Italy Hands Over Alleged Chinese State Hacker to the U.S. — Accused of Stealing COVID Research and Infiltrating Thousands of Computers
Italy has approved the extradition of Chinese national Xu Zewei to the United States, where he faces serious federal charges. Prosecutors allege he hacked American COVID-19 research on behalf of Beijing and was a key player in one of the largest cyber-espionage campaigns in recent history.
Italy Green-Lights Extradition After Court Ruling
The Italian government has decided to extradite Xu Zewei, a 33-year-old Chinese national, to the United States. A person with direct knowledge of the matter confirmed this to Reuters on April 26, 2026. The move follows a ruling by an Italian court earlier this month that cleared the legal path for the handover.
Italian Prime Minister Giorgia Meloni's government gave the final sign-off after the court's decision. The government declined to comment publicly. Xu's defense attorney, Enrico Giarda, told Reuters that his client had not yet been formally notified of the extradition decision.
Arrested at the Airport on a Holiday Trip
The case began abruptly in the summer of 2025. Xu was arrested on July 3 at Milan's Malpensa Airport, where he had arrived with his wife for a holiday in Italy. U.S. authorities had been tracking him for years — the Justice Department had already filed an arrest warrant as far back as November 2023 in the U.S. District Court for the Southern District of Texas.
Xu faces a nine-count federal indictment, including charges of wire fraud, aggravated identity theft, and unauthorized access to protected computer systems. If convicted on all counts, he could face up to 77 years in prison.
The Charges: COVID Research Theft and Mass Cyber Intrusion
The U.S. Department of Justice (DOJ) lays out a sweeping set of allegations against Xu. The case centers on two overlapping phases of alleged criminal activity.
Phase 1 – Stealing COVID-19 Research (2020)
In early 2020, as the world was entering a global pandemic, Xu and his co-conspirators allegedly hacked U.S.-based universities, immunologists, and virologists conducting research into COVID-19 vaccines, treatments, and testing. The DOJ claims Xu was specifically directed to target and access email accounts belonging to researchers at a Texas university — and later confirmed to his handlers that he had successfully obtained the contents of their mailboxes.
Phase 2 – The HAFNIUM Campaign (2021)
Beginning in late 2020, Xu and his associates exploited vulnerabilities in Microsoft Exchange Server, a widely used corporate email platform, as part of a massive operation publicly known as "HAFNIUM." That campaign compromised over 60,000 U.S. systems and affected more than 12,700 entities globally. Victims included universities, law firms with offices in Washington, D.C., and a broad range of other organizations.
Beijing's Fingerprints: The Ministry of State Security
What makes this case particularly significant is the alleged chain of command. According to court documents, officers of China's Ministry of State Security (MSS) — specifically its Shanghai State Security Bureau (SSSB) — directed Xu to carry out the hacking operations. The MSS is China's primary civilian intelligence agency.
Xu is described in the indictment as a contractor for the SSSB, where he served as general manager of Shanghai Powerock Network Co. Ltd. — a private tech company that prosecutors say was used as a front to conduct state-backed operations while providing Beijing with plausible deniability.
The DOJ stated that this case is part of a broader pattern of China "using an extensive network of private companies and contractors to hack and steal information in a manner that obscured the PRC government's involvement."
"Mistaken Identity" — The Defense's Argument
Xu's attorney has consistently denied the charges. The lawyer argued that Xu is a victim of mistaken identity, pointing out that his surname is extremely common in China and that his mobile phone was stolen in 2020, potentially allowing someone else to use his digital identity to conduct the alleged crimes. Xu's wife also maintained that he is not a hacker but works as an IT technician for a company called GTA Semiconductor.
The Chinese government, for its part, has rejected the broader accusations. China's embassy in Washington previously stated that Beijing "opposes all forms of cyber crimes" and denied any need or intention to acquire vaccine research through theft.
A Rare Capture — and a Strong Signal
Cases like this one are unusual. The FBI's Houston field office described Xu as "one of the first hackers linked to Chinese intelligence services to be captured by the FBI," noting that most U.S. indictments against foreign intelligence-linked hackers are issued in absentia.
U.S. Attorney Nicholas Ganjei for the Southern District of Texas noted that prosecutors had waited years for this arrest. The fact that Italy — a NATO ally and increasingly aligned with Washington under Meloni — agreed to the extradition sends a strong diplomatic message: even alleged state-sponsored hackers are not beyond the reach of Western law enforcement when they set foot outside China's borders.
Xu's co-defendant, Zhang Yu, remains at large.
Sources
- U.S. Department of Justice – Official Press Release on Xu Zewei Arrest (July 8, 2025): https://www.justice.gov/opa/pr/justice-department-announces-arrest-prolific-chinese-state-sponsored-contract-hacker
- Reuters – Italy to extradite suspected Chinese hacker wanted by U.S. authorities (April 26, 2026): https://www.reuters.com/world/china/italy-extradite-suspected-chinese-hacker-wanted-by-us-authorities-says-source-2026-04-26/
- The Record (Recorded Future News) – Chinese national arrested in Milan after U.S. issues arrest warrant for HAFNIUM attacks: https://therecord.media/chinese-national-arrested-italy-hafnium-covid
- NBC News – Chinese state-sponsored contract hacker arrested in Italy at U.S. request: https://www.nbcnews.com/world/china/chinese-state-sponsored-contract-hacker-arrested-italy-us-request-doj-rcna217675
- Natto Thoughts (Cyber Analysis) – HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China's Cyber Ecosystem: https://nattothoughts.substack.com/p/hafnium-linked-hacker-xu-zewei-riding


