Italian police have arrested Chinese national Xu Zewei at Milan’s Malpensa Airport on a U.S. warrant that accuses him of hacking computer networks to steal Covid-19 vaccine research. The 33-year-old, who also uses the names Zavier and David Xu, was taken into custody on 3 July and is being held pending extradition to the United States. A nine-count indictment unsealed in the Southern District of Texas alleges that Xu and an alleged accomplice, Zhang Yu, carried out computer intrusions between February 2020 and June 2021 under the direction of China’s Shanghai State Security Bureau, part of the Ministry of State Security. Prosecutors say the pair, operating as part of the HAFNIUM group, exploited Microsoft Exchange Server vulnerabilities to penetrate U.S. universities, a global law firm and other targets in order to obtain proprietary data on vaccines, treatments and testing for Covid-19. The charges include wire fraud, conspiracy, aggravated identity theft and intentional damage to protected computers. The Justice Department describes Xu as a state-sponsored “contract hacker”; he denies the allegations, telling an Italian court that investigators have confused him with someone else who shares his common surname. Extradition proceedings are expected to continue in Milan while U.S. authorities search for Zhang, who remains at large.