Italy to extradite Chinese hacker accused of stealing COVID research

Italy’s decision to hand Xu Zewei to U.S. authorities turns a pandemic-era hacking case into a test of how far Europe will go in backing American cyber investigations against Chinese suspects. The 33-year-old Chinese national was arrested in Milan on July 3, 2025, at the request of the United States, and Italian officials have now decided to extradite him after a court ruled earlier in April 2026 that he could be sent to the U.S.

Xu is accused in a nine-count indictment unsealed in the Southern District of Texas of taking part in computer intrusions between February 2020 and June 2021. Prosecutors say the campaign targeted U.S.-based universities and leading immunologists and virologists working on COVID-19 vaccines, treatment and testing, putting scientists at the center of a hacking operation that reached into the public health response itself. The Justice Department also says the activity overlapped with exploitation of Microsoft Exchange Server vulnerabilities in the HAFNIUM campaign, which compromised thousands of computers worldwide.

The indictment ties the alleged intrusions to China’s Ministry of State Security and its Shanghai State Security Bureau, and says Xu worked for Shanghai Powerock Network Co. Ltd. That detail matters to U.S. prosecutors because it places the alleged hacking inside a state-directed system rather than a lone-cracker operation. The Justice Department has made the case part of a broader push to pursue state-sponsored cyber activity that blurs the line between criminal hacking, economic espionage and national security.

The public-health stakes are unusually direct. The alleged targets were not just government networks or private firms, but researchers chasing answers in the middle of the pandemic, when vaccine development, treatment design and testing capacity were all under pressure. Theft of that work would have threatened scientific competition and potentially slowed access to knowledge that affected hospitals, universities and patients far beyond the United States.

Xu’s lawyer, Enrico Giarda, has said his client had not received communications about the government’s decision and previously argued that the case involved mistaken identity. Earlier reporting from July 2025 said the Milan Court of Appeals validated Xu’s arrest, ordered pre-trial detention and later rejected a defense request for house arrest, citing serious indications of guilt. He was being held in Busto Arsizio, near Varese, after appearing at Milan’s Malpensa Airport.

If the extradition goes forward, Italy will have set a pointed precedent for future cooperation in Chinese cyber cases. The move suggests allied governments are treating these cases less as routine legal transfers and more as a measure of how seriously they will back U.S. efforts to confront cyber espionage that touches public health, scientific research and economic security at once.