The United States has done something it rarely manages against Chinese state hackers: it got one into a courtroom. Xu Zewei, 34, a Chinese national accused of conducting intrusions for the group known as HAFNIUM — also tracked as Silk Typhoon — was extradited from Italy and arrived in Houston, Texas, where he pleaded not guilty at a federal hearing and is now held at the Federal Detention Center. His co-defendant, PRC national Zhang Yu, 44, remains at large.
The pair face a nine-count indictment, unsealed in the Southern District of Texas, covering computer intrusions between February 2020 and June 2021 — a window that spans two of the most consequential episodes in recent cyber history: the theft of early COVID-19 research and the mass exploitation of Microsoft Exchange Server that became known worldwide as HAFNIUM.
The Arrest That Almost Didn’t Stick
Xu was originally detained in Milan in July 2025, arrested at the request of U.S. authorities while on holiday with his wife. What followed was a year of extradition proceedings in the Italian courts, complicated by Beijing’s diplomatic objections and by Xu’s own insistence — maintained throughout — that Italian police had detained the wrong man. He has consistently denied the charges.
Italy approved the extradition, and Xu arrived in Houston over the weekend before pleading not guilty on Monday. That he was arrestable at all is the whole story: like the Chinese Ministry of State Security’s sprawling contractor ecosystem, operators like Xu are shielded inside China’s borders. The moment one steps out — a holiday, a layover, a flight through a cooperating jurisdiction — the shield drops. It is the same dynamic that has repeatedly turned foreign vacations into arrest points for wanted hackers of every nationality.
What HAFNIUM Did
For readers who did not live the 2021 incident from a SOC chair, the scale is worth restating. Beginning in late 2020, Xu and his co-conspirators allegedly exploited a chain of zero-day vulnerabilities in Microsoft Exchange Server, the on-premises email platform running in tens of thousands of organizations. When Microsoft disclosed and patched the flaws in March 2021, the exploitation was already indiscriminate and global.
According to the Justice Department, the campaign targeted more than 60,000 U.S. entities and successfully compromised more than 12,700 of them, harvesting email and sensitive data at industrial scale. HAFNIUM did not pick targets so much as sweep them — a smash-and-grab against the entire installed base of a critical product. Court documents say officers of the MSS’s Shanghai State Security Bureau directed the work, and that Xu carried it out while employed by Shanghai Powerock Network, one of the private contractors Beijing uses to launder state operations through nominally commercial firms.
The Exchange episode reshaped how the industry thinks about mass exploitation of edge and server software — a lesson that echoes through every subsequent zero-day panic, from the SharePoint ToolShell campaign to Microsoft’s later MAPP-disclosure crisis. HAFNIUM was the template: patch the flaw and you still leave thousands of pre-compromised servers behind.
The COVID-19 Angle
Before Exchange, there was the pandemic. In February 2020, as COVID-19 spread and the race for a vaccine began, Xu was — per the indictment — directed to target and access specific email accounts belonging to virologists and immunologists conducting COVID-19 research at a U.S. research university. On February 22, 2020, prosecutors say, he was tasked with breaking into those accounts to steal groundbreaking pandemic research.
That framing is deliberate. Charging the espionage as an attack on medical researchers during a global health emergency casts it not as routine spycraft but as predation at a moment of collective crisis — the kind of narrative that resonates with a jury and with allied governments weighing their own extraditions.
One Defendant, a Broader Pattern
Xu’s case does not stand alone. It slots into a documented, multi-year campaign in which China figures as one of four state actors — alongside Russia, Iran, and North Korea — that Western intelligence and vendors have accused of coordinated targeting of the defense industrial base and critical infrastructure. The contractor model that Xu allegedly worked under is the connective tissue: the MSS sets objectives, private firms supply the labor, and deniability sits in the gap between them.
A single extradition does not dismantle that machine. But it punctures the deniability. For the first time in this campaign, a person the U.S. says did the hacking is sitting in an American jail, entering a plea, and facing the evidence in open court. Whether Xu is convicted or, as he claims, the wrong man, the proceeding itself sends the message U.S. prosecutors have been unable to send for years: the contractors are not untouchable, and a passport stamp can be the whole difference.
Sources
- DOJ — Justice Department Announces Arrest of Prolific Chinese State-Sponsored Contract Hacker
- The Record — Chinese national arrested in Milan after US issues arrest warrant for HAFNIUM attacks
- BleepingComputer — Alleged Silk Typhoon hacker extradited to US for cyberespionage
- SecurityWeek — Alleged Chinese State Hacker Wanted by US Arrested in Italy
- Infosecurity Magazine — Chinese State-Sponsored Hacker Charged Over COVID-19 Research Theft



