This story is over 5 years old.

Chinese Media Says Criminals Hacked OPM, Not Government Spies

That's the result of an "investigation," according to state media Xinhua.
Office of Personnel Management. Image: Shutterstock

Just when people were starting to forget about the catastrophic Office of Personnel Management (OPM) hack—which saw the details of at least 32 million spies and federal employees land in the laps of suspected Chinese government hackers—someone comes along and shakes things right up by saying that another group was responsible altogether.

On Wednesday, China's state-run media outlet Xinhua buried a massive, unsubstantiated claim in a report on recent talks with the US on combating cybercrime: that an "investigation" revealed the OPM hack was the work of criminals, rather than state-sponsored hackers.


"Among the cases discussed included the one related to the alleged theft of data of the US Office of Personnel Management by Chinese hackers," Xinhua claims, referring to a recent meeting between Chinese and US officials. "Through investigation, the case turned out to be a criminal case rather than a state-sponsored cyber attack as the US side has previously suspected." No further information about the investigation, such as who conducted it, is provided.

This might come as quite a shock to those who have been following the story of the OPM hack. It has been widely reported that the attack was carried out at the behest of the Chinese government, with the Washington Post citing anonymous US officials and private cybersecurity company iSight Partners.

And although members of the information security community have claimed to have found OPM records for sale on the dark web—which Motherboard debunked in July—and scammers have attempted to peddle other stolen data under the premise it was sourced from the OPM, no evidence has been presented that the hack was criminal in nature, rather than an act of espionage.

When asked for comment, Samuel Schumach, press secretary for the Office of Personnel Management, wrote in an email, "We'd have to refer you to the FBI for comment."

The FBI did not immediately respond.

"If OPM hack was criminal, China should investigate and identify perpetrators, then extradite to US for prosecution," tweeted Richard Bejtlich, a strategist from cybersecurity company FireEye. Previously, the two countries helping each other around cybersecurity issues would just be a fantasy, but in October, the Chinese government arrested several hackers at the request of the US, a rare sight.

The story of the OPM hack has progressively got more tragic, with the agency slowing revealing that more and more data was stolen. Now the story is just getting weirder.