Threat actors working on behalf the Chinese government reportedly have stolen tens of millions of dollars in US Covid relief benefits, including Small Business Administration loans and unemployment insurance funds in over a dozen states, since 2020, the US Secret Service revealed.

The agency has confirmed a report from NBC News that said that the hacker group believed to be behind the thefts is a China-linked threat actor tracked by the cybersecurity community as APT41.

Also known as Barium, Winnti, Wicked Panda, Wicked Spider, Axiom, Lead, or BlackFly, this APT is one of the most prolific state-sponsored groups linked to the Chinese government. Active since at least 2010, the threat actor is believed to be behind malicious campaigns aimed at a wide variety of sectors, including the healthcare, pharmaceutical, telecommunications, and video game industries across multiple countries, including the US, Japan, South Korea, India, Australia, and the UK.

Several members of APT41 were indicted in 2019 and 2020 by the US Department of Justice for spying on over 100 companies, including software development companies, telecommunications providers, social media firms, and video game developers. 

The theft of taxpayer funds by the Chinese hackers is the first instance of pandemic fraud tied to foreign, state-sponsored cybercriminals that the US government has acknowledged publicly, NBC noted. However, the Secret Service did not share the details about the scope of other investigations, saying there are more than 1,000 ongoing investigations involving transnational and domestic criminal actors defrauding public benefits programs, and APT41 is “a notable player.”