Chinese Hacker Extradited to U.S. Over Pandemic Research Theft
Xu Zewei, a 33-year-old Chinese national, was arrested in Italy and sent to the United States to face charges for hacking. Prosecutors say he worked for the Chinese government while breaking into computer systems at universities and other organizations, stealing information about COVID-19 research. He is part of a larger hacking campaign called HAFNIUM that compromised over 60,000 American organizations between 2020 and 2021.
What He's Accused Of
Xu faces nine charges including wire fraud and unauthorized computer access. If convicted on the wire fraud counts alone, he could face up to 20 years in prison.
Prosecutors say Xu and a co-defendant, Zhang Yu, carried out their hacking between February 2020 and June 2021. During this time, information about developing COVID-19 vaccines and treatments was extremely valuable. Court documents show that officers from China's Ministry of State Security in Shanghai told Xu which researchers and organizations to target.
The Focus on COVID-19 Research
Court filings show that on February 22, 2020, a Chinese government officer directly ordered Xu to break into email accounts belonging to scientists studying COVID-19 at a university in Texas. Just three days earlier, Xu had already reported back that he'd successfully broken into another university's computer network in the same area.
The hacking went beyond those two universities. Xu and his co-conspirators also broke into a large law firm with offices around the world, including Washington, D.C.
How They Did It
Xu and Zhang used a technique common in sophisticated hacking: they found previously unknown flaws (zero-day vulnerabilities) in Microsoft Exchange Server, a widely used email system that companies rely on. Once they got into a network through these flaws, they installed hidden tools called web shells, scripts planted on the server that accept commands remotely, which let them stay inside the system long-term and steal data without being noticed.
The HAFNIUM campaign was large in scale. While the hackers targeted more than 60,000 American organizations, they successfully stole information from at least 12,700 of them. Among the data they took were emails and documents from specific U.S. government officials and agencies.
Proof of Government Direction
Internal communications uncovered by law enforcement show the connection between Xu and Chinese government officials. On January 30, 2021, Xu told his co-defendant that he'd successfully broken into a university network. A month later, he reported his progress directly to a Chinese state security officer.
These messages prove that this wasn't just criminal hacking for profit. Xu received specific instructions about which targets to focus on, and he reported back regularly to his government handlers.
How He Was Caught and Brought to Justice
Xu was arrested in Italy after U.S. authorities asked for his capture. When arrested, he claimed his name was being confused with someone else's and said he was just an IT worker in Shanghai. The Italian courts didn't accept his defense and approved sending him to the United States to stand trial.
This case matters because it shows that nation-state hackers can be held accountable in court, even when they operate from overseas. It also sends a message: being in another country doesn't necessarily protect you from U.S. law enforcement.
The broader context here is that this is part of a longer pattern. Over the years, we have seen foreign governments hire hackers to steal information while trying to hide their involvement. In this case, China's government was open in its communications — at least internally — about directing the operation. The timing is what stands out most: the hacking focused specifically on pandemic research at the moment when that research had extraordinary value.
The extradition also shows something shifting in international cooperation. Italy was willing to send Xu to the United States despite likely pressure from China not to. That suggests countries are increasingly willing to work together to hold state-sponsored hackers accountable in criminal courts, rather than treating cyber theft as just another spy operation.
For the average person, the practical lesson is straightforward. If you work at a company or organization that uses Microsoft Exchange Server for email, this case underscores why keeping software updated and monitoring for suspicious activity matters. The techniques that HAFNIUM used — installing hidden tools to maintain access — are still being used by hackers today. Organizations that stay vigilant tend to catch these intrusions faster.
One more name remains important in this case: Zhang Yu, Xu's co-defendant, is still at large. His location is unknown. The case against Xu proceeds, but it's incomplete without him.


