A Chinese contract hacker accused of helping Beijing steal American COVID‑19 research and run a massive Microsoft email hacking campaign has been extradited from Italy to Houston to face federal charges.
Federal prosecutors say 34‑year‑old Chinese national Xu Zewei worked as a state‑sponsored “contract hacker” tied to China’s Ministry of State Security (MSS), the Communist regime’s powerful intelligence service.
According to a nine‑count indictment unsealed in the Southern District of Texas, Xu allegedly led computer intrusions from February 2020 to June 2021 while working for Shanghai Powerock Network Co. Ltd., a company prosecutors describe as one of many “enabling” firms that hack on behalf of Beijing.
Italian authorities arrested Xu at Milan’s Malpensa airport in July 2025 at the request of the United States. After months of legal wrangling, the Italian government approved his extradition, and he was flown to Texas and made his initial appearance in a Houston court.
“We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people,” stated Acting U.S. Attorney John G.E. Marck.
Prosecutors allege Xu and his co‑conspirators hacked U.S. universities, immunologists, and virologists in early 2020 as they raced to develop COVID‑19 vaccines, treatments, and tests. The Justice Department says Xu’s team stole or attempted to steal sensitive research data and then reported back to officers in the MSS’s Shanghai Security Bureau, which directed the operations.
Beyond pandemic research, Xu is accused of playing a central role in HAFNIUM, a notorious hacking campaign that exploited security flaws in Microsoft Exchange Server, the widely used email platform.
Prosecutors say Xu and his associates used zero‑day vulnerabilities to break into thousands of servers worldwide, including in the United States, planting web shells, stealing data, and leaving backdoors for further exploitation.
The FBI estimates HAFNIUM compromised more than 12,700 U.S. organizations, from law firms and think tanks to local governments and small businesses. Officials describe Xu as one of many outside contractors China’s spy services use to disguise the Communist Party’s hand in cyber‑operations while still benefiting from the stolen data.
Xu faces a stack of felony charges: conspiracy to commit wire fraud, multiple counts of wire fraud, conspiracy to damage and intrude into protected computers, obtaining information from protected computers, intentional damage to protected computers, and aggravated identity theft.
If convicted on all counts and given maximum sentences, he could face decades in federal prison, including mandatory consecutive time for the identity theft charges.
The Justice Department credits the FBI, its Cyber Division, and Italian law enforcement—particularly the Italian National Police’s cyber unit—for tracking Xu overseas and securing his arrest and extradition.
