Italy extradites Chinese national accused of running spear-phishing operation against US Covid researchers - first such extradition from Europe to US

Italy extradited Chinese national Xu Zewei to the US on Friday, where he is accused of running a years-long Chinese government-linked spear-phishing campaign that targeted US Covid-19 researchers, universities, and law firms. The case is notable because it's the first time a European country has extradited a Chinese state-linked hacker to the US, and signals tighter coordination between European and US prosecutors on China-attributed cyber operations. Xu was arrested in Milan in July 2024 on a US warrant; Italy's highest court approved the extradition this month after his appeals were exhausted. He could spend decades in US federal prison.

Check

If your research, healthcare, or legal organization worked on Covid-related materials, expect renewed targeting from China-linked groups now that one of their operators faces US prosecution.

Affected

Universities, research labs, hospitals, and law firms that worked on Covid-19 vaccine development, treatment research, public health policy, or related litigation between 2020 and 2024. Organizations named in the Xu Zewei indictment are at high risk for retaliation. More broadly: any organization holding biomedical research IP, particularly with Chinese researchers in their network.

Fix

Brief researchers and legal staff on the spear-phishing pattern: emails from people they actually know asking for documents or login help, with subtle indicators like off-pattern grammar or unusual sender domains. Add MFA to research-data and legal-discovery systems. Monitor outbound transfers of research datasets to unfamiliar destinations. Treat the extradition as a likely catalyst for retaliatory campaigns.