A Chinese national accused of carrying out cyberattacks for China’s intelligence services has been extradited from Italy to the United States, where he now faces federal charges tied to alleged intrusions targeting COVID-19 researchers and thousands of Microsoft Exchange servers.
The U.S. Department of Justice said Xu Zewei, 34, appeared Monday in federal court in Houston on a nine-count indictment covering alleged computer intrusions between February 2020 and June 2021.
Xu Zewei faces charges linked to HAFNIUM campaign
According to the Justice Department, Xu is accused of taking part in intrusions connected to HAFNIUM, a Chinese state-sponsored hacking campaign that compromised thousands of computers worldwide, including in the United States.
TechCrunch reported that Xu was arrested in Italy last year at the request of U.S. authorities and was extradited to the United States over the weekend. His U.S. lawyer, Dan Cogdell, said that Xu pleaded not guilty to all charges at the Monday hearing.
Xu is charged alongside Zhang Yu, 44, another Chinese national who remains at large. The indictment alleges that officers of China’s Ministry of State Security and its Shanghai State Security Bureau directed Xu’s hacking activity, and that Xu worked for Shanghai Powerock Network Co. Ltd., which the department described as one of several “enabling” companies in China that conducted hacking for the Chinese government.
COVID-19 research was allegedly targeted
The case includes allegations that Xu and his co-conspirators targeted U.S.-based universities, immunologists, and virologists working on COVID-19 vaccine, treatment, and testing research in early 2020.
Xu allegedly confirmed to a Shanghai State Security Bureau officer that he had compromised a research university in the Southern District of Texas and later acquired email contents belonging to researchers working on COVID-19.
Acting U.S. Attorney John G.E. Marck said Xu will now answer in federal court for alleged crimes that “struck at the heart of American science and security,” referring to accusations that COVID-19 research was stolen from U.S. universities at a critical point in the pandemic.
DOJ links case to Microsoft Exchange intrusions
The indictment also alleges that Xu and others exploited vulnerabilities in Microsoft Exchange Server beginning in late 2020. The exploitation was part of the HAFNIUM campaign against on-premises Exchange servers that Microsoft publicly disclosed in March 2021.
According to the Justice Department, the HAFNIUM campaign targeted more than 60,000 entities in the U.S. and successfully compromised more than 12,700 of them.
The Justice Department said the victims included another university in the Southern District of Texas and a law firm with offices worldwide, including in Washington, D.C. Prosecutors allege that after exploiting the Exchange servers the attackers installed web shells, giving them persistent remote access over HTTP, and then searched the stolen mailboxes for terms including “Chinese sources,” “MSS,” and “HongKong.”
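A web shell is the one artifact of this intrusion pattern that a defender can still look for on the server itself. The following triage scanner is an added example written for this page; it is not code from the indictment, the DOJ, or Microsoft, and the indicator patterns, file names and sample page contents are constructed here rather than taken from any published HAFNIUM indicator list. It walks an IIS web root for ASP.NET script files that combine several traits of a minimal shell (a server-side script block, input read from the HTTP request, and a code-execution or process-spawning call), so that an ordinary page with only one of those traits is not reported.

```python
"""Triage scan for ASP.NET web shells dropped under an IIS/Exchange web root.

Added example, not from the indictment or any vendor advisory. The
indicator regexes are generic, constructed heuristics for a script that
takes attacker input from the HTTP request and executes it; they are not
the file names, hashes or paths of any specific campaign.
"""
import os
import re
import tempfile

# Each indicator is one trait of a minimal web shell. A file is flagged
# only when it shows several of them, so a normal server-side page with a
# single runat="server" script block is not reported.
INDICATORS = {
    "server_script": re.compile(r"<script[^>]*runat\s*=\s*[\"']?server", re.I),
    "request_input": re.compile(
        r"\bRequest\s*(\.\s*(Form|QueryString|Params|Item|Headers))?\s*\[", re.I),
    "code_exec": re.compile(r"\b(eval|Execute|ExecuteGlobal)\s*\(", re.I),
    "process_spawn": re.compile(
        r"System\.Diagnostics|Process\.Start|cmd\.exe|powershell", re.I),
    "file_write": re.compile(r"File\.WriteAllBytes|FileStream|\.SaveAs\s*\(", re.I),
}
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax")

# Constructed sample file contents (not real-world samples).
SAMPLE_SHELL = (
    '<script language="JScript" runat="server">'
    'function Page_Load(){eval(Request["cmd"],"unsafe");}'
    '</script>'
)
SAMPLE_BENIGN_PAGE = (
    '<%@ Page Language="C#" %>'
    '<script runat="server">void Page_Load(object s, EventArgs e){'
    'Greeting.Text = "Hello";}</script>'
    '<html><body><asp:Label id="Greeting" runat="server" /></body></html>'
)


def score_aspx(text):
    """Return the names of the indicators present in one file's contents."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(text)]


def is_suspicious(text, threshold=2):
    """True when the contents show at least `threshold` distinct indicators."""
    return len(score_aspx(text)) >= threshold


def scan_tree(root, threshold=2):
    """Walk a web root; return sorted (relative path, indicators) for hits."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits = score_aspx(fh.read())
            if len(hits) >= threshold:
                findings.append((os.path.relpath(path, root), hits))
    return sorted(findings)


def demo():
    """Lay out a constructed web root in a temp dir, scan it, return hits."""
    with tempfile.TemporaryDirectory() as root:
        auth_dir = os.path.join(root, "owa", "auth")  # hypothetical layout
        os.makedirs(auth_dir)
        with open(os.path.join(auth_dir, "logon_sample.aspx"), "w") as fh:
            fh.write(SAMPLE_BENIGN_PAGE)
        with open(os.path.join(auth_dir, "shell_sample.aspx"), "w") as fh:
            fh.write(SAMPLE_SHELL)
        with open(os.path.join(auth_dir, "readme.txt"), "w") as fh:
            fh.write(SAMPLE_SHELL)  # wrong extension: not a script, skipped
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo():
        print(f"{path}: {', '.join(hits)}")
```

On a real server the scan would be pointed at the IIS web root and Exchange's virtual-directory paths, and the hits triaged by file modification time against the patch date; the threshold is deliberately conservative, so a shell that only spawns a process without reading request input needs a lower threshold or an additional indicator.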
FBI says extradition shows global reach
FBI Cyber Division Assistant Director Brett Leatherman said Xu’s extradition shows the FBI’s reach “extends well beyond U.S. borders.”
He said Xu now faces allegations over his role in HAFNIUM, which he described as a campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations.
Xu faces several charges, including conspiracy to commit wire fraud, wire fraud, unauthorized access to protected computers, intentional damage to protected computers, and aggravated identity theft.
The wire-fraud conspiracy and wire-fraud counts each carry a maximum penalty of 20 years in prison; unauthorized access to protected computers carries a maximum of five years and intentional damage to protected computers a maximum of 10 years, while aggravated identity theft carries a mandatory two-year term served consecutively to any other sentence.
China has opposed the extradition
China’s Foreign Ministry opposed Xu’s extradition and accused the U.S. government of fabricating cases. The Chinese Embassy in Washington did not respond to a request for comment.
The case is another example of U.S. prosecutors trying to bring alleged Chinese state-backed hackers into American courts, even though many suspects remain outside U.S. reach.
For Washington, Xu’s extradition is a rare enforcement win in a field where indictments often serve mainly as public attribution. For Beijing, the case adds another cyber flashpoint to already tense U.S.-China relations.