At least $20 million in U.S. COVID-19 relief money was stolen by hackers linked to the Chinese government, the first government-acknowledged instance of pandemic fraud by state-sponsored foreign hackers.
China-based hacking group APT41, described as a prolific “workhorse” of cyberattacks, stole the funds from Small Business Administration loans and unemployment insurance in over a dozen states, the Secret Service exclusively revealed to NBC News.
The operation began in mid-2020 and involved more than 40,000 transactions on 2,000 accounts, NBC reported. About half of the funds have been recovered, according to the Secret Service.
But the hackers may still be inside state systems. A cybersecurity firm in March reported that APT41 had breached and was siphoning data from at least six state governments.
And they may always be there, according to William Evanina, former director of the National Counterintelligence and Security Center.
“Once you are in these systems with intent to promulgate theft, you’re in forever,” Evanina told NBC, because many systems are linked together at state and local levels. He said the only way around that is to “tear down the systems and replace everything.”
While one senior Justice Department official told NBC the attack was “dangerous” and a potential “escalation,” it isn’t clear that China directed the hack.
NBC describes APT41 as one of many semi-independent groups that take on contracts for government espionage. The Secret Service said it considers APT41 a “Chinese state-sponsored” group that also conducts “financial crimes for personal gain.”
Even if the Chinese government didn’t order the hack, its reveal highlights the flood of fraud that accompanied the government unleashing trillions of dollars during the pandemic. The $20 million apparently stolen by Chinese hackers is a drop in the bucket of COVID-19 relief money lost to fraud or error.
NBC previously reported that credible estimates of stolen COVID-19 funds range as high as $400 billion, most of which likely went to foreign criminals. The government recently sampled the pandemic-boosted unemployment payouts in only four states and estimated that 42 percent – or $30.4 billion – had been improperly paid there.
The Paycheck Protection Program has been called the “biggest fraud in a generation” with as much as $80 billion stolen. Another $80 billion was lost in a separate Small Business Administration loan program, the Times Union reported.
“A lot of these criminals, we’ll never be able to indict and locate,” a federal law enforcement official told NBC. “With the internet and the dark web, it’s borderless.”