Chinese Hacker Bags COVID Research, Emails, and Probably a Bonus—Now Faces Extradition Vacation

The U.S. Justice Department has finally confirmed what every cybersecurity expert has been screaming into the void since 2020: that the mass theft of COVID-19 research and a historic email server breach weren’t just the handiwork of anonymous gremlins in a basement, but the work of state-backed hackers—specifically, Chinese nationals allegedly acting on behalf of Beijing.
On Monday, U.S. officials revealed the arrest of Xu Zewei, a Chinese national and alleged mercenary hacker-for-hire, who was apprehended in Italy at the request of U.S. prosecutors. His crime? Just a casual spree of cyber espionage, including the theft of vital COVID-19 research during a global pandemic and compromising tens of thousands of Microsoft Exchange email servers. You know—just typical Tuesday stuff.
Xu, along with alleged co-conspirator Zhang Yu, was named in a nine-count indictment that paints a very public and very damning portrait of China’s digital offensive. While Zhang is still at large—presumably somewhere far away from countries with extradition treaties—Xu now finds himself facing the very real prospect of standing trial in the United States.
According to the indictment, Xu worked for Shanghai Powerock Network Technology Company, which, surprise, has ties to China’s Ministry of State Security. The DOJ claims the firm was essentially a front for state-sanctioned cyber operations, making Xu not just a rogue actor, but a paid foot soldier in an international campaign of intellectual property theft.
Among the most infuriating charges? The alleged theft of COVID-19 research from U.S. universities in February 2020, a time when the world was scrambling for answers in the face of a mysterious and deadly virus. While researchers toiled around the clock to find a vaccine, hackers like Xu allegedly swooped in to pilfer data that took months—and countless taxpayer dollars—to develop.
But Xu and Zhang didn’t stop there. According to the Justice Department, they were also behind the infamous 2021 Microsoft Exchange hack, a sprawling digital raid that compromised more than 60,000 servers across small businesses, municipalities, and nonprofits. The hacking group, dubbed “Hafnium” by Microsoft, exploited zero-day vulnerabilities to infiltrate systems, loot private emails, and scrape contact books.
At the time, Microsoft described the attack as “limited and targeted,” which turned out to be a bit of a corporate understatement. The attack not only disrupted businesses across America but also forced an unprecedented emergency response from the federal government and private cybersecurity firms.
As if to stay on-brand, Hafnium has reportedly evolved into a new cyber-threat group now known as “Silk Typhoon,” which researchers say has been targeting large corporations and government institutions. So yes, the cyber party is far from over.
“Today’s announcement sends a clear message: the United States will not tolerate nation-state cyberattacks,” said a Justice Department official, in a statement that feels a little like bolting the door after the hackers have already ransacked the house, stolen the blueprints, and emailed them to Beijing.
Cybersecurity experts have long warned about the expanding role of state-sponsored hacking groups in China’s geopolitical toolkit. According to a 2023 report by cybersecurity firm Mandiant, Chinese government-linked hackers were responsible for more than 50 percent of all state-backed cyber operations detected worldwide between 2020 and 2022.
But the arrest of Xu Zewei marks a rare moment of accountability in a cyberwar where the lines between government espionage and freelance criminality are increasingly blurry.
Whether the U.S. can secure his extradition and actually bring him to trial is still uncertain. What’s clear is that the digital battlefield is now just as important as the physical one, if not more so. And while the Justice Department’s statement is full of bravado, the reality is that for every hacker arrested, a dozen more are booting up their laptops.
In a world where stealing vaccine research is just another bullet point on a cybercriminal’s resume, maybe it’s time to stop pretending this is just “cybercrime” and start calling it what it is: digital warfare.
