FBI Unmasks Chinese Spy Hack Targeting UTMB COVID-19 Research

The FBI has revealed that a Chinese hacker stole 1.5 gigabytes of sensitive emails from top COVID-19 researchers at the University of Texas Medical Branch. Arrested in Italy and extradited to the U.S., Xu Zewei allegedly worked for Chinese intelligence in a brazen cyber espionage campaign during the early pandemic.


The FBI has laid bare a brazen Chinese cyber espionage operation that targeted some of America’s leading COVID-19 researchers. Xu Zewei, a 34-year-old Chinese national, is accused of hacking into the University of Texas Medical Branch (UTMB) email system and stealing 1.5 gigabytes of emails containing sensitive vaccine research data.

Xu’s alleged crimes came to light during a detention hearing in federal court, where FBI Special Agent Benjamin Hyman testified that Xu confirmed his haul in a text message to a Chinese intelligence official in February 2020. The official had asked if he had uncovered anything “juicy or good” from the intrusion.

Xu was arrested last year in Italy and extradited to the United States in a rare international law enforcement victory. He faces nine federal felonies, including wire fraud, intentional damage to a protected computer, and aggravated identity theft. U.S. Magistrate Judge Richard W. Bennett ordered Xu held without bond, citing a high flight risk.

The hack was not an isolated incident. Xu and an accomplice, Zhang Yu, allegedly worked at the behest of the Shanghai State Security Bureau — China’s equivalent of the CIA — targeting multiple U.S. universities for COVID-19 treatment information. The FBI traced Xu’s digital footprint through an IP address linked to code downloaded from GitHub and connected it to Xu’s Apple account, which contained personal photos and incriminating chat messages.

The operation exploited a known vulnerability (CVE-2019-11510) to steal the credentials of UTMB’s IT administrator, granting access to the institution’s virtual private network. The hackers targeted at least three virologists or immunologists, though authorities have not named them.
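The two signals described above (a pre-authentication web vulnerability on the VPN appliance, then a privileged account's stolen credentials used to log in) are what a defender would want to catch in appliance logs. CVE-2019-11510 is a pre-authentication path-traversal file read in the Pulse Connect Secure web interface, so traversal sequences in requests to the VPN's web endpoints, followed by a privileged login from the same source, is the pattern to alert on. The example below is added here; it is not code from the article, the FBI or UTMB. The log formats (an Apache-style access log and a simple key=value VPN auth log), the sample records, the `itadmin` account, the IP addresses and the baseline of known administrator addresses are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample records (not real UTMB data). The formats are assumed:
# an Apache-style access log for the appliance's web interface and a simple
# key=value line per VPN authentication event.
WEB_LOG = """\
203.0.113.7 - - [05/Feb/2020:10:12:01 +0000] "GET /vpn/login HTTP/1.1" 200 4120
203.0.113.7 - - [05/Feb/2020:10:12:09 +0000] "GET /vpn/../../../../etc/passwd HTTP/1.1" 200 2310
198.51.100.4 - - [05/Feb/2020:10:13:44 +0000] "GET /vpn/login HTTP/1.1" 200 4120
203.0.113.7 - - [05/Feb/2020:10:14:02 +0000] "GET /vpn/%252e%252e/%252e%252e/config/users.db HTTP/1.1" 200 65536
"""

VPN_AUTH_LOG = """\
2020-02-05T10:30:11Z auth-ok user=jdoe src=198.51.100.4
2020-02-05T10:41:52Z auth-ok user=itadmin src=203.0.113.7
2020-02-05T11:02:07Z auth-ok user=itadmin src=192.0.2.10
"""

# Constructed baseline: privileged accounts and the addresses they normally
# connect from. Any other source for these accounts is worth a look.
PRIVILEGED_BASELINE = {"itadmin": {"192.0.2.10"}}

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
AUTH_RE = re.compile(r'^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)')


def normalize_path(path):
    """Percent-decode repeatedly (bounded) so double-encoded traversal
    sequences such as %252e%252e are compared in their decoded form."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True when any path segment is '..' after decoding; the query string
    is dropped and backslashes are treated as separators."""
    p = normalize_path(path).split("?", 1)[0]
    return any(seg == ".." for seg in p.replace("\\", "/").split("/"))


def find_traversal_attempts(log_text):
    """Return (source, raw path, status) for each traversal request.
    A 200 status on such a request is the worst case: the read succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["src"], m["path"], int(m["status"])))
    return hits


def find_unusual_privileged_logins(auth_text, baseline):
    """Return (user, source, timestamp) for successful logins by a
    privileged account from an address outside its baseline."""
    alerts = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if not m or m["event"] != "auth-ok":
            continue
        known = baseline.get(m["user"])
        if known is not None and m["src"] not in known:
            alerts.append((m["user"], m["src"], m["ts"]))
    return alerts


def correlate(web_text, auth_text, baseline):
    """Highest-priority finding: a source that probed the web interface for
    traversal and then logged in with a privileged account."""
    probing = {src for src, _, _ in find_traversal_attempts(web_text)}
    return [a for a in find_unusual_privileged_logins(auth_text, baseline)
            if a[1] in probing]


if __name__ == "__main__":
    for hit in find_traversal_attempts(WEB_LOG):
        print("traversal attempt:", hit)
    for alert in correlate(WEB_LOG, VPN_AUTH_LOG, PRIVILEGED_BASELINE):
        print("privileged login after probing:", alert)
```

On the constructed input the correlation step flags `203.0.113.7`: it issued two traversal requests that returned 200, then authenticated as `itadmin` from an address the account never uses. Either signal alone is noisy (vulnerability scanners generate traversal probes; administrators travel), which is why the joined finding is the one to escalate first.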

Xu’s defense attorney dismissed the government’s case as “ridiculous,” arguing it was implausible for a skilled hacker to use personal devices and email accounts that led directly to him. Meanwhile, FBI Cyber Division Assistant Director Brett Leatherman described Xu’s role in a vast “hacker-for-hire ecosystem” employed by the Chinese government, which uses private contractors to conceal state involvement while stealing sensitive information.

The Justice Department confirmed that the Chinese government attempted to interfere with Xu’s extradition. FBI Director Kash Patel traveled to Italy in February and signed a memorandum of understanding with Italian police that helped secure Xu’s transfer.

Though officials stopped short of confirming whether the stolen data led to breakthroughs in China’s pandemic response, the indictment underscores the ongoing threat of state-sponsored cyber theft. Xu remains in custody pending trial as the U.S. continues to confront the shadowy world of international cyber espionage.

This case exposes the lengths to which authoritarian regimes will go to steal American innovation and highlights the urgent need for robust cybersecurity and international cooperation to protect scientific research critical to public health and national security.
