Italian authorities have arrested a Chinese national suspected of involvement in a state-sponsored hacking campaign aimed at stealing US Covid-19 vaccine research during the pandemic.
According to media reports, Xu Zewei, 33, was detained at Milan’s Malpensa airport on July 3 after arriving from Shanghai. The arrest followed an international warrant issued by the United States, which has requested the suspect’s extradition.
Xu is alleged to be affiliated with Hafnium (aka Silk Typhoon), a China-linked state-sponsored hacking group believed to be behind the compromise of Microsoft’s email servers in a large-scale 2021 cyberespionage campaign.
US authorities say Xu played a key role in targeting American virologists, immunologists, and research institutions, including the University of Texas, in an attempt to access proprietary Covid-19 vaccine data between February 2020 and June 2021.
According to officials familiar with the case, a nine-count indictment is expected from US prosecutors, charging Xu with wire fraud, aggravated identity theft, conspiracy, and unauthorized access to protected computers. If convicted, he could face up to 32 years in prison.
Xu, who used multiple aliases, including ‘Zavier Xu’ and ‘David Xu,’ had his personal electronic devices seized under the US request. He is currently being held in Busto Arsizio prison near Milan. The FBI says that Xu’s activities were part of a broader Chinese campaign to infiltrate sensitive sectors of US infrastructure and steal confidential data related not only to healthcare but also to national policy.
Italy’s Ministry of Justice has confirmed the extradition request from Washington.
In the summer of 2020, the US Department of Justice indicted two Chinese nationals for allegedly participating in a decade-long effort to steal American trade secrets, including attempts to access Covid-19 research. Around the same time, the US, UK, and Canada accused Russian hackers linked to Russia's intelligence services of targeting Covid-19 vaccine developers. The group, known as APT29 or ‘Cozy Bear,’ was reportedly conducting cyberattacks to steal sensitive information related to vaccine development.