Hackers Go Phishing, But Binance Cuts the Lines

Yesterday, posts began to flood the r/BinanceExchange subreddit complaining about unauthorized sell orders.  In one such post, u/shashankkgg laments that all of his altcoins were sold at market price:

“WTF is happening! Binance just sold all my alts at market rate and I have got just the Bitcoin now. Is it because of account getting hacked or binance bot issue? Have raised a ticket 715903 for this.”

Other users echoed the OP’s experience, with one user crying out, “Wtf??? All my coins got sold and i brought via coin? Did i just get hacked?”  Meanwhile, Viacoin’s price popped-off on Binance, and some users saw their bots unwillingly sell their altcoins to buy Viacoin in the throes of the debacle.  Theories began to surface that the API/bot sell-off was coordinated to pump Viacoin for the hacker(s) own profit.

After the initial outcry, an official thread by the Binance team assured users that they “are investigating reports of some users having issues with their funds” and that the “team is aware and investigating the issue as we speak.”  The post continues to reveal that “the only confirmed victims have registered API keys (to use with trading bots or otherwise).” As a precautionary measure, Binance temporarily suspended all withdrawals, while leaving deposits and trading fully functional.

Last night, the Binance team release a post on their support page detailing the incident.  They chalk it up to a massive, well-coordinated phishing attempt, but they ensure users that “[all] funds are safe and no funds have been stolen.”

According to Binance, the hacker(s) had been accumulating user accounts for some time, beginning sometime in January and really picking up steam in February.  The malicious actors used a practically identical domain name to nab user accounts, one that used an umlaut accent mark underneath two characters in the Binance name.

After hijacking user profiles, the hacker(s) created API trading bots for each account and waited until the right opportunity to make their next move.  That move came yesterday within a two minute period, and it involved artificially inflating the price of Viacoin, according to the post:

“Yesterday, within the aforementioned 2 minute period, the hackers used the API keys, placed a large number of market buys on the VIA/BTC market, pushing the price high, while 31 pre-deposited accounts were there selling VIA at the top. This was an attempt to move the BTC from the phished accounts to the 31 accounts. Withdrawal requests were then attempted from these accounts immediately afterwards.”

Thankfully, Binance’s risk management system kicked-in and suspended withdrawals once it spotted the abnormal trading action.  Because of this, the hackers could not actually reap the rewards of their bounty, and Binance froze the accounts they used to pump Viacoin before-the-fact.  So they ended up losing, not gaining, in the end, and Binance’s CEO announced that the exchange will be donating these coins to charity.

While the exchange reversed any irregular trades executed against the hacker(s)’s accounts, they couldn’t reverse the BTC/VIA trades from phished accounts.  In the post, the Binance team explains: “Unfortunately, those trades did not execute against any of the hackers’ accounts as counterpart. As such, we are not in a position to reverse those trades. We again advise all traders to take special precaution to secure their account credentials.”

Still, the team handled the debacle with *relatively* few losses.  The security measures they had in place were robust enough to catch the situation before it got out of hand, and the CZ and the rest of the Binance squad navigated the situation with transparency and poise.  This will hopefully serve as a model for risk management and damage control for other exchanges, as this certainly won’t be the last entry in the ever-continuous saga of hackers vs. exchanges.