Xu Zewei Faces Federal Charges Over Massive HAFNIUM Espionage Campaign
The United States Department of Justice announced on Monday that a Chinese national allegedly tied to a sweeping, pandemic-era cyber espionage campaign has been extradited from Italy and formally charged in federal court. Xu Zewei and his alleged co-conspirators are accused of exploiting multiple zero-day vulnerabilities in Microsoft Exchange Server to breach the networks of nearly 13,000 American organizations — stealing sensitive research on COVID-19 vaccines, treatment methods, and testing protocols during one of the most critical periods of the global health crisis.
The espionage operation, known as HAFNIUM, was reportedly directed by China's Ministry of State Security and targeted a wide range of institutions, including infectious disease researchers, law firms, universities, defense contractors, and policy think tanks. The state-sponsored threat actor behind HAFNIUM is now more broadly tracked by the cybersecurity community under the name Silk Typhoon.
Who Is Xu Zewei and How Was He Caught?
Xu allegedly carried out the intrusions while employed at Shanghai Powerock Network, one of numerous private companies that China's intelligence services reportedly use as proxies to conduct offensive cyber operations. Italian authorities arrested Xu in Milan in July at the request of the United States — a notable example of how international travel by nation-state-linked hackers can create enforcement opportunities when they visit countries that cooperate with American law enforcement.
Italy extradited Xu to the United States on Saturday, though the extradition orders were not publicly released until Monday, according to his Italian attorney, Simona Candido, who confirmed the timeline to CyberScoop. Monday also marked his first appearance in the U.S. District Court for the Southern District of Texas. He is currently being held at a federal prison in Houston.
An indictment was filed against Xu alongside Zhang Yu, who remains at large.
What Xu Zewei Is Accused of Doing
According to court records, Xu allegedly operated under the direction of China's Ministry of State Security's Shanghai State Security Bureau. His alleged activities included:
- Breaking into the networks of U.S. organizations by exploiting zero-day vulnerabilities in Microsoft Exchange Server
- Stealing data from compromised systems
- Implanting webshells to maintain persistent remote access
- Stealing information about U.S. policymakers and government agencies from a global law firm with offices in Washington
Microsoft first publicly warned its customers about the HAFNIUM campaign in March 2021. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) quickly followed with a joint advisory addressing the widespread compromise of Microsoft Exchange Server infrastructure.
Charges and Potential Sentence
The 34-year-old faces a formidable list of federal charges, including:
- Conspiracy to commit wire fraud
- Two counts of wire fraud
- Conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft
- Two counts of obtaining information by unauthorized access to protected computers
- Two counts of intentional damage to a protected computer
- Aggravated identity theft
If convicted on all counts, Xu faces up to 62 years in federal prison.
Law Enforcement and Intelligence Community Reaction
Brett Leatherman, assistant director of the FBI's Cyber Division, emphasized both the scale of the operation and the broader pattern of Chinese government-linked contractor activity:
"Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China's Ministry of State Security that compromised more than 12,700 U.S. organizations. He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk."
John G.E. Marck, acting U.S. attorney for the Southern District of Texas, underscored the persistence of the prosecution:
"We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people."
Industry Perspective: A Signal to State-Linked Hackers
Aaron Shraberg, senior team lead of global intelligence at Flashpoint, told CyberScoop that the case illustrates the tangible consequences that can follow state-directed cyber activity:
"Today's law enforcement action demonstrates the real-world consequences of this state-led activity, which is fueled by a vast network of private companies operating under the direction of the Chinese government."
Shraberg further noted that coordinating extraditions across international boundaries sends a clear message about allied resolve:
"Extraditing these individuals from countries in coordination with international law enforcement demonstrates a united stance on these actions, and the importance of bringing real-world consequences to China's notorious targeting of not just the American people and their businesses, but individuals globally as well."
The Xu Zewei case reflects an increasingly assertive posture by U.S. authorities toward holding individual actors accountable for nation-state cyber operations — even when enforcement requires years of multinational coordination.
Source: CyberScoop