A suspected state-linked hacker accused of targeting US organizations and COVID-19 research has been extradited to the US, according to the Department of Justice (DoJ).
Xu Zewei, a 34-year-old Chinese national, appeared in a federal court in Houston over the weekend on charges tied to a series of intrusions carried out between February 2020 and June 2021, some of which were allegedly tied to the Silk Typhoon campaign.
Prosecutors alleged that Xu acted under the direction of China’s intelligence apparatus, specifically the Ministry of State Security (MSS) and its Shanghai branch.
Court filings claimed he worked through a private contractor, Shanghai Powerock Network Co. Ltd., part of a broader ecosystem used to obscure government involvement in cyber operations.
Alleged Role in COVID-19 and Exchange Server Attacks
Investigators said early attacks focused on US universities and researchers working on pandemic-related science. In February 2020, Xu allegedly accessed a university network in Texas and was later instructed to extract emails belonging to virologists and immunologists studying COVID-19.
Authorities claimed that stolen mailbox data included sensitive research into vaccines, treatments, and testing. These activities were reportedly coordinated with MSS officers, who directed targeting priorities and received updates on compromised systems.
Later that year, the operation allegedly expanded into the exploitation of Microsoft Exchange Server vulnerabilities. These attacks formed part of the wider Silk Typhoon (also tracked as Hafnium) campaign, publicly disclosed by the tech giant in March 2021, which impacted thousands of organizations globally.
Read more on Microsoft Exchange vulnerabilities: New Microsoft Exchange Vulnerability Puts Hybrid Cloud Environments at Risk
Global Campaign and Attribution to State Actors
The Silk Typhoon campaign affected more than 12,700 US organizations, according to the FBI. Attackers deployed web shells on compromised servers, allowing persistent remote access and data exfiltration. Even after patches were released, hundreds of systems remained exposed.
Among the alleged victims were another US university and a global law firm. Prosecutors state that attackers searched stolen emails for references to US policymakers and agencies, using terms linked to Chinese intelligence interests.
The indictment outlines how contractor networks operated with both state direction and financial incentives. According to US officials, these groups often targeted a broad set of systems, gathering data that could be sold onward if not directly useful to government intelligence.
Xu faces multiple charges, including wire fraud, unauthorized access to protected computers and identity theft. Each carries a potential prison sentence of 2 to 20 years. His co-defendant, Zhang Yu, remains at large.
US authorities emphasized that the allegations remain unproven, and the defendant is presumed innocent unless found guilty in court.
