Chinese authorities-linked hacker Xu Zewei, accused of playing a central role in the notorious Silk Typhoon (HAFNIUM) cyber campaign, has been extradited from Italy to the United States, marking a significant development in ongoing efforts to combat state-sponsored cyber espionage.
Xu, 34, a Chinese national, appeared before a U.S. District Court in Houston following his extradition over the weekend.
He faces a nine-count indictment tied to a series of cyber intrusions conducted between February 2020 and June 2021.
U.S. prosecutors allege that Xu participated in large-scale hacking operations targeting American universities, law firms, and COVID-19 research institutions during a critical period of the global pandemic.
According to court documents, Xu operated under the direction of China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB).
At the time, he was reportedly employed by Shanghai Powerock Network Co. Ltd., one of several “enabling” firms allegedly used by the Chinese government to carry out cyber operations while maintaining plausible deniability.
Targeting COVID-19 Research
One of the most serious allegations involves cyberattacks against U.S.-based researchers working on COVID-19 vaccines, treatments, and testing.
Prosecutors claim Xu and his co-conspirators infiltrated university networks and accessed sensitive email accounts belonging to immunologists and virologists.
In February 2020, Xu allegedly confirmed to MSS officials that he had successfully breached a Texas-based research university.
He was then instructed to extract data from specific researchers’ mailboxes, which he reportedly did, handing over the stolen information to intelligence handlers.
U.S. officials emphasized that these intrusions occurred at a time when global collaboration and scientific integrity were critical to combating the pandemic, raising concerns over national security and intellectual property theft.
Xu is also accused of involvement in the widespread exploitation of Microsoft Exchange Server vulnerabilities, a campaign publicly disclosed by Microsoft in March 2021 and widely tracked as HAFNIUM, also known as Silk Typhoon.
The attackers leveraged zero-day vulnerabilities in Exchange Server to gain unauthorized access to thousands of systems worldwide.
After exploitation, they deployed web shells, malicious scripts that allowed persistent remote access to compromised servers.
Victims included a U.S. university and an international law firm, where attackers searched stolen emails for sensitive terms such as “MSS,” “HongKong,” and references to U.S. policymakers.
Despite emergency patches and guidance released by Microsoft, CISA, and the FBI, hundreds of compromised systems remained vulnerable weeks after disclosure.
Broader Cyber Espionage Network
U.S. authorities say Xu’s case highlights a broader ecosystem of state-backed cyber contractors in China.
These groups allegedly scan for vulnerable systems globally, exploit them, and harvest data that may be passed to government intelligence agencies or sold to third parties.
This model allows state actors to obscure direct involvement while expanding the scale of cyber operations.
Officials warn that such indiscriminate campaigns increase global cybersecurity risks by leaving behind compromised systems that can be reused by other threat actors.
Xu faces multiple charges, including wire fraud, unauthorized access to protected systems, intentional damage to computers, and aggravated identity theft. If convicted, he could face decades in prison.
His alleged co-conspirator, Zhang Yu, 44, remains at large. The FBI has urged anyone with information about Zhang’s whereabouts to come forward.
The investigation is being led by the FBI’s Houston Field Office, with support from U.S. prosecutors and international partners. Italian law enforcement, particularly the Polizia Postale, played a key role in Xu’s arrest in Milan and subsequent extradition.
The case underscores the increasing willingness of U.S. authorities to pursue cybercriminals across borders, especially those linked to nation-state operations targeting critical infrastructure and sensitive research.