
DOJ Says Chinese Hackers Stole COVID Research from Houston Universities

A 2023 indictment unsealed this week alleges that two men were directed by China's spy agency to target and access the emails of virologists and immunologists at two Houston-area universities.

(TNS) — Chinese hackers broke into the computers of at least two Houston-area universities in the early days of the COVID-19 pandemic, in a state-sponsored effort to steal information about vaccines and medical research, according to the Justice Department and the FBI.

The breaches were described in detail for the first time Tuesday, in conjunction with the news that one of the alleged hackers, Xu Zewei, 33, was arrested in Italy last week, and could soon be extradited to the United States.

Xu and another man, Zhang Yu, were indicted for the hack in 2023, according to court records. The indictment against them was unsealed Tuesday.

"We never lost sight of our goal to bring the perpetrators of these cyber intrusions to justice. Now, at least some of the story can be told," said Nicholas Ganjei, the interim U.S. attorney for the Southern District of Texas. "We eagerly await Mr. Xu's speedy extradition to the United States, and when he arrives, we look forward to extending him a warm Texas welcome."

The men are accused of working on behalf of China's Ministry of State Security, and of engaging in the hacks that stole COVID-19 vaccine and medical research from Texas and North Carolina research institutions and accessed confidential information at a D.C.-based law firm. They are accused of being part of a state-sponsored hack group, known as HAFNIUM or Silk Typhoon, that targeted U.S. institutions.

Both men, who are identified as tech executives, are accused of supervising attacks that targeted vulnerable Microsoft servers by placing "web shells," a type of malicious code, within them that allowed them to steal usernames, passwords and research data.

The indictment alleged that the men were directed by China's spy agency to target and access the emails of Texas virologists and immunologists.

DOJ and FBI officials on Tuesday declined to name the institutions that were hacked, citing their privacy as victims of a crime.

The hacks began sometime around February 2020, just a month before the COVID-19 virus became widespread in the United States. By that time the disease was already ravaging China, though the country was publicly denying its spread within its borders.

"Xu is one of the first hackers linked to the Chinese intelligence services to be captured by the FBI," said Doug Williams, the special agent in charge of the FBI's Houston office. "His activities read like a movie script and include secret taskings from spies, overseas front companies, and using state-of-the-art tools to commit cyber espionage."

Xu and Zhang had access to computer systems for weeks or months before they were detected, according to the indictment.

The breach was eventually discovered. In 2021, the FBI obtained a warrant that allowed it to remotely access hundreds of infected computers and remove the web shells, Williams said, adding that the operation was the first of its kind in the United States.

Information collected during the reverse hack was used to develop the case against Xu and Zhang, according to the indictment.

The men are each charged with nine felonies, including conspiracy to commit identity theft, wire fraud and unauthorized access to protected computers. If convicted, they could be sentenced to up to 20 years in prison on the most serious counts, and could be fined up to $250,000.

Despite the indictment in 2023, the men remained fugitives until last Thursday. Xu was arrested at Milan's Malpensa Airport after flying to Europe from Shanghai, officials said. As of Tuesday, he was being held by Italian authorities as the U.S. seeks extradition.

Xu's lawyer told Reuters that he was the victim of mistaken identity.

Zhang remains at large and is believed to be in China, officials said.

It's unclear if any stolen research was ever used or published in China or if the hack delayed the development of COVID-19 vaccines.

Xu's arrest is the second time in as many weeks that the local office of the FBI has announced the arrest of a Chinese citizen in connection with spying. Last week, the agency arrested Liren "Ryan" Lai, a Chinese national, who was accused of attempting to recruit members of the U.S. Navy as spies for China.

It's also not the first time that Houston's medical research institutions have been threatened by Chinese espionage. In 2019, MD Anderson fired three scientists after the National Institutes of Health raised concerns about their ties to China.

© 2025 the Houston Chronicle. Distributed by Tribune Content Agency, LLC.