The Finding

The United States will impose sanctions on a Chinese military cyber unit and a front company in Guangzhou by January 6, according to two U.S. officials familiar with the matter. The move follows a breach of a Treasury Department payment system detected on December 27, 2025, which investigators have linked to hackers affiliated with the People's Liberation Army Strategic Support Force, the officials said.

The intrusion targeted the Bureau of the Fiscal Service's payment processing environment, the back office that handles roughly $5 trillion in federal disbursements each year. The attackers diverted roughly $2.3 million in transactions before automated fraud controls froze further outbound movement, according to a senior official, speaking on condition of anonymity. The official said the stolen funds were routed through accounts at a small lender in Hong Kong and then to a cryptocurrency exchange registered in the Seychelles.

A classified Joint Intelligence Bulletin, numbered 2026-001 and circulated to U.S. financial regulators on December 30, attributed the operation to a unit previously associated with campaigns against defense contractors and telecommunications firms, the senior official said. The bulletin described the Treasury compromise as the first known instance in which a state-linked actor moved funds out of a federal payment system rather than merely collecting data.

Forensic analysts found that the attackers used stolen contractor credentials obtained through a phishing message sent to a Treasury information technology vendor on December 18, the officials said. The vendor, which supports cloud infrastructure in Ashburn, Virginia, reported the phishing attempt internally but did not flag it to Treasury until December 26, one official said. By then, the attackers had established persistence inside the payment environment and had begun testing small transactions.

Investigators matched the tools used in the intrusion, including a custom web shell and a command-and-control domain registered on December 12, to activity tracked since 2023 by a private threat intelligence firm in Reston, Virginia, according to a former Senate Intelligence Committee staffer. The staffer said the domain was registered through a reseller based in Kuala Lumpur and pointed to an IP address in Guangdong province.

The Sanctions Decision

The President's national security principals met in the White House Situation Room at 9 a.m. on Friday to review response options, two officials familiar with the meeting said. The group, which included the national security adviser, the deputy attorney general, and the acting Treasury secretary, agreed to a package of Treasury sanctions, visa restrictions, and a Justice Department indictment naming two officers, the officials said.

The sanctions will target the cyber unit, a front company operating from the 18th floor of an office tower in Guangzhou's Tianhe District, and a cryptocurrency mixer used to launder proceeds, according to one official. The designations are scheduled for publication in the Federal Register on January 6 and will freeze any U.S.-linked assets, bar transactions with American persons, and restrict export licenses to the front company.

The front company, registered in Guangzhou in March 2024, lists itself as a logistics firm but holds no known commercial clients, according to corporate records reviewed by a congressional aide. Its registered address matches the office tower in Tianhe District, the aide said.

The Justice Department is preparing a sealed indictment to be unsealed alongside the sanctions, according to a former Senate Intelligence Committee staffer briefed on the matter. The indictment will accuse two named officers of wire fraud and conspiracy to commit computer intrusion, the staffer said. Federal prosecutors in the Eastern District of Virginia have handled the filing, which is expected to include evidence from intercepted chat messages and blockchain analysis, the staffer added.

CISA, the FBI, and the NSA have formed a joint task force with Treasury to remediate the compromise, the officials said. The team expects to complete a forensic review by January 10 and will brief the House and Senate intelligence committees during the week of January 12. One official said Treasury has restored the affected environment to a clean backup taken on December 22 and has rotated credentials for roughly 14,000 users.

The administration has not yet decided whether to publicly attribute the intrusion directly to Beijing or to describe the unit as acting with state direction, the senior official said. That question is likely to be settled during a second principals meeting scheduled for Sunday evening, the official added.

What to Watch

The administration plans to notify allies before the January 6 announcement and is expected to call for parallel designations from the United Kingdom, Australia, and Japan, the senior official said. State Department cables sent on January 1 asked embassies in those capitals to request coordination meetings by January 4, the official said. Canadian officials were briefed separately on December 31, one official said.

Congressional Republicans have scheduled a closed hearing before the House Intelligence Committee for January 8, two congressional aides briefed on the plan said. The aides said the hearing will focus on whether Treasury's fraud controls failed to detect the diversion quickly enough and whether similar payment systems at the Defense Department and the Department of Health and Human Services carry comparable risk.

Major news outlets are expected to confirm the sanctions and the breach once the designations are published. Until then, the administration has held the details under close hold, with one official describing the matter as the most sensitive cyber incident of the fiscal year so far. The Alamo Post first reported the planned response on January 2.