FBI agents in Houston have arrested Xu Zewei, an alleged hacker tied to China’s notorious Ministry of State Security, while he was traveling in Italy. Xu, believed to be working on behalf of the Chinese Communist Party’s largest spy agency, is accused of orchestrating cyberattacks targeting American institutions.
According to the U.S. Attorney’s Office for the Southern District of Texas, Xu Zewei was arrested for his alleged role in a series of cyberattacks on American systems between February 2020 and June 2021. These attacks include the widespread HAFNIUM hacking campaign, which affected thousands of computers worldwide. Prosecutors say Zewei carried out the intrusions while working for Shanghai Powerock Network Co. Ltd., a Chinese company accused of helping the government with state-sponsored hacking. The charges claim that Zewei operated on behalf of China’s Ministry of State Security (MSS) and the Shanghai State Security Bureau (SSSB), agencies responsible for the country's domestic surveillance and foreign intelligence operations.
“The indictment alleges that Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” Nicholas Ganjei, U.S. Attorney for the Southern District of Texas, said. “The Southern District of Texas has been waiting years to bring Xu to justice and that day is nearly at hand. As this case shows, even if it takes years, we will track hackers down and make them answer for their crimes. The United States does not forget.”
Huge… manhunting the CCP https://t.co/gEzok2RCnj
— FBI Director Kash Patel (@FBIDirectorKash) July 11, 2025
Zewei and his co-conspirators allegedly hacked U.S. universities and top COVID-19 researchers in early 2020, targeting vaccine, treatment, and testing data. Court documents claim Zewei worked under the direction of China’s Shanghai State Security Bureau (SSSB), reporting back to their officers. He is accused of confirming the breach of a research university's network and, shortly after, accessing the email accounts of key virologists and immunologists as instructed by the SSSB.
In 2020, Zewei and his co-conspirators allegedly exploited vulnerabilities in Microsoft Exchange Server, a widely used platform for managing email communications. According to the charges, their actions were part of the large-scale “HAFNIUM” cyber campaign, which targeted thousands of computers worldwide. In March 2021, Microsoft publicly revealed that a cyber intrusion campaign had been carried out by state-sponsored hackers based in China. By July of that year, the U.S., along with international allies, blamed China’s Ministry of State Security (MSS) for the HAFNIUM operation. Both government officials and private cybersecurity experts harshly criticized the campaign, calling it “reckless,” “irresponsible,” “indiscriminate,” and a threat to global stability.
“While the world was reeling from a virus that originated in China, the Chinese government plotted to steal U.S. research critical to vaccine development,” FBI Houston Special Agent in Charge Douglas Williams said. “Xu Zewei, an alleged hacker acting on behalf of China’s primary spy agency, targeted COVID-19 data using sophisticated cyber techniques and tradecraft. His landmark arrest by FBI Houston agents in Italy proves that we will scour the ends of the Earth to hold criminal foreign adversaries accountable.”
In all, Zewei and his co-conspirators allegedly hacked into the network of a university in the Southern District of Texas and a global law firm with offices in Washington, D.C. They exploited vulnerabilities in Microsoft Exchange Server and installed "web shells" to enable remote access, tactics associated with the HAFNIUM hacking group. Working under the direction of China’s State Security Bureau (SSSB), Xu and fellow hacker Zhang carried out the attacks while providing regular updates to supervising officers. Xu was reportedly instructed to gather intelligence from additional compromised systems. At the law firm, the hackers searched email accounts using terms such as “Chinese sources,” “MSS,” and “HongKong,” indicating an effort to collect information related to U.S. policy and intelligence operations.
He has been charged with two counts of wire fraud and conspiracy to commit wire fraud, each carrying a potential sentence of up to 20 years in federal prison. The indictment also includes charges of conspiracy to damage and access protected computers without authorization, conspiracy to commit identity theft, and two counts of unlawfully obtaining information from protected computers.