Indicted in Houston in 2023, a Chinese spy has finally been arrested for allegedly hacking a Texas university to steal COVID research on behalf of the People’s Republic of China (PRC).
Chinese national Xu Zewei, 33, was taken into custody in Milan, Italy, at the request of the United States. Chinese national Zhang Yu, 44, was also charged in the now unsealed nine-count indictment returned in November 2023. Zhang remains at large.
“Although Chinese state sponsored hackers are on occasion indicted by the Department of Justice, it is exceedingly rare, indeed is virtually unheard of, to actually get your hands on them,” U.S. Attorney for the Southern District of Texas Nicholas Ganjei said at a news conference on Tuesday. “Since 2023, the United States has waited quietly, patiently for Xu [Zewei] to make a mistake that would put him within the reach of the American judicial system. Last week, he did just that, traveling from Shanghai to Milan, Italy. Once he touched down in Italy, he was promptly taken into custody by Italian authorities. He now awaits extradition to the United States. We are deeply grateful to our Italian partners for their assistance in this case.”
Both Xu and Zhang were allegedly involved in computer intrusions between February 2020 and June 2021, including the massive HAFNIUM hacking campaign that compromised thousands of computers worldwide, at the direction of the PRC's Ministry of State Security (MSS) and its Shanghai State Security Bureau (SSSB), according to the indictment. The MSS and SSSB are PRC intelligence services responsible for PRC domestic counterintelligence, non-military foreign intelligence and other operations, the charges state.
In early 2020, they also targeted U.S.-based universities and leading immunologists and virologists, hacking into computer systems to steal research on COVID-19 vaccines, treatment and testing, the charges allege. Xu and others passed information to SSSB officers, including the contents of emails they had stolen from virologists and immunologists engaged in COVID-19 research at a university in the Southern District of Texas, the charges allege.
“It is notable that the Chinese government directed theft of COVID-19 research” beginning in February 2020 after the outbreak of the virus in mainland China “and at a time when PRC officials were withholding information about the virus and its origin,” Ganjei said. “The hacking of these American universities is not just a violation of intellectual property rights, it’s an attack on American scientific innovation. The hacking of a U.S. law firm is not just about computer crime. It’s about an attack on the American system of justice, which depends on the legal ability of clients to seek and obtain frank and confidential advice from their local counsel.”
“The Southern District of Texas has been waiting years to bring Xu [Zewei] to justice and that day is nearly at hand. As this case shows, even if it takes years, we will track hackers down and make them answer for their crimes. The United States does not forget,” Ganjei said.
“While the world was reeling from a virus that originated in China, the Chinese government plotted to steal U.S. research critical to vaccine development,” FBI Houston Special Agent in Charge Douglas Williams said. “Xu Zewei, an alleged hacker acting on behalf of China’s primary spy agency, targeted COVID-19 data using sophisticated cyber techniques and tradecraft. His landmark arrest by FBI Houston agents in Italy proves that we will scour the ends of the earth to hold criminal foreign adversaries accountable.”
The defendants allegedly stole information by exploiting vulnerabilities in Microsoft Exchange Server, the software organizations use to send, receive and store email, which was the target of the HAFNIUM campaign, according to the charges. In March 2021, Microsoft confirmed that Exchange Server had been targeted by PRC state-sponsored hackers; in July 2021, the United States and allied governments attributed HAFNIUM to the PRC's MSS.
A Texas university and a Washington, D.C. law firm were hacked through the scheme after the defendants allegedly installed web shells on the victims' servers, according to the charges. A web shell is a server-side script left on a compromised web server that lets an attacker run commands and move files through ordinary HTTP requests, so it functions as a persistent remote-administration backdoor. The web shells compromised the university's network and enabled the defendants to steal information from the law firm's network about specific U.S. policymakers and government agencies, according to the charges.
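One practical check that follows from this description, added here as an example and not taken from the indictment or from any government or vendor tool: a small Python scanner that walks a web-exposed directory and flags ASP.NET pages that combine request-input handling with process-launch or eval indicators, optionally restricted to files modified inside a given window (the kind of window an intrusion timeline gives you). The directory layout, file names, indicator list and file contents below are constructed fixtures for the demo, not artefacts from the case.

```python
"""Flag candidate web shells among ASP.NET files under a web root.

Added example, not part of the original article or any named tool. Assumes
the server's web-exposed content is a directory tree of .aspx/.ashx/.asmx
files; the web root, file names and contents in demo() are constructed.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Indicator patterns typical of ASP.NET web shells: a server-side script block
# that takes attacker input from the request and hands it to an evaluator or
# a child process. Any single hit is weak evidence; a combination is not.
INDICATORS = [
    re.compile(r'<%@\s*Page\s+Language', re.I),
    re.compile(r'Request\[\s*"[^"]*"\s*\]', re.I),
    re.compile(r'Request\.(Form|QueryString|Item|Headers)', re.I),
    re.compile(r'System\.Diagnostics\.Process', re.I),
    re.compile(r'ProcessStartInfo', re.I),
    re.compile(r'\bEval\s*\(', re.I),
    re.compile(r'JScript\.Eval', re.I),
    re.compile(r'FromBase64String', re.I),
    re.compile(r'Assembly\.Load', re.I),
    re.compile(r'cmd\.exe|powershell', re.I),
]
WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}

# Constructed fixtures: one ordinary page and one file that carries indicator
# tokens only as scanner bait (it is deliberately not a working shell).
BENIGN_PAGE = (
    '<%@ Page Language="C#" MasterPageFile="~/Site.master" %>\n'
    '<asp:Label ID="Title" runat="server" Text="Sign in" />\n'
)
SHELL_LIKE_PAGE = (
    '<%@ Page Language="C#" %>\n'
    '<!-- constructed fixture: indicator tokens for the scanner, not a shell -->\n'
    '<% string a = Request["a"]; %>\n'
    '<% /* ProcessStartInfo and cmd.exe appear here only as scanner bait */ %>\n'
)


def score_content(text):
    """Return the indicator patterns (as strings) that match a file body."""
    return [p.pattern for p in INDICATORS if p.search(text)]


def scan_webroot(root, threshold=2, since=None):
    """Walk root and return {relative path: {"matches": [...], "mtime": ...}}
    for web files with at least `threshold` indicator hits. If `since` is a
    timezone-aware datetime, files last modified before it are skipped, which
    narrows a large web root to the intrusion window."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if since is not None and mtime < since:
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                matches = score_content(fh.read())
            if len(matches) >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = {"matches": matches, "mtime": mtime}
    return findings


def demo():
    """Build a throwaway web root holding the two fixtures and scan it,
    looking only at files modified in the last 30 days."""
    root = tempfile.mkdtemp(prefix="webroot-")
    auth_dir = os.path.join(root, "owa", "auth")  # constructed path
    os.makedirs(auth_dir)
    benign = os.path.join(auth_dir, "logon.aspx")
    with open(benign, "w", encoding="utf-8") as fh:
        fh.write(BENIGN_PAGE)
    # Backdate the benign page so the time filter is exercised too.
    old = (datetime.now(timezone.utc) - timedelta(days=400)).timestamp()
    os.utime(benign, (old, old))
    with open(os.path.join(auth_dir, "fixture.aspx"), "w", encoding="utf-8") as fh:
        fh.write(SHELL_LIKE_PAGE)
    window_start = datetime.now(timezone.utc) - timedelta(days=30)
    return scan_webroot(root, threshold=2, since=window_start)


if __name__ == "__main__":
    for rel, info in demo().items():
        print(f"{rel}  modified {info['mtime']:%Y-%m-%d}  hits: {info['matches']}")
```

Treat a hit as a lead, not a verdict: confirm it against the IIS request logs for that path (a freshly created page receiving POSTs from a handful of external addresses is the usual tell), compare the file's hash with a known-good copy of the product, and preserve the file and its timestamps before removing it.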
Xu is charged with multiple counts of wire fraud and identity theft and with obtaining information by unauthorized access to protected computers, among other charges.
Zhang remains at large. Anyone with information about his whereabouts is asked to contact the FBI by calling 1-800-CALL-FBI (1-800-225-5324).
An ongoing investigation is being conducted by the FBI’s Houston Field Office.