04/27/2026 | Press release | Distributed by Public on 04/27/2026 11:58
Note: View the indictment in U.S. v. Xu Zewei et al. here.
Xu Zewei (徐泽伟), 34, of the People's Republic of China was extradited to the United States this weekend and appeared today in U.S. District Court in Houston on a nine-count indictment related to his involvement in computer intrusions between February 2020 and June 2021. Certain of those computer intrusions allegedly are part of the HAFNIUM computer intrusion campaign that compromised thousands of computers worldwide, including in the United States. Other intrusions targeted U.S. COVID-19 research during the height of the pandemic. Xu is charged along with Zhang Yu (张宇), 44, who is also a PRC national.
According to court documents, officers of the PRC's Ministry of State Security's (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct this hacking. The MSS and SSSB are PRC intelligence services responsible for the PRC's domestic counterintelligence, non-military foreign intelligence, and aspects of the PRC's political and domestic security. When Xu conducted the computer intrusions, he allegedly worked for a company named Shanghai Powerock Network Co. Ltd. (Powerock). Powerock was one of many "enabling" companies in the PRC that conducted hacking for the PRC government.
"The United States is committed to pursuing hackers who steal information from U.S. businesses and universities and threaten our cybersecurity," said Assistant Attorney General for National Security John A. Eisenberg. "I commend the prosecutors and investigators who have worked hard and sought justice for years in this investigation, and we look forward to proving our case in court."
"Today, Xu Zewei will stand in a federal courtroom to answer for crimes that struck at the heart of American science and security - allegedly stealing COVID-19 research from our universities when the world needed it most," said Acting U.S. Attorney John G.E. Marck for the Southern District of Texas. "We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people."
"The extradition of Xu Zewei demonstrates the FBI's reach extends well beyond U.S. borders," said Assistant Director Brett Leatherman of the FBI's Cyber Division. "Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China's Ministry of State Security that compromised more than 12,700 U.S. organizations. He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk. The FBI thanks our Italian law enforcement colleagues, especially the Polizia Postale, whose partnership led to Xu's arrest in Milan and his extradition to the United States."
According to court documents, in early 2020, Xu and his co-conspirators hacked and otherwise targeted U.S.-based universities, immunologists, and virologists conducting research into COVID-19 vaccines, treatment, and testing. Xu and others reported their activities to officers in the SSSB who were supervising and directing the hacking activities. For example, on or about Feb. 19, 2020, Xu provided an SSSB officer with confirmation that he had compromised the network of a research university located in the Southern District of Texas. On or about Feb. 22, 2020, the SSSB officer directed Xu to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research for the university. Xu later confirmed for the SSSB officer that he acquired the contents of the researchers' mailboxes.
The charges further allege that beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely used Microsoft product for sending, receiving, and storing email messages. Their exploitation of Microsoft Exchange Server was at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as "HAFNIUM." In March 2021, Microsoft publicly disclosed the intrusion campaign by state-sponsored hackers operating out of China. Throughout March 2021, Microsoft and other industry partners released detection tools, patches, and other information to assist victim entities in identifying and mitigating this cyber incident. Additionally, the FBI and the Cybersecurity and Infrastructure Security Agency released a Joint Advisory on Compromise of Microsoft Exchange Server on March 10, 2021. However, by the end of March 2021, hundreds of web shells remained on certain U.S.-based computers running Microsoft Exchange Server software. In April 2021, the Justice Department announced a court-authorized operation to remediate hundreds of computers in the United States made vulnerable by HAFNIUM actors. In July 2021, the United States and foreign partners attributed the HAFNIUM campaign to the PRC's MSS.
Among the victims of Xu's alleged exploitation of Microsoft Exchange Server were another university located in the Southern District of Texas and a law firm with offices worldwide, including in Washington, D.C. After exploiting computers running Microsoft Exchange Server, Xu and his co-conspirators installed web shells on them to enable their remote administration. The indictment alleges that these web shells were specific to HAFNIUM actors at the time. As with the earlier COVID-19 research intrusions, Xu and Zhang worked together on the HAFNIUM intrusions, under the supervision and direction of SSSB officers. For example, on or about Jan. 30, 2021, Xu confirmed to Zhang that he had compromised the other university's network. Later, on or about Feb. 28, 2021, Xu updated an SSSB officer on his successful intrusions. This SSSB officer then directed Xu to obtain a list of other successful intrusions from a second SSSB officer. Unauthorized access to the law firm's network allowed Xu and his co-conspirators to steal information from mailboxes and search them for information regarding specific U.S. policy makers and government agencies. Their search terms included "Chinese sources," "MSS," and "HongKong."
As described in the July 2025 announcement of charges against Xu, the PRC uses an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government's involvement. Operating from their safe haven and motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government. This largely indiscriminate approach results in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third parties.
Xu is charged with conspiracy to commit wire fraud and two counts of wire fraud, which carry a maximum penalty of 20 years in prison for each count; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft, which carries a maximum penalty of five years in prison; two counts of obtaining information by unauthorized access to protected computers, which carry a maximum penalty of five years in prison for each count; two counts of intentional damage to a protected computer, which carry a maximum penalty of 10 years in prison for each count; and aggravated identity theft, which carries a maximum penalty of two years in prison. Zhang Yu remains at large. Anyone with information about his whereabouts is asked to contact the FBI at 1-800-CALL-FBI (1-800-225-5324).
The FBI's Houston Field Office is investigating the case.
Assistant U.S. Attorney Mark McIntyre for the Southern District of Texas and Deputy Chief Matthew Anzaldi of the National Security Division's National Security Cyber Section are prosecuting the case. The U.S. Department of Justice's Office of International Affairs secured the arrest and extradition from Italy of Xu. The United States thanks the Government of Italy for its assistance extraditing Xu to the United States, including the Cyber Division of the Italian National Police for its valuable assistance.
An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.