China’s network of profit-driven hackers has spiraled. Brett Leatherman, assistant director of the FBI’s cyber division, calls it out of control. Private firms there cast wide nets, snag vulnerable systems, steal data—and hawk it to Beijing or anyone on the dark web. Plausible deniability for the state. But cross a border? No shield.
Xu Zewei learned that the hard way. The 34-year-old Chinese national got yanked from Italy to a Houston courtroom. Arrested in Milan last July by Polizia Postale. Extradited over the weekend before April 30. Now he faces nine felony counts: conspiracies in wire fraud, unauthorized access, intentional damage to protected computers, aggravated identity theft. Penalties stack to decades. His alleged partner, Zhang Yu, 44, still loose.
Prosecutors tie Xu to Shanghai Powerock Network Co. Ltd. General manager there. Federal authorities link the firm straight to Hafnium—now dubbed Silk Typhoon by the FBI. That’s the crew behind the 2021 Microsoft Exchange zero-days. Four flaws, CVE-2021-26855 among them. Web shells planted worldwide. Hundreds of thousands of servers hit. Over 12,700 U.S. organizations alone, per Leatherman. Microsoft patched in March 2021; FBI and CISA warned days later. Justice disrupted some shells that April. But damage lingered.
And the targets? Early 2020, amid pandemic chaos. U.S. universities. Immunologists. Virologists racing on vaccines, treatments, tests. Xu reported successes to Shanghai State Security Bureau officers under China’s Ministry of State Security. February 19: Texas university network breached. February 22: Specific virologist emails tasked—and grabbed. Gigabytes swiped from one school. Later, a global law firm with D.C. offices. Intruders rifled mailboxes for ‘Chinese sources,’ ‘MSS,’ ‘HongKong.’ All under SSSB direction, indictment says (U.S. Department of Justice).
Leatherman laid it bare to reporters. ‘Motivated by profit, this network of private companies and contractors in China cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government.’ No buyer from Beijing? They flip to ‘cyber dealers.’ Dark web sales. Chaos follows. ‘This leads to a less secure environment that is ripe for further lawlessness.’
His warning cuts sharp. ‘The protection you assume from operating inside China does not extend the moment you cross a border.’ Echoed in Reuters and Straits Times on April 30. Beijing pushes back. Foreign Ministry spokesman Lin Jian: U.S. ‘fabricating charges through political manipulation.’ No embassy comment.
Xu’s case isn’t isolated. FBI Houston investigated. DOJ’s Office of International Affairs sealed the extradition with Italian help. Acting U.S. Attorney John G.E. Marck: Crimes ‘struck at the heart of American science and security.’ Assistant AG John A. Eisenberg vows pursuit of those stealing from U.S. businesses, universities. Leatherman again: ‘Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations.’
Powerock fits a pattern. One of many ‘enabling’ outfits. Shanghai Firetech too, where Zhang worked. SSSB tasked them. Contractors obscure Beijing’s hand, FBI says. Cast those wide nets—more victims, more leaks, data peddled wide. DOJ noted this in a July 2025 announcement on similar ops.
Industry pros know the score. Exchange hacks exposed emails, docs. Remediation dragged. Some web shells hung on into 2021. CISA pinned HAFNIUM to MSS that July (The Register). iTnews tallies North American victims north of 12,700. COVID thefts? Timed when America needed breakthroughs most.
But extraditions like this shift the game. Rare for state-linked actors. FBI’s reach grows. Contractors rethink trips. Leatherman’s message lands: Risk everywhere. Italy proved it. Who’s next?
Zhang Yu tops the tip line: 1-800-CALL-FBI. Indictment’s allegation only. Presumption of innocence holds. Yet the ecosystem churns. Profit fuels it. Beijing directs. U.S. chases.

