HAFNIUM-Linked Hacker Xu Zewei: Riding the Tides of China’s Cyber Ecosystem
How one man’s career reveals the interconnected web of China’s state security apparatus, cybersecurity firms, and strategic industries
Note added May 13, 2026
The arrest of HAFNIUM-linked hacker Xu Zewei at Milan Malpensa Airport in July 2025 has reached a new chapter: on April 27, 2026, the DOJ announced that Xu had been successfully extradited from Italy and appeared in federal court in Houston. Originally posted July 23, 2025, this analysis remains relevant as the case moves from indictment to courtroom and several of the questions it raised now take on new urgency:
The Overlapping Identities Question: Xu's defense — centered on his employment at GTA Semiconductor and claims of mistaken identity — will now be tested before a U.S. judge. Our original reporting examined these overlapping professional affiliations in detail, and they remain central to how the case will be argued on both sides.
The Front Company Model on Trial: The indiscriminate, profit-driven contractor network the DOJ described when charges were first unsealed is now the subject of live court proceedings — moving the debate over how the MSS manages its hacker ecosystem from policy circles into a federal courtroom.
HAFNIUM's Long Shadow: The indictment's timeline, stretching HAFNIUM's known activity back to February 2020 and encompassing more than 12,700 compromised U.S. organizations, lays out the facts a jury may now ultimately weigh.
The Yu Pingan Comparison: The comparison drawn in our original reporting between Xu's case and that of malware developer Yu Pingan — caught, prosecuted, and ultimately returned to China — remains the most open question of all. Xu is among the first hackers linked to Chinese intelligence to face trial on U.S. soil, making the outcome a potential bellwether. Xu's co-defendant Zhang Yu remains at large.

On July 3, 2025, at Milan Malpensa Airport, Italian police arrested Xu Zewei (徐泽伟), whom U.S. authorities allege to be a hacker contracted by the Chinese state. Following the news about Xu’s arrest from Italian media, on July 8, the U.S. Department of Justice (US DoJ) issued a press release and unsealed an indictment, accusing Xu Zewei and his co-defendant Zhang Yu (张宇) of participating in hacking activities between February 2020 and June 2021. These activities were reportedly linked to the Advanced Persistent Threat (APT) group HAFNIUM (also known as Silk Typhoon or APT27), involving the theft of COVID-19 research from universities, exploitation of Microsoft Exchange Server vulnerabilities, and compromising thousands of computers worldwide, including those in the United States. As of this writing, Xu remains in custody near Milan and is undergoing extradition proceedings to the United States. During his initial court appearance, Xu asserted that he “has nothing to do with the case,” while Xu’s lawyer stated that “Xu is a victim of mistaken identity, his surname is common in China, and his mobile phone was stolen in 2020.” It was further argued that Xu is a technician employed by (Shanghai) GTA Semiconductor Co. Ltd., on holiday in Italy with his wife.
For Xu Zewei and his wife, their visit to Milan—a dream vacation—took an unexpected turn with the arrest. The circumstances surrounding Xu’s detention have prompted several questions: Is this Xu Zewei the individual sought by authorities? Could he be a victim of identity theft, as contended by his legal counsel? Which companies has Xu worked for? Xu claims employment with Shanghai GTA Semiconductor Co. Ltd (GTA) (上海积塔半导体), whereas the US DoJ asserts Xu worked for Shanghai Powerock Network Co. Ltd. (Powerock) (上海势岩网络科技发展有限公司). Further complicating the situation, findings by the Natto Team and others indicate that between 2022 and at least mid-2024, Xu served as director of security technology at Chaitin Tech (长亭科技), a Chinese cybersecurity firm established by members of Tsinghua University’s Blue Lotus CTF team. As the Natto Team has reported previously, Chaitin Tech is recognized for its top scanning products and vulnerability research capabilities and acts as a technical support unit for both the China National Vulnerability Database of Information Security (CNNVD) and the China National Vulnerability Database (CNVD).
This post aims to clarify the ambiguities surrounding Xu’s professional affiliations, which illustrate the interconnected nature of China’s cyber ecosystem, where talent may simultaneously pursue personal, business, and state interests. Meanwhile, the evolving operational methods of the Chinese Ministry of State Security are also noteworthy.