Italy Extradites Chinese Hacker Accused of COVID Vaccine Espionage to US


The Italian Ministry of Justice has completed the extradition of a 33-year-old Chinese national accused of orchestrating cyber-espionage operations targeting COVID-19 vaccine research, closing a nine-month legal battle that tested Italy's role in transnational digital crime enforcement. Zewei Xu, an IT manager from Shanghai, was transferred to U.S. custody in late April 2026 following final judicial clearance from Italy's highest court.

Why This Matters:

Legal precedent: Italy demonstrated its commitment to the 1983 bilateral extradition treaty with the United States, reinforcing cooperation on cyber-crime at a time when digital espionage cases are escalating.

National security angle: The case underscores Italy's position as a transit hub for suspects wanted by foreign governments, raising questions about airport security protocols.

Diplomatic signal: The move comes amid broader Italian efforts to strengthen cyber-security partnerships with Washington, including a Memorandum of Understanding extended through January 2027.

COVID-19 context: The charges relate to alleged theft of sensitive vaccine data during the earliest, most critical phase of the pandemic in February 2020.

The Arrest and Accusations

Italian police detained Xu at Milan Malpensa Airport on July 3, 2025, acting on a U.S. arrest warrant issued through Interpol channels. The FBI alleges Xu was a member of an elite cyber-intrusion team known as Hafnium (also designated Silk Typhoon or APT27), which U.S. intelligence agencies link directly to the Ministry of State Security of the People's Republic of China, specifically the Shanghai State Security Bureau.

According to court documents submitted by American prosecutors, Xu and at least one co-conspirator—Zhang Yu, who remains at large and is believed to be in China—exploited vulnerabilities in Microsoft Exchange servers to infiltrate academic and research institutions across the globe. Their primary targets included the University of Texas Medical Branch in Galveston and other Houston-area research centers working on COVID-19 vaccines, treatments, and diagnostic technologies.

The intrusions allegedly began in early 2020, before the virus spread widely in the United States and while Chinese authorities were publicly downplaying the severity of the outbreak within their own borders. Prosecutors claim the hackers installed persistent "web shell" backdoors, granting long-term remote control over compromised systems and enabling the extraction of confidential research data, email communications, and internal memos from prominent virologists and immunologists.

In total, the global cyber-intrusion campaign is believed to have compromised thousands of computer systems worldwide, including government networks and servers belonging to U.S. political officials. The scope of the operation reflects what Western intelligence agencies describe as a state-sponsored effort to gain strategic advantage in the race for pandemic countermeasures.

Legal Process in Italy

Xu has consistently maintained his innocence, arguing through his legal team that he is a victim of mistaken identity. Despite this defense, Italian courts moved methodically through the extradition process mandated by the bilateral treaty framework.

On January 27, 2026, the Milan Court of Appeal ruled that the U.S. extradition request met all legal criteria under Italian and international law, including the principle of "double criminality"—meaning the alleged offenses are punishable in both jurisdictions. Xu's lawyers immediately appealed to the Court of Cassation, Italy's supreme judicial authority, challenging the decision on procedural and human rights grounds.

On April 16, 2026, the Cassation panel rejected the defense appeal, removing the final judicial obstacle to extradition. Within days, the Italian Ministry of Justice issued the necessary political-administrative clearance, and Xu was handed over to U.S. law enforcement officials. The extradition was executed around April 25-26, 2026, according to multiple Italian news agencies.

What This Means for Residents

For people living in Italy, the case highlights several practical realities about the country's role in international law enforcement and its evolving cyber-security posture:

Airport vigilance: Italy's major hubs—particularly Malpensa, Fiumicino, and Marco Polo—are increasingly used as transit points by suspects fleeing or traveling through Europe. Interpol warrants can trigger arrests without prior warning, even for travelers simply changing planes.

Bilateral treaty obligations: Italy's 1983 extradition treaty with the United States, supplemented by a 2003 EU-U.S. agreement and a 2006 bilateral judicial assistance pact, creates a robust legal framework for transferring suspects. However, Italy retains the right to refuse extradition in cases involving political offenses, risk of the death penalty (unless the U.S. provides assurances), or potential violations of Italian constitutional rights.

Cyber-security cooperation: The Xu case arrives as Italy deepens its digital defense collaboration with Washington. In July 2025, the Cyber Security Foundation (an Italian nonprofit) signed a Memorandum of Understanding with the U.S. Department of Homeland Security's Cyber Crimes Center. The agreement, renewed through January 2027, focuses on threat intelligence sharing, training programs, and analysis of emerging technologies like artificial intelligence and quantum computing.

This institutional partnership reflects a broader recognition that cyber-espionage and ransomware attacks pose direct threats to Italy's critical infrastructure, including energy grids, banking systems, and healthcare networks.

Broader Context: China and Espionage in Italy

The Xu extradition is not an isolated incident. In March 2026, the Italian Ministry of Interior ordered the expulsion of eight Chinese nationals suspected of conducting surveillance and intimidation operations against Chinese dissidents living in Italy. Three were forcibly repatriated, one remained in detention in Rome, and four had already left the country.

Italian authorities described this as an unprecedented case of transnational repression, marking the first time the country has issued mass expulsions based on allegations of foreign state-directed harassment within its borders. The individuals allegedly worked to identify critics of the Chinese government residing in Italy, gathering intelligence for possible intimidation or coercion.

These parallel cases underscore growing tensions between Rome and Beijing over espionage activities, even as Italy attempts to balance economic ties with China—particularly regarding infrastructure investments and trade—with security concerns raised by NATO and EU partners.

Charges and Potential Penalties

In the United States, Xu faces multiple federal charges, including wire fraud, identity theft, conspiracy, and unauthorized access to protected computer systems. If convicted on all counts, he could face up to 20 years in federal prison.

The U.S. Department of Justice has characterized the case as part of a strategic effort to hold state-sponsored hackers accountable, even when they operate from the relative safety of their home countries. While Zhang Yu—Xu's alleged co-conspirator—remains beyond the reach of American law enforcement, the arrest and extradition of Xu sends a signal that international travel exposes cyber-criminals to the risk of capture and prosecution.

Implications for Digital Security

The Hafnium campaign's targeting of COVID-19 vaccine research represents a high-profile example of how cyber-espionage can directly threaten public health and scientific progress. By stealing proprietary research data, state-sponsored hackers can accelerate their own vaccine development programs, undermine intellectual property protections, and compromise the competitive advantage of Western pharmaceutical companies and universities.

For Italy, the case reinforces the importance of hardening digital defenses across research institutions, universities, and hospitals—sectors that have historically lagged behind financial services and government agencies in cyber-security investment. The extended U.S.-Italy cyber cooperation agreement aims to address these vulnerabilities through joint training, threat assessments, and technology sharing.

As digital espionage evolves in sophistication and scale, Italy's courts and law enforcement agencies will likely face more extradition requests involving cyber-crimes. The Xu case establishes a clear precedent: Italy will honor its treaty obligations and cooperate with allies in prosecuting state-sponsored hackers, even when the accused claims mistaken identity and the requesting country is an ocean away.

Italy Telegraph is an independent news source.