Insider charged with writing malware to steal Wall Street firm’s crown jewel algorithms

The accused senior systems administrator was caught only when his luck ran out, according to the FBI.
(Getty Images)

After seven years on the job at a multibillion-dollar Wall Street financial services firm, a senior systems administrator stands accused by the FBI of creating malware to steal valuable source code and encryption keys that gave him direct access to the data files that are the core of the company’s business.

Zhengquan Zhang, 31, was arrested on Friday morning at his Santa Clara, California, home by FBI agents who began investigating his actions last month. If convicted, he faces a maximum sentence of 10 years in prison.

Zhang worked for KCG Holdings, a firm with offices around the world and the United States. Zhang, an employee at the company’s San Jose office, did not respond to a request for comment.

The more than 3 million secret and proprietary files Zhang is accused of stealing make up the heart of KCG’s business, which earned more than $1.4 billion in revenue in 2016. A major portion of KCG’s business is based on the proprietary algorithmic trading models that aim to predict the market and then make trades as quickly as possible. Another big slice of the business is the trading platforms used by KCG employees to execute trades and bring in profit.


How important is this kind of code on Wall Street? Algorithms, not humans, are responsible for most of the activity on Wall Street. “The market’s ups and downs are determined not by traders competing to see who has the best information or sharpest business mind but by algorithms feverishly scanning for faint signals of potential profit,” according to one Wired article.

“Zhengquan Zhang went to great lengths to surreptitiously steal confidential computer code from his employer,” Joon H. Kim, the acting U.S. attorney for the Southern District of New York, said in a statement after the arrest. “Zhang allegedly installed code designed to steal his employer’s proprietary information and illegally accessed colleagues’ computer systems to further his theft. The theft charged here can happen to even the most sophisticated companies, but this arrest was made possible by the exemplary cooperation between the FBI and the victim company, which came forward promptly and alerted law enforcement of this alleged crime.”

The financial industry suffers the more attacks from malicious insiders than any sector other than healthcare, according to a recent study from IBM.

On the day of Zhang’s arrest, CKG CEO Daniel Coleman sent a letter directly to clients: “We wanted to make you aware of a security incident that we recently identified involving the theft of certain of KCG’s intellectual property by one of our employees working as a systems administrator. KCG discovered this matter, promptly notified authorities, and is working with them in their investigation.”

Like many Wall Street giants with valuable trade secrets to protect, KCG has strict cybersecurity rules for employees. Employees can’t access external email or file sharing websites on work computers and they cannot download any data from work computers onto a storage device like a USB drive. Zhang allegedly used remote desktop sessions from other employee’s accounts to access a wide range of data.


Zhang drew attention March 25 after four months of alleged theft. It was a Saturday, a day when most employees would normally not be working or logged into any work accounts. But while Zhang allegedly hijacked one of KCG’s analyst’s remote work accounts, that very employee was trying to login to his desktop. Because of the simultaneous connections, the analyst was repeatedly disconnected as he worked into the evening.

The analyst “was able to ascertain the unique identifier associated with the other user who was logging into [his] remote desktop,” the indictment reads. He then “notified [KCG’s] network security group of this unusual activity.”

Using the unique identifier, the security team pinpointed Zhang and quickly disconnected all of his access privileges. On that Monday, noticing his accounts were disconnected, Zhang sent an email to his supervisor admitting that he’d logged into numerous systems without authorization.

“I am still questioning myself why I did that,” he wrote.

The answer, Zhang said, was because he’d heard about a potential acquisition of KCG that could put his job at risk. KCG is current the target of a takeover by Virtu Financial.


Zhang told his supervisor, according to the FBI, that he hacked into other users accounts by modifying a web application used by KCG employees.

KCG said its subsequent investigation of Zhang revealed an exfiltration of source code for KCG’s trading models and platforms.

“Although our investigation is ongoing, all indications are that this individual was focused on obtaining KCG’s proprietary data and trade secrets, not client or employee related information,” KCG’s Coleman told clients. “KCG will vigorously defend its intellectual property.  The firm has enlisted a leading forensic security firm to assist us in our ongoing review of this matter. ”

“Proprietary computer code may not be a tangible asset that people can observe, but it is indeed one of the most critical assets that companies possess,” FBI Assistant Director-in-Charge William F. Sweeney Jr. said in a statement.

Read the indictment below:


Latest Podcasts