China-linked hacker Xu Zewei extradited, faces 20-year US sentence
Synopsis
A Chinese national allegedly directed by the Shanghai State Security Bureau has been extradited to the US and arraigned on nine counts — including stealing COVID-19 vaccine research from American universities at the height of the pandemic. The case lifts the curtain on Beijing's use of private contractors to conduct state-sponsored cyber operations with plausible deniability.
Key Takeaways
Xu Zewei , 34 , was extradited to the United States and appeared in federal court in Houston on a nine-count indictment .
Alleged hacking operations spanned February 2020 to June 2021 , including the HAFNIUM Microsoft Exchange Server campaign.
Xu allegedly acted under direction of the Shanghai State Security Bureau (SSSB) , part of China's Ministry of State Security .
Targets included US universities, immunologists, and virologists working on COVID-19 vaccines, treatment, and testing.
Co-accused Zhang Yu remains at large.
The most serious charges carry prison sentences of up to 20 years .
A Chinese national accused of conducting state-directed cyber intrusions — including targeting COVID-19 vaccine research — has been extradited to the United States and appeared before a federal court in Houston, Texas on a nine-count indictment, the US Department of Justice announced on 28 April.
Xu Zewei, 34, faces charges stemming from alleged hacking operations carried out between February 2020 and June 2021, including activity linked to the HAFNIUM campaign, which reportedly compromised thousands of computers worldwide, including systems across the United States.
Who Is Xu Zewei and Who Directed Him
According to court documents, Xu allegedly operated under the direction of officers from the Shanghai State Security Bureau (SSSB), a component of China's Ministry of State Security (MSS) — the agency responsible for foreign intelligence and counterintelligence operations. Prosecutors describe Xu as
Point of View
Where private nationals provide the MSS operational cover and deniability. The targeting of COVID-19 researchers in February 2020, when the world was scrambling for a vaccine, underscores how state-linked actors treat a global health crisis as a strategic intelligence opportunity. With co-accused Zhang Yu still at large and the FBI explicitly warning others face similar risks, Washington is signalling that extradition is now a credible — not just theoretical — deterrent. The deeper question is whether charges alone reshape the calculus for contractors who serve as Beijing's digital proxies.
NationPress
1 May 2026
Frequently Asked Questions
Who is Xu Zewei and what is he charged with?
Xu Zewei is a 34-year-old Chinese national extradited to the United States and indicted on nine counts, including conspiracy to commit wire fraud, unauthorised access to protected computers, intentional damage to computer systems, and aggravated identity theft. The most serious charges carry prison sentences of up to 20 years.
What is the HAFNIUM hacking campaign?
HAFNIUM is a cyber campaign that exploited previously unknown vulnerabilities in Microsoft Exchange Server systems, enabling attackers to install web shells for remote access. According to court documents, it compromised thousands of computers worldwide, with victims including US universities and a global law firm.
Who directed Xu Zewei's alleged hacking operations?
Prosecutors allege Xu acted under the direction of officers from the Shanghai State Security Bureau (SSSB), a division of China's Ministry of State Security (MSS). The FBI has described him as one of many private contractors used by the Chinese government to obscure state involvement in cyber operations.
What COVID-19 research was allegedly stolen?
Prosecutors allege Xu and his co-conspirators targeted US-based universities, immunologists, and virologists working on COVID-19 vaccines, treatment, and testing. In one instance in February 2020, Xu allegedly accessed a Texas university network and obtained the contents of researchers' email accounts at the direction of an SSSB officer.
Where does the case stand now?
Xu Zewei has appeared in federal court in Houston following his extradition. His co-accused, Zhang Yu, remains at large. The FBI has warned that others involved in similar state-linked cyber operations face comparable legal risks.
