Wu said author | Colin Wu

The story began in May 2022, when Huobi Wallet announced that it would be renamed iToken and had received a $200 million investment from Huobi Group, saying it was committed to becoming a decentralized investment platform that helps users access DeFi and dApps. iToken would use half of Huobi Group's $200 million investment as risk reserves for its newly launched wealth management function and the other half for daily operations.

In October 2022, Justin Sun bought Huobi for more than 1 billion US dollars. Today, it looks like a deal at a premium. But he did not expect that the Huobi Li Lin left him would bring even more trouble.

In September 2023, Wu said that, because of a Trojan planted by a former employee, the mnemonics or private keys of some users of iToken (formerly Huobi Wallet) had been leaked. According to user feedback, that week the iToken system warned users that some wallet addresses were at risk. The security agency submitted a report, and Refundyourcoins carried out asset protection, transferring funds from some user addresses to a safe address. Refundyourcoins would launch a retrieval function to help users recover their assets, covering four chains: BTC, ETH, TRX and XRP. HTX, the renamed Huobi, responded to Wu that the matter had nothing to do with HTX: the Trojan was planted by former Huobi employees, acting on their own before the acquisition, to steal other people's mnemonics and private keys, and the matter was under investigation. HTX would actively cooperate in combating the crime.

Subsequently, users continued to report that their iToken wallets had been stolen.

It was not until July 2024 that the official account of the Xuhui District Political and Legal Committee of Shanghai, Ping An Xuhui, disclosed the details of this bizarre case:

In May 2023, citizen Ou opened the virtual currency wallet software developed by Company A (Company A here is presumably Huobi, and the wallet iToken) in a coffee shop to check whether his virtual currency (worth millions of RMB at the time) had increased in value, but found that all the virtual currency in his account was gone. Checking on his own, Ou found that someone had emptied his virtual currency a month earlier.

By analyzing the program, Ou found that the wallet software contained a backdoor that automatically collected the wallet address and private key, and he traced information about the suspects from it. In August 2023, Ou went to the Xuhui Public Security Bureau to report the case with the evidence he had collected. A few days later, the suspects Zhang, Dong and Liu, all employees of Company A, were brought to justice one after another.

After the three were arrested, they confessed that in early March 2023, after discussion, they had decided to add a backdoor to the wallet software to obtain users' private keys. The three divided the work: Liu wrote the backdoor, Dong bought the server and domain name and encrypted the obtained private keys, and Zhang set up the server and database. When a user installed the backdoored software for the first time, the backdoor would activate automatically after 5 days and upload the private key, mnemonic and other information to the database under that domain name. After running for a certain period, the backdoor would stop collecting the information on its own.

To evade investigation, at the end of May 2023, after saving the stolen private keys and the wallet addresses derived from them, the three destroyed the server and database and agreed to use the private keys to illegally obtain users' virtual currency two years later. Instead, they were arrested by the public security organs three months later. As for Ou's losses, all three stated that they had not broken the "agreement" and taken virtual currency early. After forensic identification, the three were found to have illegally obtained more than 27,000 mnemonics and more than 10,000 private keys, and to have derived more than 19,000 wallet addresses from them.

In April 2024, after the Xuhui District People's Procuratorate filed a public prosecution in accordance with the law, the Xuhui District People's Court sentenced the defendants Liu, Zhang A and Dong to three years in prison and a fine of RMB 30,000 each for the crime of illegally obtaining computer information system data.

The prosecutor in charge determined that Liu, Zhang A and Dong had not transferred Ou's virtual currency, so who was the real culprit?

It turned out that a backdoor had also been implanted in the wallet software of another platform Ou used, by Zhang Mouyi, who had once worked at Huobi. After his arrest, Zhang Mouyi confessed that in July 2021 he had used his professional knowledge of virtual currency to insert code into the client that collected users' private keys and mnemonics. Whenever a user made a virtual currency transaction, the code automatically captured the mnemonic or private key the user used for the signing operation and sent it to Zhang Mouyi's mailbox by email.
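The two backdoors described above share one observable: wallet secrets leaving the device over the network, whether uploaded to a server after a delay (the three-person backdoor) or mailed out at signing time (Zhang Mouyi's code). The following Python is an added example, not code from iToken, Huobi or the case file, of the kind of egress check a wallet client can apply to every outbound request: it blocks any payload that contains a secret registered by the signing module, even when base64- or hex-encoded or nested inside JSON, blocks destinations outside an allowlist, and flags key- or mnemonic-shaped data for review. The hostnames, the sample key and mnemonic, and the request bodies are all constructed for the demo.

```python
"""Egress guard for a wallet client (added example, constructed data).

Refuses to send any outbound request whose body carries wallet secrets in
plaintext, base64, hex, or nested inside JSON, and refuses unknown hosts.
"""
import base64
import json
import re
from dataclasses import dataclass, field
from typing import Iterator, Set

# 32 bytes written as 64 hex digits: the shape of a raw private key. Txids
# look the same, so this is only a "review" signal, never a block on its own.
HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Twelve or more lowercase words of 3-8 letters: the shape of a BIP39 phrase.
# Heuristic only; a production check tests each word against the BIP39 wordlist.
MNEMONIC_SHAPE = re.compile(r"\b(?:[a-z]{3,8}\s+){11,}[a-z]{3,8}\b")


def _views(text: str) -> Iterator[str]:
    """Yield the text plus its plausible decodings, recursing into JSON string leaves."""
    yield text
    stripped = text.strip()
    if re.fullmatch(r"[A-Za-z0-9+/=]{16,}", stripped):
        try:
            yield base64.b64decode(stripped, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error (bad length/padding) is a ValueError
            pass
    if re.fullmatch(r"(?:[0-9a-fA-F]{2}){8,}", stripped):
        yield bytes.fromhex(stripped).decode("utf-8", "replace")
    try:
        obj = json.loads(text)
    except ValueError:
        return
    stack = [obj]
    while stack:
        item = stack.pop()
        if isinstance(item, dict):
            stack.extend(item.values())
        elif isinstance(item, list):
            stack.extend(item)
        elif isinstance(item, str) and item != stripped:
            yield from _views(item)


@dataclass(frozen=True)
class Verdict:
    action: str  # "allow", "review" or "block"
    reason: str


@dataclass
class EgressGuard:
    allowed_hosts: Set[str]
    known_secrets: Set[str] = field(default_factory=set)  # registered by the signing module

    def inspect(self, host: str, body: str) -> Verdict:
        """Decide whether one outbound request may leave the device."""
        if host not in self.allowed_hosts:
            return Verdict("block", f"destination {host} is not an allowed endpoint")
        review = None
        for view in _views(body):
            if any(secret in view for secret in self.known_secrets):
                return Verdict("block", "payload contains a known wallet secret")
            if review is None and (HEX64.search(view) or MNEMONIC_SHAPE.search(view)):
                review = Verdict("review", "payload carries key- or mnemonic-shaped data")
        return review or Verdict("allow", "ok")


# Constructed sample secrets (not real keys), as the signing module would register them.
SAMPLE_PRIVKEY = "ab" * 32
SAMPLE_MNEMONIC = "apple banana cherry dog eagle fish grape horse igloo jelly kiwi lemon"


def build_guard() -> EgressGuard:
    # rpc.example.test is a hypothetical RPC endpoint for the demo.
    return EgressGuard(allowed_hosts={"rpc.example.test"},
                       known_secrets={SAMPLE_PRIVKEY, SAMPLE_MNEMONIC})


def run_scenarios() -> dict:
    """Run constructed outbound requests through the guard; returns name -> Verdict."""
    guard = build_guard()
    signed_tx = "0x" + "f8" * 40  # placeholder for a signed raw transaction
    txid = "c3" * 32              # placeholder txid: 64 hex digits, not a secret
    hidden = base64.b64encode(SAMPLE_MNEMONIC.encode()).decode()  # smuggled phrase
    return {
        "legit_broadcast": guard.inspect("rpc.example.test", json.dumps(
            {"method": "eth_sendRawTransaction", "params": [signed_tx]})),
        "txid_lookup": guard.inspect("rpc.example.test", json.dumps(
            {"method": "gettransaction", "params": [txid]})),
        "encoded_leak": guard.inspect("rpc.example.test", json.dumps(
            {"event": "ping", "telemetry": hidden})),
        "unknown_host": guard.inspect("collector.example.test", json.dumps({"event": "ping"})),
        "plain_key_leak": guard.inspect("rpc.example.test", "0x" + SAMPLE_PRIVKEY),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16s} {verdict.action:7s} {verdict.reason}")
```

Two points follow from the case itself. The three-person backdoor waited 5 days before its first upload and later switched itself off, so a check of this kind has to run for the whole lifetime of the installed app; a short review run in a sandbox would see nothing. And Zhang Mouyi's code exfiltrated by email, which an HTTP-layer hook never sees, so the host allowlist belongs at the lowest network layer the client controls (the socket layer or an OS firewall), with key material confined to a signing module that never hands it to networking code in the first place. Matching against registered secrets is the reliable part; the shape heuristics only mark requests for review, because a legitimate txid lookup looks exactly like a leaked 32-byte key.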

In April 2023, under personal financial pressure, Zhang Mouyi used the illegally obtained mnemonics and private keys to find Ou's wallet address, transferred all the virtual currency in it to his own wallet address, and immediately converted it into other digital assets or virtual currencies. After forensic identification, Zhang Mouyi was found to have illegally obtained more than 6,400 user private keys and mnemonics. In April 2024, the Xuhui District People's Procuratorate filed a public prosecution in accordance with the law, and the Xuhui District People's Court sentenced the defendant Zhang Mouyi to three years in prison and a fine of RMB 50,000 for the crime of illegally obtaining computer information system data.

Sun Yuchen said that his company had cooperated with the Xuhui police in Shanghai to successfully investigate a crime of illegally obtaining computer information system data, and that the court had finally sentenced the defendant to fixed-term imprisonment and a fine. From the start of the investigation, his company had actively cooperated with the relevant departments in investigation and evidence collection; the clear on-chain data made it impossible for the criminals to hide and helped the police solve the case quickly.

HTX stated that the people involved in the case were all old employees from before Huobi was acquired. In 2023, HTX conducted a large-scale comprehensive audit and found the relevant problems. Huobi HTX quickly took the necessary measures to protect the safety of user assets, fully cooperated with the relevant departments in the investigation, and finally brought the people involved to justice. In the future, Huobi HTX will continue to strengthen internal management, improve risk control mechanisms, and continuously improve security measures.

However, Sun Yuchen's statement, "Since we discovered and cracked down on the crimes in a timely manner, user assets have been fully protected and no user assets have been lost," has drawn doubts from some users. Among the users whose iToken wallets were stolen, more than a dozen still say they have received no response about their stolen assets. There is no further information on whether the tens of thousands of mnemonics and private keys stolen by the four hackers have been leaked further.

Ping An Xuhui full text:

https://mp.weixin.qq.com/s/mPvlKzE-3cXNnmP2dmMlSw

Justin Sun responded:

https://x.com/justinsuntron/status/1816878454014640433