Digital Audit: Temu (PDD Holdings Inc.)
Audit Phase: Digital (Digital / Technology Forensics) Subject Entity: Temu, operated by PDD Holdings Inc. (Nasdaq: PDD; formerly Pinduoduo Inc.) Registered Office: PDD Holdings Inc., Dublin, Ireland (operational headquarters historically in Shanghai, China) Audit Date: June 2026 Evidence Base: Published corporate disclosures, short-seller and independent security research, state attorney-general filings, US congressional reporting, European Commission enforcement decisions, think-tank analysis, and consumer/trade press. All factual claims are drawn from publicly available sources cited in the End Notes.
Scope and directionality note: Digital assesses the digital/technology nexus to Israel. The serious case is the provision of surveillance, digital, data, or cyber technology to the Israeli state, military, or security services. The reverse direction - Temu procuring technology from Israeli-origin vendors, or Israeli consumers using the Temu app - is a customer relationship and is recorded explicitly as such, weighted far lower than provision. No transitive guilt is imputed. US-entity relationships (e.g. Amazon Web Services, Cloudflare, Google) are not Israeli-origin and are noted only for completeness. Cyberattacks or malware findings reported against the company are recorded as context, not as provision.
Enterprise Technology Stack & Vendor Relationships
Strategic Technology Posture (Direction: in-house / China-centred)
PDD Holdings operates a predominantly proprietary, in-house technology model. Independent analysis of the Temu platform by the Center for Strategic and International Studies (CSIS) and by US congressional and state investigators frames Temu’s architecture and data practices in the context of Chinese ownership and PDD’s engineering base, not third-party vendor dependency.12 PDD’s commercial AI/ML capabilities (recommendation engines, logistics optimisation, dynamic pricing) are described as proprietary.1
Israeli-Origin Software, Cybersecurity & Enterprise Vendors (Direction: Temu as potential customer)
No public evidence identified. No corporate filing, procurement record, press release, or credible investigative report documents a licensing, subscription, or integration relationship between Temu/PDD Holdings and any Israeli-origin cybersecurity or enterprise-software vendor (e.g. Check Point, Wiz, SentinelOne, CyberArk, NICE, Verint, Claroty). Palo Alto Networks, although co-founded by Israeli-born Nir Zuk, is a US-domiciled and US-incorporated company and is not an Israeli-origin vendor; no Temu/PDD procurement relationship with it is publicly documented in any case.
Systems Integrators & Outsourcing Partners
No public evidence identified of a systems integrator or IT-outsourcing partner engaged by Temu/PDD Holdings deploying Israeli-origin technology as part of that engagement. Temu’s seller platform and logistics analytics are described in trade and security analyses as proprietary rather than third-party-vendor-dependent.1
Procurement Transparency Constraints
PDD Holdings’ disclosures (annual filings and investor materials) describe technology infrastructure in generic terms - proprietary systems, third-party cloud services, and data centres - without naming individual vendors.3 The full IT and security vendor stack is undisclosed; this is the principal evidence gap in this domain. No Israeli-origin vendor relationship was identified at any layer reviewed.
Surveillance, Biometrics & Retail Technology
App Data Collection & Alleged Spyware Behaviour (Direction: scrutiny of Temu)
The Temu mobile application has been the subject of substantial independent security scrutiny. In September 2023 short-seller Grizzly Research published a report alleging the Temu app exhibits “the full array of characteristics of the most aggressive forms of malware/spyware,” cataloguing 18 software functions it characterised as inappropriate and potentially hazardous and alleging excessive access to device location, contacts, microphone, and camera.45 CSIS summarised these concerns and noted the app’s data collection “go[es] far beyond what is necessary for an e-commerce platform,” framing the risk in terms of potential Chinese state data access under China’s National Intelligence Law.2 The US FBI has issued public warnings naming Temu (alongside other China-linked apps) over data-collection risk, including the ability to pull contact-list data.6 Each of these analyses frames the concern around Chinese ownership and the direction of data flows toward China; none attributes any analytical, surveillance, or data-processing layer to Israeli-origin vendors.246
Facial Recognition & Biometrics (Israeli-origin vendors)
No public evidence identified of Temu/PDD Holdings deploying facial recognition, biometric identification, behavioural analytics, or gait analysis of Israeli origin (e.g. Oosto/AnyVision, BriefCam, Trigo, Trax). Temu operates as an online-only marketplace with no physical retail estate, removing the primary in-store use cases for Israeli biometric retail technology. State attorney-general filings allege the app collects biometric data such as fingerprints from its own app users, but attribute this to the app’s own code, with no Israeli-origin vendor named.78
Predictive Analytics, Workforce & Social-Media Monitoring
No public evidence identified of Temu/PDD Holdings deploying Israeli-origin predictive-analytics, sentiment-analysis, social-media-monitoring, or workforce-surveillance tools. The data-collection concerns raised by researchers and regulators concern consumer behavioural data collected from the app’s global user base.247
Third-Party / Indirect Deployment
No public evidence identified of Israeli-origin surveillance or analytics technology reaching Temu indirectly via managed services, platform bundles, or sub-contracted deployments.
Cloud Infrastructure, Data Residency & Sovereign Cloud Participation
Data Centre Operations in Israel
No public evidence identified that Temu/PDD Holdings operates, leases, or co-locates data-centre infrastructure within Israel. PDD’s disclosures reference data centres in China and reliance on third-party cloud providers for international operations, with no identified Israeli data-centre presence.3 Public infrastructure profiling of Temu’s consumer-facing platform maps US-headquartered providers (Amazon Web Services for compute/storage, Cloudflare for CDN/DDoS protection, Google services for analytics) - none Israeli-origin.2
Israeli Consumer Market Entry (Direction: Israeli users as customers)
Temu entered the Israeli consumer market in 2023 as part of its global expansion, and Israeli usage grew sharply, with Temu reportedly overtaking Shein in monthly Israeli visits (rising from roughly 275,000 visits in September 2023 to 3.47 million in December 2023 and 4.76 million in January 2024).910 This is a customer relationship - Israeli consumers purchasing goods via the app - and does not constitute data-centre establishment, sovereign-cloud participation, or infrastructure provision within Israel.
Project Nimbus & Israeli State Cloud Infrastructure
Not applicable. Project Nimbus is the Israeli-government cloud contract whose prime contractors are publicly documented as Google Cloud and Amazon Web Services; PDD Holdings/Temu is neither a participant nor a sub-provider. No public evidence identified of Temu/PDD involvement in any Israeli state-backed digital-infrastructure programme.
Data-Sovereignty or Resilience Services to Israeli State Institutions
No public evidence identified. Temu/PDD Holdings does not operate as a technology or cloud-service provider to any state body, Israeli or otherwise.
Defence, Intelligence & Security Sector Technology Relationships
Military & Intelligence Contracts
No public evidence identified of any contract, partnership, or service agreement between Temu/PDD Holdings and the Israeli Ministry of Defence, the Israel Defense Forces (IDF), or Israeli intelligence agencies (Unit 8200, Shin Bet, Mossad). PDD’s disclosed corporate history and risk-factor disclosures contain no reference to Israeli state or defence-sector relationships.3
Provision of Technology / Data to the Israeli State or Military
No public evidence identified. This is the directionally serious Digital case, and no qualifying evidence was found of Temu/PDD providing surveillance technology, data, software, cloud capacity, or digital services to the Israeli state, military, or security services. The national-security framing applied to Temu in US congressional, state-AG, and think-tank proceedings concerns potential data flows toward China, not Israeli military or intelligence use.1211
Dual-Use Technology Provision
No public evidence identified of Temu’s commercial technology being reported or confirmed as deployed for military, intelligence, or law-enforcement surveillance applications in Israel or the Occupied Palestinian Territories.
Offensive Cyber Capability
No public evidence identified. Temu/PDD Holdings is a consumer e-commerce entity with no publicly documented offensive-cyber, zero-day, or digital-weapons activity. Separately - and recorded as context, not provision - Google suspended sibling app Pinduoduo from the Play Store in March 2023 after malware was found in off-Play versions of that app, following security-researcher analysis alleging exploitation of Android vulnerabilities; PDD denied the app contained malware.1213 This concerns scrutiny of PDD’s own software and has no nexus to provision of technology to Israel.
AI, Algorithmic & Autonomous Systems
AI/ML Provision to Israeli State Bodies
No public evidence identified of Temu/PDD Holdings providing AI, machine learning, computer vision, or autonomous decision-support systems to Israeli state, military, or security bodies. PDD’s AI/ML capabilities are publicly described as commercial consumer-retail applications (recommendation engines, demand forecasting, logistics routing, dynamic pricing).1
Training Data & Model Development Involving Israeli Population Data
No public evidence identified of Temu’s AI models being trained on, or granted access to, civilian population data, intercepted communications, or surveillance-derived datasets originating from Israel or the Occupied Palestinian Territories. The data-collection concerns raised by researchers relate to consumer behavioural data collected globally.24
Autonomous Systems & Lethality
No public evidence identified. PDD Holdings/Temu has no publicly documented involvement in autonomous target generation, automated threat assessment, or weapons-effect autonomous systems.
Internal Algorithmic Deployment - Israeli-Origin AI Tooling
No public evidence identified of any Israeli-origin AI vendor embedded in Temu’s stack. The undisclosed full vendor list means secondary embedding within managed services cannot be positively excluded, but no such instance was identified.
Technology Ecosystem & R&D Footprint
Israeli R&D Facilities
No public evidence identified that Temu/PDD Holdings operates any R&D facility, engineering office, innovation lab, accelerator, or fellowship scheme within Israel. PDD’s R&D operations are publicly described as concentrated in China.13
Acquisitions & Investments in Israeli Technology Companies
No public evidence identified of PDD Holdings acquiring, or taking a corporate-venture stake in, any Israeli technology company, venture fund, or university commercialisation vehicle. PDD’s documented M&A and investment activity centres on the Chinese e-commerce and agricultural-technology ecosystems.3
Patents & IP Co-Development with Israeli Institutions
No public evidence identified of patent portfolios, cross-licensing, or co-development arrangements between PDD Holdings/Temu and Israeli-domiciled entities or research institutions (Technion, Hebrew University/Yissum, Weizmann Institute).
Technology Supply-Chain Due Diligence Provisions
No public evidence identified that PDD Holdings publishes a technology-supply-chain due-diligence framework governing the national origin or geopolitical exposure of its technology vendors, software suppliers, or digital-infrastructure providers.
Civil Society Scrutiny & Regulatory History
NGO & Academic Scrutiny - Technology Supply Chain
No public evidence identified of an NGO investigation, academic study, or UN report addressing Temu’s technology relationships with the Israeli state, Israeli defence entities, or Israeli-origin vendors. Civil-society and investigative attention on Temu is substantial but directed at distinct issue clusters: app data-harvesting and alleged spyware behaviour (Grizzly Research, CSIS, FBI);246 and forced-labour supply-chain risk under the Uyghur Forced Labor Prevention Act, examined in the US House Select Committee on the CCP’s June 2023 interim findings on Temu and Shein, which concluded Temu was likely shipping forced-labour-linked goods and relied heavily on the de minimis exception.11
BDS Campaigns
No public evidence identified of an organised boycott, divestment, or sanctions campaign targeting Temu on grounds of technology provision to Israeli state entities. Temu/PDD Holdings does not appear on the BDS movement’s published company target lists reviewed.14 Consumer-press commentary notes Temu has taken no public political position on Israel and is not on BDS target lists.15
Regulatory & Legal Actions - Data and Platform Conduct (Direction: scrutiny of Temu)
Temu’s documented regulatory and legal exposure concerns its own conduct, not technology sales to Israeli state entities:
- US state attorneys general. Arkansas filed the first state lawsuit against Temu on 25 June 2024, alleging the app is “functionally malware and spyware” under the state Deceptive Trade Practices Act and Personal Information Protection Act.78 Nebraska (11 June 2025), Kentucky (17 July 2025), and Arizona (December 2025) filed comparable data-collection suits; Montana banned the app on government devices.1617 None references Israeli-origin technology.716
- App-store actions. Apple suspended Temu from its App Store in 2023 over alleged misrepresentations about data access/collection, per subsequent state-AG findings.16
- European Union. The European Commission opened a Digital Services Act investigation into Temu on 31 October 2024, issued preliminary findings in July 2025, and on 28 May 2026 fined Temu €200 million for failing to assess systemic risks of illegal products on its platform.18 This concerns product-safety risk assessment, not data provision to Israel.18
No public evidence identified of any export-control, sanctions, or regulatory action relating to Temu/PDD technology sales or services to Israeli state entities.
End Notes
Footnotes
-
https://www.csis.org/analysis/looking-beyond-tiktok-risks-temu ↩ ↩2 ↩3 ↩4 ↩5 ↩6
-
https://www.csis.org/blogs/strategic-technologies-blog/looking-beyond-tiktok-risks-temu ↩ ↩2 ↩3 ↩4 ↩5 ↩6 ↩7 ↩8
-
https://grizzlyreports.com/we-believe-pdd-is-a-dying-fraudulent-company-and-its-shopping-app-temu-is-cleverly-hidden-spyware-that-poses-an-urgent-security-threat-to-u-s-national-interests/ ↩ ↩2 ↩3 ↩4 ↩5
-
https://tech.yahoo.com/cybersecurity/articles/fbi-warns-tiktok-temu-could-160149316.html ↩ ↩2 ↩3
-
https://arkansasag.gov/news-release/attorney-general-griffin-sues-chinese-e-commerce-company-temu-for-deceiving-arkansans-illegally-accessing-their-personal-information/ ↩ ↩2 ↩3 ↩4
-
https://www.malwarebytes.com/blog/news/2024/06/temu-sued-for-being-dangerous-malware-by-arkansas-attorney-general ↩ ↩2
-
https://chinaselectcommittee.house.gov/sites/evo-subsites/selectcommitteeontheccp.house.gov/files/evo-media-document/fast-fashion-and-the-uyghur-genocide-interim-findings.pdf ↩ ↩2
-
https://www.cnn.com/2023/03/21/tech/china-google-pinduoduo-malware-app-intl-hk/index.html ↩
-
https://krebsonsecurity.com/2023/03/google-suspends-chinese-e-commerce-app-pinduoduo-over-malware/ ↩
-
https://silverbulletpros.com/blogs/does-temu-support-israel/ ↩
-
https://pirg.org/edfund/articles/does-temu-misuse-your-personal-data-more-state-attorneys-general-say-yes/ ↩ ↩2 ↩3
-
https://www.usnews.com/news/us/articles/2025-12-02/arizona-attorney-general-sues-chinese-online-retailer-temu-over-data-theft-claims ↩
-
https://digital-strategy.ec.europa.eu/en/news/commission-fines-temu-eu200-million-breaching-digital-services-act ↩ ↩2