Chinese Silk-Typhoon-Linked Hacker Extradited to U.S. Over COVID-19 Research Theft and Microsoft Exchange Attacks


A Chinese state-linked contract hacker, Xu Zewei, has been extradited from Italy to the United States and charged for his alleged role in the Silk-Typhoon (Hafnium) campaigns that targeted U.S. universities conducting COVID-19 vaccine research and later thousands of Microsoft Exchange email servers worldwide.

WASHINGTON, D.C. — In a landmark development for international cyber-law enforcement, the U.S. Department of Justice announced the extradition of Xu Zewei, a 34-year-old Chinese national, from Italy. Xu is allegedly a key operative within a contract-hacking cluster linked to Silk-Typhoon (also known as Hafnium or Murky Panda).

Prosecutors allege that between early 2020 and mid-2021, Xu and his accomplices operated under the direction of the Shanghai State Security Bureau (SSSB). Their mission: to infiltrate U.S. biomedical research institutions to steal proprietary COVID-19 vaccine and treatment data, and later, to exploit critical zero-day vulnerabilities in Microsoft Exchange Server to gain a foothold in thousands of private-sector networks.


Incident Profile: Silk-Typhoon (Xu Zewei Cluster)

Extradition & Case Details (April 2026)
Metric | Detail
Defendant | Xu Zewei (Shanghai Powerock Network)
State Nexus | MSS / Shanghai State Security Bureau (SSSB)
Major Targets | Biomedical Research (COVID-19), Exchange Mail Servers
Legal Status | Extradited to U.S.; Facing 9 Counts of Wire Fraud/Hacking

From Vaccine Research to Global Exchange Breaches

The indictment outlines a two-phase operation. First, during the height of the pandemic, the group targeted U.S. universities — including institutions in Texas — that were developing critical vaccine and diagnostic technologies. By stealing credentials and internal work products, the MSS-backed contract hackers sought to accelerate China’s own pharmaceutical R&D.

Second, the group was tied to the massive March 2021 exploitation of Microsoft Exchange Server zero-day vulnerabilities. By deploying web shells on compromised mail servers, Xu and the Silk-Typhoon collective gained persistent access to the communications of tens of thousands of organizations globally.

The "Contract Hacker" Model

The case highlights the SSSB's use of "front" companies — in this case, Shanghai Powerock Network Technology Co., Ltd. — to employ freelance hackers for state-sanctioned espionage. This model allows the Chinese government to maintain a degree of deniability while leveraging high-level technical talent for aggressive collection campaigns.


The CyberSignal Analysis: Strategic Signals

Signal 01 — A Global Shift in Cyber-Extradition Norms

The extradition of a Chinese national from Italy to the U.S. is a rare and significant diplomatic victory. It signals that Western allies are increasingly willing to cooperate in the legal pursuit of state-sponsored actors, even when those actors are tied to a superpower like China. This adds a new layer of risk for contract hackers working for state actors who previously felt safe traveling internationally.

Signal 02 — The Long Dwell of Pandemic Espionage

This case underscores that the cyber repercussions of the pandemic are still being litigated in 2026. The intelligence gathered during 2020-2021 regarding biomedical research wasn't just a temporary curiosity — it was a strategic theft intended to shift global economic power. Organizations in the research sector must realize they remain permanent targets in the Chinese state actor playbook.

Signal 03 — From Targeted Theft to Infrastructure Poisoning

The transition from attacking specific vaccine researchers to launching broad, automated attacks against Exchange Servers shows how major incidents like the Hafnium breach are born. State actors don't stay in one lane; they pivot from "intel collection" to "mass compromise" the moment a high-value vulnerability is discovered.

