Alleged Nation-State Hacker Being Held in Houston Jail

Senior U.S. law enforcement officials on Thursday described the extradition from Italy of an accused Chinese nation-state hacker as an effort to impose real-world consequences on threat actors long believed to operate beyond the reach of U.S. courts.
“State-affiliated cyber actors operate on the assumption that distance and state protection insulate them from consequence,” an FBI official said during a Thursday media briefing. “That assumption is no longer reliable.”
Xu Zewei, a 34-year-old Chinese national accused of working at the direction of China’s Ministry of State Security, was arrested in Milan in July 2025 while traveling and extradited Monday to the United States, where a Houston federal judge ordered him held pending a detention hearing (see: Italian Police Arrest Alleged Chinese Hacker Wanted by FBI).
Officials described the extradition as a rare instance of a Chinese hacker tied to state-directed operations being brought into U.S. custody after the Department of Justice and FBI paired his indictment with an opportunistic arrest when the suspect was traveling abroad.
A federal indictment unsealed in the Southern District of Texas alleges Xu played a central role in a Beijing cyberespionage campaign between February 2020 and June 2021 targeting U.S. universities, medical researchers and a Washington-based law firm. Prosecutors say Xu was a hacker-for-hire, working as a general manager at Shanghai Powerock Network Co., while carrying out intrusions under the direction of officers in the Shanghai State Security Bureau, a regional arm of the Ministry of State Security.
The charging document describes an operation in which Chinese state security officers tasked contractors with exploiting vulnerabilities, maintaining persistent access to victim networks, and exfiltrating data for intelligence and strategic purposes. Xu and his co-conspirators are accused of targeting at least three U.S.-based universities conducting novel coronavirus research, including work related to vaccines, treatments and testing, as well as a U.S. law firm with access to sensitive policy and client information.
According to prosecutors, the group gained initial access in early 2020 by exploiting known vulnerabilities such as CVE-2019-11510 in the Pulse Connect Secure VPN, stealing credentials and pivoting into internal systems, including email accounts belonging to virologists and immunologists. Senior Justice Department officials declined to name the victim organizations.
The indictment also links the operation to a widespread Microsoft Exchange zero-day campaign that compromised thousands of systems and drew condemnation from the U.S. and allied governments. At the time, Microsoft tracked the threat actor behind the hacks as Hafnium; it now does so as Silk Typhoon (see: White House Establishes Group to Investigate Exchange Attacks).
Xu faces multiple charges including conspiracy, wire fraud, computer intrusion and aggravated identity theft, with potential penalties exceeding 20 years if convicted. Officials said that the investigation began with efforts to assist victims and mitigate ongoing intrusions before shifting toward attribution and prosecution once the immediate threat was contained.
“When there is an opening to bring the attacker to U.S. soil, we always want to take it,” a senior FBI official said. The bureau “deployed its elite cyber action team to the most prominent victim” to further cut off the attacker’s access to victim networks.