A 33-year-old Chinese national has been arrested for allegedly participating in a widespread hacking operation targeting U.S. computer networks between February 2020 and June 2021, including the sweeping HAFNIUM campaign that infiltrated thousands of systems worldwide.
Authorities detained Xu Zewei (徐泽伟), a citizen of the People’s Republic of China (PRC), in Milan, Italy, as he arrived on a flight from China. The arrest followed a request from the United States.
Xu and fellow PRC national Zhang Yu (张宇), 44, are charged in a nine-count indictment unsealed in November 2023. The indictment accuses them of conducting computer intrusions between February 2020 and June 2021 under orders from officers of the Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB).
According to the charges, the MSS, and the SSSB within it, are PRC intelligence bodies responsible for domestic counterintelligence, non-military foreign intelligence, and political security. Xu was employed by Shanghai Powerock Network Co. Ltd., one of several Chinese contractors that allegedly carry out intrusions on behalf of the PRC government.
“The indictment alleges Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” said U.S. Attorney Nicholas Ganjei. “We’ve waited years to bring Xu to justice. This arrest proves the U.S. doesn’t forget — we will track hackers down and make them answer for their crimes.”
“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” said John A. Eisenberg, Assistant Attorney General for the National Security Division.
“While the world reeled from a virus that originated in China, the Chinese government plotted to steal U.S. research critical to vaccine development,” said FBI Houston Special Agent in Charge Douglas Williams. “Xu Zewei, an alleged hacker for China’s primary spy agency, used advanced cyber tools to target COVID-19 data. His arrest in Italy shows we will scour the globe to bring foreign cybercriminals to justice.”
Court documents allege that in early 2020, Xu and his co-conspirators targeted U.S. universities and top immunologists and virologists engaged in cutting-edge COVID-19 research. Xu allegedly updated SSSB officers on their progress. On Feb. 19, 2020, for example, Xu reportedly confirmed that he had breached the network of a research university in the Southern District of Texas. Days later, the SSSB allegedly directed him to access specific email accounts belonging to COVID-19 researchers. Xu later confirmed he had retrieved the contents of those mailboxes.
Starting in late 2020, the group exploited vulnerabilities in Microsoft Exchange Server, a widely deployed email platform. That exploitation became central to the HAFNIUM campaign, which compromised thousands of systems around the globe.
In March 2021, Microsoft publicly exposed the HAFNIUM campaign, released patches for the exploited Exchange vulnerabilities, and identified the attackers as China-based, state-sponsored hackers. By July 2021, the U.S. and its international partners had formally attributed the campaign to the PRC’s MSS. Private sector security experts condemned the operation as reckless, irresponsible, and destabilizing.
Victims of Xu’s Exchange Server intrusions included a university in the Southern District of Texas and an international law firm with offices in Washington, D.C. Xu and his co-conspirators reportedly planted web shells on the compromised servers: malicious scripts placed on a web server that let an attacker run commands on it remotely, and that keep working even after the vulnerability used to install them is patched. The particular web shells were unique to HAFNIUM at the time. As with the earlier COVID-19 intrusions, Xu and Zhang allegedly acted under SSSB guidance. On Jan. 30, 2021, Xu reportedly told Zhang that he had accessed the university’s network. By Feb. 28, he had updated an SSSB officer, who instructed him to coordinate with another officer to compile a full list of successful intrusions.
The indictment alleges Xu and his associates also gained unauthorized access to the law firm’s systems to search for information tied to U.S. policymakers and government entities. Their search reportedly included terms like “Chinese sources,” “MSS,” and “HongKong.”
This case highlights the PRC’s use of a sprawling network of private contractors to obscure state involvement in cyber espionage. These companies allegedly operated from the safety of Chinese territory, scanning global networks for weaknesses, exploiting them, and funneling the stolen information to the Chinese government, or reselling it if the state showed no interest. This scattershot approach left more systems exposed than a targeted operation would have, and put stolen data in the hands of third parties.
In April 2021, the Justice Department conducted a court-authorized operation in which the FBI removed the web shells HAFNIUM had left behind from hundreds of U.S. systems. Applying Microsoft’s patches closed the Exchange vulnerabilities but did not remove web shells that had already been installed, which is why the removal operation was needed.
Xu faces multiple charges:
- Wire fraud and conspiracy to commit wire fraud, each carrying up to 20 years in prison.
- Conspiracy to damage protected computers and to commit identity theft, and two counts of unauthorized access to protected computers, each punishable by up to 5 years.
- Intentional damage to protected computers, which carries a potential 10-year sentence per count.
- Aggravated identity theft, carrying a mandatory 2-year sentence served consecutively to any other sentence.
Each count also carries a potential fine of up to $250,000.
Zhang remains at large. Anyone with information about his whereabouts is urged to call the FBI at 1-800-CALL-FBI (1-800-225-5324).
The FBI’s Houston Field Office is leading the investigation.
Assistant U.S. Attorneys S. Mark McIntyre and John Marck, along with Deputy Chief Matthew Anzaldi of the National Security Division’s Cyber Section, are prosecuting the case.