Walesseo
2026-05-01
Cybersecurity

10 Key Facts About the Silk Typhoon Hacker Extradited Over COVID Research Attacks

Xu Zewei, a Silk Typhoon hacker, extradited to U.S. for attacking COVID-19 research. Ten facts cover his arrest, methods, charges, and implications.

The arrest and extradition of Xu Zewei, a Chinese national linked to the state-sponsored hacking group Silk Typhoon, marks a major step in international cybercrime enforcement. Accused of targeting U.S. organizations and government agencies during the height of the COVID-19 pandemic, his case highlights the intersection of espionage, public health research, and digital warfare. Below are ten critical details you need to understand about this landmark case, the group behind it, and what it means for global cybersecurity.

1. Who Is Xu Zewei and How Was He Caught?

Xu Zewei, 34, is a Chinese citizen alleged to be a core operative of the Silk Typhoon hacking group. He was arrested in Italy in July 2025 following a coordinated international effort led by the U.S. Federal Bureau of Investigation (FBI) and Italian law enforcement. According to the U.S. Department of Justice, Xu was traveling through Rome when Italian authorities detained him based on a provisional arrest warrant. His extradition to the United States was completed shortly after, making him the first known member of Silk Typhoon to face U.S. prosecution. The arrest underscores the growing cooperation between Western nations to combat state-sponsored cyber threats.

10 Key Facts About the Silk Typhoon Hacker Extradited Over COVID Research Attacks
Source: feeds.feedburner.com

2. The Timing of the Attacks: February 2020 to June 2021

Xu is accused of orchestrating cyber attacks from February 2020 through June 2021—a period that coincides with the early and most intense phase of the COVID-19 pandemic. During these months, global research efforts were racing to develop vaccines, treatments, and diagnostic tools. The U.S. government and private sector were also adapting to remote work, expanding digital footprints that became targets. The indictment alleges that Xu and his co-conspirators specifically timed their operations to steal sensitive data related to COVID-19 research, including vaccine development and clinical trial results, exploiting the global health crisis for strategic advantage.

3. Targeting U.S. COVID Research Institutions

The primary targets of these attacks were American organizations involved in pandemic response, including the National Institutes of Health (NIH), the Centers for Disease Control and Prevention (CDC), pharmaceutical companies, and academic research centers. According to court documents, the group used phishing emails, credential theft, and exploitation of known software vulnerabilities to gain access to networks. Once inside, they exfiltrated terabytes of data, including proprietary vaccine formulas, trial participant information, and government response plans. The theft of this sensitive material could have compromised public health strategies and given foreign adversaries an edge in vaccine development.

4. Silk Typhoon: A Chinese State-Sponsored Threat Group

Silk Typhoon is the U.S. government’s designation for a hacking collective believed to operate under the direction of the Chinese Ministry of State Security (MSS). Also known by other names such as APT40 or Krypton, the group has been active since at least 2018, focusing on maritime, technology, and healthcare sectors. Its modus operandi involves long-term network intrusions, stealthy data exfiltration, and maintaining backdoor access for future operations. The group is notorious for targeting organizations that align with China’s Five-Year Plan priorities, and the COVID-19 research focus fits squarely within that framework.

5. How the Hacker Allegedly Infiltrated Networks

Xu is charged with using sophisticated spear-phishing campaigns to compromise high-value targets. The indictment describes how he and his team sent emails impersonating trusted colleagues or institutions, tricking recipients into clicking malicious links or opening infected attachments. These emails often contained attachments with names like “COVID-19_Update.pdf” or “Vaccine_Trial_Results.xls” to appear legitimate. Once a victim’s credentials were captured, the group would move laterally within the network, escalate privileges, and deploy custom malware to exfiltrate data. The hackers also used VPNs and Tor to obscure their location, but forensic analysis traced the IP addresses back to China-based infrastructure.
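The lure described above (a trusted-looking sender, a pandemic-themed attachment name, urgency in the subject) is exactly what a mail gateway can score on before a recipient ever sees it. The following is an added example written for this page, not code from the article, the indictment or any named organisation; the trusted domains, the sample messages and the weights are constructed assumptions. It scores each message on three signals drawn from facts 3 and 5 (display-name impersonation of an internal organisation from an external domain, a themed attachment whose real file type can run code or carry macros, and urgency language) and maps the score to a gateway action.

```python
import re
from dataclasses import dataclass, field

# Constructed for this example: domains the organisation really sends from and
# the short org names an impersonator would put in a display name.
TRUSTED_DOMAINS = {"nih.example", "cdc.example"}
TRUSTED_ORG_TOKENS = {"nih", "cdc"}

# Pandemic-era lure vocabulary, taken from the attachment names the article quotes.
LURE_WORDS = re.compile(r"covid|vaccine|trial|update|results", re.I)
URGENCY_WORDS = re.compile(r"urgent|immediate|action required|asap", re.I)

# Suffixes that execute code or carry macros when opened.
RISKY_EXT = {".xls", ".xlsm", ".doc", ".docm", ".exe", ".scr", ".js",
             ".vbs", ".lnk", ".iso", ".hta"}


@dataclass
class Email:
    display_name: str
    sender: str
    subject: str
    attachments: list[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def suffixes(filename: str) -> list[str]:
    """All dotted suffixes, so 'Results.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def score_email(msg: Email) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Higher means more likely a lure."""
    score, reasons = 0, []

    # 1. Display name borrows a trusted organisation but the mail is external.
    name_tokens = set(re.findall(r"[a-z]+", msg.display_name.lower()))
    if sender_domain(msg.sender) not in TRUSTED_DOMAINS and name_tokens & TRUSTED_ORG_TOKENS:
        score += 2
        reasons.append(f"display name claims {msg.display_name!r} but sender is {msg.sender}")

    # 2. Themed attachment whose real type can run code, and double extensions
    #    that hide an executable behind a document-looking name.
    for name in msg.attachments:
        exts = suffixes(name)
        if not exts:
            continue
        if exts[-1] in RISKY_EXT and LURE_WORDS.search(name):
            score += 3
            reasons.append(f"themed attachment with risky type: {name}")
        if len(exts) > 1 and exts[-1] in RISKY_EXT:
            score += 3
            reasons.append(f"double extension hides executable: {name}")

    # 3. Urgency pressure in the subject line.
    if URGENCY_WORDS.search(msg.subject):
        score += 1
        reasons.append("urgency language in subject")

    return score, reasons


def triage(msg: Email) -> str:
    """Map the score onto a mail-gateway action."""
    score, _ = score_email(msg)
    if score >= 3:
        return "quarantine"
    if score >= 1:
        return "flag"
    return "deliver"


# Constructed sample messages (not real traffic).
SAMPLES = [
    Email("Dr. A. Lee (NIH)", "a.lee@nih-secure-mail.example",
          "Vaccine trial results - urgent review", ["Vaccine_Trial_Results.xls"]),
    Email("Facilities", "ops@nih.example", "Parking lot closure", ["map.pdf"]),
    Email("Newsletter", "news@vendor.example", "COVID-19 Update",
          ["COVID-19_Update.pdf.exe"]),
    Email("HR", "hr@cdc.example", "COVID-19 Update", ["COVID-19_Update.pdf"]),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, reasons = score_email(msg)
        print(f"{triage(msg):10} score={score} {msg.subject!r}")
        for r in reasons:
            print("   -", r)
```

The fourth sample shows the point of weighting: a themed filename alone (a plain `.pdf` from an internal domain) scores zero, so the rule keys on the combination of lure vocabulary with a file type that can execute, not on the word "COVID" itself. In a real deployment the domain and organisation lists would come from the mail system's own configuration, and the thresholds would be tuned against the gateway's false-positive rate.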

6. The Charges: Conspiracy, Fraud, and Computer Intrusion

Xu Zewei faces a total of eight criminal counts in the United States, including conspiracy to commit computer fraud, wire fraud, and identity theft. The most serious charge—violating the Computer Fraud and Abuse Act (CFAA)—carries a potential sentence of up to ten years per count. Additionally, he is accused of trafficking in stolen authentication devices, a charge that reflects his role in obtaining and distributing hacked credentials. If convicted on all counts, Xu could face decades in prison. Legal experts note that the breadth of charges signals the U.S. government’s intent to send a strong deterrent message to state-sponsored hackers.


7. International Extradition: From Italy to the U.S.

Xu’s extradition from Italy was not automatic—it required a formal request from the U.S. and compliance with Italian extradition laws. Italian judges reviewed evidence including digital forensics, witness statements, and intelligence sharing between the FBI and the Italian National Police. The process took several months after his arrest in July 2025. Xu reportedly fought extradition, claiming he was a diplomat entitled to immunity, but the Italian courts rejected this argument. His transfer to the U.S. marks a significant victory for international law enforcement cooperation in cybercrime, as hackers have often exploited legal loopholes to avoid prosecution across borders.

8. Diplomatic Fallout and China’s Response

China has denounced the extradition as a “politically motivated witch hunt” and accused the U.S. of violating international law. The Chinese Foreign Ministry released a statement asserting that Xu is a “law-abiding citizen” and that the charges are fabricated. Beijing has threatened reciprocal actions, including expelling American diplomats or increasing cyber operations against U.S. targets. However, the lack of evidence from China’s side has made it difficult to counter the detailed forensic findings presented by the FBI. Analysts believe this case could further strain U.S.-China relations, already tense over trade, human rights, and technology competition.

9. What This Means for Cybersecurity Post-Pandemic

The case has prompted renewed calls for stronger cybersecurity for health research institutions. In response, the U.S. government has increased funding for the Cybersecurity and Infrastructure Security Agency (CISA) to protect critical healthcare infrastructure. Additionally, many hospitals and research labs have adopted multi-factor authentication, improved endpoint detection, and launched employee training programs to recognize phishing attempts. The incident also led to the creation of an international task force—the Global Health Security Cyber Coalition—to share threat intelligence and coordinate responses to attacks on pandemic-related research in real time.

10. The Future of State-Sponsored Cyber Attacks

Xu’s extradition serves as a warning, but experts caution that state-sponsored hacking will continue. Groups like Silk Typhoon are highly adaptable, shifting targets as geopolitical priorities change. The U.S. indictment highlights that no single arrest will dismantle these networks—they are backed by government resources and have redundancy built in. However, the public nature of this case may raise the cost of cyber espionage for China, as other countries become more willing to collaborate on arrests. Moving forward, a mix of legal pressure, improved defenses, and diplomatic engagement will be essential to reduce the frequency and impact of such attacks.

Conclusion
Xu Zewei’s extradition is a landmark event in the fight against state-sponsored cybercrime, but it is only one battle in a long war. The Silk Typhoon case reveals how vulnerable critical research can be during a global crisis and underscores the need for relentless vigilance. As the trial proceeds, the world will watch whether this deterrence strategy succeeds in protecting future scientific endeavors—or if hackers will simply find new ways to strike.