This is your Digital Dragon Watch: Weekly China Cyber Alert podcast.
Welcome, cyber sleuths and digital dragons, to another episode of Digital Dragon Watch: Weekly China Cyber Alert. I’m Ting, your go-to for all things China, cyber, and a dash of hacking wit, so let’s dive right in—because the world’s not pausing for your firewall to update.
The big news this week: US authorities, in a rare display of cross-continental law enforcement, confirmed the arrest of infamous Chinese hacker Xu Zewei in Milan. Xu, age thirty-three, is accused of spearheading cyber espionage campaigns targeting COVID-19 research at US universities and orchestrating the notorious Hafnium attacks that compromised Microsoft Exchange servers everywhere from small businesses to global law firms. According to the Justice Department, Xu was a contract hacker for Shanghai Powerock Network, working directly for China’s Ministry of State Security via the Shanghai State Security Bureau. The charges are sprawling: conspiracy, wire fraud, unauthorized access—if there’s a cybercrime statute, Xu’s probably on it. His alleged partner-in-hack, Zhang Yu, remains on the loose, and the FBI wants tips. Meanwhile, China’s government loudly condemned the arrest, calling it “firmly opposed,” so expect those diplomatic cables to be extra encrypted this week.
But the week wasn’t just about COVID heists and extradition drama. In Europe, France’s cybersecurity agency ANSSI dropped a bombshell about the China-linked ‘Houken’ group, which has been exploiting zero-day flaws in Ivanti Cloud Service Appliance devices to worm its way into sectors like government, telecom, media, and finance. Houken, linked with the infamous UNC5174 crew, uses a mix of cutting-edge zero-days and a grab bag of open-source Chinese hacking tools. Their latest stunt? Self-patching the holes they exploited—talk about cleaning up after your own break-in.
Switching gears, Taiwan and China continued their digital cold war. Beijing accused Taipei of cyberattacks against tech firms in Guangzhou. In typical tit-for-tat, Taiwan’s National Security Bureau called the allegations disinformation, insisting this was another round of China’s digital intimidation. Also in the mix: concern over Chinese-owned apps like Douyin and Rednote possibly serving as Trojan horses for propaganda among Taiwan’s youth.
Stateside, the SAP July Patch Tuesday brought urgent warnings as critical deserialization bugs—previously exploited by alleged China-nexus groups—were patched. The vulnerabilities allowed unauthenticated remote exploitation, with CVE-2025-30012 hitting a perfect 10.0 on the CVSS Richter scale. If you’re running SAP SRM or related legacy solutions, now’s not the time to delay patching.
The White House and State Department aren’t sleeping, either. They issued advisories on the rapid rise of AI-driven impersonation attempts, including deepfakes crafted to mimic Secretary of State Marco Rubio, targeting foreign dignitaries and US officials. This comes after a spring spike in warnings from the FBI about AI-generated social engineering attacks—so, pro tip: verify that voicemail from “Rubio” before you start sharing state secrets.
Expert recommendations this week are clear: patch edge devices and legacy enterprise applications, run regular threat hunts for unrecognized admin accounts or web shells, and educate users on AI-driven social engineering. For those in defense, academia, and critical infrastructure, assume your perimeter is being poked by both human and machine adversaries.
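To make the threat-hunting advice above concrete, here is an added example (not from the podcast or any of the vendors mentioned) of a minimal hunt script: it compares a host's current admin accounts against an approved baseline and flags script files under a web root that either match common web-shell traits or were modified after the last known deployment. The baseline, the web-root listing, and the deployment date are all constructed sample data; the pattern names and heuristics are the author's assumptions, meant as review indicators rather than proof of compromise.

```python
"""Added example: a small threat-hunt helper for two of the recommendations
above: unrecognized admin accounts and likely web shells.
All data below is constructed for illustration."""
from dataclasses import dataclass
import re

# Constructed baseline: the admin accounts your change records say should exist.
APPROVED_ADMINS = {"alice", "bob", "svc-backup"}


def unrecognized_admins(current_admins, approved=APPROVED_ADMINS):
    """Return admin accounts present on the host but absent from the baseline."""
    return sorted(set(current_admins) - set(approved))


@dataclass
class WebFile:
    path: str       # location under the web root
    modified: str   # ISO date of last change (string compare works for ISO dates)
    content: str    # first part of the file (constructed here)


# Heuristics commonly associated with web shells: a code- or command-execution
# primitive fed directly from request parameters. Names are our own labels.
SHELL_PATTERNS = [
    ("aspx eval(Request)", re.compile(r"eval\s*\(\s*Request", re.I)),
    ("php exec from request param",
     re.compile(r"(system|exec|shell_exec|passthru)\s*\(\s*\$_(GET|POST|REQUEST)", re.I)),
    ("java Runtime.exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\(", re.I)),
]
SCRIPT_EXT = (".aspx", ".asp", ".php", ".jsp")


def suspicious_web_files(files, deploy_after=None):
    """Return (path, reasons) for script files that match a shell pattern or,
    if deploy_after is given, were modified after the last known deployment."""
    hits = []
    for f in files:
        if not f.path.lower().endswith(SCRIPT_EXT):
            continue  # binaries and static assets are out of scope for this hunt
        reasons = [name for name, rx in SHELL_PATTERNS if rx.search(f.content)]
        if deploy_after and f.modified > deploy_after:
            reasons.append("modified after last deployment")
        if reasons:
            hits.append((f.path, reasons))
    return hits


# Constructed sample listing of a web root after an incident.
SAMPLE_FILES = [
    WebFile("/inetpub/wwwroot/index.aspx", "2025-05-10",
            '<%@ Page Language="C#" %><html>...</html>'),
    WebFile("/inetpub/wwwroot/tmp/x.aspx", "2025-07-08",
            '<%@ Page Language="Jscript" %><% eval(Request.Item["p"], "unsafe"); %>'),
    WebFile("/var/www/html/uploads/img.php", "2025-07-09",
            "<?php system($_GET['c']); ?>"),
    WebFile("/var/www/html/logo.png", "2025-07-09", "\x89PNG..."),
    WebFile("/var/www/html/contact.php", "2025-07-02",
            "<?php mail('ops@example.invalid', 'hi', 'ok'); ?>"),  # benign but post-deploy
]

if __name__ == "__main__":
    print("Unrecognized admins:",
          unrecognized_admins(["alice", "bob", "svc-backup", "support_tmp"]))
    for path, reasons in suspicious_web_files(SAMPLE_FILES, deploy_after="2025-06-30"):
        print(f"REVIEW {path}: {', '.join(reasons)}")
```

Run on a real host you would feed `unrecognized_admins` the output of `net localgroup Administrators` or `getent group sudo`, and `suspicious_web_files` a walk of the web root; the "modified after deployment" rule is deliberately noisy (it catches the benign `contact.php` edit too), which is the point: it surfaces everything an analyst should reconcile against change records, while the pattern matches mark the items to triage first.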
That wraps this week’s whirlwind of wires, hacks, and arrests. I’m Ting, reminding you to subscribe for your next byte of cyber truth—and keep your dragons digital, not literal. Thanks for tuning in. This has been a Quiet Please production; for more, check out quietplease.ai.