Chinese National Xu Zewei Extradited for HAFNIUM Cyberattacks, Appears in US Court for 9-Count Indictment
- Global exploitation: Xu Zewei participated in the HAFNIUM hacking campaign, compromising thousands of Microsoft Exchange Server instances worldwide.
- Targeted institutions: The suspect allegedly hacked U.S. universities and researchers to execute a major COVID-19 research breach during the pandemic.
- Xu Zewei's arrest: The individual was detained by Italian authorities in July 2025.
Xu Zewei, a 34-year-old national of the People’s Republic of China, appeared in a U.S. District Court in Houston facing a nine-count indictment. The charges detail his extensive involvement in sophisticated computer intrusions between February 2020 and June 2021, some allegedly part of the HAFNIUM hacking campaign, which he executed alongside 44-year-old co-defendant Zhang Yu, who remains at large.
The HAFNIUM hacking campaign, which was attributed to the PRC’s MSS, compromised more than 12,700 U.S. organizations.
The HAFNIUM Hacking Campaign
In late 2020, Xu and co-conspirators began exploiting vulnerabilities in the Microsoft Exchange Server infrastructure, some of which reportedly contributed to the notorious HAFNIUM hacking campaign. Microsoft publicly disclosed the intrusion in March 2021, attributing it to state-sponsored hackers operating out of China.
“Certain of those computer intrusions allegedly are part of the HAFNIUM computer intrusion campaign that compromised thousands of computers worldwide, including in the U.S.,” the Justice Department press release said.
Xu and his co-conspirators deployed persistent web shells “specific to HAFNIUM actors at the time” across compromised servers, granting them remote administrative access to thousands of systems worldwide, including international law firms, to extract sensitive documents. “Xu and Zhang worked together on the HAFNIUM intrusions, under the supervision and direction of Shanghai State Security Bureau (SSSB) officers,” the documents say.
In early 2020, operating under the strict direction of the SSSB, a branch of the PRC’s Ministry of State Security (MSS), Xu systematically targeted U.S.-based immunologists, virologists, and universities conducting critical vaccine and treatment research. This COVID-19 research breach enabled the unauthorized exfiltration of proprietary medical data and researcher communications directly to PRC intelligence officers.
Advanced Cybersecurity Threats
The recent Xu Zewei extradition marks a critical milestone in international cyber law enforcement. These targeted intrusions highlight the severe cybersecurity threats posed by state-sponsored cyberespionage.
Court documents allege Xu Zewei conducted these operations through Shanghai Powerock Network Co. Ltd., a private company utilizing a contractor model to obscure MSS involvement. “He is one of many contractors the Chinese government uses to obscure its hand in cyber operations,” the DoJ added.
The individual was arrested in Milan, Italy, on July 3, 2025. Xu is charged with:
- conspiracy to commit wire fraud and two counts of wire fraud, maximum penalty of 20 years in prison for each count;
- conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft, maximum penalty of five years in prison;
- two counts of obtaining information by unauthorized access to protected computers, maximum penalty of five years in prison;
- two counts of intentional damage to a protected computer, maximum penalty of 10 years in prison;
- aggravated identity theft, maximum penalty of two years in prison.





