Italy extradites alleged Chinese state-backed hacker to US over theft of COVID-19 research

U.S. officials requested the arrest, which was conducted in Milan in July 2025.
A Chinese national accused of hacking U.S. universities to steal COVID-19 research and carrying out parts of a sweeping cyber espionage campaign earlier in the decade has been extradited from Italy to the United States, where he now faces federal charges tied to the yearslong intrusions.
Xu Zewei, 34, was transferred from Milan over the weekend and appeared Monday in federal court in Houston on a nine-count indictment alleging wire fraud, identity theft and unauthorized access to protected computers, the Justice Department said.
Authorities allege he was part of a network of contract hackers operating on behalf of China’s Ministry of State Security. Xu and co-conspirators were directed to conduct intrusions aimed at stealing sensitive COVID-19 vaccine, treatment and testing research from U.S. entities.
Xu was also allegedly involved in intrusions between 2020 and 2021, including attacks on U.S. research institutions and exploitation of Microsoft Exchange vulnerabilities tied to the sprawling HAFNIUM campaign, which compromised thousands of organizations worldwide, including roughly 13,000 in the United States.
The case highlights longstanding concerns within the U.S. government about China’s use of private-sector contractors to carry out cyber espionage. Prosecutors allege Xu worked for a Shanghai-based company that functioned as one of many “enabling” firms conducting hacking operations for Chinese intelligence services.
Court filings describe how Xu allegedly reported directly to Chinese intelligence officers and carried out specific tasks, including targeting the email accounts of immunologists and virologists conducting COVID-19 research. In one instance, prosecutors say Xu confirmed he had accessed the network of a Texas-based research university and later retrieved the contents of researchers’ email accounts at the direction of a state security officer.
Xu has denied the allegations through an attorney. He was arrested in Milan in July 2025.
The Justice Department first unsealed charges against Xu and an alleged co-conspirator, Zhang Yu, last year. Zhang remains at large. If convicted on all counts, Xu could face decades in prison.
“The extradition of Xu Zewei demonstrates the FBI’s reach extends well beyond U.S. borders,” Brett Leatherman, the FBI’s Cyber Division assistant director, said in a prepared statement. “Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations. He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk.”
The case reflects both the scale of China’s hacking operations and the difficulty of holding alleged state-backed cyber operatives accountable. While U.S. authorities have increasingly sought to name and charge foreign cyber operators, arrests and extraditions remain less common due to jurisdictional and diplomatic constraints.
But the extradition could mark a notable step in that effort. Italian authorities arrested Xu at the request of U.S. officials, and American investigators credited international coordination with securing his transfer.




