FBI agents have collared a devops engineer accused of rifling through colleagues' user accounts and stealing proprietary stock trading software.
Since 2010, Zhengquan Zhang had been employed by New York finance house KCG, which makes billions of dollars in trades a day via sophisticated algorithmic trading models and trading platforms. Investigators claim that between December last year and March this year, Zhang stole more than three million files from his employers, including source code for the trading system.
Zhang, 31, of Santa Clara, California, was arrested on Friday in the Golden State by the Feds, and was charged with the theft of trade secrets.
"As alleged, Zhengquan Zhang went to great lengths to surreptitiously steal confidential computer code from his employer," said Acting US Attorney for the Southern District of New York, Joon Kim. "Zhang allegedly installed code designed to steal his employer's proprietary information and illegally accessed colleagues' computer systems to further his theft."
Court documents [PDF] claim Zhang's employers were tipped off when one of their quantitative analysts tried logging in to his work desktop from home on Saturday, March 25. However, the analyst wasn't able to get in because someone else was using it. He found that the intruder had been going through his email archives.
The next day the analyst called the internal network security team, told them about the situation, and handed over the user ID of the intruder. The engineers allegedly identified the ID as belonging to Zhang, and promptly locked him out of the system.
On Monday morning, Zhang emailed the analyst apologizing for the intrusion, it is claimed. He said he was worried KCG was being taken over and he was concerned about losing his job, thus he was trying to find out more information, the court was told.
"I'm still questioning myself why I did that," Zhang allegedly wrote, before going on to explain he was able to get into the analyst's remote desktop because he had modified a company web app to siphon off employees' usernames and passwords, it is claimed. In a phone call, he also told the analyst he had entered several other accounts, it is alleged.
A subsequent investigation showed he'd done more than that, the court documents claim. Although Zhang was a software engineer at the firm, he wasn't normally allowed to view or touch the trading platform's source code. However, he managed to gain access to this source, and to an exfiltrated copy of it, "thousands of times," according to prosecutors. Specifically, Zhang is accused of:
- Installing software to scan the network for encryption keys needed to access and build the trading source code.
- Exfiltrating the source code and email inboxes to an outside software development website, starting in December 2016. This website isn't named but it sounds like GitHub, GitLab, or similar.
- Stashing three million internal files on the network before uploading the data to the outside website.
- Smuggling the data out of the company via a backup proxy server.
When KCG staff had seen enough evidence, they filed a complaint, and Zhang was cuffed by agents in Cali.
"Proprietary computer code may not be a tangible asset that people can observe, but it is indeed one of the most critical assets that companies possess," said FBI assistant director in charge of the FBI's New York Field Office, William Sweeney Jr.
"Significant investments are made to develop code, safeguard it and use it to generate revenue. The FBI is committed to enforcing laws that protect US companies from the theft of trade secrets." ®