China's Hackers-for-Hire Are Running Out of Safe Havens
The United States has successfully extradited an alleged Chinese state-sponsored hacker from Italy, sending a clear message to Beijing's vast network of cyber contractors: leaving China means risking arrest. A senior FBI official now warns that the protection the Chinese government offers its hackers stops at the border.
A Rare Arrest Signals a New Era of Accountability
For years, hackers working on behalf of the Chinese government operated with near-total impunity. As long as they stayed inside China, U.S. law enforcement couldn't touch them. That calculus may be changing.
On April 27, 2026, the U.S. Department of Justice announced the extradition of Xu Zewei, a 34-year-old Chinese national, from Italy to the United States. He now faces a nine-count federal indictment in Houston covering charges that include wire fraud, identity theft, and unauthorized access to protected computer systems. If convicted on the most serious counts, he could face up to 20 years in prison per charge.
The case is being described as a rare and significant milestone — one of the few instances in which an alleged Chinese state-linked hacker has been brought before American courts.
The FBI's Message to Beijing's Cyber Contractors
FBI Assistant Director Brett Leatherman, head of the bureau's Cyber Division, did not mince words. Speaking publicly on April 30, he warned that Beijing's sprawling hack-for-hire ecosystem has "gotten out of control" and gives the Chinese government a layer of cover — what he called "a form of plausible deniability."
But Leatherman made clear that this cover has limits. The protection hackers receive "inside China does not extend the moment you cross a border," he said. The arrest of Xu Zewei, he added, "demonstrates the FBI's reach extends well beyond U.S. borders."
FBI Director Kash Patel, who visited Italy earlier in 2026 in connection with Olympic security coordination and bilateral law enforcement meetings, said his trip helped lay the groundwork for the operation. He described Xu as "one of the top two cyber criminals in the world for China."
Who Is Xu Zewei — and What Did He Do?
According to U.S. court documents, Xu worked as a contract hacker for Shanghai Powerock Network, a company prosecutors describe as a front company for Chinese state-sponsored cyber espionage. His alleged handler: the Shanghai State Security Bureau (SSSB), a branch of China's powerful Ministry of State Security (MSS) — the country's primary intelligence agency.
The indictment alleges two distinct phases of criminal activity:
Phase 1 – Stealing COVID-19 Research (Early 2020): Xu and co-conspirators targeted U.S. universities, immunologists, and virologists who were racing to develop vaccines, treatments, and tests during the pandemic. An MSS officer in Shanghai allegedly directed Xu to go after specific email accounts belonging to medical researchers.
Phase 2 – The HAFNIUM Campaign (Late 2020 – 2021): Xu is alleged to have played a key role in a massive hacking operation known as "HAFNIUM" — later tracked under the name Silk Typhoon. The campaign exploited critical vulnerabilities in Microsoft Exchange Server, a widely used corporate email platform, to breach thousands of organizations worldwide. According to the DOJ, more than 12,700 U.S. organizations alone were compromised.
Victims included universities, law firms, and entities with connections to U.S. policymakers and government agencies. Hackers reportedly searched email accounts for sensitive information about American policy decisions and government operations.
How Italy Became the Trap
Xu Zewei was arrested in Milan in July 2025 at the request of the FBI, with assistance from Italy's Postal Police (Polizia Postale), a specialized unit handling cybercrime. An Italian court subsequently approved his extradition, and the Italian government under Prime Minister Giorgia Meloni authorized the transfer.
Beijing's reaction was sharp. Chinese Foreign Ministry Spokesperson Lin Jian accused Washington of "fabricating charges through political manipulation" and called on Italy to "avoid becoming an accomplice of the U.S." The Chinese Embassy in Washington did not respond to requests for comment.
Those protests were not enough to stop the extradition.
The Bigger Picture: China's Contractor Model Under Scrutiny
U.S. officials say China has deliberately structured its cyber operations to maintain distance from direct government involvement. By routing attacks through private companies and contractors, Beijing gains strategic capability while preserving deniability — the contractor takes the risk, the state takes the intelligence.
Leatherman's comments suggest the FBI is now actively working to dismantle that model, not just by indicting hackers (which has happened before) but by physically bringing them to trial. Co-conspirator Zhang Yu, 44, also named in the indictment, remains at large.
For the many Chinese hackers currently working in this shadow economy, the Xu case is a pointed warning: a business trip, a vacation, or any travel outside China could end with an arrest.
Sources
- U.S. Department of Justice – Official Press Release: Prolific Chinese State-Sponsored Contract Hacker Extradited from Italy — https://www.justice.gov/opa/pr/prolific-chinese-state-sponsored-contract-hacker-extradited-italy
- Al Jazeera – Italy extradites Chinese cyber-espionage suspect to US — https://www.aljazeera.com/news/2026/4/28/italy-extradites-alleged-chinese-cyber-espionage-suspect-to-us
- TechCrunch – Hacker who allegedly carried out cyberattacks for China is extradited to US — https://techcrunch.com/2026/04/27/hacker-who-allegedly-carried-out-cyberattacks-for-china-is-extradited-to-u-s/
- Nextgov/FCW – Italy extradites alleged Chinese state-backed hacker to US over theft of COVID-19 research — https://www.nextgov.com/cybersecurity/2026/04/italy-extradites-alleged-chinese-state-backed-hacker-us-over-theft-covid-19-research/413144/
- Foundation for Defense of Democracies (FDD) – U.S. Conducts Rare Extradition of Alleged Chinese Cyber Spy — https://www.fdd.org/analysis/2026/04/28/u-s-conducts-rare-extradition-of-alleged-chinese-cyber-spy/


