Recent reporting suggests that in March, four Chinese engineers may have flown into Kuala Lumpur carrying about 80 terabytes of artificial intelligence (AI) training data on hard drives. According to the Wall Street Journal, the engineers then rented roughly 300 Nvidia-powered servers at a local data center, ran AI training cycles there, and returned home with the results. Malaysia’s Ministry of Investment, Trade, and Industry (MITI) has since confirmed that it is currently reviewing the case to determine whether any domestic laws may have been breached.
This reported episode reflects both the strengths and the weaknesses of Malaysia’s appetite for digital investment. The country’s data center boom has been remarkable. Malaysia currently has a data center capacity of approximately 1.3 gigawatts (GW), with an additional 3 GW under development, positioning it among the fastest-growing markets in Asia.
This growth has been fueled by a combination of relatively low-cost infrastructure, favorable investment policies, and rising regional demand. Since 2021, data center-related investments have surpassed RM184.7 billion (around $43.6 billion). As these facilities continue to scale, their energy needs are becoming a major national consideration. Projections suggest that data centers could account for more than 50 percent of peninsular Malaysia’s electricity demand by 2035.
This very success has exposed a regulatory gap. Malaysia does not currently designate Nvidia-powered servers as controlled items under its Strategic Trade Act 2010. In principle, local operators are free to rent computing capacity to almost any client. For Chinese firms seeking to circumvent tightened U.S. export restrictions on advanced AI chips, Malaysia now appears as a jurisdiction of opportunity. Where once these companies sought to smuggle physical hardware through third countries, the newer workaround increasingly involves transporting training data abroad and renting offshore AI compute – a method that is much harder to detect and regulate. By carrying in their own hard drives and using servers in Malaysia, Chinese entities can effectively tap U.S.-origin technology to advance domestic AI efforts, even if physical chips do not cross into China.
That Malaysia is not regulating either servers or AI training services as dual-use technology is now coming under closer scrutiny. U.S. authorities have warned Malaysian companies to ensure that their technology is not facilitating sensitive Chinese AI development, whether through direct exports or indirect use. Hardware-based controls, though essential, are proving porous when data is mobile and cloud computing is decentralized. A country like Malaysia, which has positioned itself as a data and digital hub but lacks dedicated export controls for AI compute, could inadvertently become an enabler of broader export-control evasion.
Malaysia’s official stance so far remains cautiously neutral. MITI has stressed that data center operators are permitted normal commercial activity, that servers are not regulated, and that any entity found to have violated national or international laws would face action. Yet the government has not articulated any clear mechanisms for enforcing this position. The Data Centre Task Force under MITI and the Ministry of Digital focuses mainly on supporting industry growth and infrastructure development. It lacks a specific mandate for strategic export-controls, dual-use risk monitoring, or AI-specific compliance.
The underlying tension is not new but has now sharpened. Malaysia seeks to attract foreign direct investment, anchor itself as a leading regional AI hub, and avoid becoming entangled in the intensifying tech rivalry between the U.S. and China. However, these goals are not always compatible. If Malaysia’s open regulatory posture begins to attract accusations of being a loophole in the global AI supply chain, reputational and economic risks could follow, including secondary sanctions or restrictions on U.S. firms collaborating with Malaysia-based operations. Washington has already applied pressure for greater controls, as seen earlier in 2025 when it reportedly urged Malaysia to tighten semiconductor-related regulations in exchange for continued access to critical components and investment flows.
The Malaysian government now faces a difficult choice. If it intends to sustain long-term digital investment, it must develop credible tools to monitor and manage export-related risks in AI computers. This will likely require expanding the Strategic Trade Act or introducing new instruments to cover server-based AI training and high-end computer rental, with enforceable obligations on service providers. Data center operators should be required to verify client identities, log training data origins, and flag potentially sensitive use cases. Malaysia would also benefit from formal cooperation frameworks with key partners on export-control intelligence sharing and compliance.
None of this means embracing an overly restrictive stance that could undermine digital competitiveness. Indeed, any such measures must be carefully targeted by increased focus on high-end AI computers for sensitive applications, while maintaining Malaysia’s attractiveness for cloud services, enterprise IT, and domestic innovation. But a purely passive approach is no longer viable.
Should the ongoing MITI investigation conclude that no Malaysian laws were broken, it will still highlight the need for regulatory modernization. If it finds evidence of illicit activity, a firmer response will be unavoidable. Either way, the current frameworks are inadequate for the demands of an AI-driven world where data flows, compute power, and global strategic competition are increasingly interconnected.