Binance Hot Wallet Theft
Binance, the largest exchange in the world, was hacked, and 7076 bitcoin ($41,238 USD) were withdrawn using stolen user API keys, 2FA codes, and other information the attackers had gathered. The funds were taken from Binance's hot wallet. Binance suspended deposits and withdrawals for some time while it investigated. Binance offered to cover all losses through its hot wallet insurance, the SAFU (Secure Asset Fund for Users), under which 10% of trading fees are set aside in separate cold storage for future emergencies.
This exchange or platform is based in Malta, or the incident targeted people primarily in Malta.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32]
About Binance
"Binance is a cryptocurrency exchange which is currently the largest exchange in the world in terms of daily trading volume of cryptocurrencies. It was founded in 2017 and is registered in the Cayman Islands."
"Binance was founded by Changpeng Zhao, a developer who had previously created high frequency trading software. Binance was initially based in China, but later moved its headquarters out of China following the Chinese government's increasing regulation of cryptocurrency."
"Binance, which is based in Taiwan, announced on Tuesday that hackers were able to withdraw about 7,000 bitcoin through a single transaction, amounting to $40 million." "Binance was hacked through its hot wallet, reporting $41 million worth of stolen bitcoin on May 7." "We have discovered a large scale security breach today, May 7, 2019 at 17:15:24 (UTC). Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info. The hackers used a variety of techniques, including phishing, viruses and other attacks." "The hackers were able to pass security checks completely, although the company acted quickly and halted all withdrawals once aware of the breach."
"Early Tuesday, Changpeng “CZ” Zhao, the chief executive of Binance, took to Twitter to reveal that his platform had to undergo “unscheduled server maintenance” that would “impact deposits and withdrawals”. Interestingly, CZ noted that the “funds are #safu”, evidently trying to reassure users that nothing was amiss." "Binance is not releasing specific details about how the hack was performed at this time, but from what little information has been made public, it is thought that a number of account credentials were collected through phishing attacks and targeted malware."
"The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that."
"It is believed that these accounts were then used to initiate a withdrawal of 7074 BTC from the exchange’s hot wallet into multiple wallets controlled by the attacker." “According to reports, hackers used malware and phishing methods to siphon 7,000 BTC – about $41 million – at the time, in a single transaction.” “The hacker apparently patiently executed timely actions through multiple seemingly independent accounts, which is why it wasn’t caught by Binance’s security checks. The withdrawal of the stolen funds triggered Binance’s alarms, but unfortunately they were not able to stop it before it was executed.”
"On Periscope, Zhao gave more details about the hack, saying that it was a very advanced effort executed by “very patient” hackers who waited until they had a number of high net worth accounts." "The company does not know yet exactly how many users were affected."
“Binance said that the wallet affected only had 2% of the company’s total funds.” "The above transaction is the only affected transaction. It impacted our BTC hot wallet only (which contained about 2% of our total BTC holdings). All of our other wallets are secure and unharmed." “The funds from the Binance hack were immediately transferred in several transactions involving much smaller wallets with some eventually converted to fiat and withdrawn.”
"Most importantly, deposits and withdrawals will need to REMAIN SUSPENDED during this period of time. We beg for your understanding in this difficult situation." "Due to irregular trading on some APIs, Binance will restrict all currently existing API keys to have trading functionality only. These keys will then be removed in full at 2019/05/08 1:30 PM (UTC)."
"The company is currently working with other exchanges to block deposits from hacked addresses. It will be about a week before Binance can release withdrawals or accept deposits again because it needs to “make sure we completely eradicate any trace of hackers in all our accounts and data and that is a pretty tedious process,” Zhao said. He encouraged everyone to change their API keys and two-factor authentication."
In response to questions about potentially issuing a rollback, Zhao said “to be honest we can do that probably within the next few days but there are concerns that if we were to do a rollback on the bitcoin network on that scale, it may have some negative consequences in terms of destroying credibility for bitcoin, so our team is still deciding on that and running through the numbers and checking everything. We will try to maintain very high transparency.” He added that the idea came from the bitcoin community. “I actually did not know we could do that, but there are serious consequences for doing that, so we will take that very cautiously.”
"Crypto users took notice and despite Binance’s native token BNB dropping 16 percent in the days following the hack, consumer confidence is reflected in the fact it was trading up over 60 percent just two weeks later."
"Binance customers won’t lose money, though, thanks to its “Secure Asset Fund for Users,” an emergency insurance fund it’s had in place since July 2018." Binance “insist[ed] that it will refund any affected users.” "Binance will use the #SAFU fund to cover this incident in full. No user funds will be affected." "[Zhao] added that Binance will be able to cover the bitcoin lost without help."
"Also, this was not the largest outlay of cash percentage-wise we have had to endure. Back in Sept 2017, when the Chinese government issued a letter banning ICOs and “recommending” projects to return money to investors. The news alone caused many tokens to drop below their ICO prices, and many project teams couldn't return the whole amount to users. While $BNB stayed strong at about 6x the ICO price, Binance did help a number of projects raise money on our platform that were affected by this policy. So we did a quick calculation: if we were to help cover the losses for our users and for those projects, it would cost us roughly $6,000,000 USD. Putting that in perspective, while we only raised $15,000,000 two months prior, we spent a bunch of money and were barely cash flow neutral at the time. We decided to do it anyway. I was in a moving subway when the team called me, and we made that decision together in less than 5 minutes. That was more than 35% of all the cash we had at that time. The goodwill that that decision generated eventually brought us many users from China and all over the world, helping to fuel our growth. So, this time, this $40m represented a much smaller % of our cash reserves, plus we had the #SAFU fund that could fully cover it."
The Reality
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
Date | Event | Description |
---|---|---|
May 7th, 2019 | Main Event | At 17:15:24 UTC, attackers who had obtained user API keys and 2FA codes through phishing and malware withdrew about 7,000 BTC (roughly $40 million) from Binance's BTC hot wallet in a single transaction that passed the existing security checks. The withdrawal triggered alarms after execution; Binance halted all withdrawals and deposits, restricted and then removed existing API keys, and announced that the SAFU fund would cover the loss in full. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $41,238,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
While the most secure storage by far is a multi-signature wallet with all keys properly held by trained individuals, security of hot wallets can be improved by having additional experts review the security of systems. Our proposed framework sees 2 reviews prior to launch, and regular reviews on an ongoing basis. In the event of a breach, a comprehensive industry insurance fund would be available, which handles fraud and covers additional events beyond self-insurance.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- Infographic: An Overview of Compromised Bitcoin Exchange Events (Jan 30, 2020)
- Upbit Is the Seventh Major Crypto Exchange Hack of 2019 - CoinDesk (Feb 4, 2020)
- Secure Asset Fund for Users (SAFU) - Definition | Binance Academy (Feb 13, 2020)
- The biggest cryptocurrency scams and arrests of 2019 - Business Insider (Feb 15, 2020)
- Binance Is Not Authorized to Operate in Malta, Financial Regulator Says (Feb 23, 2020)
- Most Significant Hacks of 2019 — New Record of Twelve in One Year (Feb 23, 2020)
- A Look Back on Some of the Most Devastating Crypto Hacks | Fintech Singapore (Feb 27, 2020)
- Top 6 Biggest Bitcoin Hacks Ever (Mar 2, 2020)
- Bitcoin Scams and Cryptocurrency Hacks List - BitcoinExchangeGuide.com (Mar 5, 2020)
- SlowMist Hacked - SlowMist Zone (Jun 26, 2021)
- The 23 exchange hacks of 2019 (Aug 8, 2021)
- https://www.pymnts.com/cryptocurrency/2019/major-crypto-hacks/ (Dec 12, 2021)
- Binance - Wikipedia (Nov 9, 2021)
- https://www.binance.com/en/support/announcement/360028031711 (Dec 25, 2021)
- Transaction: e8b406091959700dbffcff30a60b190133721e5c39e89bb5fe23c5a554ab05ea | Blockchain Explorer (Dec 25, 2021)
- https://www.binance.com/en/support/announcement/360027851252 (Dec 25, 2021)
- https://www.binance.com/en/support/announcement/360028425911 (Dec 25, 2021)
- Binance says more than $40 million in bitcoin stolen in ‘large scale’ hack – TechCrunch (Dec 25, 2021)
- @cz_binance Twitter (Dec 25, 2021)
- Binance hack: If bitcoin is so safe, why is it a target for thieves? - Vox (Dec 25, 2021)
- Breaking: Binance Hot Wallets Lose 7,000 Bitcoin (BTC) In "Large Scale" Security Breach (Dec 25, 2021)
- @binance Twitter (Dec 25, 2021)
- @cz_binance Twitter (Dec 25, 2021)
- Binance hot wallet hacked - 7000 BTC stolen : ethereum (Dec 25, 2021)
- https://micky.com.au/crypto-security-what-we-can-learn-from-the-binance-hack/ (Dec 25, 2021)
- https://www.binance.com/en/blog/all/security-incident-recap-336904059293999104 (Dec 25, 2021)
- Binance Twitter AMA with CEO Changpeng Zhao (CZ) - YouTube (Dec 25, 2021)
- Bitcoin price today, BTC live marketcap, chart, and info | CoinMarketCap (May 16, 2021)
- Binance margin trading confirmed, security breach update & more - CZ's AMA May 2019 - YouTube (Dec 25, 2021)
- normal_rc comments on CZ Binance suggests reorging the BTC blockchain to rollback 7000 stolen BTC transaction. (Oct 17, 2022)
- 2019 In Review: Major Blockchain/Crypto Security Incidents | MyCrypto Blog (Dec 28, 2022)
- Security Incident Recap | Binance Blog (Oct 27, 2023)