Overview of the Incident
Between March and May 2023, three frontend developers—identified as Liu, Zhang 1, and Dong 2—colluded to implant a malicious “backdoor” within the iToken APP software package. This illicit endeavor facilitated unauthorized access to sensitive digital wallet information, including private keys and mnemonic phrases belonging to users.
Details of the Malicious Activity
The trio transferred the stolen data to a Virtual Private Server (VPS) they had established, where it was stored within a database linked to a specific domain before being downloaded to their local systems. In total, they extracted 27,622 mnemonics and 10,203 unique private keys, which were then utilized to create 19,487 distinct digital wallet addresses.
Roles of the Developers
- Liu: Responsible for programming the request logic.
- Zhang 1: Tasked with the VPS setup and database management specifically for the iToken application on Android.
- Dong 2: In charge of acquiring the domain and encrypting user private keys for the iToken app on iOS.
Legal Consequences
After investigators apprehended the three, they admitted to their criminal actions. The court found that their conduct constituted a severe infringement of state laws against computer data theft, justifying their prosecution. Consequently, all three were sentenced to three years in prison and each was fined 30,000 RMB for their offenses related to the illegal procurement of data from a computer information system.
Post-Incarceration Restrictions
Additionally, upon completing their prison terms, Liu, Zhang 1, and Dong 2 are barred from engaging in any roles connected to network security management or operation for a period of three years.
