Natto Thoughts: Operators & Profiles

HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem

Natto Team — Wed, 23 Jul 2025 16:01:48 GMT

                     Note added May 13 2026

The arrest of HAFNIUM-linked hacker Xu Zewei at Milan Malpensa Airport in July 2025 has reached a new chapter: on April 27, 2026, the DOJ announced that Xu had been successfully extradited from Italy and appeared in federal court in Houston. Originally posted July 23, 2025, this analysis remains relevant as the case moves from indictment to courtroom and several of the questions it raised now take on new urgency:

     The Overlapping Identities Question: Xu's defense — centered on his employment at GTA Semiconductor and claims of mistaken identity — will now be tested before a U.S. judge. Our original reporting examined these overlapping professional affiliations in detail, and they remain central to how the case will be argued on both sides.

     The Front Company Model on Trial: The indiscriminate, profit-driven contractor network the DOJ described when charges were first unsealed is now the subject of live court proceedings — moving the debate over how the MSS manages its hacker ecosystem from policy circles into a federal courtroom.

     HAFNIUM's Long Shadow: The indictment's timeline, stretching HAFNIUM's known activity back to February 2020 and encompassing more than 12,700 compromised U.S. organizations, are the facts a jury may now ultimately weigh.

     The Yu Pingan Comparison: The comparison drawn in our original reporting between Xu's case and that of malware developer Yu Pingan — caught, prosecuted, and ultimately returned to China — remains the most open question of all. Xu is among the first hackers linked to Chinese intelligence to face trial on U.S. soil, making the outcome a potential bellwether. Xu's co-defendant Zhang Yu remains at large.

On July 3, 2025, at Milan Malpensa Airport, Italian police arrested Xu Zewei (徐泽伟), whom U.S. authorities allege to be a hacker contracted by the Chinese state. Following the news about Xu’s arrest from Italian media, on July 8, the U.S. Department of Justice (US DoJ) issued a press release and unsealed an indictment, accusing Xu Zewei and his co-defendant Zhang Yu (张宇) of participating in hacking activities between February 2020 and June 2021. These activities were reportedly linked to the Advanced Persistent Threat (APT) group HAFNIUM (also known as Silk Typhoon or APT27), involving the theft of COVID-19 research from universities, exploitation of Microsoft Exchange Server vulnerabilities, and compromising thousands of computers worldwide, including those in the United States. As of this writing, Xu remains in custody near Milan and is undergoing extradition proceedings to the United States. During his initial court appearance, Xu asserted that he “has nothing to do with the case,” while Xu’s lawyer stated that “Xu is a victim of mistaken identity, his surname is common in China, and his mobile phone was stolen in 2020.” It was further argued that Xu is a technician employed by (Shanghai) GTA Semiconductor Co. Ltd., on holiday in Italy with his wife.

For Xu Zewei and his wife, their visit to Milan—a dream vacation—took an unexpected turn with the arrest. The circumstances surrounding Xu’s detention have prompted several questions: Is this Xu Zewei the individual sought by authorities? Could he be a victim of identity theft, as contended by his legal counsel? Which companies has Xu worked for? Xu claims employment with Shanghai GTA Semiconductor Co. Ltd (GTA) (上海积塔半导体), whereas the US DoJ asserts Xu worked for Shanghai Powerock Network Co. Ltd. (Powerock) (上海势岩网络科技发展有限公司). Further complicating the situation, findings by the Natto Team and others indicate that between 2022 and at least mid-2024, Xu served as director of security technology at Chaitin Tech (长亭科技), a Chinese cybersecurity firm established by members of Tsinghua University’s Blue Lotus CTF team. As the Natto Team has reported previously, Chaitin Tech is recognized for its top scanning products and vulnerability research capabilities and acts as a technical support unit for both the China National Vulnerability Database of Information Security (CNNVD) and the China National Vulnerability Database (CNVD).

This post aims to clarify the ambiguities surrounding Xu’s professional affiliations, which illustrate the interconnected nature of China’s cyber ecosystem, where talent may simultaneously pursue personal, business, and state interests. Meanwhile, the evolving operational methods of the Chinese Ministry of State Security are also noteworthy.

Zhou Shuai: A Hacker’s Road to APT27

Natto Team — Wed, 19 Mar 2025 16:03:17 GMT

On March 5, 2025, in addition to unsealing the i-SOON indictment, the US Department of the Treasury sanctioned Zhou Shuai (周帅) (a.k.a Coldface) — a Chinese hacker associated with allegedly state-backed cyber threat group APT27 — and Zhou’s company, Shanghai Heiying Information Technology Company (上海黑英信息技术有限公司). On the same day, the US Department of Justice (US DoJ) unsealed indictments charging Zhou Shuai and Yin Kecheng, his alleged co-conspirator, for malicious cyber activity tracing from 2011 to the present-day. Zhou Shuai’s name may be new to many of us. However, in the Chinese hacking world, Zhou Shuai is a renowned hacker who was among men of the moment - the first-generation Chinese patriotic hackers in the mid 90s. In his evolution into an allegedly state-sponsored hacker behind APT27, Zhou Shuai exemplifies a cohort of highly skilled Chinese hackers who have become a significant asset for Chinese state cyber operations.

Zhou Shuai: from Founding Member of Green Army to the Org…

Sichuan Silence Information Technology and Guan Tianfeng: Your Criminal Our Hero

Natto Team — Wed, 05 Feb 2025 17:02:14 GMT

The release of the DeepSeek AI chatbot in January 2025, shaking up stock markets and the American tech sector, set off an explosion of glee in Chinese social media. Chinese netizens portrayed the event as “the tipping point for the global technological rivalry with the United States and the ‘darkest hour’ in Silicon Valley,” according to the New York Times.

The previous month, Chinese social media users had expressed similar enthusiasm about the Chinese cybersecurity company Sichuan Silence Information Technology Company (Sichuan Silence), and one of its employees, Guan Tianfeng (关天烽), after the United States took action against that company. Less than a week after the Natto Team published the post “Sichuan Silence Information Technology: Great Sounds are Often Inaudible,” on December 10, 2024 the US Department of the Treasury sanctioned Sichuan Silence and its employee Guan Tianfeng for compromising tens of thousands of firewalls worldwide in April 2020. Also on December 10, the US D…

Self-Proclaimed Vigilante Hacker Casts Light on Chinese Criminals’ Global Cyber Scamming Sweatshops

Natto Team — Fri, 01 Sep 2023 03:47:00 GMT

In the past three years, cyber scam operations run by Chinese criminal groups have proliferated rapidly in China’s neighboring countries in Southeast Asia. These criminal groups have targeted not only Chinese-speaking victims in China and overseas but also English-speaking victims worldwide. In particular, organized Chinese criminal groups operating on the Thai-Myanmar border have become a global security menace, “threatening internet users worldwide with online scams and financial fraud, using trafficked ‘cyber slaves’ to carry out their crimes,” according to a June 2023 report by the United States Institute of Peace. A recent United Nations report pointed out criminal collectives have coerced hundreds of thousands of individuals in Southeast Asia into participating in unlawful online scams. These fraudulent activities include false romantic ploys, bogus investment pitches and illegal gambling schemes.

The Chinese government has worked with counterparts in Thailand, Myanmar and Laos …