View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 7, 2022

Chinese hackers stole $20m of US Covid-19 relief funds. The UK has likely suffered a similar fate.

The money was pilfered from funds designed to help small businesses as hackers took advantage of the chaos caused by the pandemic.

By Claudia Glover

Hackers backed by the Chinese government stole at least $20m from Covid-19 relief funds in the US, officials in Washington believe. Other countries such as the UK are likely to have been hit with similar attacks, a security researcher told Tech Monitor.

Has the UK government unwittingly handed over taxpayers’ money to overseas, state-backed cybercrime gangs? (Photo by

A Chinese APT group known as APT41 is behind the raid which saw at least $20m stolen, a US Secret Service spokesperson has told NBC.

The theft was uncovered as part of a wider investigation into pandemic funds fraud carried out by the US Secret Service, which announced on Friday that it had recovered $286m in Covid-19 relief funds. 

Covid-19 relief funds targeted by Chinese hackers APT41

It is thought APT41 targeted small business administration loan money, designed to help companies get through the pandemic, and unemployment insurance funds in more than a dozen US states. 

Though the US is the first company to report that its pandemic funds were targeted by international hackers, others are likely to follow says Allan Liska, cybersecurity lead at security company Recorded Future. 

“There were a lot of funds that were sent out, and in many countries there wasn’t a lot of oversight,” Liska says. “Both cybercriminals and now nation-state actors were able to take advantage of that to redirect funds. The same thing will have happened in other countries as well.”

In February the UK government announced that up to £16bn was lost due to “fraud and error” in Covid-19 loan schemes. Some of this lost cash is likely to have been taken by cybercriminals, Liska says. “This would be right in line with the kind of thing that nation-state hackers, particularly from countries like North Korea, like to engage in, in order to steal funds,” he says. “We just haven’t seen the evidence yet.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Hackers could have easily used stolen data from the dark web to fake an application to one of the schemes, Liska adds. “Even if the governments had good cybersecurity practices in place, because there are so many stolen credentials that are available in underground markets, it would be really easy to fake a Covid application using someone else’s name,” he says.

Who are APT41?

Over the past seven years APT41, also known as BARIUM, has targeted countries in Europe, South East Asia and the US. It has been found to target political, economic and military organisations, according to a report from security company SOCRadar. 

In 2020, the FBI released an international “most wanted” poster showing the faces of four indicted members of the group, who faced charges including racketeering, money laundering, fraud, identity theft and access device fraud. 

These charges stem from hacking activities carried out while employed by Chengdu 404 Network Technology Company. According to the poster, “the defendants allegedly conducted supply chain attacks to gain unauthorised access to networks throughout the world, targeting hundreds of companies in Australia, Brazil, Germany, India, Japan and Sweden.”

The US Secret Service has told NBC that there are more than 1,000 ongoing investigations involving transnational criminal actors involving benefit scams, and that APT41 is a key player in this space. 

Read more: Will OpenAI’s ChatGPT help hackers create malware?

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.