
Cyber Incident Victim: US COVID-relief funds

Date: Jun 2020

Location: United States of America

Summary

A Chinese state-sponsored hacking group stole at least $20 million from US COVID-relief funds by targeting Small Business Administration loans and unemployment insurance programs across more than a dozen states. The campaign, linked to APT41, compromised thousands of accounts and financial transactions starting in mid-2020, and broader estimates indicate that nearly one-fifth of federal pandemic unemployment funds were improperly paid. Although half of the stolen amount was recovered, the incident reflects significant systemic vulnerabilities in relief disbursement efforts. APT41 has previously conducted financially motivated cyber operations, blending espionage tooling with activity for personal gain, though the exact coordination behind this theft remains unclear.

Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
(CIA posture, actor type and actor location details are available to members.)

Description

In mid-2020, Chinese state-sponsored advanced persistent threat group APT41 conducted a cyber campaign targeting U.S. COVID-19 relief funds, specifically Small Business Administration loans and unemployment insurance programs across more than 12 states. The U.S. Secret Service attributed the theft of at least $20 million to this Chengdu-based group, marking the first known instance of a nation-state actor systematically stealing pandemic relief funds. The attackers compromised approximately 2,000 accounts linked to over 40,000 financial transactions during their operation. APT41's involvement was confirmed through investigative work by the Secret Service, which noted the group's history of blending state-sponsored espionage with financially motivated cybercrime. Prior activities included deploying ransomware against gaming companies and attacking cryptocurrency exchanges for personal profit in 2019, as documented by cybersecurity firm FireEye. The Secret Service maintained over 1,000 active investigations into pandemic-related fraud at the time of disclosure, suggesting the true scale of APT41's campaign might extend beyond confirmed cases. Investigative officials publicly speculated that all 50 states could have been targeted given the group's operational reach.


The theft formed part of a broader pattern of pandemic relief fraud, with a U.S. Labor Department Office of Inspector General audit revealing approximately 19% of $872.5 billion in federal unemployment funds were improperly distributed. While the Secret Service successfully recovered roughly $10 million of the $20 million stolen by APT41, this amount represented only a fraction of total pandemic fraud losses. The group's operational methodology leveraged tools typically associated with cyber-espionage operations for financial gain, demonstrating unusual versatility among state-aligned threat actors. No conclusive evidence established whether Chinese government authorities directly ordered the theft or tacitly permitted the activity. Response efforts focused on financial transaction tracing and interagency collaboration, with the Secret Service appointing a national pandemic fraud recovery coordinator to oversee investigations. The incident highlighted systemic vulnerabilities in rapidly deployed relief programs that processed unprecedented volumes of financial transactions under emergency conditions.
