Conspiracy and Implementation
Between March and May 2023, three frontend development engineers of the iToken application, named Liu, Zhang 1, and Dong 2, conspired to implant a "backdoor" in the iToken application package. This manipulation allowed them to illegally obtain private keys, mnemonic phrases, and other data related to users’ digital wallets.
They subsequently uploaded this information to a database on a preconfigured VPS server, associated with a specific domain name, before transferring it to a local server. Investigators discovered that 27,622 mnemonic phrases and 10,203 private keys (all de-duplicated) had been illegally collected. This data was used to generate 19,487 unique digital wallet addresses.
Roles of the Involved Parties
Liu was responsible for writing the logical code for the request; Zhang 1 handled the setup of the VPS and the database, as well as the upload on the Android version of iToken; and Dong 2 was in charge of purchasing the domain name, encrypting the users’ private keys, and uploading on the iOS version of iToken.
Legal Consequences
Following their arrest, the three defendants confessed to their crimes. The court ruled that they had violated state regulations by using technical means to illegally obtain data from the computer information system, which constituted a particularly serious crime.
Thus, Liu, Zhang 1, and Dong 2 were found guilty of illegally obtaining data from the computer information system. They were sentenced to three years in prison and a fine of 30,000 RMB each.
In addition, they are prohibited from engaging in any activities related to network security management, network operation, or any related work for three years following the completion of their sentence.
