Chinese Hacker Extradited to Face Federal Charges
A Chinese national alleged to have conducted cyberespionage operations on behalf of China's intelligence apparatus has been extradited from Italy to the United States, where he now faces a series of criminal charges. According to an announcement from the Department of Justice (DOJ), the individual — identified as Xu Zewei — is accused of working as a contract hacker for China's Ministry of State Security (MSS), carrying out intrusions between February 2020 and June 2021 as part of a coordinated intelligence-gathering campaign.
Xu was originally arrested in Milan, Italy, in 2025 following a request from U.S. authorities. His extradition marks a significant development in American efforts to hold foreign state-sponsored hackers accountable through the domestic legal system.
Ties to the Silk Typhoon Hacking Group
The federal indictment connects Xu to the Silk Typhoon hacking group, a China-linked threat actor also tracked under the name Hafnium. The group is known for targeting internet-facing systems to gain initial footholds in victim networks. Once access was established, the attackers would conduct reconnaissance, deploy malware, and exfiltrate sensitive data.
Among the alleged targets were COVID-19 research organizations, which investigators say were infiltrated in an effort to steal data related to vaccines, treatments, and testing — intelligence of obvious strategic value during the height of the pandemic.
Microsoft Exchange Zero-Day Exploitation
A central element of the indictment involves the exploitation of Microsoft Exchange Server zero-day vulnerabilities, which Xu and his co-conspirators allegedly began abusing in late 2020. This campaign, prosecutors say, was part of a sweeping effort to compromise email servers globally and gain persistent access to victim networks.
After successfully breaching vulnerable Exchange servers, the attackers reportedly deployed web shells — malicious scripts that provided remote access to the compromised systems. These tools allowed the threat actors to:
- Access victim mailboxes and harvest communications
- Move laterally across internal networks
- Exfiltrate data before detection or remediation
The Exchange exploitation campaign was enormous in scale: thousands of organizations worldwide were affected before patches were fully available and widely deployed.
MSS Direction and the Powerock Front Company
Prosecutors allege that Xu did not act independently but rather operated under direct guidance from officials within the MSS's Shanghai State Security Bureau (SSSB). The DOJ stated in its announcement:
"According to court documents, officers of the PRC's Ministry of State Security's (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking."
Xu allegedly carried out these intrusions while employed by a company called Shanghai Powerock Network Co., Ltd., referred to in court documents as Powerock. The DOJ described Powerock as one of several front companies used to execute hacking operations on behalf of the Chinese government, providing a layer of deniability between the state and its cyber operatives.
This arrangement — where private firms serve as cutouts for state-directed hacking — has become a well-documented pattern in Chinese cyber operations, with the MSS in particular known to leverage contractor networks to conduct foreign intelligence activities.
Legal Proceedings and Charges
Xu is expected to make an appearance in federal court, where he faces multiple counts related to computer intrusions and conspiracy. His co-defendant in the case has not been publicly named in available court documents referenced by the DOJ.
The extradition underscores the continued commitment by U.S. law enforcement to pursue cyber actors linked to foreign intelligence services, even when those individuals are located abroad. Italy's cooperation in apprehending and ultimately extraditing Xu represents an important example of international legal collaboration in the effort to counter state-sponsored hacking.
Broader Context: Silk Typhoon's Campaign
The Silk Typhoon / Hafnium group has been on the radar of Western intelligence agencies and cybersecurity researchers for years. Its focus on exploiting publicly exposed enterprise software, particularly email infrastructure, has made it one of the more impactful Chinese threat groups in terms of breadth of compromise. The 2021 Exchange Server exploitation wave attributed to this group was described at the time as one of the most significant cyberattacks targeting U.S. organizations in recent memory, prompting emergency guidance from the Cybersecurity and Infrastructure Security Agency (CISA).
Xu Zewei's extradition and the accompanying indictment provide a rare glimpse into the operational mechanics of MSS-directed hacking, including the use of contracted personnel and corporate cover structures to conduct espionage at scale.
Source: BleepingComputer