Key Takeaways

- Xu Zewei allegedly conducted hacking operations for China's Ministry of State Security between February 2020 and June 2021
- The attacks targeted COVID-19 research organizations and exploited Microsoft Exchange Server zero-day vulnerabilities
- Xu was arrested in Milan in 2025 and now faces multiple federal charges related to computer intrusions

The U.S. Department of Justice announced that Xu Zewei, a Chinese national accused of conducting cyberespionage for China's Ministry of State Security (MSS), has been extradited from Italy to face criminal charges. Xu was arrested in Milan in 2025 at the request of U.S. authorities.
According to the DOJ, Xu allegedly worked as a contract hacker for the MSS and conducted breaches between February 2020 and June 2021. The operations were part of a coordinated intelligence-gathering campaign tied to the Silk Typhoon hacking group, also known as Hafnium.
COVID-19 Research Among Primary Targets
The indictment links Xu to attacks on COVID-19 research organizations. Prosecutors allege the hackers sought data on vaccines, treatments, and testing during the pandemic's early stages.
Silk Typhoon exploited vulnerabilities in internet-facing systems to gain initial access. Once inside networks, the attackers performed reconnaissance, deployed malware, and exfiltrated data.
Microsoft Exchange Zero-Day Exploitation
U.S. authorities also allege that Xu and his co-conspirators exploited Microsoft Exchange Server zero-day vulnerabilities beginning in late 2020. This widespread campaign compromised email servers and gave attackers access to victim networks.
After breaching vulnerable Exchange servers, attackers deployed web shells. These tools allowed them to access mailboxes, move laterally within networks, and steal data. The exploitation led to global incidents impacting thousands of organizations before patches were fully available.
Contract Hackers Operating Under State Direction
“According to court documents, officers of the PRC's Ministry of State Security's (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking.”
— U.S. Department of Justice
The DOJ identified Xu's employer as Shanghai Powerock Network Co., Ltd. (Powerock). Prosecutors described it as one of many firms used to carry out hacking operations on behalf of the Chinese government.
This arrangement reflects a pattern U.S. officials have highlighted in previous cases. Chinese state security services often work through private contractors rather than using government employees directly. The structure provides deniability while allowing state agencies to leverage specialized talent.
Federal Charges and Next Steps
Xu is expected to appear in federal court, where he faces multiple counts related to computer intrusions and conspiracy. The charges carry significant penalties.
The extradition marks a rare success in bringing alleged Chinese state-sponsored hackers to U.S. courts. Most individuals indicted for similar operations remain in China and face no realistic prospect of arrest.


Logicity's Take
Implications for Enterprise Security
The Silk Typhoon attacks exploited vulnerabilities that have long since been patched. But the case serves as a reminder of how quickly state-sponsored groups weaponize zero-days. Organizations running internet-facing systems, especially email servers, remain high-value targets.
The Exchange campaign affected thousands of organizations globally. Many discovered compromises only after patches were released and forensic tools became available. Web shells deployed during the initial breach sometimes remained active for months.
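The last paragraph describes the defensive problem: web shells dropped during the initial breach sat in web content directories for months, and many organizations only found them once forensic tooling caught up. One practical check is a file-integrity baseline of the webroot, taken right after patching and stored off the server, so that any script file that later appears or changes without a deployment becomes a triage candidate. The script below is an added example written for this article, not code from the DOJ filing, Microsoft, or BleepingComputer; the directory layout, file names, and contents are constructed for the demonstration.

```python
"""File-integrity baseline for a web content directory (added example).

Snapshot the SHA-256 of every file under the webroot after patching, keep the
snapshot off-box, and later diff the live tree against it. Server-side script
files that were added or altered without a deployment are the first things to
examine when hunting for a lingering web shell.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions the web server will execute; these get top triage priority.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large static assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot) -> dict:
    """Map each file's path (relative to webroot, POSIX style) to its SHA-256."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_baseline(webroot, baseline: dict) -> dict:
    """Compare the live tree with a stored baseline.

    Returns added / changed / removed relative paths, plus 'script_hits': the
    added-or-changed files with an executable extension.
    """
    current = build_baseline(webroot)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in current.keys() & baseline.keys()
                     if current[p] != baseline[p])
    script_hits = sorted(p for p in added + changed
                         if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)
    return {"added": added, "changed": changed,
            "removed": removed, "script_hits": script_hits}


def demo() -> dict:
    """Constructed scenario: baseline a small webroot, then simulate drift.

    Directory and file names here are made up for the example; they are not
    paths from the Exchange campaign.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "logon.aspx").write_text("<%-- constructed legitimate page --%>\n")
        (root / "app" / "logo.png").write_bytes(b"\x89PNG constructed\n")
        baseline = build_baseline(root)  # would normally be stored off-box

        # Later: a new script appears, and two existing files are altered.
        (root / "app" / "unexpected.aspx").write_text("<%-- constructed: not in baseline --%>\n")
        (root / "app" / "logon.aspx").write_text("<%-- constructed: altered after baseline --%>\n")
        (root / "app" / "logo.png").write_bytes(b"\x89PNG constructed v2\n")
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is rebuilt on every legitimate deployment and stored somewhere the web server's own credentials cannot reach, since an attacker who can write to the webroot could otherwise also rewrite the manifest. Changed static assets (the PNG above) still show up in `changed`, but `script_hits` is the list to work through first.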
Frequently Asked Questions
Who is Xu Zewei?
Xu Zewei is a Chinese national accused of working as a contract hacker for China's Ministry of State Security. He allegedly conducted cyberespionage operations between February 2020 and June 2021 as part of the Silk Typhoon (Hafnium) hacking group.
What is Silk Typhoon?
Silk Typhoon, also known as Hafnium, is a Chinese state-sponsored hacking group. The group is known for exploiting vulnerabilities in internet-facing systems, including the 2020-2021 Microsoft Exchange Server zero-day attacks that compromised thousands of organizations worldwide.
What did Silk Typhoon hackers target?
According to the DOJ indictment, the group targeted COVID-19 research organizations seeking data on vaccines, treatments, and testing. They also exploited Microsoft Exchange Server vulnerabilities to compromise email systems across thousands of organizations.
Where was Xu Zewei arrested?
Xu was arrested in Milan, Italy in 2025 at the request of U.S. authorities. He was extradited to the United States in April 2026 to face federal charges.
What charges does Xu Zewei face?
Xu faces multiple federal counts related to computer intrusions and conspiracy. The charges stem from his alleged role in hacking operations conducted for China's intelligence services.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.