Italy extradited Chinese national Xu Zewei to the United States on Saturday, transferring him to the Houston Federal Detention Center to face a nine-count indictment tied to the Hafnium (Silk Typhoon) intrusion campaign and COVID-19 vaccine research theft. U.S. prosecutors allege Xu acted at the direction of China's Ministry of State Security (MSS) and the Shanghai State Security Bureau (SSSB), participating in operations that the FBI says targeted more than 60,000 U.S. entities and successfully compromised over 12,700.

What Happened

Xu Zewei was arrested by Italian authorities in Milan in July 2025 while vacationing with his wife. The arrest stemmed from a U.S. warrant originally filed in the Southern District of Texas in November 2023. After a months-long extradition process, Italy handed Xu over to U.S. custody on Saturday, and he is now held at the Houston Federal Detention Center awaiting prosecution.

The indictment unsealed last year names Xu and co-defendant Zhang Yu, who remains at large, charging them with computer intrusions spanning February 2020 through June 2021. Charges include wire fraud, aggravated identity theft, and unauthorized access to protected computers. Xu faces up to 77 years in prison if convicted on all counts. China's Foreign Ministry spokesman Lin Jian publicly condemned the Italian extradition decision. Xu denies the allegations and claims mistaken identity.

What Was Taken

Court documents allege Xu and his co-conspirators targeted U.S. universities, immunologists, and virologists conducting COVID-19 vaccine, treatment, and testing research. In one documented exchange, Xu reported to SSSB supervisors that he had compromised the network of a research university located in the Southern District of Texas, exfiltrating vaccine-related research data.

Beyond the targeted COVID-19 espionage, the broader Hafnium campaign Xu participated in compromised thousands of organizations indiscriminately. The FBI assessed that the campaign targeted over 60,000 U.S. entities and successfully victimized more than 12,700, harvesting sensitive information including email content, contacts, and credentials from compromised Exchange environments.

Why It Matters

This extradition is one of the rare instances where a Chinese state-aligned operator has been physically transferred to U.S. custody, giving prosecutors a defendant who can be tried, and who may have incentive to cooperate, rather than a sealed indictment with no one to serve it on. It signals an evolving U.S. posture: pursuing alleged MSS contractors when they travel to extradition-friendly jurisdictions instead of relying solely on indictments that may never be executed.

For defenders, the case reinforces that Hafnium/Silk Typhoon is not a one-off campaign but a sustained MSS-tasked operation against U.S. research, government, and enterprise targets. The named tasking relationship between an individual operator and the SSSB removes ambiguity about state attribution and raises the cost calculus for contractors operating on behalf of Chinese intelligence services.

The Attack Technique

The Hafnium intrusions Xu is charged with leveraged the well-documented set of Microsoft Exchange Server zero-days that Microsoft patched out of band on March 2, 2021, after they had been exploited in the wild since at least early January 2021: CVE-2021-26855 (the pre-authentication server-side request forgery known as ProxyLogon), CVE-2021-26857 (insecure deserialization in the Unified Messaging service), and CVE-2021-26858 and CVE-2021-27065 (post-authentication arbitrary file writes). Operators chained the SSRF, which let them impersonate the Exchange server to its own back end without credentials, with an arbitrary file write to drop web shells, achieve remote code execution as SYSTEM, and harvest mailbox data from on-premises Exchange installations.

Earlier 2020 operations against vaccine research targets relied on credential theft, public-facing application exploitation, and post-compromise lateral movement to research networks. The group's tradecraft has continued to evolve under the Silk Typhoon designation, with recent reporting tying it to supply chain access via IT vendors and remote management tooling.

What Organizations Should Do

  1. Audit on-premises Microsoft Exchange deployments for ProxyLogon and ProxyShell exposure, validate that the March 2021 security updates or a later cumulative update are installed, and hunt for legacy web shells that may still reside on systems compromised in 2021 (commonly dropped under inetpub\wwwroot\aspnet_client\ and the FrontEnd\HttpProxy\owa\auth\ directory).
  2. Review remote management tools, IT service providers, and cloud application registrations for unexpected service principals or OAuth grants consistent with Silk Typhoon's recent supply chain tradecraft.
  3. For research universities, healthcare, and life sciences organizations, treat MSS-tasked espionage as an active threat model and segment research networks from general enterprise infrastructure.
  4. Hunt for known Hafnium indicators, retroactively if necessary: China Chopper web shell variants, suspicious IIS modules, HttpProxy log entries whose AnchorMailbox takes the form ServerInfo~*/*, and mailbox export activity such as New-MailboxExportRequest in the MSExchange Management log.
  5. Enable mailbox auditing, conditional access, and modern authentication in Microsoft 365 environments, and disable legacy authentication protocols that bypass MFA.
  6. Share suspected nation-state intrusion indicators with CISA, the FBI, and relevant ISACs to support ongoing investigations and broader victim identification.
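As an added illustration of the log hunting in steps 1 and 4 above (example code written for this page, not a tool from Microsoft, the FBI, or the source article), the script below runs two checks over constructed log excerpts: it flags Exchange HttpProxy rows whose AnchorMailbox or BackEndCookie carries the ProxyLogon SSRF pattern (ServerInfo~*/* and Server~*/*~*, the indicators Microsoft published for CVE-2021-26855 in March 2021), and it flags IIS W3C entries showing POST requests to .aspx files under /aspnet_client/ or to unexpected pages under /owa/auth/, the directories where Hafnium web shells were typically dropped. The sample log lines are constructed and use a subset of the real HttpProxy columns; the allowlist of legitimate OWA auth pages is an assumption that should be tuned to the installed Exchange build.

```python
import csv
import io
from fnmatch import fnmatch

# Constructed HttpProxy log excerpt. Real logs carry many more columns; the
# column names used here match the real ones.
HTTPPROXY_LOG = """DateTime,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus,BackEndCookie
2021-03-03T01:10:22.101Z,/owa/auth/logon.aspx,,,203.0.113.7,200,
2021-03-03T01:12:40.455Z,/ecp/y.js,,ServerInfo~a]@exchange.corp.example:444/ecp/default.flt?#~1941962753,203.0.113.7,200,
2021-03-03T01:12:41.902Z,/ecp/y.js,,ServerInfo~a]@exchange.corp.example:444/ecp/DDI/DDIService.svc/SetObject?schema=OABVirtualDirectory#~1941962753,203.0.113.7,200,
2021-03-03T01:15:03.011Z,/owa/,alice@corp.example,alice@corp.example,10.10.1.55,200,Server~exchange.corp.example~1941962753
"""

# Constructed IIS W3C log excerpt for the Exchange front end.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 01:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 01:13:10 10.10.1.10 POST /owa/auth/help.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-03 01:13:12 10.10.1.10 POST /aspnet_client/system_web/supp0rt.aspx - 443 - 203.0.113.7 python-requests/2.25.1 200
2021-03-03 01:15:03 10.10.1.10 GET /owa/ - 443 CORP\\alice 10.10.1.55 Mozilla/5.0 200
2021-03-03 01:15:04 10.10.1.10 POST /owa/auth/logon.aspx - 443 - 10.10.1.55 Mozilla/5.0 302
"""

# Assumption: pages that legitimately receive POSTs under /owa/auth/.
# Tune this to the pages present on your Exchange build.
LEGITIMATE_OWA_AUTH_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}


def hunt_httpproxy(text):
    """Return HttpProxy rows consistent with CVE-2021-26855 (ProxyLogon SSRF).

    Indicators: an AnchorMailbox of the form ServerInfo~*/* or a BackEndCookie
    of the form Server~*/*~*. A legitimate back-end cookie never contains a
    slash after the server name, so the slash is the tell.
    """
    rows = csv.DictReader(line for line in io.StringIO(text) if not line.startswith("#"))
    hits = []
    for row in rows:
        anchor = row.get("AnchorMailbox") or ""
        cookie = row.get("BackEndCookie") or ""
        if fnmatch(anchor, "ServerInfo~*/*") or fnmatch(cookie, "Server~*/*~*"):
            hits.append({
                "rule": "CVE-2021-26855",
                "time": row["DateTime"],
                "client": row["ClientIpAddress"],
                "uri": row["UrlStem"],
                "anchor": anchor,
                "authenticated_user": row.get("AuthenticatedUser") or "",
            })
    return hits


def parse_w3c(text):
    """Yield one dict per IIS W3C data line, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def hunt_iis_webshell_posts(text):
    """Return POSTs to .aspx files in the directories Hafnium used for web shells."""
    hits = []
    for entry in parse_w3c(text):
        if entry["cs-method"].upper() != "POST":
            continue
        stem = entry["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        name = stem.rsplit("/", 1)[-1]
        # /aspnet_client/ should never serve .aspx; /owa/auth/ serves only a few.
        if stem.startswith("/aspnet_client/") or (
            stem.startswith("/owa/auth/") and name not in LEGITIMATE_OWA_AUTH_PAGES
        ):
            hits.append({
                "rule": "webshell-post",
                "time": f'{entry["date"]} {entry["time"]}',
                "client": entry["c-ip"],
                "uri": entry["cs-uri-stem"],
                "user_agent": entry["cs(User-Agent)"],
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_httpproxy(HTTPPROXY_LOG) + hunt_iis_webshell_posts(IIS_LOG):
        print(hit["rule"], hit["time"], hit["client"], hit["uri"])
```

Run against the full HttpProxy (Ecp and Owa subdirectories) and IIS log directories rather than a single file, and treat the SSRF rule as high confidence: the ServerInfo~ anchor is not produced by any legitimate client traffic. The web shell rule is a triage filter, so pair each hit with a look at the file on disk and its creation time.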

Sources: Italy extradites alleged Chinese state hacker to US - Therecord.media