Who is the Chinese hacker the US is accusing of stealing vaccine secrets?

Italian authorities have arrested a Chinese citizen accused by the United States of playing a key role in a state-sponsored cyber espionage operation that allegedly targeted American vaccine research during the Covid-19 pandemic.

The individual, 33-year-old Xu Zewei, was apprehended on July 3 at Milan Malpensa Airport shortly after arriving on a flight from Shanghai.

The arrest, executed under an international warrant issued by the United States District Court for the Southern District of Texas, stems from allegations that Xu participated in a large-scale cyber campaign aimed at breaching sensitive American computer systems between February 2020 and June 2021.

US prosecutors believe Xu was affiliated with the Hafnium group, a hacking collective linked to the Chinese state that has previously been accused of launching cyber intrusions into Microsoft Exchange servers and targeting government, research and health sector entities worldwide.

More from Explainers

Trade talks on, but India responds to Trump tariffs on auto with a ‘right’ to retaliate at WTO India draws red lines on key sectors as interim trade deal with US nears July 9 deadline: Report

How was Xu arrested?

Xu’s detention was carried out by Italian police around 11:00 am local time, as he landed in Milan from China.

According to internal documentation from Italy’s International Police Cooperation Service, the Chinese citizen is known to use the aliases “Zavier Xu” and “David Xu”, and was flagged in advance by the US Embassy in Rome, which had alerted Italian law enforcement to his impending arrival.

Upon arrest, Judge Veronica Tallarida of Milan’s Fifth Criminal Appeal Division formally validated the action on July 4, citing Xu’s lack of any connections to Italy and identifying a “concrete risk of flight.”

The judge ordered his preventive detention at Busto Arsizio prison, located in the province of Varese, and authorised the seizure of his mobile phone and electronic belongings for forensic examination.

Editor’s Picks

1

Why Giorgia Meloni's 'anti-protest' law has divided Italy 2

Is Xi Jinping's dream of being China's 'president for life' unravelling?

Xu, who reportedly has no prior criminal record or links to Italy, claimed to be an IT technician employed by GTA Semiconductor Co Ltd, and stated through his legal representation that he was visiting the country as a tourist.

His lawyer, Enrico Giarda confirmed Xu’s intention to oppose extradition to the United States.

What are the allegations against Xu?

The US indictment alleges that Xu was involved in a sophisticated hacking operation that aimed to infiltrate American institutions conducting vital coronavirus-related research at the height of the pandemic.

According to materials filed by the FBI, Xu was part of a campaign that sought to access proprietary data from virologists, immunologists, and academic institutions, with a particular focus on the University of Texas — a major hub for Covid-19 vaccine development.

The US Department of Justice, in its formal request for extradition, laid out several serious charges against Xu, including:

• Wire fraud

• Conspiracy to commit wire fraud

• Unauthorised access to protected computers

• Aggravated identity theft

If found guilty, Xu could face a maximum sentence of 32 years in federal prison. Authorities claim the cyber operation went beyond health data, allegedly extending into attempts to acquire classified US policy-related information.

The operation has been attributed to Hafnium, a group previously linked to Chinese state security apparatuses and also known by Microsoft as Silk Typhoon.

The FBI believes this group was behind a broad 2020 cyber offensive that compromised thousands of systems globally, exploiting software vulnerabilities to obtain confidential data from public and private entities alike.

Will Xu be extradited to the US?

The Italian Ministry of Justice confirmed that a formal request for extradition from the US has been received, and the Milan Prosecutor General’s Office is currently reviewing the documentation.

According to a July 1 memorandum sent by the US Department of Justice to Italian counterparts, Washington warned of the risk of Xu fleeing custody if released on bail or placed under house arrest.

The memo referenced a past high-profile incident involving Russian businessman Artem Uss, who escaped from Italian house arrest in 2023 after a court approved his extradition to the US.

Uss reappeared shortly afterward in Russia, resulting in international embarrassment and criticism of Italy’s judicial oversight.

Another recent case also haunts Italy’s extradition history: earlier this year, an Italian court revoked the arrest of an Iranian engineer wanted by the US for allegedly exporting sensitive high-tech goods to Tehran.

The decision came days after the release of Italian journalist Cecilia Sala by Iran, raising concerns over so-called “hostage diplomacy.”

In light of these past experiences, the US has urged Italian officials to keep Xu in custody throughout the extradition process.

Who will Italy choose - US or China?

The arrest may test the delicate foreign policy posture adopted by Prime Minister Giorgia Meloni, who has consistently described the United States as Italy’s foremost strategic ally.

Meloni has cultivated a close relationship with US President Donald Trump and continues to prioritise transatlantic cooperation, even as Italy navigates its withdrawal from the Belt and Road Initiative, China’s global infrastructure strategy spearheaded by President Xi Jinping.

Nevertheless, Meloni has signaled that Italy remains interested in maintaining diplomatic ties with Beijing, and the current arrest risks triggering a backlash from Chinese authorities.

The timing is particularly delicate, as Deputy Prime Minister Matteo Salvini is expected to visit China later this week on an official mission.

Beijing has in the past responded harshly to accusations of state-backed cyber operations. In 2020, following the indictment of two other Chinese nationals by the US for similar attempts to access American coronavirus research, China’s Global Times responded by asserting, “It seems that some US politicians have totally lost their minds.”

The paper dismissed the allegations as baseless and accused the US of seeking to “dodge its own culpability and failures” during the pandemic.

What happens next?

Xu is scheduled to appear before the Milan Court of Appeal for formal identification and to state whether he consents to extradition. If, as expected, he contests the US request, the case could stretch over several weeks or longer.

Italy’s judicial authorities will evaluate the legal sufficiency of the US charges, as well as any political or humanitarian considerations that may arise during the proceedings.

Meanwhile, the seized digital devices from Xu are being analysed as part of the broader investigation into the alleged cyber operations.

The outcome of the extradition process will likely serve as a bellwether for future Italy-US-China legal interactions.

With inputs from agencies

With inputs from agencies