FBI Exposes China's Out-of-Control Hacker-for-Hire Ecosystem
Severity: High (Score: 74.0)
Sources: Theregister
Keywords: ecosystem, cyber, china, hacker-for-hire, control, boss, gotten
Severity indicators: ot
Summary
The FBI has highlighted the rampant hacker-for-hire ecosystem in China, which operates under the direction of the country's intelligence agencies. Brett Leatherman, assistant director of the FBI's cyber division, stated that these private companies exploit vulnerable computers to gather sensitive information for profit, often selling it to the Chinese government or on the dark web. The recent extradition of Xu Zewei from Italy marks a significant development, as he faces nine hacking-related charges linked to state-sponsored cyber operations. These operations included the exploitation of zero-day vulnerabilities in Microsoft Exchange, affecting over 12,700 organizations in the U.S. and targeting research institutions during the COVID-19 pandemic. The indictment details Xu's role in coordinating hacking activities and supervising other hackers under the direction of the Shanghai State Security Bureau. This situation underscores the serious implications for cybersecurity and international relations, as the FBI warns that the protections assumed by these hackers do not extend beyond China's borders.

Key Points:
• China's hacker-for-hire ecosystem is directed by state intelligence agencies.
• Xu Zewei was extradited from Italy and faces multiple hacking charges.
• The operations included exploiting Microsoft Exchange vulnerabilities affecting thousands of U.S. organizations.
Detailed Analysis
**Impact**
Thousands of computers were targeted in intrusions directed by China’s Ministry of State Security (MSS) and the Shanghai State Security Bureau (SSSB) between February 2020 and June 2021. The 2021 Microsoft Exchange zero-day campaign affected hundreds of thousands of servers globally, including 12,700 organizations in the United States. Affected sectors include American universities and COVID-19 research institutions, with sensitive vaccine and treatment data at risk. The ecosystem’s operations also enable third-party access to compromised systems and stolen data via dark web sales, increasing overall risk.

**Technical Details**
Attackers exploited zero-day vulnerabilities in Microsoft Exchange servers as part of the Hafnium/Silk Typhoon campaign. The threat actors operated under direction from MSS and SSSB, using private companies such as Shanghai Powerock Network and Shanghai Firetech Information Science and Technology Company. The charged conduct included unauthorized access, data theft, wire fraud, and intentional damage to protected computers; these are the offenses alleged in the indictment rather than detailed TTPs. Specific CVEs exploited are not detailed in the articles. Xu Zewei and Zhang Yu coordinated hacking activities, with Xu managing operations and reporting results to the SSSB.

**Recommended Response**
Apply all relevant patches for Microsoft Exchange zero-day vulnerabilities immediately. Deploy detections for unauthorized access and abnormal data exfiltration, focusing on indicators associated with the Hafnium/Silk Typhoon campaigns. Harden network perimeter defenses and monitor for signs of compromised credentials or lateral movement consistent with MSS-directed intrusions. No specific IOCs were provided in the source articles; defenders should monitor for emerging threat intelligence updates related to these actors.
Source articles (2)
- FBI cyber boss: China's hacker-for-hire ecosystem 'out of control' — Theregister · 2026-04-30
  China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division. This ecosystem includes private technology companies opera…
- FBI cyber boss: China's hacker-for-hire ecosystem 'out of control' — Theregister · 2026-05-01
  China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division. This ecosystem includes private technology companies opera…
Timeline
- 2020-02-01 — Xu Zewei begins hacking operations under MSS direction
- 2021-06-30 — Hafnium exploits zero-day vulnerabilities in Microsoft Exchange
- 2025-07-01 — Xu Zewei arrested in Italy
- 2026-04-30 — FBI announces Xu's extradition and charges
- 2026-05-01 — FBI cyber boss comments on hacker-for-hire ecosystem