Summary
- Chinese national Xu Zewei was arrested in Italy for allegedly hacking U.S. universities and exploiting Microsoft Exchange Server vulnerabilities at the direction of China's Ministry of State Security (MSS).
- The DOJ says Xu targeted COVID-19 research and took part in the "HAFNIUM" campaign, which victimized more than 12,700 U.S. entities, while working from a front company linked to the CCP.
- His arrest reveals how China outsourced cyber espionage to private contractors while maintaining plausible deniability and profiting from stolen data.
A Shadow Operative Unmasked: Xu Zewei and the HAFNIUM Intrusions
The U.S. Justice Department has blown the lid off a major state-sponsored cyber espionage ring allegedly orchestrated by China’s Ministry of State Security (MSS). At the center of it is Xu Zewei, a 33-year-old Chinese hacker who, until last week, operated under Beijing’s protection. Now under arrest in Milan, Italy, Xu faces extradition to the U.S. for his role in one of the most damaging global cyberattacks in recent memory—the indiscriminate HAFNIUM campaign.
From February 2020 to June 2021, Xu and co-defendant Zhang Yu (still at large) allegedly compromised thousands of U.S. systems, including those belonging to COVID-19 researchers, universities, and a global law firm. What makes this case explosive isn't just the scale of the attack but its timing and coordination: it began just as the world plunged into the COVID-19 pandemic, with the hackers allegedly stealing vaccine and virus-related research on direct orders from the MSS.
INBOX: U.S. Arrests Prolific Chinese State-Sponsored Contract Hacker — China’s Ministry of State Security Directed the Theft of COVID-19 Research and the Exploitation of Microsoft Exchange Server Vulnerabilities pic.twitter.com/96ZnUgVz8H
— Adam Kredo (@Kredo0) July 8, 2025
COVID-19 Espionage: When the World Suffered, China Hacked
- Xu allegedly hacked Texas-based research universities in February 2020 to steal COVID-19 research.
- The campaign targeted immunologists, virologists, and U.S. vaccine developers.
- Xu reported directly to MSS officers, confirming mailbox intrusions and network access.
The indictment details how, at the height of the global pandemic, Xu hacked into the email systems of U.S. researchers racing to develop COVID-19 vaccines. These intrusions were not rogue operations—they were supervised by the Shanghai State Security Bureau (SSSB), a provincial arm of China’s main intelligence service.
Court documents allege that on Feb. 19, 2020, Xu gained access to the network of a university in the Southern District of Texas. Just three days later, an MSS handler ordered him to exfiltrate mailbox data from virologists working on virus treatments and vaccine trials. Xu later confirmed to his handler that the job was done.
The implications are profound: while the Chinese government withheld key information about the virus’s origin, it simultaneously ran covert operations to steal the scientific breakthroughs of others.
Enter HAFNIUM: A Cyber Campaign of Global Proportions
- Xu and Zhang later launched a global campaign exploiting Microsoft Exchange Server vulnerabilities.
- More than 12,700 U.S. entities were victimized in the months-long “HAFNIUM” intrusion.
- Web shells and backdoors enabled persistent remote access and large-scale data theft.
By late 2020, Xu's group shifted gears, turning to one of the most widely used corporate email systems in the world. Leveraging then-unpatched (zero-day) vulnerabilities in Microsoft Exchange Server, the hackers deployed web shells on compromised servers, giving them persistent remote access that survived reboots and did not depend on the original exploit. Microsoft disclosed the campaign in March 2021, naming the actor "HAFNIUM" and assessing it to be state-sponsored and operating out of China.
Among the compromised entities were a second U.S. university and a law firm with offices in Washington, D.C. The hackers didn’t just seek technical or scientific data—they searched emails for terms like “Chinese sources,” “MSS,” and “Hong Kong”—suggesting a broader political surveillance mission aimed at U.S. policymakers and international critics of Beijing.
Despite coordinated mitigation efforts from Microsoft, the FBI, and CISA, hundreds of U.S. servers remained unpatched or still carried attacker-planted web shells months after the campaign's exposure.
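The persistence mechanism described above, web shells dropped into web-accessible directories of a compromised Exchange/IIS host, is what defenders had to hunt for long after patching. The following is an added example, not code from the indictment, Microsoft, or CISA: a small heuristic scanner that walks a directory of ASP.NET files and flags those where a request parameter flows into code evaluation, process execution, or a file write. The indicator patterns and the sample files (both benign and shell-like) are constructed for illustration and are assumptions, not the signatures or file names from the actual campaign.

```python
"""Heuristic hunt for ASP.NET web shells on a web server directory tree.

Added example; not from the HAFNIUM indictment or vendor advisories.
The indicator list is an assumption: patterns common to one-line web
shells, where an HTTP request parameter reaches eval(), a process
launch, or a file write (a dropper that writes a second-stage shell).
"""
import re
import tempfile
from pathlib import Path

# Assumed indicators (regexes over raw file text, case-insensitive).
INDICATORS = {
    # JScript-style shell: eval(Request["cmd"], "unsafe")
    "eval_of_request": re.compile(r'eval\s*\(\s*Request\b', re.IGNORECASE),
    # C# shell spawning a process with attacker-controlled arguments
    "process_start": re.compile(r'Process\.Start\s*\(', re.IGNORECASE),
    "cmd_exe": re.compile(r'\bcmd\.exe\b', re.IGNORECASE),
    # Exchange pages are normally C#; a JScript page directive is unusual
    "jscript_page": re.compile(r'Page\s+Language\s*=\s*"?JScript', re.IGNORECASE),
    # Dropper: request body written straight to disk
    "request_written_to_disk": re.compile(r'WriteAllText\s*\([^;]*Request\b', re.IGNORECASE),
}


def score_file(text):
    """Return the set of indicator names whose pattern matches `text`."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_directory(root, suffixes=(".aspx", ".ashx", ".asmx"), min_hits=1):
    """Walk `root` and return {relative_path: sorted indicators} for every
    script file that triggers at least `min_hits` indicators."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the hunt
        hits = score_file(text)
        if len(hits) >= min_hits:
            rel = str(path.relative_to(root)).replace("\\", "/")
            findings[rel] = sorted(hits)
    return findings


# Constructed sample files (not real artifacts from the case).
SAMPLES = {
    "sample_benign.aspx": (
        '<%@ Page Language="C#" %>\n'
        '<html><body><form runat="server">'
        '<asp:Login runat="server" /></form></body></html>\n'
    ),
    "shells/sample_eval.aspx": (
        '<%@ Page Language="JScript" %>'
        '<%eval(Request["cmd"], "unsafe");%>\n'
    ),
    "shells/sample_process.aspx": (
        '<%@ Page Language="C#" %>'
        '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>\n'
    ),
    "shells/sample_dropper.aspx": (
        '<%@ Page Language="C#" %>'
        '<% System.IO.File.WriteAllText(Server.MapPath("x.aspx"), Request["data"]); %>\n'
    ),
}


def demo():
    """Write the constructed samples to a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, hits in sorted(demo().items()):
        print(f"{name}: {', '.join(hits)}")
```

On a real host you would point `scan_directory` at the IIS web roots (for Exchange, the OWA and ECP virtual directories) and review every flagged file against a known-good install; a pattern scanner of this kind catches common one-liners but not obfuscated shells, so it complements, rather than replaces, file-integrity comparison and the vendor's own detection tooling.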
A Network Hidden in Plain Sight: State Espionage Through Private Contractors
- Xu worked under the guise of Shanghai Powerock Network Co. Ltd., a “cyber mercenary” firm for MSS.
- The indictment paints a picture of a blended threat model—state-backed hackers masked as private actors.
- The PRC allegedly profits from stolen data, selling it to state organs and third parties.
The case against Xu reveals the structural sophistication behind Chinese cyber operations. Rather than relying solely on military hackers, the MSS outsourced much of its espionage to private firms like Powerock, gaining deniability while expanding its reach. According to U.S. officials, these firms not only operated at MSS direction but also monetized the stolen data by selling it to government agencies or third-party buyers.
This dual-use model let the PRC gather sensitive health, defense, and legal information while seeding the global cyber landscape with backdoors, often leaving compromised systems open to secondary exploitation by other criminal actors.
What’s Next: Legal Fallout and Geopolitical Tensions
- Xu faces multiple charges including wire fraud, identity theft, and intentional computer damage.
- He could serve up to 20 years per wire fraud count if convicted.
- His extradition could further escalate U.S.–China tensions amid rising cyberwarfare and trade friction.
Xu Zewei now awaits extradition proceedings in Italy. His charges carry penalties of decades in prison, and the U.S. has made it clear that its pursuit of cybercriminals with state links will not stop at borders.
Meanwhile, Zhang Yu remains at large, and the FBI has issued a global call for information. With international cooperation intensifying, future arrests may follow—especially as Western nations align on joint cyber deterrence measures against Beijing.
For China, the revelations are a diplomatic minefield. The indictment not only accuses the MSS of weaponizing a pandemic—but also exposes how the CCP has built a sprawling network of state-sponsored hacking teams under the guise of tech companies.
Final Verdict: COVID Secrets, Corporate Hacks, and a New Cyber Cold War
The unsealing of charges against Xu Zewei isn’t just a legal development—it’s a strategic message. The U.S. is drawing a clear red line between espionage-as-policy and criminal accountability. As Assistant Attorney General John Eisenberg put it, “The Justice Department will find you and hold you accountable for threatening our cybersecurity and harming our people.”
With cyberattacks now weaponized on the global stage—and COVID-19 used as a cover for espionage—the lines between peacetime and war are increasingly blurred.
Welcome to the new Cold War—fought not with missiles, but malware.