Suspected China-linked hacker extradited to the United States over cyberattack charges

A hacker accused of carrying out cyberattacks on behalf of China has been extradited to the United States, highlighting growing concerns over state-linked cybercrime.

May 3, 2026 - 17:55

A man accused of conducting cyberattacks tied to the Chinese government has been extradited to the United States and could face more than a decade in prison if found guilty.

Last year, the U.S. Department of Justice charged Xu Zewei with working as a contractor for China’s Ministry of State Security. Prosecutors allege that Xu carried out a series of cyber operations alongside co-conspirator Zhang Yu. The pair is accused of targeting multiple U.S. universities in early 2020 to obtain research related to the COVID-19 pandemic. Authorities also allege that Xu and Zhang were involved in a broader campaign beginning in March 2021 that compromised thousands of email servers running Microsoft Exchange. The attacks were described as “indiscriminate” and attributed to a Chinese-linked hacking group known as Hafnium, later referred to as Silk Typhoon.

Xu was detained in Italy last year following a request from U.S. officials. His Italian lawyer, Simona Candido, confirmed that he was extradited to the United States on Saturday and is currently being held in Houston.

Records from the U.S. Bureau of Prisons indicate that an individual with the same name is being held at the Federal Detention Centre in Houston. Shortly after these developments, the Justice Department publicly confirmed Xu’s extradition in an official statement.

Xu’s U.S. attorney, Dan Cogdell, stated that his client entered a plea of not guilty to all charges during a court hearing held Monday morning. Court filings show that Xu appeared for his initial hearing in federal court and was ordered to remain in custody.

According to prosecutors, Xu was employed by Shanghai Powerock Network, which they allege conducted hacking activities on behalf of Chinese authorities. Investigators claim that Xu and other individuals involved in the operation reported directly to government officials based in Shanghai.

Alongside Zhang, Xu is alleged to have been part of the Hafnium group, which exploited previously unknown vulnerabilities in Microsoft Exchange servers to gain unauthorised access to systems belonging to a wide range of U.S. organisations. These reportedly included defence contractors, law firms, think tanks, and researchers working on infectious diseases.

Prosecutors say the campaign targeted more than 60,000 entities across the United States, with over 12,700 successfully compromised.

The Chinese Embassy in Washington, D.C., did not respond when asked for comment. Meanwhile, reports indicate that China’s Foreign Ministry opposed the extradition and accused the U.S. government of fabricating the case.

The case reflects a broader pattern of charges brought by U.S. authorities against individuals accused of cyber activities linked to China, many of whom remain outside U.S. jurisdiction. In 2022, Yanjun Xu was sentenced to 20 years in prison in what the Justice Department described as the first instance of a Chinese intelligence officer being extradited to the United States and convicted on hacking-related charges.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.