Italy Extradites Alleged HAFNIUM Hacker Xu Zewei to the United States
Italian authorities extradited Chinese national Xu Zewei to the United States over allegations that he took part in a Chinese state-backed hacking campaign linked to HAFNIUM, also tracked as Silk Typhoon. U.S. prosecutors say Xu and co-defendant Zhang Yu conducted intrusions between February 2020 and June 2021 on behalf of China’s Ministry of State Security and the Shanghai State Security Bureau, including efforts to steal COVID-19 vaccine and research data from U.S. universities and researchers. Xu was arrested at Milan’s Malpensa Airport on a U.S. warrant, later transferred to U.S. custody, and is now being held in Houston; he denies the allegations and claims mistaken identity.
The indictment also ties Xu to the mass exploitation of previously unknown Microsoft Exchange vulnerabilities that began in March 2021, a campaign U.S. authorities say hit more than 60,000 U.S. entities and successfully compromised over 12,700 organizations. Prosecutors allege the victims included defense contractors, law firms, think tanks, universities, and infectious disease researchers, making the case one of the most prominent efforts to bring an alleged Chinese state-linked hacker into U.S. custody. If convicted on all charges, Xu faces up to 77 years in prison.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Xu Zewei makes first U.S. court appearance in Texas
After being extradited from Italy, Xu Zewei made his first appearance in the U.S. District Court for the Southern District of Texas. The appearance followed the Justice Department's announcement of charges tied to the alleged HAFNIUM/Silk Typhoon espionage campaign.
Xu Zewei is extradited to the United States and held in Houston
By April 27, 2026, Xu Zewei had been extradited from Italy to the United States and was being held in Houston to face charges tied to the alleged China-backed hacking campaign.
Italy moves to extradite Xu Zewei to the United States
Italian authorities initiated extradition proceedings to send Xu Zewei to the U.S. over cyber-espionage charges tied to the alleged 2020-2021 hacking campaign.
Italian police arrest Xu Zewei at Milan Malpensa Airport
Italian authorities arrested Xu Zewei in July 2025 at Milan's Malpensa Airport on a U.S. warrant and seized his documents and devices.
Alleged Chinese state-backed intrusion campaign ends
According to the indictment, the charged hacking activity involving Xu Zewei and Zhang Yu ran from February 2020 until June 2021.
HAFNIUM allegedly starts exploiting Microsoft Exchange zero-days
Beginning in March 2021, prosecutors say the operators attributed to HAFNIUM, later tracked as Silk Typhoon, exploited previously unknown Microsoft Exchange vulnerabilities in a broad campaign. The activity allegedly affected more than 60,000 U.S. entities and successfully compromised more than 12,700 organizations.
Xu Zewei and Zhang Yu allegedly begin targeting COVID-19 research
U.S. prosecutors allege that Xu Zewei and co-defendant Zhang Yu began intrusions in February 2020 against U.S. universities and researchers to steal COVID-19 vaccine and related research on behalf of Chinese state security services.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
16 references tracked. Mallory keeps watching after this page renders.
FBI: China's hacker-for-hire ecosystem 'out of control' • The Register
go.theregister.com
Open sourceFBI: China's hacker-for-hire ecosystem 'out of control'
theregister.com
Open sourceFBI: China's hacker-for-hire ecosystem 'out of control' • The Register
theregister.com
Open sourceFBI: Chinese Hacker Extradition Sends a Global Message
govinfosecurity.com
Open sourceAlleged Silk Typhoon hacker extradited to US - DataBreaches.Net
databreaches.net
Open sourceAlleged Silk Typhoon hacker extradited to US for cyberespionage
bleepingcomputer.com
Open sourceHacker who allegedly carried out cyberattacks for China is extradited to U.S. | TechCrunch
techcrunch.com
Open sourceItaly extradites alleged Chinese state hacker to US | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
FBI disrupts Chinese PlugX botnet and charges Silk Typhoon-linked hackers
The FBI said it remotely removed **PlugX malware** from more than **4,200 U.S. computers** after obtaining court authorization to dismantle infrastructure tied to a long-running Chinese cyber campaign. The malware, commonly associated with Chinese state-backed operators, had infected mostly small office and home office devices, and the bureau deleted the malicious files without collecting personal data from victims. Reporting put the total at **4,258 systems**, underscoring the scale of the cleanup operation against a botnet that had quietly persisted on U.S. networks. U.S. authorities later expanded the crackdown by unsealing charges against **12 Chinese nationals** and seizing domains linked to a broader espionage and hacker-for-hire ecosystem associated with **Silk Typhoon** (also tracked as **APT27** and formerly **Hafnium**). Prosecutors alleged that China’s security services used contractors, including **i-Soon**, to hack U.S. government agencies and other prominent targets, charging state customers roughly **$10,000 to $75,000 per compromised email inbox** and tying the activity to intrusions spanning more than a decade, including the **U.S. Treasury** breach. Italian authorities subsequently arrested an alleged Silk Typhoon-linked suspect wanted over cyberespionage tied to COVID-19 vaccine research.
May 27, 2026
China-Linked Espionage Targeting U.S. Government and Technology Talent
U.S. authorities and researchers are highlighting **China-linked espionage** that increasingly leverages online recruitment and employment channels to access sensitive information. Reporting on recent federal cases describes foreign intelligence services posing as consulting firms, research groups, or recruiters to approach current and former U.S. government personnel—often starting via email or job platforms and escalating through staged interviews, fake websites, and payment offers—to solicit **classified or sensitive information**; multiple Justice Department actions in 2025 reportedly involved such virtual-first recruitment approaches. Separately, a former Google engineer, **Linwei Ding**, was found guilty of **economic espionage and trade secret theft** after prosecutors said he exfiltrated over 2,000 pages of confidential AI supercomputing documents (including TPU/GPU architecture details, orchestration software, SmartNIC networking designs, and internal system configurations) and uploaded them to a personal cloud account while maintaining undisclosed ties to China-based companies and engaging with a Shanghai-sponsored talent program. Broader context from CSIS’ long-running survey of Chinese espionage cases underscores that these incidents fit a sustained pattern since 2000 spanning both **human intelligence** and **cyber-enabled theft** targeting U.S. government and commercial technologies, while noting open-source case lists likely undercount the true scope.
Mar 21, 2026
Chinese Phishing Campaign Stole NASA and Defense Software Source Code
NASA's Office of Inspector General disclosed that Chinese national **Song Wu** allegedly conducted a years-long spear-phishing and impersonation campaign to obtain sensitive aerospace and defense-related software, source code, and other controlled technical information from NASA personnel, other U.S. government agencies, universities, and private companies. U.S. authorities said the operation ran from **2017 through 2021** and relied on fraudulent emails and false identities, with Wu posing as U.S. engineers, friends, and colleagues to persuade victims to share restricted data in violation of export control laws. The U.S. Department of Justice charged Wu in **September 2024** with wire fraud and aggravated identity theft, and the FBI has since placed him on its **Most Wanted** list. Investigators identified him as an engineer at the Aviation Industry Corporation of China (**AVIC**) and assessed the stolen software as having both industrial and military applications, including advanced tactical missile development and aerodynamic weapons design, underscoring the campaign's significance for U.S. national security and the defense industrial base.
Apr 28, 2026