iToken's three front-end engineers jointly planned to implant a "backdoor" to steal encrypted wallets, and each sentenced to three years in prison.

PANews reported on April 16 that according to Yuntou, from March to May 2023, three front-end development engineers, Liu, Zhang and Dong, had colluded to illegally obtain other people's digital wallet private keys, mnemonics and other data by implanting a "backdoor" in the iToken APP application package in advance, and uploaded them to the database of the VPS back-end server built in advance corresponding to the specified domain name, and then downloaded to the local server. After identification, a total of 27,622 mnemonic words and 10,203 private keys were illegally obtained (all of which have been deduplicated). The above mnemonic words and private keys have been successfully converted into 19,487 digital wallet addresses (deduplicated). Liu is responsible for writing code for request logic; Zhang is responsible for building VPS and databases, uploading iToken Android; Dong is responsible for purchasing domain names, encrypting user private keys, and uploading iTokenIOS.

After being arrested, all three defendants confessed to the above-mentioned criminal facts. The court held that the three defendants formed a gang, violated state regulations, and used other technical means to illegally obtain computer information system data. The circumstances were particularly serious, and their actions constituted the crime of illegally obtaining computer information system data and should be punished. The public prosecution agency is convicted of the charges. All three defendants were sentenced to three years in prison and a fine of RMB 30,000 for illegally obtaining computer information system data. Defendants Liu, Zhang, Dong, and Dong, are prohibited from engaging in network security management, network operations and related work within three years from the date of completion of the execution of the punishment.