The Arrest and Extradition of Xu Zewei: A Timeline
The saga of Xu Zewei, a 33-year-old Chinese national, began on July 3, 2025, when Italian authorities arrested him at Milan’s Malpensa Airport at the request of the United States. This marked the culmination of a multi-year investigation into state-sponsored cyber intrusions that allegedly targeted critical COVID-19 research efforts. Xu, an IT manager at Shanghai Powerock Network Co. Ltd., faced immediate detention as Italian courts navigated a complex extradition process spanning nearly a year.
Key milestones in the timeline include:
- November 2023: U.S. grand jury indicts Xu and co-defendant Zhang Yu (at large) in a sealed nine-count complaint in the Southern District of Texas.
- July 2025: Indictment unsealed following Xu’s arrest; Milan court initially approves extradition.
- January 2026: Italian appeals court upholds decision.
- April 2026: Italy’s Supreme Court of Cassation rejects final appeal; government under Premier Giorgia Meloni approves extradition on April 26.
- Late April 2026: Xu is transferred to U.S. custody, ending nearly 10 months in Italian pre-trial detention.
Throughout, Xu’s legal team argued mistaken identity, claiming no connection to the alleged crimes. A Milan court rejected house arrest requests, citing flight risk and strong evidence of guilt.
U.S. Charges: A Deep Dive into the Indictment
The U.S. Department of Justice accuses Xu of working under direct orders from China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB), to conduct unauthorized intrusions from February 2020 to June 2021. The nine counts encompass conspiracy to commit wire fraud (max 20 years), two wire fraud counts (20 years each), unauthorized computer access, intentional damage to protected systems (10 years each), and aggravated identity theft (2 years).
Evidence cited includes chat logs where Xu confirmed network compromises to SSSB officers. For instance, on February 19, 2020, he reported hacking a Texas research university, followed by directives to target virologists’ emails. If convicted, Xu could face decades in prison, setting a precedent for prosecuting foreign contractors in state-sponsored hacks.
Targeting COVID-19 Research: The Early 2020 Intrusions
At the pandemic’s onset, Xu allegedly led efforts to steal data from U.S. organizations racing for vaccines and treatments. Specific targets included the University of Texas Medical Branch (UTMB) in Galveston, a hub for coronavirus studies, where hackers accessed immunologists’ and virologists’ email accounts. This occurred amid global desperation, as China faced accusations of withholding virus origin data.
Learn more about the U.S. indictment in the official DOJ press release.
Such thefts risked delaying breakthroughs; similar attempts hit firms like Moderna and AstraZeneca in 2020, per FBI warnings.
HAFNIUM Campaign: Escalation to Global Microsoft Exchange Hacks
By late 2020, Xu shifted to exploiting zero-day vulnerabilities in Microsoft Exchange Servers as part of the HAFNIUM (aka Silk Typhoon) group, linked to MSS. Attackers installed web shells for persistent access, compromising over 12,700 U.S. entities and thousands worldwide—including European targets.
Microsoft disclosed the flaws in March 2021, prompting patches and joint U.S.-EU alerts. HAFNIUM’s indiscriminate approach stole emails, intellectual property, and policy documents, including from a D.C. law firm where the intruders searched mailboxes for terms such as “MSS.”
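Because the indictment describes web shells planted on Exchange servers for persistent access, a defender’s first question is how to spot that activity in server logs. The script below is an added illustration, not code from the article or from any of the organizations it names: it parses IIS W3C access-log lines and flags requests to .aspx pages that are absent from a clean baseline of known Exchange endpoints. The log lines, the baseline set, and the field order are all constructed placeholders; a real deployment would build the baseline from a known-good server and read the live log directory.

```python
"""Flag requests to unexpected .aspx pages in IIS logs (added example, not from the article).

Assumptions (constructed for this illustration): the log uses the W3C field
order declared in its #Fields line, and BASELINE_ASPX is a placeholder list of
legitimate ASP.NET pages that a defender would derive from their own clean
Exchange installation.
"""
from collections import defaultdict

# Hypothetical baseline of legitimate .aspx endpoints (placeholder values).
BASELINE_ASPX = {
    "/owa/auth/logon.aspx",
    "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx",
}

# Constructed sample log: two legitimate users plus one client hitting pages
# that do not exist on a baseline server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 08:00:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-02 08:00:05 10.0.0.5 GET /owa/ - 443 alice 198.51.100.7 Mozilla/5.0 200
2021-03-02 08:01:10 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-02 08:01:12 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-02 08:02:00 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 203.0.113.9 - 200
2021-03-02 08:03:00 10.0.0.5 GET /ecp/default.aspx - 443 bob 198.51.100.8 Mozilla/5.0 200
"""


def parse_iis(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            # Malformed line: skip rather than mis-assign columns.
            continue
        yield dict(zip(fields, parts))


def find_unexpected_aspx(text, baseline=BASELINE_ASPX):
    """Return (client_ip, uri) hits for .aspx pages outside the baseline.

    Each result carries the request count and the set of methods seen so an
    analyst can prioritise repeated POSTs to a page that should not exist.
    """
    hits = defaultdict(lambda: {"count": 0, "methods": set()})
    for rec in parse_iis(text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.endswith(".aspx") or uri in baseline:
            continue
        key = (rec["c-ip"], uri)
        hits[key]["count"] += 1
        hits[key]["methods"].add(rec["cs-method"])
    # Most frequent first, then by path for stable output.
    return sorted(
        ({"client": ip, "uri": uri, **info} for (ip, uri), info in hits.items()),
        key=lambda h: (-h["count"], h["uri"]),
    )


if __name__ == "__main__":
    for hit in find_unexpected_aspx(SAMPLE_LOG):
        print(hit["client"], hit["uri"], hit["count"], sorted(hit["methods"]))
```

The baseline-allowlist approach is deliberately simple: it does not try to recognise any particular web shell, only pages that should not exist on a healthy server, which is what made the March 2021 hunting guidance usable at scale. Pair it with file-system checks on the Exchange web directories, since a shell that is only ever called by its own operator will leave few log lines.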
China’s Denial and State-Sponsored Hacking Ecosystem
Beijing’s Foreign Ministry decried the extradition as “U.S. political manipulation,” urging Italy to “correct its mistake.” Yet Powerock exemplifies China’s model of private firms masking government operations. From 2020 to 2026, the U.S. indicted dozens of individuals in similar campaigns, with statistics showing China behind 50%+ of state-sponsored incidents targeting IP.
Italy’s Geopolitical Balancing Act
Under Meloni, Italy prioritized transatlantic ties over earlier overtures to China such as the Belt and Road Initiative. The decision tests Rome-Beijing relations but aligns with EU pushes for cyber resilience after HAFNIUM. The EU’s 2021 response blamed China, fostering NATO-EU cyber pacts.
Details on Italy’s stance in Bloomberg’s coverage.
Global Implications for Cyber Espionage and Research Security
This case highlights vulnerabilities in pandemic-era research sharing. Steps forward include zero-trust architectures, international extradition treaties, and AI-driven threat detection. Europe looks to the NIS2 Directive for bolstered defenses.
- Risks: IP theft delays innovation; HAFNIUM cost billions in remediation.
- Solutions: Multi-factor authentication, regular patching, and intelligence sharing via ENISA.
What Lies Ahead: U.S. Trial and Broader Ramifications
Xu awaits arraignment in Texas; conviction could yield 60+ years. Success may deter contractors, but challenges persist with actors like Zhang at large. For Europe, the case underscores the need for unified cyber diplomacy amid U.S.-China tensions.
Stakeholders urge enhanced global norms, like Budapest Convention expansions, to combat cross-border threats.