“Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.
Extradition from Italy and U.S. court proceedings
Italian authorities arrested Xu Zewei in Milan in July at the United States’ request and extradited him to the United States last Saturday, according to court records and statements to the press. Italy did not release the extradition orders until Monday, Simona Candido, Xu’s attorney in Italy, told CyberScoop. Monday also marked Xu’s first appearance in the U.S. District Court for the Southern District of Texas. He is currently being held at a federal prison in Houston.
Allegations tied to HAFNIUM and Silk Typhoon
The indictment alleges Xu was part of a pandemic-era campaign that exploited a string of zero-day vulnerabilities in Microsoft Exchange Server to infiltrate U.S. networks and steal research on COVID-19 vaccines, treatments and testing during the initial wave and later peaks of the pandemic. The government describes those intrusions as directed by China’s intelligence services under an operation first publicly flagged by Microsoft as HAFNIUM in March 2021; that state-linked activity is now more widely known as Silk Typhoon.
According to the indictment, HAFNIUM/Silk Typhoon targeted a broad set of victims, including infectious disease experts, law firms, universities, defense contractors and policy think tanks. Microsoft issued its initial warning in March 2021, and the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory soon after about widespread compromise of Microsoft Exchange Server.
Accused links to Shanghai Powerock Network and China’s Ministry of State Security
Federal court documents allege Xu worked for Shanghai Powerock Network as one of “many companies that conducted attacks for China’s various intelligence services.” Officials say Xu worked under the direction of China’s Ministry of State Security’s Shanghai State Security Bureau to break into networks, steal data, implant webshells for persistent remote access and harvest information. The indictment names a co-conspirator, Zhang Yu, who remains at large.
Investigators also allege one of the victims was a global law firm with offices in Washington; prosecutors say Xu stole information regarding U.S. policymakers and government agencies from that firm.
Charges, possible penalties, and prosecutors’ statements
Xu, described in court records as 34 years old, faces a multi-count federal indictment that includes: conspiracy to commit wire fraud; two counts of wire fraud; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft; two counts of obtaining information by unauthorized access to protected computers; two counts of intentional damage to a protected computer; and aggravated identity theft. If convicted on the aggregate charges, the indictment states he faces up to 62 years in prison.
“We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people,” John G.E. Marck, acting U.S. attorney for the Southern District of Texas, said in a statement announcing the extradition and court appearance.
How technologists, policymakers, and affected organizations are positioned
- Technologists and security teams: Microsoft’s March 2021 warning and the subsequent FBI/CISA advisory are the concrete markers in this case. Those advisories signaled the initial response to the Exchange Server zero-days and remain central reference points for defensive and forensic work tied to the intrusions alleged in the indictment.
- Policymakers and international law enforcement: The extradition from Italy reflects cross-border cooperation and, according to outside commentary cited by CyberScoop, underscores the use of coordinated legal efforts to impose consequences for state-directed cyber activity. Aaron Shraberg, senior team lead of global intelligence at Flashpoint, told CyberScoop the extradition “demonstrates a united stance” and the importance of bringing real-world consequences to such targeting.
- Affected enterprises and law firms: The allegation that a global law firm’s Washington offices were tapped for information on U.S. policymakers and agencies highlights the lingering operational impact of the Exchange compromises and the sensitivity of data stolen during the period identified by prosecutors.
Xu’s transfer to a U.S. courtroom closes one chapter of an investigation that federal officials characterize as sprawling and state-directed, but it leaves others open. Zhang Yu’s whereabouts remain unresolved in the indictment, and the government’s public statements emphasize that contractors who allegedly obscure state control in cyber operations “face the same risk,” as Brett Leatherman put it. The case thus foregrounds both a set of technical vulnerabilities that were exploited at scale and a law-enforcement approach that relies on international cooperation to pursue accused actors across borders.