Xu Zewei, a national of the People's Republic of China (PRC), has been extradited to the United States and appeared in US District Court in Houston on a nine-count indictment related to computer intrusions conducted between February 2020 and June 2021. Certain intrusions are allegedly part of the HAFNIUM campaign that compromised thousands of computers worldwide, including in the United States. Other intrusions targeted U.S. COVID-19 research during the height of the pandemic. Xu is charged alongside Zhang Yu, also a Chinese national.
State-Sponsored Hacking Operation
According to court documents, officers from the PRC's Ministry of State Security (MSS) Shanghai State Security Bureau (SSSB) directed Xu to conduct these hacks. The MSS and SSSB are PRC intelligence services responsible for domestic counterintelligence, non-military foreign intelligence, and aspects of political and domestic security. At the time of the intrusions, Xu worked for Shanghai Powerock Network, one of many "enabling" companies in China that conducted hacking for the PRC government.
“The United States is committed to pursuing hackers who steal information from U.S. businesses and universities and threaten our cybersecurity,” said Assistant Attorney General for National Security John A. Eisenberg. “I commend the prosecutors and investigators who have worked hard and sought justice for years in this investigation, and we look forward to proving our case in court.”
“Today, Xu Zewei will stand in a federal courtroom to answer for crimes that struck at the heart of American science and security — allegedly stealing COVID-19 research from our universities when the world needed it most,” said Acting U.S. Attorney John G.E. Marck for the Southern District of Texas. “We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people.”
FBI's Global Reach
“The extradition of Xu Zewei demonstrates the FBI's reach extends well beyond U.S. borders,” said Assistant Director Brett Leatherman of the FBI's Cyber Division. “Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China's Ministry of State Security that compromised more than 12,700 U.S. organizations. He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk. The FBI thanks our Italian law enforcement colleagues, especially the Polizia Postale, whose partnership led to Xu's arrest in Milan and his extradition to the United States.”
Targeting COVID-19 Research
According to court documents, in early 2020, Xu and his co-conspirators hacked U.S.-based universities, immunologists, and virologists conducting research into COVID-19 vaccines, treatment, and testing. They reported their activities to SSSB officers supervising and directing the hacking. For example, on February 19, 2020, Xu confirmed to an SSSB officer that he had compromised the network of a research university in the Southern District of Texas. On February 22, 2020, the officer directed Xu to target specific email accounts of virologists and immunologists engaged in COVID-19 research. Xu later confirmed that he acquired the contents of those mailboxes.
Exploitation of Microsoft Exchange Server
The indictment also alleges that in late 2020, Xu and his co-conspirators exploited vulnerabilities in Microsoft Exchange Server, a widely used email product. Their exploitation was at the forefront of a massive campaign known as "HAFNIUM." In March 2021, Microsoft publicly disclosed the state-sponsored hacking campaign. Microsoft and industry partners released detection tools and patches, while the FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory. Despite these measures, hundreds of web shells remained on U.S.-based computers running Exchange Server, and in April 2021 the Justice Department conducted a court-authorized operation to remove them from affected computers. In July 2021, the U.S. and foreign partners attributed HAFNIUM to the PRC's MSS.
Among the victims were another university in the Southern District of Texas and a law firm with offices worldwide, including in Washington, D.C. After exploiting Exchange Server, Xu installed web shells for remote administration. The indictment states these web shells were specific to HAFNIUM actors. Xu and Zhang worked together under SSSB supervision. For example, on January 30, 2021, Xu confirmed to Zhang that he had compromised the other university's network. On February 28, 2021, Xu updated an SSSB officer on his successes and was directed to obtain a list of other successful intrusions. Unauthorized access to the law firm's network allowed Xu to steal information from mailboxes and search for data on U.S. policy makers and government agencies, using search terms like "Chinese sources," "MSS," and "HongKong."
Private Contractors as Fronts
As described in the July 2025 announcement, the PRC uses a network of private companies and contractors to hack and steal information, obscuring government involvement. Operating from a safe haven and motivated by profit, these entities cast a wide net to identify vulnerable computers, exploit them, and sell stolen information directly or indirectly to the PRC government. This indiscriminate approach results in more victims in the U.S. and elsewhere, leaving systems vulnerable and often selling information of no interest to the PRC government to third parties.
Charges and Penalties
Xu is charged with conspiracy to commit wire fraud and two counts of wire fraud (each carrying a maximum of 20 years in prison); conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft (maximum 5 years); two counts of obtaining information by unauthorized access to protected computers (maximum 5 years each); two counts of intentional damage to a protected computer (maximum 10 years each); and aggravated identity theft (maximum 2 years). Zhang Yu remains at large. Anyone with information about his whereabouts is asked to contact the FBI at 1-800-CALL-FBI.