
How International Cooperation Led to the Extradition of a Chinese Cybercriminal: A Step-by-Step Guide

Introduction

In July 2025, Italian authorities arrested 34-year-old Xu Zewei, a Chinese national allegedly linked to the state-sponsored hacking group Silk Typhoon. His extradition to the United States marked a significant milestone in combating cyberattacks on American organizations and government agencies, including targets involved in COVID‑19 research. This guide breaks down the multi‑step process that law enforcement and international partners followed to bring Xu Zewei from arrest to U.S. custody. Whether you are a cybersecurity professional, legal expert, or simply interested in how global justice works, these steps reveal the intricate collaboration required to hold state‑sponsored hackers accountable.

What You Need

  • Solid Digital Evidence – Forensic data linking the suspect to specific attacks (IP logs, malware signatures, communication records).
  • Legal Framework – Extradition treaties between the requesting and host countries (U.S.–Italy agreement).
  • International Cooperation – Established channels like Interpol, mutual legal assistance treaties (MLATs), and diplomatic coordination.
  • Prosecution Team – Federal prosecutors, cybersecurity analysts, and intelligence liaisons.
  • Secure Communication Lines – Encrypted channels for sharing sensitive evidence without exposing sources.

Step‑by‑Step Process

Step 1: Identify and Investigate the Threat

Cyberattacks on U.S. research institutions during the COVID‑19 pandemic (February 2020 – June 2021) triggered alarms. Investigators from the FBI and CISA analyzed breached systems, traced malicious IP addresses, and identified patterns linked to Silk Typhoon. This initial phase requires constant threat monitoring and collaboration with affected organizations. In the Xu Zewei case, the attacks targeted government agencies and health research centers, leading to a formal investigation.

Step 2: Gather Digital Forensics and Attribution

Once a threat is identified, forensic experts collect digital evidence: server logs, stolen data artifacts, and malware code. Attribution involves linking these artifacts to a known threat group. Silk Typhoon’s tactics, techniques, and procedures (TTPs) were already documented by cybersecurity firms. Analysts matched Xu Zewei’s digital footprint to the group’s operations, establishing probable cause for an arrest warrant.

Step 3: Build a Legal Case and Secure Arrest Warrants

Federal prosecutors (e.g., from the U.S. Attorney’s Office) assemble an affidavit detailing the cybercrimes, impact, and evidence. A federal magistrate judge issues an arrest warrant. Simultaneously, the U.S. State Department prepares a provisional arrest request for Italy, citing the existing extradition treaty. Xu Zewei’s warrant alleged his role in orchestrating attacks on American COVID‑19 research infrastructure.

Step 4: Coordinate with International Partners

The U.S. engages Interpol to issue a Red Notice, enabling law enforcement across 196 countries to locate and detain the subject. Through diplomatic channels, the U.S. provides Italy with a formal extradition request package, including the arrest warrant, evidence summary, and legal arguments. Regular liaison meetings between FBI legal attachés in Rome and Italian authorities ensure smooth cooperation.

Step 5: Execute the Arrest in a Third Country

Italian police arrested Xu Zewei in July 2025 based on the U.S. provisional arrest request. He was taken into custody and held pending extradition proceedings. The arrest must comply with Italian law, including reading the suspect his rights and notifying the Chinese consulate (as he is a Chinese national, diplomatic notification was handled per bilateral agreements).

Step 6: Extradite via Legal Channels

Extradition involves a formal hearing before an Italian court. The judge evaluates whether the charges meet the dual criminality principle (both Italy and the U.S. consider the acts crimes) and whether sufficient evidence exists. Xu Zewei’s legal team may challenge extradition on human rights or political motivation grounds. In this case, the court approved extradition, and the Italian Ministry of Justice issued the surrender order. Xu Zewei was then handed over to U.S. Marshals at an Italian airport for transfer.

Step 7: Arraignment and Prosecution in the United States

Upon arrival in the U.S., Xu Zewei appears before a federal judge for arraignment. He is formally charged with computer intrusion, theft of trade secrets, and conspiracy (likely under the Computer Fraud and Abuse Act). The prosecution presents the evidence collected over years. The trial or plea negotiations follow. Meanwhile, law enforcement briefs the affected research institutions to help them strengthen defenses.

Tips for Similar Cases

  • Start early: Build relationships with international law enforcement before an incident occurs. Memoranda of understanding can speed up future extraditions.
  • Preserve evidence chain of custody: Ensure digital evidence is collected and stored according to legal standards to withstand challenges in foreign courts.
  • Exercise patience: International extradition often takes years. Maintain pressure through diplomatic channels without jeopardizing the case.
  • Consider public impact: Share de‑identified threat intelligence with the cybersecurity community to help others defend against similar attacks.
  • Review extradition treaties: Not all countries extradite their own nationals for cybercrimes. Pre‑plan alternative strategies, such as sanctions or travel alerts.

Following these steps, the U.S. successfully brought a Silk Typhoon hacker to face justice. The same blueprint can be adapted to apprehend other state‑sponsored cybercriminals, reinforcing the message that no digital border can shield illegal activities from coordinated international legal action.
