Key Takeaways
- Xu Zewei, a 34‑year‑old Chinese national, was extradited from Italy to the United States and appeared in a Houston federal court on a nine‑count indictment linked to alleged computer‑intrusion activities conducted between February 2020 and June 2021.
- Prosecutors allege that Xu acted under the direction of officers from China’s Ministry of State Security (MSS) Shanghai State Security Bureau (SSSB) and worked through a private contractor, Shanghai Powerock Network Co. Ltd. (Powerock), to conceal the PRC’s involvement.
- The indictment ties Xu to two distinct hacking campaigns: (1) targeting U.S. COVID‑19 research institutions in early 2020, and (2) exploiting vulnerabilities in Microsoft Exchange Server as part of the broader HAFNIUM operation that compromised more than 12,700 U.S. organizations.
- Xu and his co‑conspirator Zhang Yu (still at large) allegedly briefed SSSB supervisors on their progress, confirming compromises of university networks and the email mailboxes of virologists and immunologists, and later the installation of web shells for persistent remote access.
- The charges carry severe penalties, including up to 20 years imprisonment for wire‑fraud counts, up to 10 years for intentional damage to protected computers, and additional time for conspiracy and aggravated identity‑theft offenses.
- The case highlights the U.S. government’s commitment to pursuing state‑sponsored cyber actors, the importance of international cooperation (notably Italy’s Polizia Postale), and the ongoing threat posed by PRC‑linked contractors who obscure government involvement while profiting from cyber‑espionage.
Background on the Extradition and Initial Court Appearance
Xu Zewei was apprehended in Milan, Italy, following a coordinated law‑enforcement effort that involved the FBI’s Cyber Division and Italy’s Polizia Postale. His extradition to the United States was completed over the weekend, after which he made his initial appearance before a U.S. District Court judge in Houston. The proceedings marked the first time Xu faced American justice for the alleged conduct outlined in a nine‑count indictment that spans computer intrusions, wire fraud, and identity‑theft charges related to activities conducted between February 2020 and June 2021.
Alleged Direction by Chinese State Security
According to the indictment and supporting court documents, Xu did not operate independently. Officers from the PRC’s Ministry of State Security (MSS) Shanghai State Security Bureau (SSSB) allegedly directed his hacking efforts. The MSS and its subsidiary SSSB are responsible for China’s domestic counterintelligence, non‑military foreign intelligence, and aspects of political and domestic security. Xu’s reported employer, Shanghai Powerock Network Co. Ltd. (Powerock), is described as one of many private “enabling” firms in China that conduct hacking on behalf of the government while ostensibly operating for profit.
Statements from U.S. Officials
Senior U.S. officials emphasized the significance of the case. Assistant Attorney General for National Security John A. Eisenberg praised the prosecutors and investigators for their persistence and reiterated the Department of Justice’s commitment to pursuing hackers who threaten American businesses and universities. Acting U.S. Attorney John G.E. Marck for the Southern District of Texas highlighted the alleged theft of COVID‑19 research during a global crisis, stating that the indictment sends a clear message that the United States will protect its scientific assets. Assistant Director Brett Leatherman of the FBI’s Cyber Division noted that Xu’s extradition demonstrates the FBI’s reach beyond U.S. borders and warned that other contractors working for the Chinese government face similar risks.
Targeting COVID‑19 Research in Early 2020
The indictment details that, beginning in early 2020, Xu and his co‑conspirators focused on U.S.-based universities, immunologists, and virologists engaged in COVID‑19 vaccine, treatment, and testing research. On or about February 19, 2020, Xu reportedly informed an SSSB officer that he had compromised the network of a research university located in the Southern District of Texas. Two days later, the SSSB officer instructed Xu to target specific email accounts belonging to virologists and immunologists at that institution. Xu subsequently confirmed that he had accessed the contents of those researchers’ mailboxes, allegedly stealing sensitive scientific data.
Exploitation of Microsoft Exchange Server and the HAFNIUM Campaign
The indictment alleges that, starting in late 2020, Xu and his accomplices shifted focus to exploiting vulnerabilities in Microsoft Exchange Server, a widely used platform for email communication. Their exploitation formed part of the globally recognized HAFNIUM intrusion campaign, which Microsoft publicly disclosed in March 2021 as a state‑sponsored operation originating from China. Throughout March 2021, Microsoft, industry partners, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) released detection tools, patches, and a joint advisory to help victims identify and mitigate the compromise. Despite these efforts, hundreds of web shells remained on vulnerable U.S. Exchange servers by the end of March. In April 2021, the Justice Department announced a court‑authorized operation to remediate affected systems, and by July 2021, the United States and its foreign partners attributed the HAFNIUM campaign to the PRC’s MSS.
Specific Victims and Persistent Access Mechanisms
Among the entities allegedly impacted by Xu’s Exchange Server exploits were another university in the Southern District of Texas and an international law firm with offices in Washington, D.C., among other locations. After gaining initial access, Xu and his co‑conspirators installed web shells (malicious scripts that give an intruder remote administrative control of a server) on the compromised systems. The indictment asserts that these web shells were characteristic of HAFNIUM actors at the time. Xu reportedly updated his SSSB supervisor on successful intrusions and, following direction, obtained lists of additional compromised systems from a second SSSB officer. Unauthorized access to the law firm’s network allowed the group to search mailboxes for information pertaining to U.S. policymakers and government agencies, using search terms such as “Chinese sources,” “MSS,” and “HongKong.”
Broader Implications of China’s Use of Private Contractors
The July 2025 announcement of charges against Xu underscores a broader pattern: the PRC allegedly employs an extensive network of private companies and contractors in China to conduct hacking operations that obscure direct government involvement. Motivated by profit, these entities indiscriminately scan for vulnerable computers, exploit them, and then seek information that can be sold—either directly to the Chinese government or to third parties. This approach expands the victim pool, leaves numerous systems worldwide exposed to future exploitation, and often results in the theft of data of little strategic value to China, which is subsequently monetized elsewhere.
Charges, Potential Penalties, and Status of Co‑Conspirator
Xu faces a nine‑count indictment that includes: conspiracy to commit wire fraud and two counts of wire fraud (each carrying a maximum of 20 years imprisonment); conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft (maximum five years); two counts of obtaining information by unauthorized access to protected computers (maximum five years each); two counts of intentional damage to a protected computer (maximum ten years each); and aggravated identity theft (maximum two years). Zhang Yu, the alleged co‑conspirator identified in the indictment, remains at large and has not been apprehended.
Prosecution Team and International Cooperation
The case is being prosecuted by Assistant U.S. Attorney Mark McIntyre of the Southern District of Texas and Deputy Chief Matthew Anzaldi of the National Security Division’s National Security Cyber Section. The U.S. Department of Justice’s Office of International Affairs coordinated Xu’s arrest and extradition from Italy, with particular appreciation expressed toward the Italian Government and the Cyber Division of the Italian National Police (Polizia Postale) for their instrumental role. The FBI’s Houston Field Office continues to investigate the matter, underscoring the ongoing commitment to hold accountable those who engage in cyber‑espionage against the United States.
Conclusion
The extradition and prosecution of Xu Zewei illustrate the United States’ resolve to counter state‑sponsored cyber threats, especially those that exploit moments of global vulnerability such as the COVID‑19 pandemic. By linking Xu’s alleged actions to the direction of Chinese intelligence services and exposing the mechanics of PRC‑linked contractor networks, the case seeks not only to punish individual wrongdoing but also to deter future attempts to undermine American scientific, governmental, and private‑sector cybersecurity. The outcome of the proceedings will likely serve as a benchmark for how extraterritorial cybercrime is addressed in an era of increasingly sophisticated and state‑backed hacking operations.