US seizes millions in stolen COVID relief funds by China-backed hackers

A total of $20 million in US government funds intended for coronavirus relief was stolen by Chinese state-sponsored hackers, according to the US Secret Service.

The agency believes that the threat group, tracked as APT41, operated more than 2,000 accounts across its fraud operation, which began in 2020. The group is known for taking advantage of victims who have not yet implemented crucial security updates, especially after details of those updates have been shared by public bodies such as the Cybersecurity and Infrastructure Security Agency (CISA).


Money intended for businesses and unemployed workers through a variety of government programmes was found to have been stolen by the fraudsters, the first time fraud of this nature has been linked, directly or indirectly, to a foreign state.

The discovery has raised serious questions around national security, and whether or not the group acted for profit or with government backing.

The total amount of money stolen through improper payouts of government COVID funds is unknown. Estimates range from $80 billion to more than $500 billion, of which only a small amount has been recovered or accounted for at the time of writing.

More than a thousand investigations are ongoing, with APT41 and other international actors under scrutiny.

NBC News cited anonymous officials as having indicated that state-backed hackers are seemingly involved in a number of ongoing federal fraud investigations, while investigators have previously indicated that a majority of the stolen funds were taken overseas and will therefore be difficult to track.

In August, the US Secret Service announced that it had recovered around $286 million, and the agency has since stated that a total of $1.4 billion in illicitly acquired funds intended for small businesses has been accounted for.

The variety of pandemic schemes for businesses, including the Economic Injury Disaster Loans (EIDL) and Paycheck Protection Program (PPP), increases the difficulty in recovering the funds due to the varied sources.

Five Chinese nationals have been indicted as part of the investigation efforts, though no extradition process has been undertaken.

APT41 is a widely tracked threat actor with a long record of incidents. Cyber security firm Mandiant, for example, this year discovered that APT41 had compromised six US government networks since the start of 2021, utilising vulnerabilities such as the Log4Shell flaw.

At the time, researchers were unable to establish a specific motive, but noted that the group has worked for profit in the past. In 2020, the US Department of Justice (DoJ) charged APT41 members with computer intrusions into more than 100 victims in the United States and overseas. These included software development companies, hardware manufacturers, video game companies, and more.

Concerns over breaches by groups such as APT41 have led to a tightening of security across US government agencies. CISA now requires agencies to patch the vulnerabilities behind recent exploits within two weeks of their discovery, and Congress has passed a bill that would ban the Department of Defense (DoD) from vulnerable software.

“If we can come together and really have open and honest conversations about what works well and what went very wrong, we would just be in a much better place to stop this,” Maryland labour secretary Tiffany Robinson told NBC News. “Because this is not over.”

Cyber crime increased noticeably across the pandemic, as fraudsters and threat actors took advantage of newfound hybrid working patterns, the increase in online deliveries, and government funding schemes for their own ends. Account takeover fraud rose 2.8 times across the pandemic, and delivery fraud became the most common form of smishing.

Fraud detection and prevention is a rapidly-growing market, and according to a report by Acumen Research and Consulting its value is due to hit $176 billion by 2030.

Rory Bathgate
Features and Multimedia Editor
