PANews reported on April 16 that according to Yun Toutiao, from March to May 2023, three front-end development engineers, Liu, Zhang, and Dong, conspired to implant a "backdoor" in the iToken APP application package in advance, illegally obtaining other people's digital wallet private keys, mnemonics and other data, and uploaded them to the database of the pre-built VPS backend server corresponding to the specified domain name, and then downloaded them to the local server. After identification, a total of 27,622 mnemonics and 10,203 private keys were illegally obtained (all deduplicated), and the above mnemonics and private keys successfully converted 19,487 digital wallet addresses (deduplicated). Liu was responsible for writing the request logic code; Zhang was responsible for setting up the VPS and database, and uploading the iToken Android terminal; Dong was responsible for purchasing domain names, encrypting user private keys, and uploading the iToken IOS terminal.
After the three defendants were arrested, they all confessed to the above-mentioned criminal facts. The court believed that the three defendants had formed a gang, violated national regulations, and used other technical means to illegally obtain computer information system data. The circumstances were particularly serious. Their actions constituted the crime of illegally obtaining computer information system data and should be punished. The public prosecution agency's charges were established. The three defendants were all sentenced to three years in prison for the crime of illegally obtaining computer information system data and fined RMB 30,000. The defendants Liu, Zhang 1, and Dong 2 were prohibited from engaging in network security management, network operation and related work within three years from the date of completion of the sentence.
