"In early 2020, Xu and his co-conspirators hacked and otherwise targeted U.S.-based universities, immunologists, and virologists conducting research into COVID‑19 vaccines, treatment, and testing," the Department of Justice said.
U.S. charges, Italian arrest, and extradition
A Chinese national identified as Xu Zewei, 34, has been extradited to the United States from Italy on charges tied to a string of cyber intrusions that U.S. authorities say took place between February 2020 and June 2021. Italian authorities arrested Xu in July 2025 while he was in Milan with his wife on vacation, and he later was handed over to U.S. custody.
The Department of Justice charged Xu with nine counts of wire fraud and conspiracy to cause damage to and obtain information by unauthorized access to protected computers, and with committing aggravated identity theft. Xu pleaded not guilty to all charges during a court hearing, his lawyer told TechCrunch, and the defendant has repeatedly denied involvement in Chinese government hacking operations, calling his arrest a case of mistaken identity. A co-defendant named Zhang Yu remains at large.
Alleged chain of command: Silk Typhoon, MSS's SSSB, and Powerock
The indictment alleges Xu was a member of the Silk Typhoon hacking group and that the activity was undertaken under directions issued by the Ministry of State Security's Shanghai State Security Bureau (SSSB). According to the Department of Justice, Xu worked for Shanghai Powerock Network Co. Ltd. when the attacks were carried out.
The DoJ described Powerock as one of many "enabling" companies in China that conducted hacking operations for the government. The indictment links Silk Typhoon, state direction, and a corporate umbrella in its portrayal of how the accused operations were organized and executed.
Technique: Microsoft Exchange zero-days, Hafnium, and web shells
The attacks included the exploitation of then-zero-day vulnerabilities in Microsoft Exchange Server. Microsoft tracked a cluster of activity that weaponized those Exchange vulnerabilities under the name Hafnium; the indictment says the defendants exploited certain Exchange Server vulnerabilities to breach targets and deploy web shells for remote administration.
Deployment of web shells and exploitation of email infrastructure vulnerabilities are central technical elements identified in the charging documents as the mechanism by which intruders maintained access and moved through victim networks.
Targets and timing: COVID-19 vaccine research and a Texas university
Prosecutors say the intrusions targeted U.S.-based universities and scientists—specifically immunologists and virologists—working on COVID-19 vaccine research, treatment, and testing. The indictment singles out a break‑in at a Texas university as one of the breaches that resulted in the theft of COVID-19 vaccine information.
The alleged conduct spans the early pandemic period through mid‑2021, a stretch in which the DoJ says the defendants first targeted researchers and later exploited Exchange vulnerabilities to widen access to protected computer systems.
What this means for technologists, policymakers, and universities
- Technologists and security teams: Expect renewed focus on detecting and removing web shells and on hardening Microsoft Exchange Server deployments or patching legacy mail infrastructure—both are named explicitly in the indictment as the route of compromise.
- Policymakers and prosecutors: The case underscores cross‑border cooperation—Italy’s arrest and the extradition to the U.S.—and the legal framing around state‑linked threat groups and "enabling" companies as described by the Department of Justice.
- Universities and research institutions: Institutions that conduct sensitive biomedical work will likely re-examine access controls and incident response plans, especially where research systems intersect with enterprise email platforms alleged to have been exploited in these intrusions.
The case now moves into the U.S. criminal process with Xu in custody and Zhang at large. The indictment links named tactics, a specific corporate employer, and a state security bureau to intrusions that prosecutors say targeted COVID‑19 research; how courts, international partners, and affected organizations respond to those links will determine whether the charges translate into successful convictions, broader sanctions, or fresh defensive measures.




