The users of the largest crypto exchange by trading volume, Binance, were affected by a hack of third-party software this morning, March 7, resulting in unauthorized transactions being made from their accounts. The CEO of Binance, Changpeng Zhao has since claimed that all users’ funds are safe and the exchange is operating normally.
Numerous concerned users took to Reddit and Twitter, complaining that their altcoins had been converted into Bitcoin without their permission, many of them while not even logged into their accounts.
“Same happened to me. I had 100% USDT worth $1548. Today I logged in so I can buy some xrp, but my account balance is $200 out of $1548, and apparently I bought 5 VIA coins and exchanged my USDT to BTC while I was in the gym?”, Julian_007 wrote.
According to several posts on Reddit, the affected users’ bitcoins were used to buy VIA coins for 0.025 BTC each. Upon receiving the bitcoins, the attackers managed to withdraw them in small amounts without attracting attention. It took Binance’s administration almost an hour to freeze withdrawals after receiving the first complaints, Reddit user Profetu has claimed.
“The hacker accumulated VIA in advance (from Binance or other exchange and sent to Binance) then he set a huge sell order at 0.025BTC. Then using API made some account sell alts and buy VIA with that BTC, [and then withdrew] BTC.”, the user further suggested.
Some traders proposed a theory linking the attack with compromised API keys which users requested from Binance to use within applications like trading bots and chart monitoring services.
“Do you use any trading bots like profittrailer or gunbot? Do you have any API opened for any kind of services?”, Bonnie_channel asked.
This theory could explain how the attackers managed to bypass the two-factor authentication enabled by users, since API keys act on an account without going through the login flow. However, it doesn’t explain why users who never requested API keys were affected by the attack as well.
“That is what I am wondering! I never gave permission for this API key to be created. That is why I think it’s an issue on [Binance’s] end”, Reddit user shashankkgg wrote.
Binance later posted a tweet saying that all irregular trades had been reversed, and that deposits, trading, and withdrawals were fully operational again.
According to Binance’s CEO, Changpeng Zhao, the hackers used a phishing website on a look-alike domain to harvest login credentials and then redirected the victims to the real Binance website.
A user’s history. Can you see the two dots under the domain name? Phishing website that redirects to the real website after login. Additionally, after you log in once, it doesn’t let you access the phishing site again – will auto-redirect you to Binance (even after logging out)
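The look-alike domain described above, with marks under two letters that a glance easily misses, is the kind of thing a defender can flag mechanically. The following is an added example, not code from the article or from Binance: it reduces a hostname to what a human perceives (combining marks stripped, a few cross-script look-alikes folded) and compares that against a trusted list. The trusted domain list, the small confusables table and the sample hostnames are constructed for this example.

```python
import unicodedata

# Domains the user actually intends to reach (assumption for this example).
TRUSTED_DOMAINS = {"binance.com"}

# A few Cyrillic letters that render like Latin ones; a tiny sample, not the
# full Unicode confusables table (assumption for this example).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def to_unicode_host(host: str) -> str:
    """Lower-case, drop a trailing dot and decode punycode (xn--) labels so the
    check sees the hostname the way the browser renders it."""
    host = host.strip().lower().rstrip(".")
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label stays as-is and simply will not match
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """Reduce a hostname to its perceived form: strip combining marks (such as
    dots under letters) and fold the look-alike letters listed above."""
    decomposed = unicodedata.normalize("NFKD", host)
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)


def classify_host(host: str) -> str:
    """Return 'trusted', 'homograph' (looks like a trusted domain but is not)
    or 'unrelated'."""
    rendered = to_unicode_host(host)
    if rendered in TRUSTED_DOMAINS:
        return "trusted"
    if skeleton(rendered) in TRUSTED_DOMAINS:
        return "homograph"
    return "unrelated"


if __name__ == "__main__":
    # Constructed samples: the real domain, one with dots under two letters,
    # one with a Cyrillic letter, and an unrelated domain.
    for sample in ["binance.com", "\u1e05\u1ecbnance.com", "binan\u0441e.com", "example.org"]:
        print(f"{sample!r}: {classify_host(sample)}")
```

A browser address bar or proxy log usually shows such domains in punycode form, which is why the check decodes `xn--` labels before comparing.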