I3 needs to like put warnings about this sort of thing in their newsletter to explain the permanence of such mistakes. This is the downside of AGS. Such an easy scam to run given the various I3 sites and fragmented feel of what is officially under I3's control. Just put in backdoor to send out the wallet/private key and have it functional 100% otherwise. At some point the compromised person upgrades their wallet from official sources and never even realizes they were compromised. Not until the thief decides to pounce.
I'd like to say I don't want to scare people, but I really think I do want to scare people. Pay attention where you download things from. Only get them from the bitshares github, or the official spot for windows/macos binaries. Or don't keep your AGS/PTS key online....