Chinese Silk Typhoon suspect extradited to the U.S. over COVID research hacks


A Chinese national accused of taking part in state-backed cyber intrusions has been extradited from Italy to the United States. Xu Zewei, 34, appeared in federal court in Houston on April 27, 2026, on a nine-count indictment tied to alleged hacking activity between February 2020 and June 2021.

The U.S. Department of Justice says some of the alleged intrusions were part of the HAFNIUM campaign, now tracked by Microsoft as Silk Typhoon. The same indictment also accuses Xu and others of targeting U.S. universities, virologists, and immunologists working on COVID-19 vaccines, treatments, and testing during the pandemic.

Prosecutors allege that officers from China’s Ministry of State Security, through the Shanghai State Security Bureau, directed Xu’s hacking activity. Xu allegedly worked for Shanghai Powerock Network Co. Ltd., which the DOJ describes as one of several private companies used to obscure Chinese government involvement in cyber operations.

Why this extradition matters

The case stands out because suspected state-linked hackers often remain outside the reach of U.S. courts. Xu was arrested in Milan in July 2025 and extradited after Italy approved the U.S. request. Reuters reported that China criticized the extradition and accused Washington of political manipulation, while Xu’s lawyer argued mistaken identity.

The DOJ says Xu is now in U.S. custody and faces charges including conspiracy to commit wire fraud, wire fraud, unauthorized access to protected computers, intentional damage to protected computers, and aggravated identity theft. Some counts carry maximum penalties of up to 20 years in prison.

The indictment remains an allegation, and Xu is presumed innocent unless proven guilty in court. His co-defendant, Zhang Yu, 44, also a Chinese national, remains at large.

At a glance

Item                      Details
Defendant                 Xu Zewei
Age                       34
Nationality               People’s Republic of China
Extradited from           Italy
U.S. court                Southern District of Texas, Houston
Initial appearance        April 27, 2026
Alleged activity period   February 2020 to June 2021
Alleged direction         China’s MSS and Shanghai State Security Bureau
Related group             HAFNIUM, now tracked by Microsoft as Silk Typhoon
Co-defendant              Zhang Yu, still at large
Main alleged targets      U.S. universities, COVID-19 researchers, Exchange Server victims

COVID-19 research was a key target

According to the DOJ, Xu and his co-conspirators targeted U.S.-based universities and scientists during the early months of the pandemic. Prosecutors say the victims included immunologists and virologists working on COVID-19 vaccines, treatment, and testing.

The indictment says Xu confirmed around February 19, 2020, that he had compromised a research university in the Southern District of Texas. Days later, an SSSB officer allegedly directed him to access specific mailboxes belonging to researchers working on COVID-19.

Xu later allegedly confirmed that he had acquired the contents of those researchers’ mailboxes. That makes the case part of a wider pattern of pandemic-era espionage, where governments and cyber groups targeted vaccine research, medical data, and scientific institutions.

How HAFNIUM fits into the case

The second major part of the case centers on Microsoft Exchange Server. The DOJ says Xu and others allegedly exploited Exchange Server vulnerabilities beginning in late 2020 and installed web shells on compromised systems for remote access.

Microsoft publicly disclosed HAFNIUM’s Exchange Server attacks in March 2021. At the time, Microsoft said the actor used zero-day vulnerabilities to access on-premises Exchange servers, read email accounts, and install additional malware for long-term access.

Microsoft now maps HAFNIUM to Silk Typhoon, a China-based nation-state activity group known to target healthcare, law firms, higher education, defense contractors, policy think tanks, and NGOs.

What prosecutors say happened inside victim networks

The DOJ says Xu and his co-conspirators targeted another Texas university and a global law firm with offices in Washington, D.C. after exploiting Exchange Server systems. The group allegedly installed web shells that were specific to HAFNIUM actors at the time.

Inside the law firm’s network, the indictment alleges that the attackers searched mailboxes for information related to U.S. policymakers and government agencies. Prosecutors say search terms included “Chinese sources,” “MSS,” and “HongKong.”

The FBI said HAFNIUM compromised more than 12,700 U.S. organizations. Microsoft’s earlier Exchange reporting also warned that attackers rapidly adopted the Exchange exploits after the patches became public, which widened the risk beyond the original actor.

Key charges and penalties

Charge type                                              Maximum penalty listed by DOJ
Conspiracy to commit wire fraud                          20 years
Wire fraud counts                                        20 years each
Computer intrusion conspiracy                            5 years
Obtaining information by unauthorized computer access    5 years each
Intentional damage to a protected computer               10 years each
Aggravated identity theft                                2 years

Web shells played a major role

A web shell is a malicious script placed on a server so attackers can send commands remotely through a browser or web request. In Exchange Server intrusions, web shells often gave attackers continued access even after the original vulnerability was patched.

The DOJ says hundreds of web shells remained on U.S.-based Exchange servers by the end of March 2021. In April 2021, the department carried out a court-authorized operation to remove hundreds of lingering web shells from compromised systems in the United States.

CISA and the FBI had also warned organizations about compromised Microsoft Exchange servers in March 2021. The U.S. and foreign partners later attributed the HAFNIUM campaign to China’s Ministry of State Security in July 2021.

Why the contractor model matters

The DOJ’s case highlights how China allegedly uses private contractors to conduct cyber operations while hiding government involvement. Prosecutors say this model allows contracted hackers to exploit victims broadly, then pass useful information to Chinese state handlers or sell other stolen data elsewhere.

That contractor structure makes attribution and prosecution more difficult. It can also create more victims because contractors may scan widely, compromise many systems, and sort the intelligence value later.

For defenders, the lesson remains practical. State-backed cyber campaigns often begin with known vulnerabilities, stolen credentials, exposed servers, and unpatched systems. The threat may come from intelligence services, but the entry points often look like ordinary enterprise security failures.

What organizations should learn from the case

  • Patch internet-facing systems quickly, especially Exchange and other email servers.
  • Search for web shells after patching, since updates do not always remove backdoors.
  • Review mailbox access logs after suspected email server compromise.
  • Monitor for unusual search terms and bulk mailbox access.
  • Segment research networks from normal administrative systems.
  • Protect university, healthcare, and legal-sector email environments with stronger monitoring.
  • Treat research data and policy-related communications as espionage targets.
  • Keep incident response plans ready for both criminal and state-linked intrusions.
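One way to act on the "search for web shells after patching" point above is a sweep of the Exchange web root for script files that both read request input and hand it to something that executes code. This is an added example, not code from the article, the DOJ or Microsoft; the directory names, content markers and patch date are assumptions, and the sample tree is constructed in a temporary directory so it runs offline.

```python
"""Post-patch web shell sweep of an on-premises Exchange web root (added example).

Markers and PATCH_TIME are assumed heuristics; the sample tree is constructed.
"""
import os
import re
import tempfile
from datetime import datetime, timezone

SCRIPT_EXTS = {".aspx", ".ashx", ".asmx"}
# Two-part heuristic: the file reads request input AND passes it to code/command execution.
INPUT_RE = re.compile(r"Request(\.Item)?\s*[\[\(]", re.I)
EXEC_RE = re.compile(r"\b(eval|Execute|Process\.Start|cmd\.exe|powershell)\b", re.I)
PATCH_TIME = datetime(2021, 3, 1, tzinfo=timezone.utc)  # assumed: when patches were applied


def scan_webroot(root, patch_time=PATCH_TIME):
    """Return sorted [(relative_path, reasons)] for script files that look like web shells."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                body = fh.read()
            if not (INPUT_RE.search(body) and EXEC_RE.search(body)):
                continue  # content does not look like a shell
            reasons = ["request input reaches code/command execution"]
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            # A backdated (timestomped) file keeps an old mtime, so time is supporting evidence only.
            reasons.append("modified after patch" if mtime > patch_time else "mtime predates patch")
            findings.append((os.path.relpath(path, root).replace(os.sep, "/"), reasons))
    return sorted(findings)


def build_sample_tree():
    """Construct a fake web root: one legitimate page (old mtime) and one shell-like file."""
    root = tempfile.mkdtemp(prefix="exch_")
    os.makedirs(os.path.join(root, "owa", "auth"))
    os.makedirs(os.path.join(root, "aspnet_client"))
    benign = os.path.join(root, "owa", "auth", "logon.aspx")
    with open(benign, "w") as fh:
        fh.write('<%@ Page Language="C#" %><html>login form, no Request-to-exec path</html>')
    old = datetime(2019, 6, 1, tzinfo=timezone.utc).timestamp()
    os.utime(benign, (old, old))
    with open(os.path.join(root, "aspnet_client", "sys.aspx"), "w") as fh:
        fh.write('<% string c = Request["x"]; /* constructed fragment */ Process.Start(c); %>')
    return root


if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_tree()):
        print(rel, "->", "; ".join(why))
```

On a real server, point `scan_webroot` at the Exchange web directories and triage every hit against the known-good file inventory from a clean install rather than deleting on sight.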

FAQ

Who is Xu Zewei?

Xu Zewei is a 34-year-old Chinese national extradited from Italy to the United States. He faces a nine-count federal indictment over alleged computer intrusions between February 2020 and June 2021.

What is Silk Typhoon?

Silk Typhoon is Microsoft’s current name for the China-based threat actor previously known as HAFNIUM. Microsoft says the group has targeted sectors such as healthcare, law firms, higher education, defense contractors, think tanks, and NGOs.

What did Xu allegedly target?

Prosecutors say Xu and co-conspirators targeted U.S. universities, COVID-19 researchers, a global law firm, and Microsoft Exchange Server environments.

Was Xu working directly for the Chinese government?

The DOJ alleges that officers from China’s Ministry of State Security and the Shanghai State Security Bureau directed the hacking. Prosecutors say Xu worked for Shanghai Powerock Network Co. Ltd., a private company allegedly used to support Chinese government cyber operations.
