FBI Arrests Chinese Ministry of State Security Hacker at Italian Airport After 5-Year Investigation
- Alfred 정현 Kim
- Jul 12

Washington, D.C., July 11, 2025
By Alfred J Kim
Xu Zewei, 33, a Chinese national, was arrested on July 3 at Milan’s Malpensa Airport at the request of the FBI. Accused of working for China’s Ministry of State Security (MSS)—specifically the Shanghai State Security Bureau (SSSB)—Xu is allegedly linked to the hacking group known as HAFNIUM, also referred to as Silk Typhoon. Between February 2020 and June 2021, he is said to have targeted COVID-19 research at U.S. universities, exploiting Microsoft Exchange server vulnerabilities to breach over 60,000 systems worldwide, including more than 12,700 in the United States.
A federal grand jury in the Southern District of Texas secretly indicted Xu in November 2023 on nine counts, which were unsealed on July 8, 2025. Charges include wire fraud, identity theft, and computer fraud. If convicted, he faces up to 20 years in prison for each wire fraud count, up to 10 years for damaging protected computers, and an additional two years for aggravated identity theft.
Xu was apprehended by Italian police immediately upon arrival from Shanghai under an Interpol Red Notice issued by the United States. The arrest marks one of the first times the FBI has succeeded in detaining a Chinese state-sponsored hacker overseas. Xu is currently held at Busto Arsizio Prison near Milan, awaiting extradition proceedings. His alleged co-conspirator, Zhang Yu, 44, remains at large. Xu’s attorney, Enrico Giarda, argues his client is an innocent man with a common surname and suggests that a stolen phone in 2020 may have led to mistaken identity. China’s Foreign Ministry spokesperson Mao Ning denounced the case as “malicious slander,” accusing Washington of “long-arm jurisdiction abuse” and opposing any extradition via a third country.
How the FBI Managed the Arrest in Italy
The FBI, primarily operating within the United States, also leverages international partnerships to conduct overseas arrests. Xu Zewei’s capture showcases the agency’s ability to coordinate with foreign law enforcement.
1. International Arrest Warrant and Extradition Request
The U.S. issued an Interpol Red Notice based on the sealed November 2023 indictment. Following Xu’s July 3 arrest, the charges were unsealed on July 8. The U.S. Department of Justice (DOJ) formally requested Italy to detain him pending extradition. Under the bilateral extradition treaty and mutual legal assistance agreement, Italy accepted the request.
American prosecutors have 40 days to submit all supporting documentation. The Italian Ministry of Justice is now reviewing the case, while the Milan prosecutor’s office assesses the extradition request. In a diplomatic note dated July 1, the DOJ warned Italy of Xu’s high flight risk and urged detention over bail or house arrest.
2. FBI’s International Coordination
The FBI worked through its Legal Attaché office at the U.S. Embassy in Rome, which maintains close ties with Italy’s International Police Cooperation Service. Embassy officials tracked Xu’s travel plans and alerted Italian police ahead of his arrival. The Polizia di Stato arrested him at the airport immediately upon landing.
The FBI’s Houston Field Office led the investigation, with the Cyber Division under Deputy Assistant Director Brett Leatherman identifying Xu as a central figure in the HAFNIUM campaign. Interpol and Italian authorities were critical partners in the operation.
3. Investigation and Intelligence Gathering
The FBI had tracked Xu’s cyber activities for years. Beginning in early 2020, Xu and accomplices allegedly targeted American universities researching COVID-19 vaccines, treatments, and testing. Court documents describe Xu as working for Shanghai Powerock Network Co. Ltd., a company allegedly operated by the MSS as cover.
On February 19, 2020, Xu reported to an SSSB officer that he had breached a Texas university’s network. On February 22, he was allegedly instructed to target specific researchers’ email accounts, which he claimed to have successfully accessed.
From late 2020 onward, Xu and his co-conspirators exploited zero-day vulnerabilities in Microsoft Exchange servers, planting web shells to maintain remote access. Targets included Texas universities and a Washington, D.C.–based law firm. The FBI used cyber forensics, system analyses, and international intelligence-sharing to confirm Xu’s activities and identity.
A 2021 joint disclosure by the Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft, which publicly detailed the HAFNIUM campaign, was instrumental in linking Xu and Zhang Yu to the MSS.
4. Diplomatic and Legal Cooperation
The DOJ’s Office of International Affairs is overseeing the extradition, working within established treaty frameworks. Italy, a close U.S. ally, has cooperated but the case risks diplomatic tensions with China. Notably, Xu’s arrest coincided with Italian Deputy Prime Minister Matteo Salvini’s planned visit to Beijing.
5. The Operation in Milan
Italian police acted on the U.S.-issued warrant as soon as Xu landed in Milan, exemplifying seamless real-time intelligence sharing. The FBI has praised the arrest on X (formerly Twitter) as a model of international partnership.
Details of the Charges Against Xu Zewei
Xu Zewei and Zhang Yu face nine charges in the Southern District of Texas, reflecting the scale and sophistication of their alleged operations.
1. Wire Fraud and Conspiracy to Commit Wire Fraud
Maximum penalty: 20 years per count
Alleged theft of sensitive COVID-19 research data for profit and provision to China’s MSS. Specific accusations include exfiltrating research from Texas universities.
2. Unauthorized Access to Protected Computers
Maximum penalty: 5 years per count
Xu allegedly hacked networks at universities in Texas and North Carolina, and a law firm in Washington, D.C. Examples include the February 19 breach of a Texas university network and the February 22 infiltration of researchers’ email accounts.
3. Conspiracy to Cause Damage to Protected Computers
Maximum penalty: 10 years per count
Use of zero-day vulnerabilities in Microsoft Exchange to plant web shells and maintain control during the HAFNIUM campaign. Specific acts include the January 30, 2021, breach of a Texas university’s network and the February 28 report to SSSB of successful infiltration.
4. Aggravated Identity Theft
Mandatory consecutive sentence: 2 years
Alleged use of stolen identities to gain system access and exfiltrate data.
5. HAFNIUM Campaign-Related Allegations
Xu and Zhang are accused of attacks on more than 60,000 systems globally, with over 12,700 U.S. victims.
Prosecutors allege they worked under MSS direction via Shanghai Powerock Network Co. Ltd., a front company designed to obscure Chinese state sponsorship of hacking operations.
If convicted on all counts, Xu faces decades in prison and hundreds of thousands of dollars in fines.
The MSS: China’s Equivalent of the KGB
China’s Ministry of State Security (MSS), despite its innocuous-sounding name, is often described as the Chinese equivalent of the KGB - a sprawling, highly secretive intelligence agency responsible for both foreign and domestic operations. Officially established in 1983 out of the Ministry of Public Security’s Political Protection Bureau, the MSS oversees foreign espionage, counterintelligence, domestic political and ideological policing, monitoring of dissidents abroad, and industrial and technological theft. Though it is nominally charged with “ensuring national security and conducting counterespionage,” its real activities are far broader and more clandestine.
One of the MSS’s most distinctive features is its extensive civilian-facing network, which contrasts with China’s military intelligence units (like those under the PLAAF’s 2nd or 3rd Departments). Rather than relying solely on military channels, the MSS systematically infiltrates and leverages diplomatic missions, state-owned enterprises, academia, and diaspora communities. Many political, cultural, and commercial attachés in Chinese embassies are MSS officers or collaborators, while overseas Chinese business representatives, students, and academic exchange delegations often serve as conduits for intelligence collection and influence operations.
The MSS reports directly to the Chinese Communist Party’s Central National Security Commission, maintaining a chain of command that reaches the Politburo Standing Committee itself.
In June 2023, Fangzhi Li (李峰志), identified as a former MSS intelligence officer, defected to the United States and triggered a wave of scrutiny in Western media and intelligence circles with his detailed exposé of the ministry’s global spy operations and internal structure. Li described the MSS not merely as a foreign intelligence service but as a “tool for totalitarian control and overseas penetration.”
According to Li, the MSS systematically combines classic espionage with China’s broader “United Front” strategy to co-opt foreign governments, businesses, media, and academic institutions. He alleged that Chinese embassies serve as “overseas strategy centers” for the MSS, actively targeting sitting politicians, former senior officials, think tank researchers, university professors, and even religious leaders to extend Beijing’s influence.
Li also claimed the MSS maintains dedicated units specializing in technology theft, systematically targeting military, industrial, AI, telecommunications, and aerospace secrets worldwide. He described tactics such as using Chinese companies and academic research projects as fronts to recruit foreign engineers with lucrative salaries, then circumventing nondisclosure clauses when they change employers. This pattern is reminiscent of allegations involving South Korean ADD researchers moving to the UAE to help set up local defense companies and transfer weapons-system technology.
Li testified that the phrase “China will be the world’s policeman” was openly used within the MSS. He described how China leverages diaspora communities, university exchange programs, overseas branches of state-owned enterprises, and cultural institutes as part of an expansive MSS network designed to shape foreign elections, public opinion, and legislation over the long term. Domestically, he said, the MSS plays a central role in China’s comprehensive surveillance regime, including social media censorship, monitoring of dissidents, and repression of journalists, lawyers, and academics.
Li’s defection and public testimony have been cited in U.S. and Australian media, think tank reports, and parliamentary hearings, helping spur a reassessment of China’s espionage threat by Western intelligence services. The U.S. House Select Committee on the Chinese Communist Party adopted the view that the MSS is “not just a spy agency but the heart of the CCP’s strategy to export authoritarianism overseas.”