Cyber Threat Actor: Zhengquan Zhang
| Actor Type | Location | Known Incidents |
|---|---|---|
| Insider - Disgruntled | China | 1 incident |
Profile
Zhengquan Zhang is an individual who was employed as an IT engineer at KCG Holdings, a Wall Street securities firm. He began working for the company in March 2010, initially in its New York office, and later transferred to its San Francisco location. Over time he was promoted to a supervisor role overseeing other engineers and gained responsibility for managing the source code of the firm's trading platform and its associated algorithms. His recorded location is China, although his employment was based in the United States.
Zhang's activities were directed against the financial services sector, specifically targeting a securities firm that operates trading platforms and proprietary algorithms. The geographic focus of his actions was the United States, where KCG Holdings maintains its primary operations. His strategic objective appeared to be financial gain motivated by a fear of impending job loss amid rumors of a corporate acquisition. He sought to obtain proprietary source code that could be used for personal advantage or leverage.
The tactics employed by Zhang included installing malware on company servers to harvest credentials from other users, which allowed him to impersonate legitimate accounts. He used the privileges of his supervisor role to access the Unix-based network infrastructure and identify the monitoring proxy servers operated by a third party. To evade detection, he rerouted traffic through backup proxy servers managed directly by KCG, thereby keeping the exfiltration of stolen source code out of the monitored path. The malware also gave him remote access to employee workstations, enabling him to open folders and read archived email without triggering security alerts. The evasion worked because the firm's backup proxies sat outside the third-party monitoring coverage; a practical check for defenders is to confirm that every egress path, including fallback and backup tiers, produces the same logging and inspection as the primary one, and to alert when a backup tier carries traffic while the primary tier is demonstrably healthy.
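The following is an added detection example, not code from the original page or from KCG. It illustrates the check described above: given proxy access logs from both a monitored tier and a backup tier, it flags users who push large volumes of egress through a backup proxy during hours in which the monitored tier was clearly still serving traffic (so the backup use cannot be explained by failover). The log format, proxy host names, user names, destinations, and byte threshold are all assumptions; the sample log is constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample proxy access log. Format, host names and users are
# hypothetical; this is not KCG data.
SAMPLE_LOG = """\
2017-03-01T09:12:01Z proxy=mon-proxy-01 user=alice dst=git.corp.example bytes=20480
2017-03-01T09:15:44Z proxy=mon-proxy-02 user=bob dst=mail.corp.example bytes=4096
2017-03-01T09:20:09Z proxy=backup-proxy-01 user=bob dst=mail.corp.example bytes=1024
2017-03-01T22:03:10Z proxy=mon-proxy-01 user=carol dst=wiki.corp.example bytes=8192
2017-03-01T22:05:37Z proxy=backup-proxy-01 user=zzhang dst=198.51.100.23 bytes=734003200
2017-03-01T22:41:12Z proxy=backup-proxy-02 user=zzhang dst=198.51.100.23 bytes=512000000
"""

MONITORED = {"mon-proxy-01", "mon-proxy-02"}    # third-party monitored tier (assumed names)
BACKUP = {"backup-proxy-01", "backup-proxy-02"}  # firm-managed fallback tier (assumed names)
BYTES_THRESHOLD = 100 * 1024 * 1024              # assumed: 100 MiB via an unmonitored path

LINE_RE = re.compile(r"^(\S+) proxy=(\S+) user=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proxy, user, dst, nbytes = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "proxy": proxy,
        "user": user,
        "dst": dst,
        "bytes": int(nbytes),
    }


def hour_bucket(ts):
    """Truncate a timestamp to the start of its hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def find_bypass(log_text, threshold=BYTES_THRESHOLD):
    """Return findings for users who sent >= threshold bytes through a backup
    proxy in an hour when the monitored tier was still logging traffic."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]

    # Hours in which at least one monitored proxy served traffic: backup use
    # in these hours is not explained by a failover of the monitored tier.
    monitored_hours = {hour_bucket(r["ts"]) for r in records if r["proxy"] in MONITORED}

    egress = defaultdict(int)     # (user, hour) -> bytes sent via backup tier
    dests = defaultdict(set)      # (user, hour) -> destinations reached
    for r in records:
        hour = hour_bucket(r["ts"])
        if r["proxy"] in BACKUP and hour in monitored_hours:
            egress[(r["user"], hour)] += r["bytes"]
            dests[(r["user"], hour)].add(r["dst"])

    findings = []
    for (user, hour), nbytes in sorted(egress.items()):
        if nbytes >= threshold:
            findings.append({
                "user": user,
                "hour": hour.isoformat(),
                "bytes": nbytes,
                "dests": sorted(dests[(user, hour)]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_bypass(SAMPLE_LOG):
        print(finding)
```

In the sample, bob's small backup-proxy request stays below the byte threshold and is not reported, while the two large transfers attributed to zzhang in the 22:00 hour are aggregated and flagged because a monitored proxy logged traffic in that same hour. In a real deployment the threshold and window would be tuned to the environment, and the rule would run alongside, not instead of, full logging on the backup tier.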
Attribution to Zhang is based on internal logs linking the malicious activity to his computer, an FBI investigation, and his own admission in an email to a former supervisor after his access was revoked. No public evidence connects him to a state-sponsored group or a larger criminal consortium; he acted as an individual insider. The incident culminated in the Department of Justice charging him with one count of theft of trade secrets, an offense that carries a maximum penalty of ten years' imprisonment and a substantial fine. This case is a notable example of an insider threat that combined credential harvesting, privilege abuse, and network traffic manipulation to steal intellectual property from a financial institution.
