
Alleged Chinese Cyber Spy Flown Into Houston As Hafnium Case Hits Court

Published on April 27, 2026

A Chinese national accused of helping run one of the largest state-linked cyber espionage campaigns in recent memory has been flown into Houston and put in front of a federal judge. After his extradition from Italy, the suspect made his first appearance Monday in federal court, where prosecutors tied him to the HAFNIUM operation that exploited Microsoft Exchange servers and went after U.S. universities, COVID-19 researchers and other institutions. Federal authorities say the yearslong international probe has uncovered compromises across thousands of computer systems.

What prosecutors allege

According to the U.S. Department of Justice, the defendant, identified in court filings as 34-year-old Xu Zewei, was extradited over the weekend and appeared Monday in U.S. District Court in Houston on a nine-count indictment. Prosecutors allege Xu carried out computer intrusions between February 2020 and June 2021, including operations they say were directed by officers of China’s Ministry of State Security and its Shanghai State Security Bureau. They also say Xu worked for a Shanghai company described as an “enabling” firm used to conduct state-directed hacking, and that some of the intrusions targeted U.S. universities engaged in COVID-19 research.

Extradition and international cooperation

Italian authorities say they arrested Xu in Milan last July and, after an Italian court approved his transfer earlier this month, turned him over to U.S. officials, a move reported by ANSA. Beijing has protested the extradition, and Xu’s attorney has argued that his client was wrongly identified, according to international reporting. U.S. officials have credited Italian investigators, including the Polizia Postale, for tracking Xu down and carrying out the arrest and handoff.

How HAFNIUM worked

Security researchers and U.S. agencies say HAFNIUM actors took advantage of zero-day vulnerabilities in on-premises Microsoft Exchange Server in early 2021, using the flaws to install web shells and maintain persistent access to victim networks. Federal partners released detection tools and guidance at the time, and a CISA advisory details the ProxyLogon-era vulnerabilities along with mitigation steps organizations were urged to follow. The breadth of the intrusions triggered a coordinated cleanup effort involving U.S. law enforcement and cybersecurity agencies.

Victims and the Houston connection

Authorities say the victim list includes several U.S. universities, two of them in the Southern District of Texas, along with a Washington, D.C. law firm. Reporting by the Associated Press notes that more than 12,700 U.S. organizations were affected in the campaign. Local outlets followed both the 2025 arrest and Monday’s arrival in Houston; Xu’s arrest in Milan was previously covered by Hoodline, and local TV crews were on hand for his federal court appearance in Houston.

Charges and legal exposure

Federal prosecutors have charged Xu with conspiracy to commit wire fraud, several counts of obtaining information by unauthorized access to protected computers, intentional damage to protected computers and aggravated identity theft. Some of the charges carry maximum sentences that could stretch into decades, the Justice Department says. The Southern District of Texas is handling the prosecution with support from the Justice Department’s National Security Cyber Section, and officials emphasize that the indictment is only an allegation that must be proved at trial.

What comes next

Xu remains in federal custody in Houston as pretrial proceedings begin, and U.S. authorities say they are still looking for his alleged co-defendant, Zhang Yu, who remains at large according to reporting. Officials have urged anyone with information on Zhang’s whereabouts to contact the FBI, and the Justice Department says Xu’s extradition highlights ongoing international law-enforcement cooperation in tracking state-linked cyber operators.