The Attribution Decision

The Trump administration is preparing to publicly attribute a cyber intrusion at the U.S. Treasury Department to a unit of China's Ministry of State Security, with an official announcement expected as early as December 24, according to two U.S. officials familiar with the matter. The statement will accuse the Chengdu-based unit of maintaining unauthorized access to Treasury networks for roughly two weeks and will be accompanied by sanctions and criminal charges, the officials said.

President Donald Trump approved the response package during a National Security Council meeting on December 20 in the White House Situation Room, one official said. The classified assessment that forms the basis for the attribution was finalized by the Office of the Director of National Intelligence on December 18, the official said. A separate technical report from the National Security Agency, completed on December 16, traced the intrusion to infrastructure operated by a group tracked internally as Red Vine, the official said.

Red Vine shares digital signatures with a Ministry of State Security unit that Western intelligence agencies have linked to previous campaigns against finance ministries in Estonia, Lithuania, and Belgium, the official said. The administration has briefed officials from Britain, Canada, Australia, and Japan on the findings and expects at least two allied governments to issue supporting statements, the second official said.

How Treasury Detected the Breach

Treasury Department cyber staff first identified suspicious activity on December 2, when anomalous login patterns appeared on a workstation used by the Bureau of the Fiscal Service, according to a senior official who spoke on condition of anonymity. The incident response team determined that the actors had accessed unclassified payment processing systems and internal employee directories between November 28 and December 12, the official said.

The intrusion began when an employee opened a phishing email on November 25 that deployed a custom credential-harvesting tool, according to the senior official. The tool, which analysts have named SilkHarvest, transmitted account data to an external server registered in Malaysia before routing traffic through relays in Singapore and Germany, the official said. Investigators matched SilkHarvest to a sample recovered from a 2023 breach of Estonia's finance ministry, one official said.

The breach did not reach systems that store individual taxpayer records, Social Security payment ledgers, or direct deposit account numbers for federal beneficiaries, the senior official said. It did, however, expose internal routing information for approximately 4.7 million routine government transactions, including vendor payments and interagency fund transfers, the official said. Remediation costs are estimated at $18 million through the end of the fiscal year, the official said.

Treasury's Office of Intelligence and Analysis notified CISA and the FBI on December 4. CISA issued an emergency directive to other federal agencies on December 6 requiring them to search for related indicators of compromise. A joint incident response team convened at FBI headquarters in Washington on December 9 and briefed staff from the House and Senate intelligence committees on December 12, according to a former Senate Intelligence Committee staffer who attended the briefing.

Planned U.S. Response

The administration intends to pair the public attribution with a Treasury Department sanctions package targeting the Ministry of State Security unit and four front companies registered in Sichuan province, two officials said. The designations will freeze any U.S.-based assets and prohibit American companies from transactions with the listed entities, the officials said. The State Department is also expected to restrict visas for employees of the designated companies, one official said.

The Justice Department is preparing an indictment naming three Chinese nationals, including one who traveled to Hong Kong in November 2025 and another who communicated with a suspected front company in Chengdu, the officials said. The filing is expected to be unsealed before December 26, and arrest warrants will be issued through Interpol, one official said. FBI agents served a search warrant on December 18 at a residence in Queens, New York, in connection with the investigation, the official said.

The Chinese Embassy in Washington did not respond to multiple requests for comment on Monday. The Treasury Department, the Office of the Director of National Intelligence, the NSA, CISA, and the Justice Department all declined to comment.

Stakes and What to Watch

The disclosure would mark the first time the Trump administration has publicly accused a Chinese state intelligence service of targeting a cabinet-level department's operational networks. Officials said the timing is intended to precede a planned January 6, 2026, meeting between Treasury Secretary Scott Bessent and China's Vice Premier He Lifeng in Zurich, where the breach is likely to be raised.

Watch for whether the White House issues the attribution statement on December 23 or December 24, and whether Beijing retaliates against U.S. financial institutions or expels American diplomats before year-end. Congressional intelligence committee leaders have requested a closed briefing for January 7, 2026, two officials said. A second classified assessment examining whether the intrusion reached any Federal Reserve systems is due by January 15, the senior official said.