"China's 'hacker-for-hire ecosystem has gotten out of control,'" Brett Leatherman, assistant director of the FBI's cyber division, told reporters — a blunt assessment that frames the Justice Department's latest criminal action and the broader pattern prosecutors say it exposes.
Assistant Director Brett Leatherman's warning
Leatherman described a network of private Chinese technology companies and contractors that, he said, operate at the behest of the People's Republic of China's intelligence agencies while preserving plausible deniability. "Motivated by profit," he said, the network "cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government."
He added a second, starker consequence: if the Chinese government will not purchase stolen data or system access, those actors "turn from cyber mercenaries into cyber dealers," offering access and stolen information to third parties on the dark web. "This leads to a less secure environment that is ripe for further lawlessness," Leatherman said.
Xu Zewei's extradition and the charges filed in the United States
Over the weekend, American prosecutors received custody of Xu Zewei after his extradition from Italy. Italian authorities originally arrested Xu in July; U.S. prosecutors have charged him with nine hacking-related crimes.
The indictment alleges Xu worked, between February 2020 and June 2021, on taskings from China's Ministry of State Security (MSS) and the Shanghai State Security Bureau (SSSB). Prosecutors say Xu was directed to hack thousands of computers and steal sensitive information while hiding the Chinese government's involvement.
Court filings list a range of counts, with the indictment charging Xu with conspiracy to cause damage to and obtain information by unauthorized access to protected computers, wire fraud, aggravated identity theft, and other offenses. The filing identifies statutory maximum penalties for the counts, including:
- Conspiracy to cause damage to and obtain information by unauthorized access to protected computers — (count specifics in the indictment)
- Conspiracy to commit wire fraud and two counts of wire fraud — each wire fraud count carries a maximum penalty of 20 years
- Two counts of obtaining information by unauthorized access to protected computers — each carrying a maximum penalty of five years
- Two counts of intentional damage to a protected computer — each carrying a maximum penalty of 10 years
- One count of aggravated identity theft — carrying a mandatory consecutive two-year sentence
The indictment also alleges Xu worked as a general manager at a company named Shanghai Powerock Network, which prosecutors say the federal government previously linked to Hafnium/Silk Typhoon.
Alleged operational links to MSS, SSSB, and Hafnium/Silk Typhoon
Prosecutors assert that Xu, and at least one other named individual, coordinated hacking operations under the direction of Chinese security organs. The indictment charges that Xu "supervised hacking activity of other Powerock personnel in support of such taskings, coordinated hacking activities with fellow hacker Zhang Yu, and reported the results of the hacking activities to the SSSB."
The court filing also names Zhang, described as a director at Shanghai Firetech Information Science and Technology Company, as an alleged operator acting under SSSB direction. Two unnamed SSSB officers are also charged with directing the hacking operations. Zhang remains at large, according to the Department of Justice.
Some of the intrusions prosecutors link to Xu occurred during the 2021 campaign in which Hafnium — now described in the filing as Silk Typhoon — exploited zero-day bugs in Microsoft Exchange. That campaign, the indictment says, compromised hundreds of thousands of servers worldwide, including 12,700 organizations in the United States. Other alleged intrusions targeted American universities and researchers working on COVID-19 vaccines, treatments, and testing during the pandemic's height.
The hacker-for-hire business model, as described by the FBI
Leatherman painted a two-track commercial model: companies and contractors operating for state intelligence services, and the same actors selling access or data when governments decline. The indictment's factual allegations echo that model, describing taskings from security bureaus, supervision of personnel, coordination between operators, and the reporting of results back to state actors.
Leatherman emphasized a jurisdictional lesson: "The protection you assume from operating inside China does not extend the moment you cross a border," he said, framing Xu's extradition as evidence the U.S. will seek legal recourse beyond its borders when it identifies alleged criminal conduct.
What this means for technologists, policymakers, and affected researchers
- Technologists and security teams: The indictment links large-scale exploitation of Microsoft Exchange zero-days and the sale of access to compromised systems. Teams responsible for vulnerable services should note the attribution in prosecutors' claims and the scale cited — "hundreds of thousands of servers worldwide" and 12,700 U.S. organizations were named in connection with the 2021 campaign.
- Policymakers and regulators: The FBI framed extradition as a tool to reach alleged actors beyond domestic borders and to send a message to contractor ecosystems. Prosecutors' public statements and the charges signal an enforcement approach that pairs criminal indictments with international cooperation.
- Affected universities and researchers: The indictment specifically alleges intrusions targeting American universities and researchers working on COVID-19 vaccines, treatments, and testing, underscoring the prosecutorial emphasis on research-sector victims in this case.
Xu's extradition and indictment, combined with Leatherman's public characterization of a sprawling, profit-driven contractor ecosystem, set a clear prosecutorial line: alleged state-directed cyber operations and a commercial market for access are both subject to legal pursuit. With Zhang at large and multiple counts filed, the case will test how far cross-border cooperation can reach into the contractor networks that prosecutors portray as blurring the lines between state espionage and criminal enterprise.
Source: The Register — FBI cyber boss: China's hacker-for-hire ecosystem 'out of control'




