Chinese State-Sponsored Hacker Arrested in Milan: How COVID-19 Research Became a Prime Target
Imagine waking up to discover that the very research meant to save lives during a global pandemic was quietly siphoned off by shadowy hackers, acting at the behest of a foreign government. It sounds like a plot straight out of a Hollywood thriller—but for American universities, immunologists, and government agencies, this nightmare was all too real.
In July 2024, U.S. authorities announced the arrest of Xu Zewei, a Chinese national accused of being the mastermind behind a series of cyberattacks targeting COVID-19 research, critical infrastructure, and policy makers. Xu’s arrest in Milan, and the nine-count indictment against him, shines a harsh spotlight on the escalating cyberwarfare tactics used by nation-states—and the new reality facing organizations on the digital front lines.
But what really happened? Who is Xu Zewei, and why did Chinese intelligence agencies target COVID-19 research? Most importantly, what does this mean for the future of cybersecurity and global trust in the era of digital espionage? Let’s break down this high-stakes story, one layer at a time.
The Backstory: Why COVID-19 Research Became a Cyber Espionage Goldmine
First, let’s set the stage. In early 2020, COVID-19 unleashed chaos across the globe. The scientific community raced to understand the virus, develop vaccines, and create life-saving treatments. Data, research findings, and intellectual property became more valuable than ever.
Here’s why that matters: For countries like China, rapidly accessing this knowledge could mean a strategic edge—not just in medicine, but in geopolitics and global influence. The stakes were enormous.
Enter the hackers. According to the U.S. Department of Justice (DoJ), Xu Zewei, aged 33, was part of a network of cybercriminals and private contractors operating on behalf of the People’s Republic of China (PRC). Their mission: infiltrate American universities, steal sensitive research, and report their findings directly to China’s powerful intelligence agencies.
But this wasn’t just about one man with a laptop. Xu’s operation illustrates a far broader—and more sophisticated—strategy.
Who Is Xu Zewei? The Face Behind the Digital Heist
Xu Zewei isn’t a lone wolf. According to U.S. authorities, Xu worked for Shanghai Powerock Network Co. Ltd., a private tech company with alleged ties to Chinese intelligence. His co-defendant, Zhang Yu, remains at large.
The method? State-sponsored outsourcing. The Chinese government, per the indictment, often leverages “an extensive network of private companies and contractors” like Powerock to do its dirty work—allowing the state to maintain plausible deniability.
In Xu’s case, his mission was clear: track down targets, exploit vulnerabilities, and exfiltrate sensitive data. The PRC’s Ministry of State Security (MSS), particularly the Shanghai State Security Bureau (SSSB), reportedly supervised and directed his actions.
Why does this matter? Because this model blurs the line between government operations and private enterprise, making attribution, prosecution, and even international diplomacy far more complicated.
How the Hackers Infiltrated COVID-19 Research: Tactics, Techniques, and Targets
So, how did Xu and his team pull it off?
1. Identifying Vulnerable Targets
- Universities and Research Institutions: The hackers zeroed in on U.S.-based universities—especially those with immunologists and virologists leading vaccine and treatment research.
- Government Agencies and Law Firms: The group’s ambitions didn’t end with academia; they also targeted government bodies and at least one global law firm.
2. Exploiting Zero-Day Vulnerabilities
- Zero-Day Attacks: Xu’s team famously exploited zero-day bugs—security flaws unknown to the software vendor—in Microsoft Exchange Server. These are the cyber equivalent of secret doors, providing attackers with unprecedented access before patches become available.
- The Hafnium Campaign: These efforts were part of the much larger “Hafnium” campaign, which Microsoft publicly attributed to China in March 2021 (Microsoft’s HAFNIUM Report). Hafnium’s attacks compromised tens of thousands of computers globally, leaving a digital trail that threatened sensitive government, academic, and private sector data.
3. Persistence and Remote Control
- Web Shells: Once inside, the hackers installed “web shells”—malicious scripts that let them maintain remote control over compromised servers. Think of it as leaving a backdoor key under the mat for repeated access.
- Data Exfiltration: The team systematically downloaded emails, research files, and sensitive communications. In one instance, after Xu reported breaching a Texas university, handlers from the SSSB directed him to specific professors’ mailboxes.
4. Reporting to Chinese Intelligence
- Supervision and Orders: Each move was closely monitored. The hackers reported successes to their handlers, who then provided real-time instructions on which accounts to target or what information to prioritize.
Let me explain why this approach is so effective: By casting a wide net and exploiting little-known vulnerabilities, these attackers can strike quickly, often before anyone realizes a breach has occurred.
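One defender-side check that follows from the web-shell step above: a web shell is a server-side script the deployment never shipped, so a POST to a script path that is absent from a known baseline is worth an analyst's attention. The example below is added here and is not code from the article or from any of the organizations it mentions; the IIS log lines, the baseline endpoint list and the `/scripts/healthcheck.aspx` path are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed IIS W3C log lines (sample data written for this example, not from any real incident).
# Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
SAMPLE_IIS_LOG = """\
2021-03-02 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 200
2021-03-02 10:15:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 198.51.100.7 Mozilla/5.0 302
2021-03-02 10:16:44 10.0.0.5 POST /scripts/healthcheck.aspx - 443 203.0.113.9 python-requests/2.25 200
2021-03-02 10:16:50 10.0.0.5 POST /scripts/healthcheck.aspx cmd=1 443 203.0.113.9 python-requests/2.25 200
2021-03-02 10:17:02 10.0.0.5 GET /ecp/default.aspx - 443 198.51.100.7 Mozilla/5.0 200
2021-03-02 10:18:30 10.0.0.5 POST /scripts/healthcheck.aspx - 443 203.0.113.9 python-requests/2.25 500
"""

# Assumed baseline: script endpoints the deployment is known to serve (in practice this
# comes from a golden-image inventory). Any other server-side script receiving POSTs is suspect.
KNOWN_SCRIPT_ENDPOINTS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<s_ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<query>\S+) "
    r"(?P<port>\d+) (?P<c_ip>\S+) (?P<ua>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Return a dict of fields for one W3C log line, or None for blank/comment lines."""
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_unknown_script_posts(log_text, baseline=KNOWN_SCRIPT_ENDPOINTS):
    """Flag POSTs to script paths outside the baseline.
    Returns {uri: Counter({client_ip: hits})} so the analyst sees the endpoint and who drives it."""
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw.strip())
        if rec is None or rec["method"] != "POST":
            continue
        uri = rec["uri"].lower()
        if uri.endswith(SCRIPT_EXTENSIONS) and uri not in baseline:
            findings.setdefault(uri, Counter())[rec["c_ip"]] += 1
    return findings

if __name__ == "__main__":
    for uri, clients in find_unknown_script_posts(SAMPLE_IIS_LOG).items():
        print(f"unexpected POST target {uri}: {dict(clients)}")
```

The check only surfaces candidates; confirming a web shell still means inspecting the file on disk and the process activity behind the request.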
The Hafnium Campaign: A Turning Point in Global Cybersecurity
If you haven’t heard of Hafnium, here’s why it matters. This Chinese state-sponsored group orchestrated one of the most widespread cyber-espionage campaigns in recent history:
- Scope: Over 60,000 U.S. organizations were targeted, with at least 12,700 confirmed as victims, according to the FBI.
- Targets: From local governments and think tanks to businesses and universities, the attackers left no stone unturned.
- Consequences: The campaign didn’t just lead to stolen data; it left countless organizations vulnerable to ransomware, fraud, and future exploitation by other criminals.
Assistant Director Brett Leatherman of the FBI’s Cyber Division summed up the gravity:
“Through HAFNIUM, the CCP targeted over 60,000 U.S. entities, successfully victimizing more than 12,700 in order to steal sensitive information. This arrest, carried out with our Italian law enforcement partners, demonstrates the FBI’s relentless commitment to holding CCP-sponsored hackers accountable for their crimes.”
The Hafnium attacks forced organizations and governments worldwide to reckon with the new realities of cyber conflict—where the battlefield is invisible, and the stakes are national security itself.
Beyond COVID-19: The Silk Typhoon Connection and Supply Chain Attacks
Xu Zewei’s story doesn’t end with COVID-19 research. According to John Hultquist, Chief Analyst at Google Threat Intelligence Group (source), Xu is affiliated with Silk Typhoon—a group notorious for:
- Using zero-day vulnerabilities to compromise tech firms.
- Launching supply chain attacks that infiltrate trusted software and hardware providers, then spread to customers worldwide.
This is like tainting the water supply at its source: once the software was compromised, every organization downstream was at risk.
Notably: Silk Typhoon isn’t alone. In 2020, as the pandemic raged, cyber-espionage actors from Iran, Russia, North Korea, and China all ramped up efforts to steal COVID-19 related research and government communications.
What the Indictment Reveals: Key Details and Legal Implications
The nine-count indictment against Xu and Zhang Yu paints a damning picture:
- Timeline: The attacks spanned from February 2020 to June 2021.
- Charges: Computer intrusion, conspiracy, wire fraud, and theft of trade secrets, among others.
- International Cooperation: Xu was arrested in Milan at the request of the U.S.—a sign of growing collaboration between Western law enforcement agencies to counter cross-border cybercrime.
If convicted on all counts, Xu faces a substantial prison sentence. Zhang remains at large, a reminder of how elusive and global these actors can be.
But here’s the uncomfortable truth: Even high-profile arrests may only dent, not dismantle, these sprawling cyber-espionage networks.
Why State-Sponsored Hacking Is So Hard to Stop
Let’s address the question many readers are asking: Does arresting one hacker make a difference?
John Hultquist offered a sobering perspective:
“Unfortunately, the impact of this arrest won’t be felt immediately. There are several teams composed of dozens of operators who are going to continue to carry out cyberespionage. Government sponsors are not going to be deterred. The arrest is unlikely to bring operations to a halt or even significantly slow them, but it may give some of these talented young hackers a reason to think twice before getting involved in this work.”
Here’s why that matters:
- Scale and Redundancy: Nation-states operate multiple teams, often with overlapping skills and targets.
- Profit Motive and Careerism: For contractors, hacking for the government isn’t just ideology—it’s a lucrative career path.
- Legal and Diplomatic Barriers: Extradition and prosecution are notoriously difficult when hackers operate from countries that don’t cooperate with U.S. law enforcement.
The Hidden Costs: What This Means for Universities, Businesses, and Individuals
It’s tempting to see cyber-espionage as a problem for “other people”—big companies or government agencies. But here’s the reality: We’re all downstream from these attacks.
Impacts on Academia and Research
- Loss of Competitive Advantage: Stolen research can undercut years of hard work and billions in investment.
- Reputational Damage: Universities risk losing trust from partners, students, and funders.
- Increased Security Costs: Institutions must invest heavily in cybersecurity just to keep up.
Impacts on Businesses and Individuals
- Business Disruption: Supply chain attacks can cripple even well-secured organizations if their partners are compromised.
- Personal Data Exposure: When email servers are breached, sensitive communications, intellectual property, and personal data are all at risk.
- Policy and Regulation: Organizations must now comply with stricter security and reporting rules (see the CISA guidelines).
Impacts on Global Trust
- Erosion of International Cooperation: When vital research is stolen, it breeds suspicion and slows collaborative efforts.
- Weaponization of Information: Stolen data can fuel misinformation campaigns, market manipulation, or even political leverage.
What Can Be Done? Steps Toward a More Secure Future
It’s easy to feel overwhelmed, but there are concrete actions that governments, organizations, and individuals can take:
For Organizations and Universities
- Implement Zero Trust Architecture: Assume no device or user is safe and verify everything (NIST Zero Trust).
- Timely Patch Management: Regularly update software and apply security patches to close vulnerabilities.
- Employee Training: Educate staff on phishing, social engineering, and secure data practices.
- Incident Response Plans: Prepare for the inevitable with clear protocols and regular drills.
For Policymakers
- Enhanced International Cooperation: Push for stronger treaties, extradition agreements, and coordinated sanctions.
- Investment in Cybersecurity Research: Fund programs dedicated to next-generation security solutions.
- Public-Private Partnerships: Share threat intelligence more widely to level the playing field.
For Individuals
- Strong Password Hygiene: Use unique passwords and enable two-factor authentication wherever possible.
- Stay Informed: Follow reputable sources (like CISA or Krebs on Security) for the latest on cyber threats.
The Bigger Picture: Trust, Technology, and Geopolitics
At its core, the Xu Zewei case is about more than just lines of code or stolen data. It’s about trust—in science, in institutions, and between nations.
When hackers weaponize the digital world for strategic gain, they erode our collective confidence in the power of open research and free exchange of ideas. The fallout is measured not just in bytes, but in lost years, delayed cures, and fractured partnerships.
But as this arrest shows, the international community is waking up to the threat—and, slowly but surely, fighting back.
Frequently Asked Questions (FAQ)
Who is Xu Zewei and why was he arrested?
Xu Zewei is a Chinese national accused of leading state-sponsored cyberattacks targeting U.S. universities, government agencies, and law firms—especially those involved in COVID-19 research. He was arrested in Milan at the request of the United States and faces a nine-count indictment for computer intrusion, conspiracy, and theft of trade secrets.
What is the Hafnium campaign?
The Hafnium campaign refers to a wave of cyberattacks, attributed to Chinese state-sponsored actors, that exploited zero-day vulnerabilities in Microsoft Exchange Server. The campaign compromised tens of thousands of organizations worldwide, stealing sensitive data and leaving systems vulnerable.
Why did hackers target COVID-19 research?
COVID-19 research became a prime target because it offered valuable insights into vaccines, treatments, and testing. Countries sought a strategic advantage—both for public health and global influence—by acquiring this information ahead of competitors.
How did the hackers operate?
Hackers like Xu used a combination of zero-day exploits, phishing, and remote access tools (like web shells) to infiltrate organizations. They reported their findings to Chinese intelligence agencies, who often directed them to specific targets.
Will Xu’s arrest stop state-sponsored hacking?
While Xu’s arrest is a significant step, experts warn it won’t immediately halt Chinese cyber-espionage. Multiple teams and private contractors continue these operations, often shielded by state support.
How can organizations protect themselves from similar attacks?
Key steps include adopting zero trust security models, regularly patching software, training employees on cybersecurity, and preparing robust incident response plans. Staying informed on emerging threats is also vital.
Where can I learn more about cybersecurity best practices?
Final Takeaway: Vigilance, Collaboration, and the Future of Cybersecurity
The arrest of Xu Zewei is a stark reminder: Cybersecurity isn’t just a technical issue—it’s a matter of national security, economic competitiveness, and global trust. State-sponsored hacking, especially in times of crisis, reveals both our vulnerabilities and our capacity to adapt.
Whether you’re a university researcher, a business leader, or just a curious reader, the lesson is clear: Stay vigilant, keep learning, and invest in the partnerships and tools that will keep our digital world safer.
