
Hackers lurked in Treasury OCC’s systems since June 2023 breach

Unknown attackers who breached the Treasury's Office of the Comptroller of the Currency (OCC) in June 2023 gained access to over 150,000 emails, according to anonymous sources familiar with the matter.

The OCC is an independent bureau of the U.S. Department of the Treasury that oversees banks and federal savings associations and ensures they comply with applicable laws and regulations, treat customers fairly, and provide fair access to financial services.

As Bloomberg first reported, the threat actors gained the ability to monitor employees' emails after breaking into an email system administrator's account, as OCC disclosed in February 2025.

At the time, it reported the attack to the U.S. Cybersecurity and Infrastructure Security Agency as a "cybersecurity incident" involving its email system and multiple email accounts, with no impact on the financial sector.

"The Office of the Comptroller of the Currency (OCC) this month identified, isolated and resolved a security incident involving an administrative account in the OCC email system," the U.S. banking regulator said.

"The OCC's investigation analyzed all email logs since 2022 for due diligence. The OCC identified a limited number of affected email accounts that have since been disabled."

While the OCC initially said the breach only affected a limited number of accounts, people familiar with the investigation told Bloomberg that the attackers had access to more email accounts than previously thought and to around 100 bank regulators' emails.

Major information security incident

On Tuesday, April 8, the banking regulator notified the U.S. Congress of a "major information security incident" discovered on February 11. The regulator said the system administrative account compromised in the breach was disabled one day later, on February 12.

The OCC added that "the unauthorized access to a number of its executives' and employees' emails included highly sensitive information relating to the financial condition of federally regulated financial institutions used in its examinations and supervisory oversight processes."

In early January, the Treasury Department also disclosed that its network was breached using a stolen Remote Support SaaS API key to compromise a BeyondTrust instance used by the agency.

That attack has since been linked to a Chinese state-backed hacking group tracked as Silk Typhoon. The threat actors specifically targeted the Office of Foreign Assets Control (OFAC), which administers trade and economic sanctions programs, and the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks.

Silk Typhoon hackers also breached the Treasury's Office of Financial Research systems, but the impact of this incident is still being assessed.

Update April 08, 13:45 EDT: Added details on OCC's Tuesday press release.
