There’s something endearingly surreal about imagining the FBI feeling compelled to remind Beijing-backed hackers that they could be arrested if they leave China. It sounds like one of those warnings written in household appliance manuals: don’t put your cat in the microwave, don’t dry your hair in the bathtub, don’t cross a border if you’ve spent the last few years hacking computer systems on behalf of a state apparatus. Progress sometimes involves having to explain the obvious in a serious tone.
The news, of course, is serious. A Chinese citizen, Xu Zewei, arrested in Milan in July 2025, has just been extradited to the United States and is accused of having participated in hacking campaigns in 2020 and 2021 mandated by the Chinese government, while working for a local contractor. According to the US Department of Justice, those intrusions would have affected universities, immunologists and virologists involved in research on vaccines, treatments and tests for COVID-19. China, through the mouthpiece of the embassy in Washington, rejects everything: the case fabricated for political reasons, unjustified accusations, defamation.
Up to this point we are in the usual fog where cyberespionage, criminal justice, diplomacy and press releases meet. An uncertain landscape in which everyone sees something, but no one sees the same thing. The curious point, however, remains that clarification from FBI Assistant Director Brett Leatherman: the protection that Chinese hackers enjoy in China does not extend when they cross a border. Translated from bureaucratese: as long as you are at home perhaps no one will touch you, but if you come for shopping, sightseeing or an aperitif in a country that collaborates with the United States, the physical world suddenly comes back to exist.
It’s a useful clarification, but it sounds strange. It would be as if in the 1980s someone had had to remind Colombian drug traffickers that they could be arrested once they left Colombia. Or as if a robber, entering Switzerland after having emptied a bank in France, was surprised because the stolen goods did not guarantee him diplomatic immunity. Ultimately, the principle doesn’t seem revolutionary: if you commit a crime, it doesn’t matter much who patted you on the back before leaving the house.
Yet, in the digital world this evidence fails. Perhaps because we still have the bad habit of thinking that what happens beyond the screen belongs to another state of matter, a kind of moral vapor in which responsibilities dissolve. If a group physically enters a university laboratory and takes away documents on vaccine research, everyone understands the problem. If, however, it does so by crossing vulnerabilities in a mail server, the nuances suddenly emerge: contractor, plausible deniability, strategic interests, hybrid operations. All true, of course, but the victim is usually of little interest in knowing whether the thief has a balaclava, a tie or a consultant badge. States use, tolerate, recruit or allow useful individuals to thrive. In other times, no different things happened: the corsairs had letters of marque and cannons; today they have exploits, credentials and command servers. The difference is that the digital sea has no visible customs and many are convinced that simply navigating it will never be reached. Then comes an airport, a hotel room, a document check, and the other world collides with the physical one.
All true, unless the situation is different because if we were at war, the picture changes. Not because everything suddenly becomes clean, but because the legal and political categories are no longer the same. There is a considerable distance between a criminal and a prisoner of war, more or less that between a robbery and a military operation. The problem is that the cyber dimension loves gray areas: state enough to have protection, private enough to deny responsibility, criminal enough to cause damage and patriotic enough to sell itself as a service to the nation. Governments like this ambiguity very much when it is convenient and much less so when someone ends up in handcuffs in Milan. So it turns out that plausible deniability is a great umbrella until an arrest warrant rains down that makes it small, holey and rather ridiculous. The lesson is less technical than it seems. The Internet has not abolished borders, it has only made them intermittent. For years we have described the Internet as a space without borders; then we realize that the passports still exist, the airports as well, and the courts have not been dismantled. Cybercrime can travel at the speed of light, but those who commit it continue to have a body, a suitcase and, sometimes, a ticket that then becomes one-way. Ultimately, digital promises impunity because it seems immaterial; justice belies it when it reminds us that even clouds, sooner or later, stop in front of a fairly high mountain.
