Chinese Spy Arrested in Italy for Stealing Texas University COVID Research

James Mortensen | July 10, 2025

The Department of Justice (DOJ) announced Tuesday in a press release that Xu Zewei, 33, of the People’s Republic of China (PRC) was arrested on July 3, 2025, in Milan, Italy, at the request of the United States.

Xu and his co-defendant, 44-year-old PRC national Zhan Yu, are charged in a nine-count indictment for their alleged involvement in the hacking and stealing of crucial COVID-19 research from a university in Texas at the behest of the Chinese government.

The indictment revealed that Xu and Zhan were involved in hacking activities from February 2020 to June 2021. This included the widespread HAFNIUM hacking campaign that compromised thousands of computers worldwide, including in the United States.

Court documents also show that officers from the PRC’s Ministry of State Security (MSS) and Shanghai State Security Bureau (SSSB) allegedly ordered Xu to conduct the hacks. The MSS and SSSB are PRC intelligence agencies responsible for the PRC’s domestic security, non-military foreign intelligence, and aspects of the PRC’s political security.

When committing his crimes, Xu worked for a company named Shanghai Powerock Network Co. Ltd. (Powerock). Powerock was one of many companies in the PRC that have conducted hacking for the PRC government, the DOJ reports.

The hacking operation targeting the Texas university in February of 2020 is allegedly part of a broader campaign by Xu and Zhan to exploit vulnerabilities in global computer systems during the height of COVID-19. According to the DOJ, the stolen research included COVID-19 vaccine research, as well as sensitive data on treatment and testing. Xu and others reported their activity to the SSSB, which was directing and advising their activities at the time.

Xu and Zhan’s campaign continued for another year, during which they allegedly continued to target networks under the direction of the SSSB. According to the DOJ, in 2021, the campaign successfully compromised another university in Texas and a law firm with offices worldwide, including in Washington D.C.

Unauthorized access to the firm’s network allegedly allowed Xu and Zhan to steal information from mailboxes and search for information regarding specific U.S. policy makers and government agencies. Their search terms included “Chinese sources,” “MSS,” and “HongKong.”

The charges pressed against Xu are the latest describing the PRC’s extensive use of a network of private companies and contractors in China to steal information in a manner that obscures the PRC’s alleged involvement.

Xu Zewei faces numerous charges, including conspiracy to commit wire fraud, two counts of wire fraud, and conspiracy to damage and access protected computers without authorization. If prosecuted to the fullest extent and sentenced consecutively, he could face a maximum of 97 years in prison.

“The Southern District of Texas has been waiting years to bring Xu to justice and that day is nearly at hand,” U.S. Attorney for the Southern District of Texas Nicholas Ganjei boldly stated regarding Xu’s arrest. “As this case shows, even if it takes years, we will track hackers down and make them answer for their crimes. The United States does not forget.”

Xu is facing extradition proceedings; Zhan, however, remains at large.