
Alleged Silk Typhoon hacker extradited to the United States to face charges

Graham CLULEY

April 29, 2026

A man accused of working as a hacker for China's Ministry of State Security has been extradited to the USA from Italy, and faces - if found guilty - the prospect of decades behind bars.

34-year-old Xu Zewei arrived in Houston, Texas at the weekend after Italian authorities approved his extradition to the United States. At a federal court hearing on Monday, he pleaded not guilty, and is currently being held at the Federal Detention Center in Houston.

Xu, who has consistently denied the charges and insists that Italian police detained the wrong man, was originally arrested in July 2025 while on holiday in Milan with his wife.

According to the indictment, Xu and a co-conspirator spent the early months of 2020 attempting to steal coronavirus research from American universities, immunologists, and virologists.

While the world's scientists raced to understand COVID-19, the alleged hackers were quietly trying to siphon off their work on vaccines, treatments, and testing. One of the institutions reportedly targeted was a Texas university.

The US Department of Justice alleges that Xu was following orders from officers at the Shanghai State Security Bureau, an arm of China's Ministry of State Security. At the time, Xu was employed by Shanghai Powerock Network, a Chinese firm that prosecutors described as existing to carry out hacking on Beijing's behalf.

Xu is accused of being part of Hafnium - the Chinese state-backed hacking crew that Microsoft dubbed Silk Typhoon.

This hacking group has been blamed for zero-day attacks on Microsoft Exchange Server that began in early 2021. Using a chain of previously unknown vulnerabilities, the attackers compromised as many internet-facing Exchange servers as they could, unlocking long-term access for themselves.

According to the FBI, Hafnium targeted more than 60,000 organisations in the United States and successfully broke into over 12,700 of them. Those organisations impacted by the spate of attacks varied from defence contractors and law firms to think tanks and infectious disease researchers.

Predictably, China has denied any involvement. The Chinese Foreign Ministry opposed Xu's extradition to the United States, and claimed that cases are being fabricated against Chinese citizens.

If convicted on all charges - which include wire fraud, conspiracy to damage protected computers, and aggravated identity theft - Xu could spend decades in prison.

What makes this case unusual is that most state-sponsored hackers indicted by the US Department of Justice never see the inside of an American courtroom. That's because those alleged to have been behind the attacks live in countries with no intention of handing their citizens over to the US legal system.

But every so often, a suspect makes the mistake of going on holiday somewhere with an extradition agreement with the United States.

For organisations that were caught up in the original Exchange Server free-for-all of 2021, this week's news might bring a small sense of vindication.

For the rest of us, it's a useful reminder that the people behind these enormous, headline-grabbing campaigns are not faceless ghosts. They have names, employers, and - occasionally - travel plans.

And just sometimes, those plans don't end the way they expected.

Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
