
A Suspected Chinese Hacker Cuffed In Italy

July 10, 2025

Read also: Brazilian police arrest suspect in $100 million PIX hack, five arrested in the Netherlands over QR code bank phishing scheme, and more.



A suspected Chinese hacker arrested in Italy over US COVID-19 espionage case

Italian authorities arrested Xu Zewei, aka “Zavier Xu” and “David Xu,” a 33-year-old Chinese national, at Milan’s Malpensa Airport following his arrival from Shanghai. Xu is suspected of being involved in a high-profile, state-sponsored hacking campaign aimed at stealing sensitive US COVID-19 vaccine research during the global pandemic. The arrest was made on the basis of an international warrant issued by the United States, which is now seeking Xu’s extradition to face criminal charges.

Xu is alleged to be connected to Hafnium, also known as Silk Typhoon, a China-affiliated cyberespionage group previously linked to the 2021 compromise of Microsoft’s Exchange email servers. Hafnium is widely believed to operate on behalf of the Chinese state and has been accused of conducting large-scale cyber operations targeting US critical infrastructure and intellectual property.

According to US authorities, Xu was a key figure who orchestrated and executed cyber-attacks that targeted American researchers, including virologists, immunologists, and prestigious institutions such as the University of Texas. Xu and his associates allegedly attempted to access and exfiltrate proprietary data related to vaccine development, clinical trials, and other sensitive biomedical research.

US federal prosecutors charged Xu with wire fraud, aggravated identity theft, unauthorized access to protected computers, and conspiracy. If convicted on all charges, he could face a prison sentence of up to 32 years. In 2020, the US DoJ indicted two other Chinese nationals in connection with a cyber theft operation aimed at stealing COVID-related research and trade secrets.

Separately, US authorities have sanctioned a North Korean cyber actor believed to be linked to the Andariel group for organizing a scheme in which North Korean IT workers based in China and Russia obtained work using the stolen identities of US citizens.

Brazilian police arrest a suspect in a $100 million PIX breach

Brazilian police have arrested a suspect linked to a massive cyber-attack that saw more than 540 million reais (around $100 million) stolen from the country’s banking systems.

The attack targeted PIX, Brazil’s widely used instant payment system, which is used by over 76% of the population. Authorities say the hackers exploited weaknesses in software from C&M Software, the provider that connects financial institutions to the Central Bank for processing PIX transactions.

The suspect, João Roque, an IT employee at C&M, allegedly sold his system credentials to hackers earlier this year. According to São Paulo police, Roque confessed during questioning that he had been recruited by cybercriminals and provided them with unauthorized access to the system.

Using the employee’s credentials, the attackers executed a series of fraudulent PIX transactions in a single night. No individual customers were affected, but at least one financial institution lost roughly $100 million. Police believe at least four other people took part and are working to identify them; so far, 270 million reais linked to the scheme have been frozen while the investigation continues.
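The pattern described above, a legitimate operator credential used after hours to push a burst of large transfers through the connector, is exactly what a monitoring rule on the connector’s audit log should catch. The Python below is an added example, not code from the article or from C&M Software; the log format, credential names, thresholds and business-hours window are all assumptions, and the log lines are constructed. It groups off-hours PIX transfer instructions per credential into bursts and raises an alert when a burst exceeds both a count and a value threshold.

```python
"""Flag after-hours bursts of instant-payment instructions issued under a single operator credential.

Added example, not code from the article or from C&M Software. The log format, credential
names, thresholds and business-hours window are assumptions; SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connector audit log: <ISO timestamp> <credential> <action> <amount in BRL>
SAMPLE_LOG = """\
2025-06-30T14:02:11 op-17 PIX_TRANSFER 12500.00
2025-06-30T14:40:53 op-17 PIX_TRANSFER 8900.00
2025-06-30T16:15:07 op-22 PIX_TRANSFER 41000.00
2025-06-30T23:58:40 op-22 LOGIN 0.00
2025-07-01T02:03:19 op-17 PIX_TRANSFER 9800000.00
2025-07-01T02:04:02 op-17 PIX_TRANSFER 7250000.00
2025-07-01T02:05:44 op-17 PIX_TRANSFER 11400000.00
2025-07-01T02:07:10 op-17 PIX_TRANSFER 6300000.00
2025-07-01T02:09:31 op-17 PIX_TRANSFER 15000000.00
2025-07-01T09:12:48 op-22 PIX_TRANSFER 3200.00
"""

BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 local time is normal operator activity


def parse_log(text):
    """Parse the constructed log format into (timestamp, credential, action, amount) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cred, action, amount = line.split()
        events.append((datetime.fromisoformat(ts), cred, action, float(amount)))
    return events


def flag_bursts(events, gap=timedelta(minutes=10), min_count=3, min_total=1_000_000.0):
    """Group off-hours PIX transfers per credential into bursts (consecutive instructions no more
    than `gap` apart) and alert on bursts reaching both the count and the value threshold."""
    by_cred = defaultdict(list)
    for ts, cred, action, amount in events:
        if action == "PIX_TRANSFER" and ts.hour not in BUSINESS_HOURS:
            by_cred[cred].append((ts, amount))

    alerts = []
    for cred, evs in by_cred.items():
        evs.sort()
        burst = [evs[0]]
        # A trailing None closes the last burst so it is evaluated like the others.
        for ev in evs[1:] + [None]:
            if ev is not None and ev[0] - burst[-1][0] <= gap:
                burst.append(ev)
                continue
            count, total = len(burst), sum(a for _, a in burst)
            if count >= min_count and total >= min_total:
                alerts.append({"credential": cred, "start": burst[0][0], "end": burst[-1][0],
                               "count": count, "total_brl": total})
            if ev is not None:
                burst = [ev]
    return sorted(alerts, key=lambda a: a["start"])


if __name__ == "__main__":
    for alert in flag_bursts(parse_log(SAMPLE_LOG)):
        print(f"{alert['credential']}: {alert['count']} transfers, "
              f"BRL {alert['total_brl']:,.2f} between {alert['start']} and {alert['end']}")
```

On the constructed log this raises one alert, for op-17, covering five transfers worth BRL 49.75 million issued between 02:03 and 02:09; the same credential’s daytime activity and the other operator’s transfers stay silent. The rule is deliberately narrow: a single legitimate night-time transfer never alerts, and the thresholds should be set from each institution’s own baseline rather than copied from here.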

Insiders who go rogue can cause serious financial and reputational damage to their employers. In another such case, ransomware negotiation firm DigitalMint is reportedly investigating allegations that a former employee collaborated with ransomware actors in exchange for a cut of extortion payments.

A company official told Bloomberg that a criminal investigation is currently underway and that the Chicago-based company is not the focus of the probe. The employee was "immediately terminated" and there is no indication that DigitalMint was aware of or supported the individual’s actions.

Five arrested in the Netherlands over QR code bank phishing scheme

Dutch authorities have arrested five people, including four teenagers, in connection with a phishing operation that targeted customers of ABN AMRO bank. The group is accused of using fake QR codes sent via registered mail to steal victims' banking credentials.

An investigation was launched following multiple reports of phishing. Victims reported receiving registered letters that appeared to be from ABN AMRO, containing instructions to ‘secure’ their bank accounts by scanning a QR code. Instead, the code redirected them to a fake banking website, where their login details were harvested. Investigators conducted searches during the arrests and seized several items for forensic analysis.
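The practical defence against the letter-borne QR codes described above is to treat any decoded URL as untrusted input and check it before the customer’s browser follows it. The Python below is an added example, not code from the article, the Dutch police or ABN AMRO; it assumes abnamro.nl is the bank’s legitimate registrable domain, and every URL in it is constructed for illustration rather than taken from the real campaign. It classifies a decoded URL and catches the common redirect tricks: a non-HTTPS link, a bank name placed in the userinfo part before an @ so the real host is hidden, a punycode label, a lookalike registrable domain built from confusable characters, and the brand used as a subdomain of an attacker-controlled domain.

```python
"""Triage a URL decoded from a QR code before anyone follows it.

Added example, not code from the article or from ABN AMRO. Assumptions: the bank's
legitimate registrable domain is abnamro.nl, and every URL in SAMPLE_URLS is
constructed for illustration, not taken from the real campaign.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"abnamro.nl"}  # assumption: the bank's real registrable domain

# Character swaps commonly used to build lookalike hostnames (folded before comparison).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

# Constructed samples covering each verdict the classifier can return.
SAMPLE_URLS = [
    "https://www.abnamro.nl/nl/prive/",                    # trusted
    "http://www.abnamro.nl/",                              # not-https: downgrade or interception risk
    "https://abnamro.nl@accounts-secure.example/login",    # userinfo-trick: real host is after the @
    "https://abnarnro.nl/beveilig",                        # lookalike: 'rn' stands in for 'm'
    "https://abnamr0.nl/",                                 # lookalike: zero for 'o'
    "https://abnamro.nl.secure-verify.example/",           # lookalike: brand as a subdomain
    "https://xn--bnamro-1ta.nl/",                          # punycode: needs manual review
    "https://example.org/",                                # untrusted: unrelated domain
]


def _registrable(host: str) -> str:
    """Last two labels of a hostname; adequate for .nl/.com style TLDs, not for co.uk-style ones."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _fold(label: str) -> str:
    """Collapse confusable sequences so 'abnarnro' and 'abnamr0' both become 'abnamro'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def classify_qr_url(url: str) -> str:
    """Classify a decoded URL: trusted, not-https, userinfo-trick, punycode, lookalike or untrusted."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "not-https"
    if parts.username is not None:
        # https://abnamro.nl@evil.example/ shows the bank's name first; the browser goes to evil.example
        return "userinfo-trick"
    host = (parts.hostname or "").lower()
    if not host:
        return "untrusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    registrable = _registrable(host)
    if registrable in TRUSTED_DOMAINS:
        return "trusted"
    second_level = registrable.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_sld = trusted.split(".")[0]
        # Same brand label after confusable folding, or the brand used as a subdomain elsewhere
        if _fold(second_level) == trusted_sld or trusted in host:
            return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{classify_qr_url(sample):15} {sample}")
```

Only the `trusted` verdict should be followed automatically; everything else is blocked or shown to a human with the real hostname spelled out. The registrable-domain helper is intentionally simple and would need a public-suffix list for TLDs such as co.uk, and the confusable table is a starting point, not a complete homoglyph set.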

In an unrelated case, a 22-year-old Dutch man was extradited from the United Arab Emirates to the Netherlands. He is suspected of running a DDoS-for-Hire operation, registering domain names with false identity documents, and laundering profits from websites offering pirated content and illegal services.

The suspect allegedly provided infrastructure for cyber-attacks, sold advertising space on his platforms, and rented server space to other cybercriminals. He now faces multiple cybercrime- and fraud-related charges.


Russian basketball player arrested in France on US ransomware charges

Russian professional basketball player Daniil Kasatkin has been arrested and detained in France at the request of the United States, which suspects him of involvement in a massive ransomware operation that targeted hundreds of companies and US federal institutions.

Kasatkin, 26, was taken into custody on June 21 at Paris’s Roissy-Charles de Gaulle airport after arriving in France with his fiancée. The arrest was confirmed during a hearing in Paris on July 8, where a French court ruled to keep him in custody under an extradition warrant.

The US accuses Kasatkin of participating in a cybercriminal group that allegedly launched ransomware attacks against nearly 900 organizations, including two federal agencies, between 2020 and 2022. According to US authorities, Kasatkin played a role in negotiating ransom payments.

Kasatkin faces charges in the US for “conspiracy to commit computer fraud” and “computer fraud conspiracy.” The basketball player, who previously studied in the United States and most recently played for Moscow’s MBA-MAI team, denies any involvement in the cyber-attacks.


A Canadian man charged in $550K cyber fraud targeting Hamilton city affiliate

Canadian authorities have charged a 32-year-old man from Surrey, British Columbia, in connection with a cyber fraud scheme that led to the misappropriation of more than $550,000 from a City of Hamilton affiliate.

The fraud followed a cyber-attack on the City of Hamilton in February 2024 that disrupted internal systems and forced staff to rely on manual workarounds for routine operations, including vendor payments. During this period, a staff member at a municipal housing affiliate received a fake email purporting to be from a known contractor and transferred more than $550,000 to a bank account controlled by the perpetrator.

The fraud was discovered in March 2024 when the legitimate vendor reported non-payment. An investigation traced the payment to a numbered company linked to the Surrey man. The police were able to recover around $417,000 after one of the accounts was frozen, but the city still suffered a net loss exceeding $130,000, along with additional legal and investigative costs.

On July 7, the accused voluntarily surrendered at Central Station in Hamilton, where he was arrested and later released on an undertaking. The man is scheduled to appear in court on August 14, 2025.
