Author Topic: [2019-05-08] Binance Confirms 7000BTC ($40m) Security Breach  (Read 584 times)
bbc.reporter (OP)
Legendary
Activity: 2926
Merit: 1441
May 08, 2019, 02:54:49 AM
 #1

The biggest and most trustworthy exchanges in the cryptospace should not be hacked. This will not give the users any confidence to trade or to deal more in the cryptospace.

Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?



Changpeng Zhao, CEO of popular cryptocurrency exchange, Binance has confirmed that the platform witnessed a security breach for the first time with the hackers being able to withdraw 7000 BTC ($40 million) in one single transaction. The confirmation came after several leads within the crypto community rumored that such funds had left Binance’s hot wallets before the exchange announced a sudden “unscheduled server maintenance.”

As per the update released by the exchange, the incident took place on May 7, 2019, at 17:15:24 (UTC). The hackers employed a variety of techniques such as phishing, viruses and other attacks to obtain “a large number of user API keys, 2FA codes, and potentially other info,” Binance said.

Moving further, the exchange said the hackers were patient enough to “wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” thus allowing them to bypass existing security checks.


Read in full https://coinfomania.com/binance-hack-7000btc-security-breach/

vit05
Hero Member
Activity: 672
Merit: 526
May 08, 2019, 03:03:23 AM
 #2

That would leave a lot of exchanges bankrupt, but for the binance, neither tickles does. But it's one more case involving their API. It seems like an excellent tool for hackers to explore. Much better than trying to steal from users. Explore the failing system of them API + 2fa.
CryptoBry
Sr. Member
Activity: 1008
Merit: 355
May 08, 2019, 03:04:16 AM
 #3



Binance is supposed to be beyond hacking as we expect that it can avail of the best and the most expensive security technology available at hand. Unfortunately, nothing is really secured in our modern interconnected world as hackers, phishers, scammers and all their cohorts are one step ahead of the game. In fact, the best way to do is to hire those hackers into your side...this is a good idea that Binance should look into. The reality is that Binance can be hacked, what about ordinary guys and gals like us?
serjent05
Legendary
Activity: 2842
Merit: 1253
May 08, 2019, 03:43:50 AM
 #4

The question is how would that large amount goes out of the Binance system?  I believe there is a cap of 25 BTC withdrawal even for upgraded one.  One of the comment on one of the article regarding that hack stated:



captured from: https://techcrunch.com/2019/05/07/binance-breach/

which make sense.

hatshepsut93
Legendary
Activity: 2968
Merit: 2145
May 08, 2019, 04:59:56 AM
 #5

The article doesn't go into detail, does anyone know how exactly the credentials were stolen - were they taken from the servers or from clients? Either way, they should have added more security measures for scenarios like this, maybe some manual reviewing of withdrawals when there's a sudden spike of activity.

The question is how would that large amount goes out of the Binance system?  I believe there is a cap of 25 BTC withdrawal even for upgraded one.  One of the comment on one of the article regarding that hack stated:

captured from: https://techcrunch.com/2019/05/07/binance-breach/

which make sense.

7000/25 = 280

Hackers only needed to pwn 280 accounts in best case, so if it indeed happened, a few thousand of really wealthy accounts can be enough to steal 7000 BTC.

fisheater
Hero Member
Activity: 770
Merit: 605
May 08, 2019, 05:34:04 AM
Merited by richardsNY (1)
 #6

Wondering why people put so many btc in their accounts, exchange is good for trading, but not for storing values.
figmentofmyass
Legendary
Activity: 1652
Merit: 1483
May 08, 2019, 06:31:15 AM
 #7

all of the articles repeat the same report from binance---that the hackers used "several techniques over a long period of time" such as "phishing, viruses and other attacks". combined with CZ's comments that the attack was coordinated across "multiple seemingly independent accounts" at once, it sounds like the attackers compromised accounts on the client side and quietly waited to execute an attack across many accounts at once.

thank goodness for the safu fund.....

davis196
Hero Member
Activity: 2968
Merit: 906
May 08, 2019, 06:33:28 AM
Merited by richardsNY (1)
 #8

Another reason why big centralized cryptocurrency exchange platforms are obsolete and we need to move to peer-to-peer crypto trading. Every time the crypto prices start increasing something bad happens. Grin
Can't people understand that crypto exchange websites are the same as banks, except that they are more vulnerable.

Juggy777
Hero Member
Activity: 2646
Merit: 686
May 08, 2019, 07:54:21 AM
 #9

The biggest and most trustworthy exchanges in the cryptospace should not be hacked. This will not give the users any confidence to trade or to deal more in the cryptospace.

Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?

Changpeng Zhao, CEO of popular cryptocurrency exchange, Binance has confirmed that the platform witnessed a security breach for the first time with the hackers being able to withdraw 7000 BTC ($40 million) in one single transaction. The confirmation came after several leads within the crypto community rumored that such funds had left Binance’s hot wallets before the exchange announced a sudden “unscheduled server maintenance.”

As per the update released by the exchange, the incident took place on May 7, 2019, at 17:15:24 (UTC). The hackers employed a variety of techniques such as phishing, viruses and other attacks to obtain “a large number of user API keys, 2FA codes, and potentially other info,” Binance said.

Moving further, the exchange said the hackers were patient enough to “wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” thus allowing them to bypass existing security checks.


Read in full https://coinfomania.com/binance-hack-7000btc-security-breach/

I feel sad for users who had kept their money on Binance, and possibly have lost their coins forever. In my opinion this is a lesson for all do not store your coins on an exchange, as they’re bound to be hacked sooner or later. It’s pertinent to note that Binance Ceo has confirmed they’re not proceeding with a Rollback to recover the hacked coins.
buwaytress
Legendary
Activity: 2800
Merit: 3443
May 08, 2019, 08:28:25 AM
Merited by richardsNY (1)
 #10

Biggest and most trustworthy? Reputation is such a funny thing, isn't it? Mt Gox was by far the biggest and most trustworthy, so much so even devs recommended using them. The biggest names in Bitcoin owners also were using them. And both probably also said they had the best security at the time.

Did that prevent them from getting hacked?

If people aren't going to learn to not keep Bitcoin at these exchanges, then hackers aren't going to suffer from a lack of targets.

1Referee
Legendary
Activity: 2170
Merit: 1427
May 08, 2019, 08:53:27 AM
Merited by richardsNY (1)
 #11

I feel sad for users who had kept their money on Binance, and possibly have lost their coins forever. In my opinion this is a lesson for all do not store your coins on an exchange, as they’re bound to be hacked sooner or later.
Why feel sad? It's people's own responsibility to not store any number of coins in an exchange, regardless of the purpose. People haven't lost anything at the end of the day, there is the much memed but very important Safu fund that contains enough funds to cover this 7000BTC theft.

It’s pertinent to note that Binance Ceo has confirmed they’re not proceeding with a Rollback to recover the hacked coins.
There is no such a thing as 'not proceeding with a roll back'. This CZ asshole figured out that he couldn't get it done and therefore put his re-org plan to bed.

I had a lot of respect for him, but lost it all and will stop recommending people to use Binance as exchange. Toxic son of a b....
Obao6
Newbie
Activity: 25
Merit: 1
May 08, 2019, 08:58:28 AM
 #12

Now is a good time for him to tell us to use his DEX.
ePesoInitiative
Sr. Member
Activity: 924
Merit: 260
May 08, 2019, 09:04:46 AM
 #13

The question is how would that large amount goes out of the Binance system?  I believe there is a cap of 25 BTC withdrawal even for upgraded one.  One of the comment on one of the article regarding that hack stated:



captured from: https://techcrunch.com/2019/05/07/binance-breach/

which make sense.

This article explains how Binance's automation was exploited. The hacker may have not known any Binance private keys. The prize for hackers is so big that the best hackers have been targeting Binance for months. They were patient, a real pro or pros.

BitHodler
Legendary
Activity: 1526
Merit: 1179
May 08, 2019, 09:53:50 AM
 #14

There is no such a thing as 'not proceeding with a roll back'. This CZ asshole figured out that he couldn't get it done and therefore put his re-org plan to bed.

I had a lot of respect for him, but lost it all and will stop recommending people to use Binance as exchange. Toxic son of a b....
I don't think he intended to inflict harm on Bitcoin. It was a very impulsive thought that popped up in his head he now seems to distance himself from. He always tries to come up with ways to solve problems.

Some times these ways are viable and some times they are not. CZ figured out that even he as most influential exchange operator couldn't get this something done. I am glad that this happened because it's an important lesson.

CZ admitted in one of his Tweets that Bitcoin's ledger is the most immutable ledger on the planet. He understands it now. Smiley

BSV is not the real Bcash. Bcash is the real Bcash.
roosbit
Member
Activity: 891
Merit: 43
Random coins :)
May 08, 2019, 11:37:02 AM
 #15

This is an interesting line "The hackers employed a variety of techniques such as phishing, viruses and other attacks to obtain “a large number of user API keys, 2FA codes, and potentially other info,” Binance said."...are they saying users will not be compensated because the hack mimicked a normal trade/transaction?
blurryeyed
Full Member
Activity: 670
Merit: 120
TIME TO BAN THE YOBIT SCAM!!
May 08, 2019, 03:10:36 PM
Merited by richardsNY (1)
 #16

So yet another centralized exchange goes rogue, I'm not buying their explanations. I warned about trusting this exchange only a month ago in a different thread:

https://bitcointalk.org/index.php?topic=5115764.msg50029495#msg50029495

...sure enough, it's happened again.  Time & time again this happens with centralized exchanges & time & time again people keep using them - STOP IT!

As I said in that thread, trusted centralized exchanges don't exist & never will, because they are centralized.

If you must use an exchange, use a decentralized one or localbitcoins.

GameCredits Unofficial: https://bitcointalk.org/index.php?topic=5254720.0   Funniest/stupidest shit list thread ever:  https://bitcointalk.org/index.php?topic=1064824.msg20344174#msg20344174 - The ultimate example of trust abuse by exposed scammer craslovell...
pixie85
Hero Member
Activity: 2142
Merit: 524
May 08, 2019, 03:51:44 PM
 #17

This is an interesting line "The hackers employed a variety of techniques such as phishing, viruses and other attacks to obtain “a large number of user API keys, 2FA codes, and potentially other info,” Binance said."...are they saying users will not be compensated because the hack mimicked a normal trade/transaction?

But how did they withdraw 40 million dollars? Somebody has to be sitting there and checking this. I can't believe they are allowing automated withdrawals of 1 million dollars.

They used multiple accounts so even if there were 40 fake transactions it's still 1 million dollars per transaction. It doesn't happen very often that somebody withdraws BTC worth a million dollars all at once and 40 million in 1 day should be a big red light for the staff even if it's divided between many accounts.
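
Added example, not part of any post in this thread and not Binance's code: a sketch of the control suggested above, where each request passes the 25 BTC per-account cap quoted in the thread but the combined outflow across accounts is held for manual review. The window length, thresholds, and all names (`review`, `Withdrawal`, `constructed_events`) are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass

PER_ACCOUNT_CAP_BTC = 25.0  # per-account cap quoted in the thread
WINDOW_SECONDS = 3600       # assumption: sliding review window
AGGREGATE_HOLD_BTC = 500.0  # assumption: hot-wallet outflow that triggers review
NEAR_CAP_RATIO = 0.9        # assumption: "at the cap" means >= 90% of it
NEAR_CAP_ACCOUNTS = 10      # assumption: tolerated accounts at the cap per window


@dataclass(frozen=True)
class Withdrawal:
    ts: int            # request time, seconds
    account: str
    amount_btc: float


def review(events):
    """Return (withdrawal, decision, reason) for each request, in time order."""
    window = deque()   # accepted requests still inside the window
    per_account = {}   # account -> BTC requested inside the window
    decisions = []
    for w in sorted(events, key=lambda e: e.ts):
        # Drop requests that have aged out of the sliding window.
        while window and window[0].ts <= w.ts - WINDOW_SECONDS:
            old = window.popleft()
            per_account[old.account] -= old.amount_btc
            if per_account[old.account] <= 1e-9:
                del per_account[old.account]
        requested = per_account.get(w.account, 0.0) + w.amount_btc
        if requested > PER_ACCOUNT_CAP_BTC:
            decisions.append((w, "reject", "per-account cap"))
            continue
        # Held requests stay in the window so the spike keeps being counted.
        window.append(w)
        per_account[w.account] = requested
        total = sum(per_account.values())
        near_cap = sum(v >= NEAR_CAP_RATIO * PER_ACCOUNT_CAP_BTC
                       for v in per_account.values())
        if total > AGGREGATE_HOLD_BTC:
            decisions.append((w, "hold", "aggregate outflow"))
        elif near_cap > NEAR_CAP_ACCOUNTS:
            decisions.append((w, "hold", "many accounts at cap"))
        else:
            decisions.append((w, "allow", ""))
    return decisions


def constructed_events():
    """Constructed sample: routine traffic, then 280 accounts each taking 25 BTC."""
    routine = [Withdrawal(i * 100, f"user-{i}", 0.5) for i in range(30)]
    burst = [Withdrawal(3000 + i, f"burst-{i}", 25.0) for i in range(280)]
    return routine + burst


if __name__ == "__main__":
    results = review(constructed_events())
    for label in ("allow", "hold", "reject"):
        print(label, sum(1 for _, d, _ in results if d == label))
```

On the constructed input, none of the 280 burst requests is rejected by the per-account check, yet only the first 10 go out automatically; the rest wait for a human.
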
richardsNY
Legendary
Activity: 1232
Merit: 1091
May 08, 2019, 04:23:31 PM
Merited by suchmoon (7)
 #18

CZ admitted in one of his Tweets that Bitcoin's ledger is the most immutable ledger on the planet. He understands it now. Smiley

If he really believed that, he wouldn't even think about bringing it up. Could it be ignorance? It could be, but you would expect him to know how Bitcoin works considering that it is what his exchange depends on the most. He also needs BTC to dump his BNB stash on people and accumulate as much BTC as possible before his ponzi coin and exchange go bust.

Now is a good time for him to tell us to use his DEX.

It's not a DEX. It's a centralized shithole to pump his BNB ponzi coin.
webtricks
Legendary
Activity: 1918
Merit: 1728
May 08, 2019, 04:40:05 PM
 #19

all of the articles repeat the same report from binance---that the hackers used "several techniques over a long period of time" such as "phishing, viruses and other attacks". combined with CZ's comments that the attack was coordinated across "multiple seemingly independent accounts" at once, it sounds like the attackers compromised accounts on the client side and quietly waited to execute an attack across many accounts at once.

thank goodness for the safu fund.....

And what if these well-orchestrated actions actually coming from within the team or from Binance as a whole? Whom can we trust in the internet-space after all! Or it may be a marketing strategy, I have seen more aggressive marketing tactics than this. I won't be surprised if CZ comes back on Twitter tomorrow and announce this all was just a part of promotion of Binance's SAFU fund service!

Now is a good time for him to tell us to use his DEX.
DEX? You mean the type of exchange where bots run the game? The moment you put sell order, bot puts one with fraction less price. All you can do is sell at Buy Price and cry because creating own order which really gets filled is a dream on DEX!
stompix
Legendary
Activity: 2884
Merit: 6284
May 08, 2019, 04:54:13 PM
Last edit: May 08, 2019, 05:11:21 PM by stompix
 #20

It’s pertinent to note that Binance Ceo has confirmed they’re not proceeding with a Rollback to recover the hacked coins.
There is no such a thing as 'not proceeding with a roll back'. This CZ asshole figured out that he couldn't get it done and therefore put his re-org plan to bed.

I had a lot of respect for him, but lost it all and will stop recommending people to use Binance as exchange. Toxic son of a b....

I imagine CZ:
- Rollback, the funds must be SAFU!
- We can't rollback, that is not our currency!
- Get me the devs, the funds must be SAFU!
- Bitcoin devs can't do that either!
- Finds satoshi and rollback or I delist, funds must be SAFU!!!

I told you that when he said he is going to delist bitcoinsv we're opening a pandora's box?
Most of you said that yeah, it's a shit coin, must be delisted, let's hear your opinion when exchanges are going to force rollbacks ;P

Now is a good time for him to tell us to use his DEX.

DEX is just another unicorn that won't work and when it finally comes up you realize you've ended with a mule.
