{
	"id": "2c72d2a9-e253-4872-9df4-ca00a7963c7a",
	"created_at": "2026-04-06T00:14:42.78537Z",
	"updated_at": "2026-04-10T13:13:07.243609Z",
	"deleted_at": null,
	"sha1_hash": "e5a65b9b7611ab5a8f958d5cb2990df0a1310869",
	"title": "Hackers linked to Chinese government stole millions in Covid benefits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1912553,
	"plain_text": "Hackers linked to Chinese government stole millions in Covid\r\nbenefits\r\nBy Sarah Fitzpatrick and Kit Ramgopal\r\nPublished: 2022-12-05 · Archived: 2026-04-05 16:51:35 UTC\r\nHackers linked to the Chinese government stole at least $20 million in U.S. Covid relief benefits, including Small\r\nBusiness Administration loans and unemployment insurance funds in over a dozen states, according to the Secret\r\nService.\r\nThe theft of taxpayer funds by the Chengdu-based hacking group known as APT41 is the first instance of\r\npandemic fraud tied to foreign, state-sponsored cybercriminals that the U.S. government has acknowledged\r\npublicly, but may just be the tip of the iceberg, according to U.S. law enforcement officials and cybersecurity\r\nexperts.\r\nThe officials and experts, most speaking on the condition of anonymity because of the sensitivity of the subject\r\nmatter, say other federal investigations of pandemic fraud also seem to point back to foreign state-affiliated\r\nhackers.\r\n“It would be crazy to think this group didn’t target all 50 states,” said Roy Dotson, national pandemic fraud\r\nrecovery coordinator for the Secret Service, who also acts as a liaison to other federal agencies probing Covid\r\nfraud.\r\nThe Secret Service declined to confirm the scope of other investigations, saying there are more than 1,000\r\nongoing investigations involving transnational and domestic criminal actors defrauding public benefits programs,\r\nand APT41 is “a notable player.”\r\nAnd whether the Chinese government directed APT41 to loot U.S. taxpayer funds or simply looked the other way,\r\nmultiple current and former U.S. officials say, the theft itself is a troubling development that raises the stakes. 
One\r\nsenior Justice Department official called it “dangerous” and said it had serious national security implications.\r\nhttps://www.nbcnews.com/tech/security/chinese-hackers-covid-fraud-millions-rcna59636\r\nPage 1 of 6\n\n“I’ve never seen them target government money before,” said John Hultquist, the head of intelligence analysis at\r\nthe cybersecurity firm Mandiant. “That would be an escalation.” \r\nThe Chinese Embassy in Washington did not respond to requests for comment.\r\n‘The horse is out of the barn’\r\nAs soon as state governments began disbursing Covid unemployment funds in 2020, cybercriminals began to\r\nsiphon off a significant percentage.\r\nThe Labor Department Office of Inspector General has reported an improper payment rate of roughly 20% for the\r\n$872.5 billion in federal pandemic unemployment funds, though the true cost of the fraud is likely\r\nhigher, administration officials from multiple agencies say.\r\nIn-depth analysis of four states showed 42.4% of pandemic benefits were paid improperly in the first six months,\r\nthe department’s watchdog reported to Congress last week.\r\nA Heritage Foundation analysis of Labor Department data estimated excess unemployment benefits payments of\r\nmore than $350 billion from April 2020 to May 2021.\r\n“Whether it’s 350, 400 or 500 billion, at this point, the horse is out of the barn,” said Linda Miller, the former\r\ndeputy executive director of the Pandemic Response Accountability Committee, the federal government’s Covid\r\nrelief fraud watchdog.\r\nMichael R. Sherwin, the acting U.S. attorney for the District of Columbia, speaks about charges and\r\narrests related to a computer intrusion campaign tied to the Chinese government by a group called\r\nAPT 41 at the Justice Department on Sept. 
16, 2020. Tasos Katopodis / Pool via Getty Images file\r\nBy the time Covid relief funds appeared as a target of opportunity in 2020, APT41, which emerged more than a\r\ndecade ago, had already become the “workhorse” of cyberespionage operations that benefit the Chinese\r\ngovernment, according to cyber experts and current and former officials from multiple agencies. The Secret\r\nService said in a statement that it considers APT41 a “Chinese state-sponsored, cyberthreat group that is highly\r\nadept at conducting espionage missions and financial crimes for personal gain.”\r\nAmbassador Nathaniel Fick, the head of the State Department’s Bureau of Cyberspace and Digital Policy, said\r\ncyberespionage is a long-time Chinese national priority aimed at strengthening its geopolitical position.\r\n“The United States is target No. 1, because we are competitor No. 1,” Fick told NBC News. “It’s a really\r\ncomprehensive, multi-decade, well-considered, well-resourced, well-planned, well-executed strategy.”\r\nAmerican officials have blamed Chinese hackers for the Office of Personnel Management, the Anthem Health\r\nand the Equifax breaches, among others.\r\nThe experts and officials describe the Chinese model of “state-sponsored” hackers as a network of semi-independent groups conducting contract work in service of government espionage. The Chinese government may\r\ndirect a hacking group to attack a certain target. APT41, also known to cybersecurity firms as Winnti, Barium and\r\nWicked Panda, fits the model and is considered a particularly prolific Chinese intelligence asset, known to commit\r\nfinancial crimes on the side.\r\nDemian Ahn, a former assistant U.S. attorney who indicted five APT41 hackers in 2019 and 2020, said the\r\nevidence showed the group had tremendous reach and resources. 
The defendants, who were accused of infiltrating\r\ngovernments and companies around the world while conducting ransomware attacks and mining cryptocurrency,\r\ntalked “about having tens of thousands of machines at one time, as part of their efforts to obtain information about\r\nothers, and also to generate criminal profits.” None of the five Chinese nationals indicted have been extradited,\r\nand the cases remain open.\r\nAPT41’s intrusion methods have included hacking legitimate software and weaponizing it against innocent users,\r\nincluding businesses and governments. Another tactic involves tracking public disclosures about security flaws in\r\nlegitimate software. APT41 uses that information to target customers who don’t immediately update their\r\nsoftware, according to a former Justice Department official familiar with the group.\r\nThe primary purpose of APT41’s state-directed activity, the experts and officials say, is believed to be collecting\r\npersonally identifying information and data about American citizens, institutions and businesses that can be used\r\nby China for espionage purposes.\r\n“They have the patience, the sophistication and the resources to carry out hacking that has a direct impact on\r\nnational security,” said a former Justice Department official familiar with the group.\r\nLaw enforcement officials and counterintelligence experts have testified to Congress that by now, every adult\r\nAmerican has had all or most of their personal data stolen by the Chinese government. \r\n‘Wild West’\r\nBeijing has increasingly turned its focus to breaching U.S. critical infrastructure in recent years, say current and\r\nformer officials and China and cybersecurity experts, with worldwide campaigns driven by APT41.\r\nChina’s targets include state governments, which can have inadequate cybersecurity defenses. 
“The state\r\ngovernments don’t allocate a lot of cyber protection money to their state IT infrastructure,” said William Evanina,\r\nthe former director of the National Counterintelligence and Security Center, part of the Office of the Director of\r\nNational Intelligence. “So it’s really an unprotected Wild West.”\r\nThe Covid fraud scheme that the Secret Service has publicly linked to APT41 began in mid-2020 and spanned\r\n2,000 accounts associated with more than 40,000 financial transactions.\r\n“Where their sophistication comes in is the ability to work heavily and quickly,” the agency's Dotson said.\r\nThe agency said it has been able to recover about half of the stolen $20 million in the APT41 case.\r\nOverall, the Secret Service said that as of August it had seized more than $1.4 billion in fraudulently obtained\r\nCovid relief funds and helped return about $2.3 billion to state unemployment insurance programs.\r\nBut while Evanina and other officials and experts consider APT41’s breach of state systems a national security\r\nissue, they aren’t convinced that stealing Covid funds was a goal of the Chinese government. Such thefts increase\r\nthe risk of criminal prosecution and make it harder for China to obscure the state’s role. 
They believe that the\r\nChinese government may have simply tolerated the hackers making a profit off their labors.\r\nMany believe the hackers are still inside state information technology systems.\r\nMandiant, which contracts with more than 75 state and local government organizations and agencies, issued a\r\nreport in March that APT41 had infiltrated six — and likely more — state governments using back doors in\r\npopular software and was exfiltrating data on citizens.\r\nHultquist said in an interview that Mandiant analysts discovered at least two occasions involving interactions with\r\nservers associated with state benefits after May 2021.\r\nCurrent officials would not comment about whether APT41 still had access to state government networks after\r\nbeing discovered last year.\r\nThe Labor Department, the Small Business Administration, the Cybersecurity and Infrastructure Security Agency\r\nand the White House all declined to comment and referred NBC News to the Justice Department. The FBI and the\r\nJustice Department declined to comment. The Department of Homeland Security did not respond to requests for\r\ncomment.\r\n“Once you are in these systems with intent to promulgate theft\" of personally identifying information, Evanina\r\nsaid, \"you’re in forever,” noting that at the state and local levels, many disparate systems share an interconnected\r\ndomain. “Unless,” he said, “you tear down the systems and replace everything.”\r\nState agencies across the country continue to struggle against invisible online attackers, many lacking the proper\r\nfunding and expertise to secure their online benefits systems. 
\r\n“If we can come together and really have open and honest conversations about what works well and what went\r\nvery wrong, we would just be in a much better place to stop this,” said Maryland Labor Secretary Tiffany\r\nRobinson, who said her state’s system is still bogged down by thousands of fraudulent applications and phone\r\ncalls each week. “Because this is not over.”\r\nFederal officials acknowledge they are nowhere close to fully accounting for what really happened to benefits\r\nprograms in the pandemic.\r\n“A lot of these criminals, we’ll never be able to indict and locate,” said a federal law enforcement official with\r\ndirect knowledge of fraud investigations involving China-based hackers. “With the internet and the dark web, it’s\r\nborderless.”\r\nSource: https://www.nbcnews.com/tech/security/chinese-hackers-covid-fraud-millions-rcna59636",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.nbcnews.com/tech/security/chinese-hackers-covid-fraud-millions-rcna59636"
	],
	"report_names": [
		"chinese-hackers-covid-fraud-millions-rcna59636"
	],
	"threat_actors": [
		{
			"id": "49822165-5541-423d-8808-1c0a9448d588",
			"created_at": "2022-10-25T16:07:23.384093Z",
			"updated_at": "2026-04-10T02:00:04.575678Z",
			"deleted_at": null,
			"main_name": "Barium",
			"aliases": [
				"Brass Typhoon",
				"Pigfish",
				"Starchy Taurus"
			],
			"source_name": "ETDA:Barium",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Barlaiy",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"POISONPLUG",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c7d9878a-e691-4c6f-81ae-84fb115a1345",
			"created_at": "2022-10-25T16:07:23.359506Z",
			"updated_at": "2026-04-10T02:00:04.556639Z",
			"deleted_at": null,
			"main_name": "APT 41",
			"aliases": [
				"BrazenBamboo",
				"Bronze Atlas",
				"Double Dragon",
				"Earth Baku",
				"G0096",
				"Grayfly",
				"Operation ColunmTK",
				"Operation CuckooBees",
				"Operation ShadowHammer",
				"Red Kelpie",
				"SparklingGoblin",
				"TA415",
				"TG-2633"
			],
			"source_name": "ETDA:APT 41",
			"tools": [
				"9002 RAT",
				"ADORE.XSEC",
				"ASPXSpy",
				"ASPXTool",
				"AceHash",
				"Agent.dhwf",
				"Agentemis",
				"AndroidControl",
				"AngryRebel",
				"AntSword",
				"BLUEBEAM",
				"Barlaiy",
				"BlackCoffee",
				"Bladabindi",
				"BleDoor",
				"CCleaner Backdoor",
				"CHINACHOPPER",
				"COLDJAVA",
				"China Chopper",
				"ChyNode",
				"Cobalt Strike",
				"CobaltStrike",
				"Crackshot",
				"CrossWalk",
				"CurveLast",
				"CurveLoad",
				"DAYJOB",
				"DBoxAgent",
				"DEADEYE",
				"DEADEYE.APPEND",
				"DEADEYE.EMBED",
				"DEPLOYLOG",
				"DIRTCLEANER",
				"DUSTTRAP",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"DodgeBox",
				"DragonEgg",
				"ELFSHELF",
				"EasyNight",
				"Farfli",
				"FunnySwitch",
				"Gh0st RAT",
				"Ghost RAT",
				"HDD Rootkit",
				"HDRoot",
				"HKDOOR",
				"HOMEUNIX",
				"HUI Loader",
				"HidraQ",
				"HighNoon",
				"HighNote",
				"Homux",
				"Hydraq",
				"Jorik",
				"Jumpall",
				"KEYPLUG",
				"Kaba",
				"Korplug",
				"LATELUNCH",
				"LOLBAS",
				"LOLBins",
				"LightSpy",
				"Living off the Land",
				"Lowkey",
				"McRAT",
				"MdmBot",
				"MessageTap",
				"Meterpreter",
				"Mimikatz",
				"MoonBounce",
				"MoonWalk",
				"Motnug",
				"Moudour",
				"Mydoor",
				"NTDSDump",
				"PACMAN",
				"PCRat",
				"PINEGROVE",
				"PNGRAT",
				"POISONPLUG",
				"POISONPLUG.SHADOW",
				"POTROAST",
				"PRIVATELOG",
				"PipeMon",
				"PlugX",
				"PortReuse",
				"ProxIP",
				"ROCKBOOT",
				"RbDoor",
				"RedDelta",
				"RedXOR",
				"RibDoor",
				"Roarur",
				"RouterGod",
				"SAGEHIRE",
				"SPARKLOG",
				"SQLULDR2",
				"STASHLOG",
				"SWEETCANDLE",
				"ScrambleCross",
				"Sensocode",
				"SerialVlogger",
				"ShadowHammer",
				"ShadowPad Winnti",
				"SinoChopper",
				"Skip-2.0",
				"SneakCross",
				"Sogu",
				"Speculoos",
				"Spyder",
				"StealthReacher",
				"StealthVector",
				"TERA",
				"TIDYELF",
				"TIGERPLUG",
				"TOMMYGUN",
				"TVT",
				"Thoper",
				"Voldemort",
				"WIDETONE",
				"WINNKIT",
				"WINTERLOVE",
				"Winnti",
				"WyrmSpy",
				"X-Door",
				"XDOOR",
				"XMRig",
				"XShellGhost",
				"Xamtrav",
				"ZXShell",
				"ZoxPNG",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"gresim",
				"njRAT",
				"pwdump",
				"xDll"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434482,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e5a65b9b7611ab5a8f958d5cb2990df0a1310869.pdf",
		"text": "https://archive.orkl.eu/e5a65b9b7611ab5a8f958d5cb2990df0a1310869.txt",
		"img": "https://archive.orkl.eu/e5a65b9b7611ab5a8f958d5cb2990df0a1310869.jpg"
	}
}