QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$8 800 000 USD
MARCH 2018
SINGAPORE
BINANCE
DESCRIPTION OF EVENTS

"The hackers accumulated user account credentials over a long period of time." "Over a period of months, unknown persons set up phishing websites that mimicked Binance's own, and collected users' login details to attempt to access accounts and breach the platform." "The cyberattackers behind the scheme operated a fraudulent website, binance.com, which contained two dots at the bottom of two characters -- a small tweak that few would have recognized as fake in relation to the true binance.com domain." "If victims logged into the domain, these credentials were stored, and then a trading API key was created for each account."
"Don't get phished guys! See those two dots below "n"? Sometimes the site address gets underlined, so that you can't see the dots. Be very careful!"
"The earliest phishing attack seems to have dated back to early Jan. However it was around Feb 22, where a heavy concentration of phishing attacks were seen using unicode domains, looking very much like binance.com, with the only difference being 2 dots at the bottom of 2 characters. Many users fell for these traps and phishing attempts. After acquiring these user accounts, the hacker then simply created a trading API key for each account but took no further actions, until yesterday."
"Binance has rejected rumors of a security breach after users reported that their funds were being sold off without consent." "The chaos erupted on Wednesday when a sudden surge of strange market activity caught the eye of Binance itself and many users."
"Some users that reported suspicious trades had two-factor authentication (2FA) enabled and also said that unauthorized API keys had appeared spontaneously during the time trading went haywire."
"YES! I just spotted this. I've asked Binance to check the IP of the user who created the API key. Have you spotted the same issue? I take security EXTREMELY seriously. I created x2 API keys, and had them IP whitelisted to a water-tight locked down server. I logged into my account just now, and noticed that a 3rd API key has been created, without IP whitelisting. This was 100% not me. I need answers."
"In some cases, the coin was purchased after the conversion to BTC of user alt coins, while 31 accounts controlled by the fraudsters sold VIA in order to make a tidy profit." "Binance just sold all my alts at market rate and I have got just the Bitcoin now. Is it because of account getting hacked or Binance bot issue? Have raised a ticket for this."
"[A]round 566 bitcoin (now worth around $8.8 million) was taken from 142 users through the phishing campaign's fake sites between Dec. 19, 2017, and March 2, 2018, according to the DoJ indictment. At least some of the cryptocurrency was placed in a Bitfinex account "controlled by Kamasavidi.""
"On Mar 7, UTC 14:58-14:59, within this 2 minute period, the VIA/BTC market experienced abnormal trading activity." "The price of Viacoin (VIA), a cryptocurrency with small liquidity, was driven up by using these accounts." "Our automatic risk management system was triggered, and all withdrawals were halted immediately."
"Upon further scrutiny, the China-based company concluded that the only confirmed victims had registered API keys, which are used with trading bots, for automatic sales purposes, or otherwise."
"My account is also affected and all coins are sold out after that I buy order for viacoin at 260$!!! That can not be true!! 2fa is enabled and I never used a bot or something like that!! I use firefox and chrome with no extensions, also I use the iOS app."
"All funds are safe," the executive added. "There were irregularities in trading activity, automatic alarms triggered. Some accounts may have been compromised by phishing from before. We are still investigating. All funds are safe."
"In order to stem the flow of unauthorized transactions, Binance temporarily suspended trading and has now begun reversing suspicious trading in order to restore some customer funds."
"Yesterday, within the aforementioned 2 minute period, the hackers used the API keys, placed a large number of market buys on the VIA/BTC market, pushing the price high, while 31 pre-deposited accounts were there selling VIA at the top. This was an attempt to move the BTC from the phished accounts to the 31 accounts. Withdrawal requests were then attempted from these accounts immediately afterwards." "The hackers were well organized. They were patient enough to not take any immediate action, and waited for the most opportune moment to act. They also selected VIA, a coin with smaller liquidity, to maximize their own gains."
"The suspicions of a hack, in combination with regulatory movements by the SEC, caused the value of Bitcoin to drop in value to less than $10,000."
"However, as withdrawals were already automatically disabled by our risk management system, none of the withdrawals successfully went out. Additionally, the VIA coins deposited by the hackers were also frozen. Not only did the hacker not steal any coins out, their own coins have also been withheld."
"After a thorough security check by Binance, we resumed withdrawals. Trading functionality was never affected. There are still some users whose accounts were phished by these hackers and their BTC were used to buy VIA or other coins. Unfortunately, those trades did not execute against any of the hackers’ accounts as counterpart. As such, we are not in a position to reverse those trades. We again advise all traders to take special precaution to secure their account credentials."
"However, many users are simply relieved that any of their funds have been restored, as Binance is under no obligation to recompense those who fall for phishing campaigns, and most companies would not." "The news that accounts will be restored to their status before the event will be a relief to users, and in an update on Thursday, Binance said the trading activity was due to a "large-scale phishing and stealing attempt.""
"We again advise all traders to take special precaution to secure their account credentials," Binance added. "Protecting our traders is and has always been our highest priority."
"Way to step it up for your patrons Binance. At a time when very few companies take any pride in customer service-and especially in a largely unregulated industry-your response was so impressive. Many will point the blame at you or at those whose accounts were disrupted today but that couldn't be more unfair to either party. Rather than allowing the day to be painted by naysayers as a failure of crypto in general; Binance's industry leading security and customer service really came through for their patrons and the crypto world as a whole. Thank you again for everything, after today my confidence in Binance Exchange has increased significantly and so will my patronage there."
"One of the world’s largest digital currency exchanges is offering the equivalent of $250,000 in virtual money to anyone who helps track down the perpetrators of an attempted cryptocurrency heist last week." "Binance offered a $250,000 reward for any information that would have led to the arrest of those involved in the phishing campaign." “Binance is offering a $250,000 USD equivalent bounty to anyone who supplies information that leads to the legal arrest of the hackers involved in the attempted hacking incident on Binance on March 7th, 2018,” reads the exchange’s ‘wanted poster’.
"The bounty would be paid out in BNB, which is Binance’s own digital coin. In addition, the China-based exchange announced that it has set aside $10 million worth in digital currency reserves for rewards vis-à-vis future hacking attempts."
"The security team at Binance had passed on the investigators' findings to U.S. law enforcement, along with "other information and indicators," the exchange said. It also worked with U.S. agencies to help identify the suspects."
"The DoJ and OFAC named Danil Potekhin and Dimitrii Kamasavidi, both from Russia, as the alleged perpetrators of the phishing campaign. Further, the Justice Department accuses both of also having carried out similar attacks on the Bittrex, Poloniex and Gemini cryptocurrency exchanges resulting in combined losses of $17 million."
"[T]wo individuals said to be responsible for the phishing attempt were charged by the U.S. Department of Justice (DoJ) in February [2020], and also sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC) in September [2020]."
"Cryptocurrency exchange Binance has followed through with its pledge to reward anyone helping bring about the arrest of the bad actors who attacked the exchange in March 2018 and stole from users in a phishing campaign." "In a statement yesterday (November 11), Binance said it has awarded a team of “investigators” for identifying the perpetrators, which it says has led to the indictment of the accused."
"The exchange announced Wednesday that it has now awarded a bounty of $200,000 to private investigators, whom it did not identify, for providing a report identifying one of the alleged attackers and providing information on how the attack was carried out."
"Binance made the decision to hand over the promised bounty after [the] individuals said to be responsible for the phishing attempt were charged by the U.S. Department of Justice (DoJ), and also sanctioned by the Department of the Treasury’s Office of Foreign Assets Control (OFAC)."
"Binance further said it would award the private investigators another $50,000 once the attackers have been placed in custody." The organization added: “As a result of this cooperation, the culprits have been identified and sanctioned, and are currently being pursued. Though the suspects remain at large, we decided to award a $200,000 bounty to the investigators for their work, with the remaining $50,000 to be given once the attackers are in custody.”
“We have a strong team and community that collaborate to remove bugs, take down fraudsters, and improve our exchange’s security. This has resulted in a total of 247,787 USD in bounty rewards distributed to these valued members of the community,” said Binance in a press release shared with SuperCryptoNews.
Binance users faced a highly successful phishing attack, with a very similar domain name (only two dots below the n). The attackers didn't take any funds or do anything else at the time - only created an API key. At a later date (March 7th, 2018), the hackers liquidated all user assets to BTC and purchased VIA coin with the BTC. They had other accounts ready to sell the VIA coin at high prices. They then attempted a withdrawal of the bitcoin. Binance offered a bounty of $250k at the time.
However, Binance had risk control systems which detected the market change prior to the withdrawal and prevented it going through. The hackers lost their VIA and didn't get any user funds. Thanks to the bounty, the phishers were successfully identified by US authorities, and a $200k bounty was paid out. The remaining $50k will be paid when the phishers are in jail.
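The lookalike-domain trick summarised above can be caught by folding a hostname to its base letters before comparing it with the real domain. The following is an added example, not code from the original page or from Binance; the `PROTECTED` list, the function names and the sample hostname (both n's written as U+1E47, n with dot below) are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: the defender's own list of domains to protect.
PROTECTED = {"binance.com"}

def to_unicode(host: str) -> str:
    """Decode xn-- (punycode) labels so the check sees what a browser may render."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep the raw text, it will not match
        labels.append(label)
    return ".".join(labels)

def skeleton(text: str) -> str:
    """Fold to base letters: NFKD-decompose, then drop combining marks."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def under_protected(name: str) -> bool:
    """True if name is a protected domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in PROTECTED)

def classify(host: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    shown = to_unicode(host)
    if under_protected(shown):
        return "legitimate"
    if under_protected(skeleton(shown)):
        return "lookalike"
    return "unrelated"

# Constructed sample: both n's replaced by U+1E47 (n with dot below).
LOOKALIKE = "bi\u1e47a\u1e47ce.com"
LOOKALIKE_PUNY = LOOKALIKE.encode("idna").decode("ascii")  # xn-- form of the same name

if __name__ == "__main__":
    for h in ("www.binance.com", LOOKALIKE, LOOKALIKE_PUNY, "example.org"):
        print(f"{h!r:40} {classify(h)}")
```

This folding only removes diacritics such as the dots described here; lookalikes built from letters of another script need the Unicode confusables data (UTS #39) instead.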
SlowMist Hacked - SlowMist Zone (Jun 26)
Binance Gives $200K to Investigators Who Helped Identify Actors Behind 2018 Attack - CoinDesk (Dec 12)
https://www.binance.com/en/support/announcement/360001547431 (Dec 12)
Binance cryptocurrency sell-off disaster blamed on mass phishing campaign | ZDNet (Dec 12)
Binance sold all my Alt coins at market rate : BinanceExchange (Dec 12)
*PLEASE READ* Regarding Unauthorized Market Sells : BinanceExchange (Dec 12)
Thoroughly Impressed with Binance : BinanceExchange (Dec 12)
Binance awards $200,000 bounty after cyber-attackers indicted in US | The Daily Swig (Dec 12)
Binance Gives $200K to Investigators Who Helped Identify Actors Behind 2018 Attack (Dec 12)
Binance Rewards Investigators Spearheading The 2018 Phishing Campaign Case (Dec 12)
@binance Twitter (Dec 12)
Binance awards $200K to investigators who identified phishing campaign attackers - AMBCrypto (Dec 12)
Binance Rewards US Law Enforcement Over Indictment of 2018 Phishing Attack Culprits (Dec 12)
Binance Awards $200,000 Bounty for DOJ Indictment of Attackers Behind 2018 Phishing Campaign - AZCoin News (Dec 12)
Using Phishing Tools Against The Phishers And Uncovering A Massive Binance Phishing Campaign (Dec 12)
https://m.facebook.com/binance/posts/1307344429599912 (Dec 12)
Cryptocurrency exchange announces bounty on hackers | WeLiveSecurity (Dec 12)
https://www.financemagnates.com/cryptocurrency/exchange/binance-grants-200000-to-investigators-for-identifying-exchange-hackers/ (Dec 12)
Cryptocurrency Exchange Binance Stops Digital Theft Campaign (Dec 12)
How Binance Prevented a Phishing Attack From Being a Hack (Dec 12)
Binance Exchange Rewards $200K Bounty For Identifying Hackers - CoinQuora (Dec 12)
https://www.justice.gov/usao-ndca/press-release/file/1317276/download (Dec 12)
Hackers, Not Users, Lose Money in Attempted Cryptocurrency Exchange Heist (Dec 12)
Nasty Ledger wallet scams. And how to avoid them. - Who Took My Crypto (Mar 20)
