Alleged Chinese Hacker Xu Zewei Extradited to U.S.

Manaal Khan · 27 April 2026 at 11:23 pm · 4 min read
Key Takeaways

Source: TechCrunch
  • Xu Zewei was extradited from Italy to Houston on Saturday and is now in federal detention
  • Prosecutors allege Xu worked for China's Ministry of State Security to steal COVID-19 research from U.S. universities
  • The accused hacker is linked to Hafnium (now called Silk Typhoon), the group behind the 2021 Microsoft Exchange attacks

Xu Zewei, a Chinese national accused of conducting cyberattacks for Beijing, arrived in the United States over the weekend after being extradited from Italy. His lawyer, Simona Candido, confirmed to TechCrunch that Xu was flown to the U.S. on Saturday and is now held at the Federal Detention Center in Houston, Texas.

The U.S. Justice Department first charged Xu last year. Prosecutors allege he worked as a contractor for China's Ministry of State Security, carrying out cyberattacks through a Shanghai-based company called Shanghai Powerock Network. The company, according to the indictment, "conducted hacking" on behalf of the Chinese government.

The Allegations: COVID Research and Exchange Servers

The charges against Xu focus on two campaigns. First, prosecutors say Xu and co-conspirator Zhang Yu targeted several U.S. universities in early 2020, attempting to steal research related to the COVID-19 pandemic. The timing coincides with the global scramble for vaccine development and treatment data.

Second, and more damaging, the pair allegedly participated in a sweeping attack on Microsoft Exchange email servers beginning in March 2021. Prosecutors describe this campaign as "indiscriminate." The hackers exploited previously unknown security flaws in Exchange to break into thousands of servers across American organizations.

The targets included defense contractors, law firms, think tanks, and infectious disease researchers. The U.S. government attributed this campaign to a Chinese-backed hacking group known as Hafnium, which Microsoft has since renamed Silk Typhoon.

The Path to Houston

Italian authorities arrested Xu last year at the request of U.S. law enforcement. The extradition process took months to complete. His U.S. lawyer, Dan Cogdell, appeared at a hearing in Houston on Monday. Cogdell told TechCrunch he learned about the hearing earlier that same day.

Angela Dodge, a spokesperson for the U.S. Attorney's Office in the Southern District of Texas, acknowledged receiving questions about Xu but did not respond to them. The Bureau of Prisons website confirms that a man with the same name is in custody at the Houston facility.

  • Early 2020: Xu allegedly targets U.S. universities to steal COVID-19 research
  • March 2021: Hafnium begins mass exploitation of Microsoft Exchange servers
  • 2024: U.S. Justice Department announces charges against Xu and Zhang Yu
  • 2024: Italian authorities arrest Xu at U.S. request
  • April 26, 2026: Xu extradited to Houston, Texas

What Is Hafnium?

Hafnium, now tracked by Microsoft as Silk Typhoon, is a state-sponsored hacking group that operates out of China. The group gained notoriety in early 2021 when it exploited four zero-day vulnerabilities in Microsoft Exchange Server. These flaws allowed attackers to access email accounts and install malware on victim systems.

Microsoft released emergency patches in March 2021, but tens of thousands of organizations had already been compromised. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal agencies to patch or disconnect vulnerable Exchange servers immediately.

According to prosecutors, Hafnium hackers reported their activities directly to Chinese state officials in Shanghai. The group's targets suggest a focus on intelligence gathering: defense contractors for military secrets, law firms for privileged communications, and infectious disease researchers for pandemic-related data.

What Happens Next

Xu faces trial in the Southern District of Texas. Co-conspirator Zhang Yu remains at large, presumably in China. The Chinese government does not extradite its citizens to the United States, so Zhang is unlikely to face trial unless he travels to a country with a U.S. extradition treaty.

The case adds to a growing list of prosecutions targeting alleged Chinese state hackers. The Justice Department has increased its focus on cyber-enabled economic espionage in recent years, though securing convictions remains difficult when defendants stay in China.

Frequently Asked Questions

Who is Xu Zewei?

Xu Zewei is a Chinese national accused of hacking U.S. universities and Microsoft Exchange servers on behalf of China's Ministry of State Security. He was arrested in Italy in 2024 and extradited to the United States in April 2026.

What is the Hafnium hacking group?

Hafnium, now called Silk Typhoon by Microsoft, is a Chinese state-sponsored hacking group. The group exploited zero-day vulnerabilities in Microsoft Exchange Server in 2021, compromising tens of thousands of organizations worldwide.

What did Hafnium steal from U.S. organizations?

According to prosecutors, Hafnium targeted defense contractors, law firms, think tanks, and infectious disease researchers. The group allegedly stole COVID-19 research from U.S. universities in early 2020.

Where is Xu Zewei being held?

Xu is currently detained at the Federal Detention Center in Houston, Texas. He faces prosecution in the Southern District of Texas.

Will Zhang Yu be prosecuted?

Zhang Yu, Xu's alleged co-conspirator, remains at large and is believed to be in China. Since China does not extradite citizens to the U.S., Zhang is unlikely to face trial unless he travels to a country with a U.S. extradition treaty.

Source: TechCrunch / Lorenzo Franceschi-Bicchierai

Manaal Khan

Tech & Innovation Writer
