Italian authorities have extradited Xu Zewei, a 33-year-old Chinese national accused by the U.S. of participating in state-sponsored cyberattacks, including the theft of COVID-19 medical research. The handover to U.S. custody marks a significant win for American prosecutors pursuing hackers linked to China's government, as reported by Bloomberg and Reuters sources close to the matter.
Xu was arrested in Milan on July 3, 2025, at the request of the U.S. Department of Justice, which alleges he worked through a Shanghai-based company under direction from China's state security apparatus. According to the nine-count indictment in the Southern District of Texas, Xu and co-defendant Zhang Yu conducted cyber intrusions between 2020 and 2021 as part of the notorious Hafnium group, infiltrating thousands of computers worldwide, including those of U.S. universities, immunologists, and virologists researching vaccines, treatments, and testing. The Independent and TechCrunch detailed how these operations stole sensitive COVID-19 data during the height of the pandemic.
An Italian court ruled earlier this month that Xu could be extradited, a decision upheld by Prime Minister Giorgia Meloni's government. As of late last week, Xu remained in a prison near Parma, but U.S. officials confirmed his transfer, underscoring Washington's global pursuit of cyber threats. The Justice Department emphasized that such actions demonstrate commitment to holding accountable those targeting American institutions, with charges including wire fraud and aggravated identity theft.
Xu's Milan-based lawyer has contested the extradition, claiming his client is a victim of mistaken identity and maintaining his innocence, as noted by Italian media and UniIndia reports. China has condemned the move, protesting Italy's cooperation with the U.S. in handing over one of its nationals. This case highlights ongoing tensions in international cyber diplomacy, where extraditions of alleged state-backed hackers remain rare.
The extradition affects U.S. research institutions, healthcare providers, and government systems hit by Hafnium's intrusions, which exploited vulnerabilities in Microsoft Exchange servers in early 2021. Broader U.S. efforts against Chinese cyber actors continue, with recent Treasury sanctions on figures like Zhou Shuai for similar data brokering, though Xu's case stands out for its direct pandemic-related theft. Next steps include Xu's arraignment in Texas, a potential trial, and further revelations on the scale of the intrusions.
This development reinforces the risks of state-sponsored hacking to global health security and critical infrastructure, prompting stronger international alliances against such threats. U.S. prosecutors vow continued pursuit, while Xu's defense prepares to challenge the evidence in court.