Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
According to the official WeChat account of Ping An Xuhui, employees Zhang, Dong, and Liu from Company A decided in early March 2023 to insert a backdoor program into a certain cryptocurrency wallet software to obtain users' private keys. The three individuals illegally obtained over 27,000 mnemonic phrases and more than 10,000 private keys, successfully converting over 19,000 digital wallet addresses. In April 2024, the Xuhui District People's Court sentenced Liu, Zhang, and Dong to three years in prison for the crime of illegally obtaining data from a computer information system and fined each of them 30,000 RMB.

It is worth noting that Company A is suspected to be the former Huobi company. In an exclusive report by WuShuo in 2023, it was revealed that due to the installation of trojans by former employees, some users' mnemonic phrases or private keys of iToken (formerly Huobi Wallet) were leaked. HTX responded that the trojan installation was the personal act of former Huobi employees before the acquisition, leading to the theft of others' mnemonic phrases and private keys.

Attack method (per SlowMist): Insider Manipulation.
Reported loss: -.
- chain: —
- protocol: iToken
- bug_class: private-key
- date_occurred: 2023-03-01
- loss_usd: —
- source_id: sm:itoken::2023-03-01