A man charged with conducting cyberattacks for the Chinese government has been sent to the United States and could face over ten years in prison if found guilty. 

Last year, the U.S. Justice Department alleged that Xu Zewei operated as a contractor for the Chinese Ministry of State Security to carry out a number of cyberattacks. Prosecutors claimed Xu and his accomplice Zhang Yu targeted multiple U.S. universities in early 2020 to obtain research associated with the COVID-19 pandemic. Additionally, they reportedly hacked thousands of email servers running Microsoft Exchange starting in March 2021, as part of a broad campaign linked to a Chinese-supported hacking group called Hafnium, which later became known as Silk Typhoon.

Xu was apprehended in Italy last year following a request from U.S. authorities. His attorney in Italy, Simona Candido, informed TechCrunch that Xu was extradited to the United States on Saturday and is currently detained in Houston, Texas. 

As per the U.S. Bureau of Prison’s website, an individual with the same name is being held at the Federal Detention Center in Houston. 

Once this story was released, the Justice Department made a public announcement regarding Xu’s extradition.

Xu’s attorney in the U.S., Dan Cogdell, told TechCrunch that during a court session on Monday morning, Xu entered a plea of not guilty to all charges. 

Court documents indicate that Xu appeared for his initial session in federal court and was placed back into custody. 

As the Justice Department stated when it first brought charges against the accused hackers, Xu purportedly worked for Shanghai Powerock Network, a Chinese company that prosecutors claimed “conducted hacking” on behalf of Beijing. Xu and his fellow hackers were said to have reported their actions directly to Chinese state officials in Shanghai.

Together with Zhang, he was part of the Hafnium group that is alleged to have exploited previously unknown security vulnerabilities in Microsoft Exchange servers aiming to breach multiple American entities, including defense contractors, law firms, think tanks, and infectious disease researchers. 

Prosecutors assert that Hafnium hackers focused on over 60,000 organizations in the U.S. and succeeded in breaching more than 12,700 of them. 

The Chinese Embassy in Washington, D.C. did not respond to a request for comments.  

The Financial Times reported that the Chinese Foreign Ministry objected to Xu’s extradition and accused the U.S. government of “fabricating cases.” 

For years, the U.S. government has indicted alleged Chinese hackers, many of whom remain unapprehended. In 2022, Yanjun Xu received a 20-year sentence for hacking crimes, marking the first instance where a Chinese government intelligence officer was extradited to the United States, according to the DOJ. 

This story was revised to include the DOJ’s announcement of Xu’s extradition, details from new court records, and statements from Xu’s lawyer.