A Chinese national has been arrested in Milan, Italy, for his alleged links to a state-sponsored hacking group known as Silk Typhoon and for carrying out cyber attacks against American organizations and government agencies.
The 33-year-old, Xu Zewei, has been charged with nine counts of wire fraud and conspiracy to cause damage to and obtain information by unauthorized access to protected computers, as well as committing aggravated identity theft. Details of the arrest were first reported by Italian media.
Xu is alleged to have been involved in the U.S. computer intrusions between February 2020 and June 2021, including a mass attack spree that leveraged then-zero-day flaws in Microsoft Exchange Server, a cluster of activity the Windows maker designated as Hafnium.
The suspect is also accused of participating in China’s espionage efforts during the COVID-19 pandemic, attempting to gain access to vaccine research at various U.S. universities, including the University of Texas.
Xu, alongside co-defendant and Chinese national Zhang Yu, is believed to have undertaken the attacks based on directions given by the Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB).
“Beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely used Microsoft product for sending, receiving and storing email messages,” the Justice Department said. “Their exploitation of Microsoft Exchange Server was allegedly at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as ‘Hafnium.’”
Silk Typhoon, which overlaps with UNC5221, is known for its use of zero-day vulnerabilities and successful compromises of technology firms in supply chain attacks. The group is said to have targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information through the Hafnium campaign.
In previous disclosures, Silk Typhoon has demonstrated a preference for targeting sectors tied to intellectual property and national resilience, such as healthcare, defense, and critical infrastructure. Their campaigns often involve a mix of credential harvesting, supply chain compromise, and long-term access operations—indicative of a broader mandate focused on both immediate and strategic intelligence collection.
The Justice Department has also claimed that Zewei worked for a company named Shanghai Powerock Network Co. Ltd. when the attacks were carried out, lending further credence to other reports that China is leveraging an array of contractors and private firms to launch state-sponsored espionage campaigns in an effort to obscure the government’s involvement.
While Hafnium is widely categorized as an advanced persistent threat (APT), analysts linking its activity to UNC5221 have mapped key techniques—like initial access through CVE-2021-26855 and lateral movement via PowerShell scripts—to MITRE ATT&CK patterns. The overlap reflects a broader APT ecosystem that blends zero-day exploitation, outsourced contractor operations, and long-term access strategies—core themes in ongoing discussions around attribution and cyber defense posture.
According to a report from Reuters, Xu has opposed the extradition request, claiming a case of mistaken identity. Xu’s lawyer added his surname is quite common in China and that his mobile phone had been stolen from him in 2020.
“Unfortunately, the impact of this arrest won’t be felt immediately. There are several teams composed of dozens of operators who are going to continue to carry out cyber espionage,” John Hultquist, Chief Analyst, Google Threat Intelligence Group (GTIG), said in a statement shared with The Hacker News.
“Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work.”
English-language cybercrime forum, has shed further light on the shadowy hack-for-hire scene in the country. The cache allegedly contains non-public documents related to VenusTech, a major IT security vendor in China with a focus on serving government clients, and Salt Typhoon, per SpyCloud.
The VenusTech documents, leaked by a user named IronTooth, reference already hacked organizations, in addition to containing contract information showing various Chinese government entities to which the company offers its services.
The second batch is said to include details about several employees behind the Salt Typhoon hacking group and information on 242 hacked routers. Also leaked by ChinaBob, the DarkForums user who has advertised the dataset, is a spreadsheet that purportedly shows transactions between various government customers and their sellers.
The document lists three different seller companies: Sichuan Zhixin Ruijie Network Technology Company Limited, Beijing Huanyu Tianqiong Information Technology Company Limited, and Sichuan Juxinhe Network Technology Company Limited. It’s worth noting that Sichuan Juxinhe was sanctioned by the U.S. Treasury Department earlier this January for its ties to Salt Typhoon.
“While the origin of these leaks is uncertain, this data appearing for sale on a Western hacking forum fits into a few overarching trends that we have observed from monitoring Chinese cybercriminal communities: China’s state-sanctioned data collection and intelligence apparatus is leaky [and] cybercriminals from the Sinosphere appear to be increasingly present in Western digital crime spaces,” SpyCloud said.