HackMyIP
2026-04-28 The Hacker News

China's Silk Typhoon Hacker Extradited to US Over COVID Research Cyberattacks

APT, Threat Intel, Incident Response

A Chinese national linked to the Silk Typhoon advanced persistent threat (APT) group has been handed over to U.S. authorities after being arrested in Italy in July 2025. Xu Zewei, 34, faces a federal indictment charging him with conspiracy to commit computer fraud, theft of trade secrets, and wire fraud for his alleged role in a series of cyber intrusions targeting COVID‑19 research institutions. The extradition marks a significant milestone in the Justice Department’s efforts to hold state‑sponsored cyber actors accountable for attacks on critical biomedical research.

According to an FBI affidavit, Silk Typhoon operators used spear‑phishing emails that masqueraded as communications from health agencies, delivering a custom backdoor designated “Wexe.” The malware exploited a zero‑day vulnerability in a widely deployed VPN appliance, allowing the threat actors to harvest credentials and move laterally within compromised networks. Once inside, the group employed living‑off‑the‑land techniques, leveraging legitimate system tools to exfiltrate sensitive data related to vaccine development, therapeutic trials, and genomic sequencing. Forensic analysis linked the intrusions to infrastructure previously attributed to Silk Typhoon, including command‑and‑control servers hosted with a European cloud provider.

The impact of the campaign extends beyond intellectual property theft; U.S. officials warn that the loss of early‑stage research data could set back global pandemic preparedness efforts. The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services cooperated with the FBI to identify affected laboratories and mitigate ongoing exposure. In a joint statement, the DOJ emphasized that the extradition demonstrates the United States’ commitment to pursuing cybercriminals regardless of geographic boundaries and highlighted Italy’s pivotal role in facilitating the arrest.

The case underscores the growing convergence of nation‑state cyber espionage and the targeting of public‑health research during global crises. While the extradition of Xu Zewei marks a victory for law enforcement, security researchers caution that Silk Typhoon and similar groups will continue to adapt their tactics. Organizations are urged to reinforce phishing defenses, patch critical vulnerabilities promptly, and implement robust endpoint detection to counter APT activity.

Source: The Hacker News