From Milan to Houston: The Rare Extradition of an Alleged Chinese State Hacker and What It Reveals About US Cyber Enforcement

On April 28, 2026, a 34-year-old Chinese national named Xu Zewei appeared in US District Court in Houston, shackled and facing nine federal counts that could send him to prison for up to 62 years [1]. He had been flown in from Milan over the weekend, extracted from Italian custody in a coordinated operation between the FBI and Italy's Cyber Division of the National Police [2]. According to federal prosecutors, Xu spent more than a year — from February 2020 to June 2021 — hacking US universities, stealing COVID-19 vaccine research, and exploiting Microsoft Exchange Server vulnerabilities as part of the campaign known as HAFNIUM, now more widely referred to as Silk Typhoon [3].

The case is only the second known instance of a Chinese national linked to state-directed cyber operations being physically extradited to the United States for trial. The first, Xu Yanjun, a Ministry of State Security officer who targeted GE Aviation trade secrets, was lured to Belgium in 2018, extradited to Ohio, convicted, and sentenced to 20 years in prison [4]. That record — two extraditions across more than a decade of indictments — tells its own story about the limits of US cyber law enforcement when the accused operate from inside China.

The Charges: COVID Research Theft and the HAFNIUM Campaign

The indictment, filed in the Southern District of Texas, lays out two overlapping campaigns [1].

In the first, beginning in early 2020, Xu and a co-conspirator named Zhang Yu — who remains at large — allegedly targeted US-based universities, immunologists, and virologists conducting COVID-19 research. Prosecutors say Xu was directed by an officer of the Ministry of State Security's Shanghai State Security Bureau (SSSB) to break into university networks, access email accounts of specific researchers, and exfiltrate data on vaccine development, treatments, and testing [1][3].

In the second campaign, beginning in late 2020, Xu and his co-conspirators allegedly exploited zero-day vulnerabilities in Microsoft Exchange Server, a widely used email platform, to install web shells — backdoor scripts enabling persistent remote access — across thousands of organizations [3]. Microsoft publicly attributed this campaign to a group it called HAFNIUM in March 2021, and the FBI and CISA issued joint advisories shortly after [5]. The scope was enormous: prosecutors allege the intrusions compromised more than 12,700 US organizations, including law firms, defense contractors, policy think tanks, and additional universities [3][6].

Xu allegedly carried out these operations while employed by Shanghai Powerock Network Co. Ltd., which the DOJ described as one of many "enabling" companies in China that conduct hacking operations for the government [1][3]. This contractor model — private firms doing intelligence work under state direction — has become a recurring feature of Chinese cyber operations and has drawn increasing attention from US law enforcement [7].

The nine counts include conspiracy to commit wire fraud, two counts of wire fraud, conspiracy to cause damage to protected computers and commit identity theft, two counts of unauthorized access to protected computers, two counts of intentional damage to a protected computer, and aggravated identity theft. The wire fraud counts alone each carry a maximum sentence of 20 years [1].

Italy's Role: The Extradition Mechanism

Xu was arrested in Milan in July 2025 at the request of the FBI, with the assistance of the Cyber Division of the Italian National Police, led by Prefect Vittorio Pisani [2][8]. The legal basis for the transfer was the US-Italy extradition treaty, signed in 1983 and in force since 1984 [9].

Italy's decision to cooperate was not without diplomatic risk. China's Ministry of Foreign Affairs said Beijing "strongly deplores and firmly opposes" the extradition, accusing the US of "fabricating charges through political manipulation" and urging Italy to "respect facts and law, immediately correct its mistake" and avoid "becoming an accomplice of the US" [10][11]. Chinese authorities reportedly attempted to block the extradition in its final days [8].

Italy's willingness to proceed despite this pressure reflects its position as a NATO ally with a functioning extradition treaty with the United States, but also a specific political context. Italy had joined China's Belt and Road Initiative in 2019 under a previous government, drawing criticism from Washington and other European capitals. The current Italian government under Prime Minister Giorgia Meloni withdrew from the BRI in 2023 and has since moved to align more closely with US positions on China. Cooperating on a high-profile extradition fits that trajectory.

The United States and China have no extradition treaty — nor does China have one with the United Kingdom, Canada, Germany, Japan, or India [9]. This means Chinese nationals indicted by the DOJ can only be apprehended if they travel to a country that does have such an arrangement with Washington. FBI Director Kash Patel indicated that authorities worked to ensure Xu would be in Italy before moving to have him arrested, telling Fox News, "We created an opportunity with our partners in Italy to have him apprehended there" [8].

The Indictment Track Record: Dozens Charged, Almost None in Custody

Since 2014, the DOJ has brought cyber-related charges against more than 50 Chinese nationals across a series of high-profile indictment announcements [7][12]. The pattern has been consistent: the Justice Department holds a press conference, names the defendants, details their alleged hacking campaigns, and issues arrest warrants. The defendants, almost invariably located in China, do not appear in court.

[Chart: Major US DOJ Cyber Indictments Involving Chinese Nationals. Source: US Department of Justice. Data as of Apr 28, 2026.]

The 2014 indictment of five PLA Unit 61398 officers — the first time the US charged foreign military personnel with cyber espionage — set the template [13]. None of the five were arrested or appeared in US court. The same was true for APT10 members charged in 2018, the four PLA members indicted for the Equifax breach in 2020, APT40 members charged in 2021, and the 12 i-Soon contractors and Ministry of Public Security officers charged in March 2025 [7][12].

Against that backdrop, the extradition of Xu Zewei is genuinely unusual. "Extraditing these individuals demonstrates a united stance... bringing real-world consequences to China's notorious targeting," said Aaron Shraberg of the threat intelligence firm Flashpoint [3]. FBI Cyber Division Assistant Director Brett Leatherman said the case "demonstrates the FBI's reach extends well beyond US borders" [6].

But the ratio speaks for itself: of the roughly 54 Chinese nationals charged with cyber offenses by the DOJ since 2014, only two have been physically brought to US custody. The rest remain fugitives, functionally beyond the reach of American courts as long as they stay in China.

The Patel Connection: A Controversial Trip Reframed

The extradition intersected with a separate political controversy involving FBI Director Kash Patel. In early 2026, Patel traveled to Italy during the Milan-Cortina Winter Olympics, a trip that drew scrutiny after he was photographed attending hockey matches and seen in videos chugging beer at Olympic events [14][15]. Critics questioned whether the travel was genuinely for official business, and the trip became part of a broader pattern of questions about Patel's use of government aircraft, including a reported hunting trip to Texas and a flight to a wrestling event [15][16].

Patel has pointed to the Xu Zewei extradition as vindication. "We were able to bring him to Houston for prosecution, which is most of what I was doing when people said I was on vacation in Italy," he told Fox News Digital [8]. The FBI said the trip included meetings with Italian law enforcement and Olympic security coordination, and that it helped lay groundwork for the arrest [8].

The timeline raises questions, however. Xu was arrested in Milan in July 2025 — months before Patel's Olympic visit in early 2026 — and was not extradited until April 2026 [2][3]. Whether Patel's in-person meetings meaningfully accelerated or enabled the extradition, versus whether the extradition would have proceeded through normal channels regardless, is not independently verifiable from publicly available information. The DOJ Inspector General's office has received a formal complaint from Citizens for Responsibility and Ethics in Washington (CREW) requesting an investigation into Patel's travel [16].

Diplomatic Context: Tariffs, Trade Talks, and Timing

The extradition landed during a complicated moment in US-China relations. The two countries reached a tariff reduction agreement in November 2025, lowering rates imposed during the April 2025 trade escalation from 125% to 10% [17]. President Trump visited China in late March 2026, and ongoing Section 301 investigations into Chinese industrial practices are proceeding with public hearings scheduled for late April and May 2026 [17].

Whether the timing of the extradition was a law enforcement decision made independently of foreign policy considerations, or whether it carried a diplomatic signal, is a question multiple analysts have raised. Prosecutions of Chinese nationals have historically been timed around political moments — the 2014 PLA indictments came during a period of bilateral tension over cyber theft, and the Obama administration used them as leverage leading to the 2015 US-China cyber agreement [13].

The current administration has not publicly characterized the extradition as a diplomatic message, and DOJ officials have framed it in purely law enforcement terms [1]. But the juxtaposition of a rare extradition with ongoing trade negotiations is difficult to ignore.

The Case for Caution: Critics of Aggressive Indictment Strategies

Not everyone in the national security community views public indictments and extraditions as unalloyed wins. A steelman case against the current approach involves several arguments.

First, publicizing rare extradition successes can inadvertently signal to Chinese intelligence how the US identifies and tracks hackers operating abroad, potentially compromising methods used to monitor their travel and communications. Each successful case reveals a data point about US capabilities.

Second, pressing allied nations to extradite Chinese nationals creates diplomatic friction at a time when the US needs broad cooperation on issues from semiconductor export controls to South China Sea security. China's response to this extradition — publicly condemning Italy and demanding it "correct its mistake" — illustrates the political cost imposed on cooperating governments [10].

Third, there is the question of reciprocity. China has detained Americans using exit bans and criminal charges that the US government has characterized as wrongful [18]. The number of Americans wrongfully detained in China peaked at 20 in 2019 and stood at nine as of late 2024, after three — Mark Swidan, Kai Li, and John Leung — were released as part of a diplomatic agreement [18][19].

[Chart: Americans Wrongfully Detained in China. Source: Congressional-Executive Commission on China. Data as of Apr 28, 2026.]

Some analysts have argued that aggressive prosecution of Chinese nationals increases the risk of tit-for-tat detentions of American citizens, business travelers, or academics in China [18]. The 58-nation coalition formed in 2021 condemning arbitrary detention of foreign nationals for diplomatic leverage — widely understood to target China's practices — reflected the scale of international concern about this dynamic [19].

Classified Evidence and Trial Challenges

If the case against Xu Zewei proceeds to trial, prosecutors will face a challenge that has complicated every major China-related cyber prosecution: how to present technical evidence that may derive from classified intelligence without revealing sources and methods [13].

The 2014 PLA Unit 61398 case sidestepped this problem because no defendants were in custody and no trial was held. The Mandiant cybersecurity firm's 2013 report had already publicly attributed the hacking to the PLA unit, providing a non-classified evidentiary foundation [13]. The Xu Yanjun espionage case, which did go to trial in Cincinnati, relied heavily on FBI undercover operations and cooperating witnesses rather than signals intelligence [4].

For the Xu Zewei prosecution, the DOJ will likely rely on the Classified Information Procedures Act (CIPA), which provides a framework for using classified material in criminal proceedings while limiting disclosure. Prosecutors can seek to substitute summaries or stipulations for classified documents, and judges can hold closed hearings to review sensitive evidence [1]. How much of the case rests on intelligence-derived evidence versus forensic analysis of compromised systems and network logs will become clearer as pre-trial proceedings unfold.

The Defendant's Position

Xu Zewei is being held in Houston pending further proceedings. He appeared in court on April 28 and is represented by counsel [1]. Chinese authorities have characterized the charges as fabricated [10], though Xu's own public statements, if any, have not been reported.

Under US law, Xu has the same procedural rights as any criminal defendant: the right to counsel, the right to a jury trial, the right to confront witnesses, and the presumption of innocence. These protections contrast with the treatment of Americans detained in China, where the Congressional-Executive Commission on China has documented proceedings "lacking due process," prolonged pre-trial detention, and restricted consular access [18][19].

Whether reciprocity norms are being consistently applied is a matter of perspective. The US government's position is that Xu will receive a fair trial under established legal procedures — a guarantee that, in the American view, China has not extended to detained Americans [18]. Beijing's position is that the charges themselves are politically motivated, rendering the fairness of the trial process secondary to the legitimacy of the prosecution [10].

Precedent and What Comes Next

The Xu Zewei case establishes a modest but real precedent. For US allies who harbor Chinese nationals under American indictment, Italy's decision demonstrates that cooperation is possible even under Chinese diplomatic pressure — and that the political costs, while real, are manageable for governments already aligned with Washington on China policy.

Whether other countries will follow Italy's lead remains uncertain. No government has publicly stated that it declined a US extradition request for a Chinese national due to Beijing's pressure, but the absence of prior extraditions — despite dozens of outstanding indictments — speaks to the difficulty of the ask. Countries that maintain closer economic ties with China, or that lack the political alignment that characterizes the current Italian government's stance, may calculate differently.

For the DOJ, the case reinforces a strategy that has been in place for over a decade: indict, publicize, and wait for opportunities. The vast majority of Chinese hackers charged by the US will never see an American courtroom. But the fact that Xu Zewei traveled outside China, was identified, arrested, held for nearly a year in Italian custody while extradition proceedings played out, and ultimately transferred to Houston sends a message — however narrow in its applicability — that operating on behalf of Chinese intelligence carries personal risk, at least beyond China's borders.

The co-defendant Zhang Yu, 44, remains at large [1]. If past is precedent, he is unlikely to leave China anytime soon.

Sources (19)

[1] Prolific Chinese State-Sponsored Contract Hacker Extradited from Italy. justice.gov. DOJ press release announcing the nine-count indictment and extradition of Xu Zewei from Italy for cyber intrusions between February 2020 and June 2021.

[2] Italy Extradites Alleged Chinese State-Backed Hacker to US Over Theft of COVID-19 Research. nextgov.com. Detailed reporting on the extradition mechanism, FBI coordination with Italian National Police, and legal context.

[3] Chinese National Extradited to US for Pandemic-Era Silk Typhoon Attacks. cyberscoop.com. Analysis of charges, Silk Typhoon/HAFNIUM connection, expert quotes on the significance of the extradition, and details of the 12,700 compromised US organizations.

[4] Chinese Intelligence Officer Sentenced to 20 Years in Prison in Espionage Case. cbsnews.com. Coverage of the Xu Yanjun sentencing — the first Chinese intelligence officer extradited to the US for trial — convicted of targeting GE Aviation trade secrets.

[5] Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks. thehackernews.com. Technical details of the HAFNIUM/Silk Typhoon campaign, Microsoft Exchange vulnerability exploitation, and Shanghai Powerock Network's role.

[6] Alleged Chinese State Hacker Extradited to US. securityweek.com. Reporting on Xu Zewei's court appearance in Houston and the FBI's statement that the case demonstrates the bureau's international reach.

[7] Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns. justice.gov. March 2025 DOJ announcement of charges against i-Soon contractors and Ministry of Public Security officers, the largest single batch of Chinese cyber indictments.

[8] FBI Brings Alleged China-Linked Hacker to US in Rare Extradition as Patel Defends Italy Trip. foxnews.com. Patel's defense of his Italy trip, including his claim that coordination with Italian authorities during the visit facilitated the extradition.

[9] Italy-US Extradition 2026: Laws and Legal Defence. no-extradition.com. Overview of the US-Italy extradition treaty (signed 1983, in force 1984) and the absence of US-China extradition arrangements.

[10] China Condemns Italy Over Extradition of Chinese National to US on Hacking Charges. dailyexcelsior.com. China's Ministry of Foreign Affairs statement opposing the extradition and urging Italy to 'immediately correct its mistake.'

[11] Italy Extradites Chinese National Wanted by US for Alleged Hacking. scmp.com. South China Morning Post reporting on China's attempts to block the extradition and Beijing's characterization of the charges as fabricated.

[12] Information About the Department of Justice's China Initiative and a Compilation of China-Related Prosecutions Since 2018. justice.gov. DOJ archive of China Initiative cases, including the 77 known cases and the initiative's termination in February 2022.

[13] PLA Unit 61398. wikipedia.org. Background on the 2014 indictment of five PLA officers — the first US charges against foreign military for cyber espionage — and Mandiant's public attribution report.

[14] FBI Flights, Taxpayer Dollars: Why Director Kash Patel's Travels Are Drawing Scrutiny. cbc.ca. Investigation into Patel's use of government aircraft for multiple trips including the Italy Olympics visit.

[15] Olympics Trip Raises Questions About Patel's Use of Taxpayer Dollars. pbs.org. PBS reporting on scrutiny of Patel's Italy travel, including DOJ Inspector General complaints and comparisons to prior FBI directors.

[16] DOJ Inspector General Should Investigate Kash Patel's Olympics Trip. citizensforethics.org. CREW's formal complaint requesting DOJ IG investigation into whether Patel's Italy travel constituted misuse of government resources.

[17] Tariffs in the Second Trump Administration. wikipedia.org. Overview of US-China tariff negotiations, the November 2025 reduction agreement, and ongoing Section 301 investigations.

[18] Chairs Ask President to Bring Home Americans Unjustly Detained in China. cecc.gov. CECC data on the number of Americans wrongfully detained in China, growing from 6 in 2014 to a peak of 20 in 2019.

[19] Hostage Diplomacy. wikipedia.org. Overview of China's use of exit bans and arbitrary detention of foreign nationals, and the 58-nation coalition formed in 2021 to condemn the practice.