Silk Typhoon Hacker Xu Zewei Extradited to U.S.

Key Takeaways

- Xu Zewei allegedly conducted hacking operations for China's Ministry of State Security between February 2020 and June 2021
- The attacks targeted COVID-19 research organizations and exploited Microsoft Exchange Server zero-day vulnerabilities
- Xu was arrested in Milan in 2025 and now faces multiple federal charges related to computer intrusions
The U.S. Department of Justice announced that Xu Zewei, a Chinese national accused of conducting cyberespionage for China's Ministry of State Security (MSS), has been extradited from Italy to face criminal charges. Xu was arrested in Milan in 2025 at the request of U.S. authorities.
According to the DOJ, Xu allegedly worked as a contract hacker for the MSS and conducted breaches between February 2020 and June 2021. The operations were part of a coordinated intelligence-gathering campaign tied to the Silk Typhoon hacking group, also known as Hafnium.
COVID-19 Research Among Primary Targets
The indictment links Xu to attacks on COVID-19 research organizations. Prosecutors allege the hackers sought data on vaccines, treatments, and testing during the pandemic's early stages.
Silk Typhoon exploited vulnerabilities in internet-facing systems to gain initial access. Once inside networks, the attackers performed reconnaissance, deployed malware, and exfiltrated data.
Microsoft Exchange Zero-Day Exploitation
U.S. authorities also allege that Xu and his co-conspirators exploited Microsoft Exchange Server zero-day vulnerabilities beginning in late 2020. This widespread campaign compromised email servers and gave attackers access to victim networks.
After breaching vulnerable Exchange servers, attackers deployed web shells. These tools allowed them to access mailboxes, move laterally within networks, and steal data. The exploitation led to global incidents impacting thousands of organizations before patches were fully available.
Contract Hackers Operating Under State Direction
“According to court documents, officers of the PRC's Ministry of State Security's (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking.”
— U.S. Department of Justice
The DOJ identified Xu's employer as Shanghai Powerock Network Co., Ltd. (Powerock). Prosecutors described it as one of many firms used to carry out hacking operations on behalf of the Chinese government.
This arrangement reflects a pattern U.S. officials have highlighted in previous cases. Chinese state security services often work through private contractors rather than using government employees directly. The structure provides deniability while allowing state agencies to leverage specialized talent.
Federal Charges and Next Steps
Xu is expected to appear in federal court, where he faces multiple counts related to computer intrusions and conspiracy. The charges carry significant penalties.
The extradition marks a rare success in bringing alleged Chinese state-sponsored hackers to U.S. courts. Most individuals indicted for similar operations remain in China and face no realistic prospect of arrest.
Logicity's Take
Implications for Enterprise Security
The Silk Typhoon attacks exploited vulnerabilities that have long since been patched. But the case serves as a reminder of how quickly state-sponsored groups weaponize zero-days. Organizations running internet-facing systems, especially email servers, remain high-value targets.
The Exchange campaign affected thousands of organizations globally. Many discovered compromises only after patches were released and forensic tools became available. Web shells deployed during the initial breach sometimes remained active for months.
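Because web shells left behind on a patched server were the lingering risk here, a quick hunting check is the thing a responder wants. The script below is an added example, not code from the article or from BleepingComputer: it walks an assumed web root, keeps only ASP.NET handler files modified after a cut-off date, and flags files whose contents show both a request parameter being read and a reference to a code-execution or process-creation API. The directory tree and file contents it scans are constructed inline.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Two heuristic markers common in ASP.NET web shells: an HTTP request parameter
# being read, and a reference to an execution or process-creation API.
# A file needs both to be flagged, which keeps ordinary pages out of the results.
SUSPICIOUS = [
    re.compile(r'Request\s*\[[^\]]+\]', re.I),
    re.compile(r'\b(eval|Process\.Start|JScript\.Eval|Assembly\.Load)\b', re.I),
]
HANDLER_EXTENSIONS = ('.aspx', '.ashx', '.asmx')


def hunt_webshells(root, modified_since):
    """Return (relative path, marker count) for handler files under root that were
    modified at or after modified_since and match both suspicious markers."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(HANDLER_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime < modified_since:
                continue  # untouched since before the window of interest
            with open(path, 'r', errors='ignore') as fh:
                text = fh.read()
            score = sum(1 for pattern in SUSPICIOUS if pattern.search(text))
            if score >= 2:
                hits.append((os.path.relpath(path, root), score))
    return sorted(hits)


def demo():
    """Build a constructed web root (assumed layout, not a real server) and hunt it."""
    root = tempfile.mkdtemp()
    auth_dir = os.path.join(root, 'owa', 'auth')
    os.makedirs(auth_dir)
    # Benign page with an old modification time, so it falls outside the window.
    benign = os.path.join(auth_dir, 'logon.aspx')
    with open(benign, 'w') as fh:
        fh.write('<%@ Page Language="C#" %><html><body>Sign in</body></html>')
    old = (datetime.now(timezone.utc) - timedelta(days=400)).timestamp()
    os.utime(benign, (old, old))
    # Constructed sample carrying both markers; it is not a working shell.
    planted = os.path.join(auth_dir, 'x.aspx')
    with open(planted, 'w') as fh:
        fh.write('<%@ Page Language="C#" %><% string c = Request["c"]; '
                 '/* constructed marker: Process.Start */ %>')
    return hunt_webshells(root, datetime.now(timezone.utc) - timedelta(days=30))
```

Point the cut-off date at the day the vulnerable server was patched: anything matching after that date deserves a look regardless of what the patch state says.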
Frequently Asked Questions
Who is Xu Zewei?
Xu Zewei is a Chinese national accused of working as a contract hacker for China's Ministry of State Security. He allegedly conducted cyberespionage operations between February 2020 and June 2021 as part of the Silk Typhoon (Hafnium) hacking group.
What is Silk Typhoon?
Silk Typhoon, also known as Hafnium, is a Chinese state-sponsored hacking group. The group is known for exploiting vulnerabilities in internet-facing systems, including the 2020-2021 Microsoft Exchange Server zero-day attacks that compromised thousands of organizations worldwide.
What did Silk Typhoon hackers target?
According to the DOJ indictment, the group targeted COVID-19 research organizations seeking data on vaccines, treatments, and testing. They also exploited Microsoft Exchange Server vulnerabilities to compromise email systems across thousands of organizations.
Where was Xu Zewei arrested?
Xu was arrested in Milan, Italy in 2025 at the request of U.S. authorities. He was extradited to the United States in April 2026 to face federal charges.
What charges does Xu Zewei face?
Xu faces multiple federal counts related to computer intrusions and conspiracy. The charges stem from his alleged role in hacking operations conducted for China's intelligence services.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer