Chinese Hacker Extradited to U.S. for Massive Email Server Breach Campaign
Xu Zewei, a 33-year-old Chinese national, has been extradited from Italy to the United States to face charges related to a hacking operation run by the Chinese government. The operation targeted COVID-19 research and exploited widely used Microsoft Exchange Server email systems. The extradition brings one of the key figures behind the HAFNIUM campaign—which broke into over 60,000 U.S. organizations—to American soil.
The Charges and Timeline
Xu faces nine charges, including wire fraud and unauthorized computer access, with potential sentences of up to 20 years. His alleged co-defendant, Zhang Yu, a 44-year-old Chinese national, remains at large.
The break-ins occurred between February 2020 and June 2021, a critical period when pharmaceutical companies and research universities were racing to develop COVID-19 treatments and vaccines. Court documents show that China's Ministry of State Security—specifically its Shanghai branch—directed the operation.
Hunting Pandemic Research
The operation's most significant target was pandemic research. On February 22, 2020, an officer from the Shanghai State Security Bureau (SSSB) specifically ordered Xu to break into email accounts belonging to virologists and immunologists at a research university in Texas. Court filings show Xu had already compromised that same university three days earlier.
The attacks extended beyond one institution. Xu and his co-conspirators successfully broke into two universities in the same district, plus a law firm with offices worldwide, including Washington D.C.
How They Did It
Xu and Zhang exploited previously unknown security flaws—called zero-day vulnerabilities—in Microsoft Exchange Server, the email software used by millions of organizations globally. Once inside a network, they installed web shells: small hidden programs that let them remotely control compromised computers and stay inside networks for months.
The HAFNIUM campaign affected about 60,000 U.S. organizations and successfully stole data from more than 12,700 of them. The hackers specifically searched email systems for information about U.S. government officials and agencies.
Following the Trail Back to China
Court documents show direct contact between Xu, his partner Zhang, and Chinese state intelligence officers. In January 2021, Xu confirmed to Zhang that he had broken into a university network. A month later, Xu gave an update to an SSSB officer on his progress.
These communications establish a chain connecting the hackers to China's state security apparatus. The Shanghai officers gave specific targets and received regular updates on what had been compromised.
Arrest and Extradition
Xu was arrested in Italy at U.S. request after the FBI placed him on its wanted list. During the extradition proceedings, Xu claimed he was a different person—an IT manager at a Shanghai company—but Italian courts rejected this and approved his extradition to stand trial in the United States.
What This Case Signals
We have seen this pattern before: a government hiring outside hackers to do its intelligence work while maintaining some distance if things go wrong. The HAFNIUM campaign follows this template, but its specific focus on pandemic research during a global health crisis made it strategically distinct from previous Chinese operations.
Xu's extradition represents a win for international law enforcement cooperation. Italy's willingness to extradite him—despite China's likely diplomatic objections—signals growing agreement among nations that state-sponsored hackers should face criminal prosecution rather than be treated as an accepted cost of international relations.
In my view, this case also sets an important precedent: contract hackers working for foreign governments cannot rely on geographic distance for protection. The detailed evidence of communication between Xu and Chinese intelligence officers creates a clear path to proving that these were not crimes by rogue individuals, but state-directed operations.
The case sends a message to other contract hackers that the U.S. Department of Justice will pursue them across borders. That said, with Zhang Yu still at large, the reach of law enforcement has its limits, especially when a suspect remains in a country unlikely to extradite.
For organizations running Microsoft Exchange Server, the case underscores a persistent reality: nation-states invest heavily in finding and exploiting security gaps in widely used software. The specific techniques HAFNIUM used—installing web shells to maintain long-term access—continue to appear in current attacks. Organizations managing these systems need robust monitoring tools and rapid incident response capabilities to detect when attackers have established a hidden foothold.
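One concrete way to look for the "hidden foothold" the article describes is to review the Exchange front-end IIS logs for server-side script paths that are not part of the known product install and are receiving POST requests. The script below is an added example written for this page, not code from the article or from any vendor; it assumes the server logs in W3C extended format with the field order given in the `#Fields:` header, and the baseline allowlist, the log lines and the script path `x1.aspx` are all constructed for illustration.

```python
"""Flag requests to unexpected server-side script paths in IIS W3C logs.

Added example (not from the article). Assumes W3C extended format where the
'#Fields:' header names the columns and IIS has replaced spaces in the
User-Agent with '+', so every line splits cleanly on whitespace.
"""
from collections import defaultdict

# Constructed baseline: script paths this server is expected to serve.
# In practice this comes from a clean install of the same Exchange build.
KNOWN_SCRIPTS = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/ecp/default.aspx"}

# Constructed sample log: normal OWA/ECP traffic plus two POSTs from one client
# to a script path (x1.aspx, a hypothetical name) that is not in the baseline.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-03 10:01:07 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302
2021-03-03 10:01:09 10.0.0.5 GET /owa/auth/15.1/themes/resources/logo.png - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-03 10:02:11 10.0.0.5 POST /owa/auth/Current/themes/resources/x1.aspx - 443 - 198.51.100.9 python-requests/2.25.1 200
2021-03-03 10:02:15 10.0.0.5 POST /owa/auth/Current/themes/resources/x1.aspx - 443 - 198.51.100.9 python-requests/2.25.1 200
2021-03-03 10:03:00 10.0.0.5 GET /ecp/default.aspx - 443 admin 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""

SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")


def parse_w3c(text):
    """Turn W3C log text into a list of dicts keyed by the '#Fields:' names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue  # other directives, blanks, or data before a header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than mis-align columns
        records.append(dict(zip(fields, parts)))
    return records


def find_unexpected_scripts(records, known=KNOWN_SCRIPTS):
    """Group hits on script paths outside the baseline, per path.

    Returns {uri: {"requests", "posts", "clients", "agents"}} so an analyst can
    see how many POSTs the path received and from which clients/tools.
    """
    known_lower = {k.lower() for k in known}
    hits = defaultdict(lambda: {"requests": 0, "posts": 0,
                                "clients": set(), "agents": set()})
    for r in records:
        uri = r["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if not uri.endswith(SCRIPT_SUFFIXES) or uri in known_lower:
            continue
        h = hits[uri]
        h["requests"] += 1
        if r["cs-method"].upper() == "POST":
            h["posts"] += 1
        h["clients"].add(r["c-ip"])
        h["agents"].add(r["cs(User-Agent)"])
    # Freeze sets into sorted lists for stable reporting.
    return {uri: {"requests": v["requests"], "posts": v["posts"],
                  "clients": sorted(v["clients"]), "agents": sorted(v["agents"])}
            for uri, v in hits.items()}


if __name__ == "__main__":
    for uri, info in find_unexpected_scripts(parse_w3c(SAMPLE_LOG)).items():
        print(f"{uri}: {info['posts']} POST / {info['requests']} total "
              f"from {', '.join(info['clients'])} via {', '.join(info['agents'])}")
```

The allowlist approach matters more than any signature: a script path that is neither shipped with the product nor deployed by your own change process, yet answers POST requests, deserves a file-system look regardless of what it is named. Run this against the retained front-end logs on a schedule, and refresh the baseline from a clean build rather than from the live server.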