Italian authorities have extradited Xu Zewei, a Chinese national accused of being a member of the state-backed HAFNIUM (Silk Typhoon) hacking group, to the United States. Xu is now held at the Houston Federal Detention Center and faces a nine-count indictment tied to intrusions that compromised over 12,700 U.S. entities and targeted COVID-19 vaccine research.
What Happened
Xu Zewei was arrested in July 2025 in Milan, Italy, while traveling with his wife, following a U.S. arrest warrant first filed in the Southern District of Texas in November 2023. His lawyer, Simona Candido, confirmed the extradition took place on Saturday, with Xu transferred to U.S. custody in Houston. The Chinese Foreign Ministry, through spokesman Lin Jian, publicly criticized the Italian government's decision to honor the U.S. extradition request. Xu has consistently denied involvement in Chinese state hacking operations, claiming mistaken identity. U.S. prosecutors allege he and co-defendant Zhang Yu, who remains at large, conducted computer intrusions between February 2020 and June 2021 at the direction of China's Ministry of State Security (MSS) and the Shanghai State Security Bureau (SSSB). Xu faces charges of wire fraud, aggravated identity theft, and unauthorized access to protected computers, carrying a maximum sentence of 77 years if convicted on all counts.
What Was Taken
The HAFNIUM campaign, attributed to Xu and his co-conspirators, compromised more than 12,700 U.S. entities out of over 60,000 targeted, according to FBI Cyber Division Assistant Director Brett Leatherman. Stolen data included sensitive COVID-19 vaccine, treatment, and testing research from U.S. universities, immunologists, and virologists. Court documents specifically reference Xu confirming to SSSB handlers that he "had compromised the network of a research university located in the Southern District of Texas." Beyond pandemic-related intellectual property, the broader 2021 Microsoft Exchange Server attacks attributed to HAFNIUM exposed email content, credentials, and sensitive correspondence across thousands of government, enterprise, and small-business mailboxes worldwide.
Why It Matters
This extradition is a rare and consequential enforcement action against an alleged Chinese state-sponsored operator, signaling that allied jurisdictions are increasingly willing to detain and transfer Chinese cyber operatives. HAFNIUM, also tracked as Silk Typhoon, is one of the most prolific Chinese state-aligned intrusion sets, with a multi-year track record of targeting U.S. government agencies, academic institutions, and large enterprises. The case also reinforces public attribution linking commercial-looking intrusion activity directly to the MSS and SSSB, narrowing the plausible deniability Beijing has historically relied on. For defenders, the indictment provides a documented operational pattern: state-tasked targeting of strategically valuable verticals (biomedical research during COVID-19) followed by indiscriminate, mass-exploitation campaigns when zero-day access becomes available.
The Attack Technique
HAFNIUM is best known for the early-2021 Microsoft Exchange Server intrusion campaign, which chained four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, collectively "ProxyLogon") to achieve unauthenticated remote code execution on internet-facing Exchange servers. The group deployed web shells such as China Chopper for persistence, harvested mailbox contents, dumped credentials, and pivoted laterally into Active Directory environments. Earlier 2020 to 2021 operations against vaccine-research targets relied on spear-phishing, credential theft, exploitation of public-facing applications, and abuse of legitimate remote access tooling. The group operated under tasking from SSSB officers and reported intrusion outcomes back through formal handler relationships, indicating a structured, intelligence-driven targeting cycle rather than opportunistic crime.
What Organizations Should Do
- Audit all Microsoft Exchange Server deployments for legacy ProxyLogon, ProxyShell, and ProxyNotShell exposure, and migrate end-of-life on-premises Exchange to a supported, fully patched configuration or to Exchange Online.
- Hunt for known HAFNIUM and Silk Typhoon indicators, including China Chopper web shell artifacts in Exchange aspnet_client directories, anomalous OAB virtual directory writes, and outbound connections to known C2 infrastructure.
- Apply enhanced monitoring on research, biomedical, pharmaceutical, and academic environments, which remain high-priority targets for MSS-aligned operators tasked with strategic IP collection.
- Enforce phishing-resistant MFA (FIDO2 or platform authenticators) on all email, VPN, and remote-access endpoints, and disable legacy authentication protocols that bypass MFA.
- Implement egress filtering and DNS monitoring to detect web-shell beaconing, post-exploitation tunneling, and exfiltration to attacker-controlled infrastructure.
- Review CISA and FBI advisories on HAFNIUM and Silk Typhoon, integrate published TTPs into detection engineering, and run targeted purple-team exercises against Exchange and identity-system attack paths.
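As an added illustration of the hunting recommendations above (not code from the article, CISA, Microsoft, or any named advisory), the following Python script runs two checks that mirror publicly documented ProxyLogon-era hunting guidance: flagging Exchange HttpProxy log rows where an unauthenticated request carried a "ServerInfo~" anchor mailbox, and flagging .aspx files that sit in aspnet_client (which should only hold static resources) or that pass request input to eval(). The log column subset, the directory layout, file names, and all sample contents are constructed for the demo; a real Exchange HttpProxy log has many more columns and lives under the Exchange Logging directory.

```python
"""Hunt for two HAFNIUM / ProxyLogon-era indicators on an Exchange host.

Added example, not code from the article or any advisory. The HttpProxy column
subset, directory layout and file contents below are constructed; the checks
follow publicly documented hunting guidance.
"""
import csv
import io
import re
import tempfile
from pathlib import Path

# Constructed sample of Exchange HttpProxy log lines. Only the columns this
# check needs are included; real logs carry many more fields.
SAMPLE_HTTPPROXY_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T10:00:01.000Z,aaa,203.0.113.10,/owa/auth/x.js,,ServerInfo~mail01.example.test/ecp/
2021-03-02T10:00:05.000Z,bbb,198.51.100.7,/owa/,CORP\\alice,Sid~S-1-5-21-1111-2222-3333-1001
2021-03-02T10:00:07.000Z,ddd,198.51.100.9,/autodiscover/,,Smtp~bob@example.test
2021-03-02T10:00:09.000Z,ccc,192.0.2.44,/ecp/,,ServerInfo~localhost/autodiscover/autodiscover.xml
"""

# Legitimate traffic anchors on a mailbox (Sid~, Smtp~) and carries a user;
# an empty user plus a ServerInfo~<host>/<path> anchor is the documented signal.
SERVERINFO_RE = re.compile(r"^ServerInfo~[^/]+/", re.IGNORECASE)
# Server-side eval() over untrusted request data is the classic one-line web shell shape.
EVAL_REQUEST_RE = re.compile(r"eval\s*\(\s*Request\b", re.IGNORECASE)


def suspicious_httpproxy_rows(log_text: str) -> list:
    """Return log rows where an unauthenticated request used a ServerInfo~ anchor."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if not user and SERVERINFO_RE.match(anchor):
            hits.append(row)
    return hits


def suspicious_aspx_files(root: Path) -> list:
    """Return (path, reason) pairs for .aspx files that look out of place or shell-like."""
    findings = []
    for path in root.rglob("*.aspx"):
        parts = {p.lower() for p in path.parts}
        # aspnet_client should contain only static client resources (.js etc.).
        if "aspnet_client" in parts:
            findings.append((path, "aspx file inside aspnet_client"))
            continue
        try:
            body = path.read_text(errors="ignore")
        except OSError:
            continue
        if EVAL_REQUEST_RE.search(body):
            findings.append((path, "eval() over request input"))
    return findings


def build_sample_tree() -> Path:
    """Create a constructed mini Exchange-like layout in a temp dir (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="exch_demo_"))
    client = root / "aspnet_client" / "system_web"
    owa_auth = root / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    client.mkdir(parents=True)
    owa_auth.mkdir(parents=True)
    # Legitimate static resource: right location, right file type.
    (client / "WebForms.js").write_text("// constructed static script\n")
    # Anomaly 1: a server-executable page where only static files belong.
    (client / "error.aspx").write_text("<%-- constructed placeholder --%>\n")
    # Legitimate OWA page: right location, no eval over request data.
    (owa_auth / "logon.aspx").write_text('<%@ Page Language="C#" %><html>sign in</html>\n')
    # Anomaly 2: page handing request input to eval() (constructed marker, not a working shell).
    (owa_auth / "x.aspx").write_text('<% eval(Request["k"]) %>\n')
    return root


if __name__ == "__main__":
    for row in suspicious_httpproxy_rows(SAMPLE_HTTPPROXY_LOG):
        print("HTTPPROXY", row["DateTime"], row["ClientIpAddress"], row["AnchorMailbox"])
    for path, reason in suspicious_aspx_files(build_sample_tree()):
        print("FILE", path, "-", reason)
```

On a real host the same two functions would be pointed at the HttpProxy log files and at the Exchange install root; hits are triage leads, not proof of compromise, and a legitimate ServerInfo~ anchor or a custom .aspx page should be confirmed against change records before escalation.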
Sources: Italy extradites alleged Chinese state hacker to US - The Record