audits should include a review of access, DLP, and document repository search logs. Examine search terms applied to Slack and other collaboration tools for suspicious activity. Test “least privilege” by comparing job descriptions of employees with their granted access. Examine physical access logs, including identifying and analyzing guests that may be suspicious, especially those that provide personal email accounts in guest logs. Examine exfiltration logs for bulk downloads that approach thresholds for possible bad actors.
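The search-log review, least-privilege comparison and bulk-download check described in the monitoring and audit items above, as an added example that is not part of the original article: it runs over a few constructed audit events, and the watchlist terms, download threshold and role entitlement mapping are assumptions chosen for illustration.

```python
# Added example (not from the article): a minimal quarterly insider-threat audit
# over constructed collaboration-tool and repository audit events.
from collections import Counter

# Constructed sample events: search queries and file downloads (user names are made up).
EVENTS = [
    {"user": "alice", "action": "search", "tool": "slack", "query": "Iran payroll"},
    {"user": "alice", "action": "search", "tool": "salesforce", "query": "sanctioned countries"},
    {"user": "alice", "action": "search", "tool": "slack", "query": "d-defectors"},
    {"user": "bob", "action": "search", "tool": "slack", "query": "lunch menu"},
    {"user": "bob", "action": "download", "tool": "gdrive", "file": "handbook.pdf"},
] + [{"user": "alice", "action": "download", "tool": "gdrive", "file": f"customer_{i}.pdf"}
     for i in range(25)]

# Assumed watchlist: terms an auditor reviews in collaboration-tool search logs.
WATCHLIST = ("iran", "russia", "sanctioned countries", "d-defectors")
BULK_DOWNLOAD_THRESHOLD = 20  # assumed per-audit-period threshold for one user

# Assumed role-to-entitlement mapping used for the least-privilege comparison.
ROLE_ENTITLEMENTS = {"payroll_specialist": {"payroll", "compliance"},
                     "engineer": {"source_code", "ci"}}

def flag_watchlist_searches(events, watchlist=WATCHLIST):
    """Return (user, tool, query) for search events whose query contains a watchlist term."""
    hits = []
    for e in events:
        if e["action"] == "search" and any(t in e["query"].lower() for t in watchlist):
            hits.append((e["user"], e["tool"], e["query"]))
    return hits

def flag_bulk_downloads(events, threshold=BULK_DOWNLOAD_THRESHOLD):
    """Return {user: download_count} for users at or above the bulk-download threshold."""
    counts = Counter(e["user"] for e in events if e["action"] == "download")
    return {u: n for u, n in counts.items() if n >= threshold}

def least_privilege_violations(grants, role_entitlements=ROLE_ENTITLEMENTS):
    """grants: {user: (role, granted_resources)} -> {user: resources beyond the role's needs}."""
    excess = {}
    for user, (role, granted) in grants.items():
        extra = set(granted) - role_entitlements.get(role, set())
        if extra:
            excess[user] = extra
    return excess

if __name__ == "__main__":
    print("watchlist searches:", flag_watchlist_searches(EVENTS))
    print("bulk downloads:", flag_bulk_downloads(EVENTS))
    print("excess access:", least_privilege_violations(
        {"alice": ("payroll_specialist", {"payroll", "sales_pipeline"})}))
```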
Conclusion
While a lawsuit between two domestic HR technology companies may not come to mind as the likely place where national security concerns would arise, the evolving nature of the industry, the growing importance of critical infrastructure, and the necessity of safeguarding PII mean the sector should and will garner growing scrutiny. Add a layer of alleged economic espionage and cryptocurrency payments, and the story becomes the posterchild for national security and insider risk mitigation warnings. Only a transaction involving investors or buyers from countries that CFIUS has deemed of concern could add to the intrigue and heighten national security concerns further. The lessons learned from the Rippling – Deel lawsuit transfer readily to the CFIUS context. Being prepared for a CFIUS transaction requires taking the steps necessary to avoid being a player in a legal battle such as this. Addressing the apparent technological and people vulnerabilities that surfaced in the Rippling – Deel case would go a long way toward preparing for a CFIUS filing or addressing a CFIUS mitigation agreement.
If you have any questions or would like to discuss how StoneTurn can help, reach out to David Holley.