[2019-05-08] Binance Confirms 7000BTC ($40m) Security Breach

[bbc.reporter]

The biggest and most trust worthy exchanges in the cryptospace should not be hacked. This will not give the users any confidence to trade or to deal more in the cryptospace.

Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?



Changpeng Zhao, CEO of popular cryptocurrency exchange, Binance has confirmed that the platform witnessed a security breach for the first time with the hackers being able to withdraw 7000 BTC ($40 million) in one single transaction. The confirmation came after several leads within the crypto community rumored that such funds had left Binance’s hot wallets before the exchange announced a sudden “unscheduled server maintenance.”

As per the update released by the exchange, the incident took place on May 7, 2019, at 17:15:24 (UTC). The hackers employed a variety of techniques such as phishing, viruses and other attacks to obtain “a large number of user API keys, 2FA codes, and potentially other info,” Binance said.

Moving further, the exchange said the hackers were patient enough to “wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” thus allowing them to bypass existing security checks.

Read in full https://coinfomania.com/binance-hack-7000btc-security-breach/

[1715480347]

1715480347

[1715480347]

1715480347

[vit05]

That would leave a lot of exchanges bankrupt, but for the binance, neither tickles does. But it's one more case involving their API. It seems like an excellent tool for hackers to explore. Much better than trying to steal from users. Explore the failing system of them API + 2fa.

[CryptoBry]

Binance is supposed to be beyond hacking as we expect that it can avail of the best and the most expensive security technology available at hand. Unfortunately, nothing is really secured in our modern interconnected world as hackers, phishers, scammers and all their cohorts are one step ahead of the game. In fact, the best way to do is to hire those hackers into your side...this is a good idea that Binance should look into. The reality is that Binance can be hacked, what about ordinary guys and gals like us?

[serjent05]

The question is how would that large amount goes out of the Binance system?  I believe there is a cap of 25 BTC withdrawal even for upgraded one.  One of the comment on one of the article regarding that hack stated:



captured from: https://techcrunch.com/2019/05/07/binance-breach/

which make sense.

[hatshepsut93]

The article doesn't go into detail, does anyone know how exactly the credentials were stolen - were they taken from the servers or from clients? Either way, they should have added more security measures for scenarios like this, maybe some manual reviewing of withdrawals when there's a sudden spike of activity.

The question is how would that large amount goes out of the Binance system?  I believe there is a cap of 25 BTC withdrawal even for upgraded one.  One of the comment on one of the article regarding that hack stated:

captured from: https://techcrunch.com/2019/05/07/binance-breach/

which make sense.

7000/25 = 280

Hackers only needed to pwn 280 accounts in best case, so if it indeed happened, a few thousand of really wealth accounts can be enough to steal 7000 BTC.

[fisheater]

Wondering why people put so many btc in their accounts, exchange is good for trading, but not for storing values.

[figmentofmyass]

all of the articles repeat the same report from binance---that the hackers used "several techniques over a long period of time" such as "phishing, viruses and other attacks". combined with CZ's comments that the attack was coordinated across "multiple seemingly independent accounts" at once, it sounds like the attackers compromised accounts on the client side and quietly waited to execute an attack across many accounts at once.

thank goodness for the safu fund.....

[davis196]

Another reason why big centralized cryptocurrency exchange platforms are obsolete and we need to move to peer-to-peer crypto trading.Every time the crypto prices start increasing something bad happens.
Can't people understand that crypto exchange websites are the same as banks,except that they are more vulnerable.

[Juggy777]

The biggest and most trust worthy exchanges in the cryptospace should not be hacked. This will not give the users any confidence to trade or to deal more in the cryptospace.

Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?

Changpeng Zhao, CEO of popular cryptocurrency exchange, Binance has confirmed that the platform witnessed a security breach for the first time with the hackers being able to withdraw 7000 BTC ($40 million) in one single transaction. The confirmation came after several leads within the crypto community rumored that such funds had left Binance’s hot wallets before the exchange announced a sudden “unscheduled server maintenance.”

As per the update released by the exchange, the incident took place on May 7, 2019, at 17:15:24 (UTC). The hackers employed a variety of techniques such as phishing, viruses and other attacks to obtain “a large number of user API keys, 2FA codes, and potentially other info,” Binance said.

Moving further, the exchange said the hackers were patient enough to “wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” thus allowing them to bypass existing security checks.

Read in full https://coinfomania.com/binance-hack-7000btc-security-breach/

I feel sad for users who had kept their money on Binance, and possibly have lost their coins forever. In my opinion this is a lesson for all do not store your coins on an exchange, as they’re bound to be hacked sooner or later. It’s pertinent to note that Binance Ceo has confirmed they’re not proceeding with a Rollback to recover the hacked coins.

[buwaytress]

Biggest and most trustworthy? Reputation is such a funny thing, isn't it? Mt Gox was by far the biggest and most trustworthy, so much so even devs recommended using them. The biggest names in Bitcoin owners also were using them. And both probably also said they had the best security at the time.

Did that prevent them from getting hacked?

If people aren't going to learn to not keep Bitcoin at these exchanges, then hackers aren't going to suffer from a lack of targets.

[1Referee]

I feel sad for users who had kept their money on Binance, and possibly have lost their coins forever. In my opinion this is a lesson for all do not store your coins on an exchange, as they’re bound to be hacked sooner or later.

Why feel sad? It's people's own responsibility to not store any number of coins in an exchange, regardless of the purpose. People haven't lost anything at the end of the day, there is the much memed but very important Safu fund that contains enough funds to cover this 7000BTC theft.

It’s pertinent to note that Binance Ceo has confirmed they’re not proceeding with a Rollback to recover the hacked coins.

There is no such a thing as 'not proceeding with a roll back'. This CZ asshole figured out that he couldn't get it done and therefore put his re-org plan to bed.

I had a lot of respect for him, but lost it all and will stop recommending people to use Binance as exchange. Toxic son of a b....

[Obao6]

Now is a good time for him to tell us to use his DEX.

[ePesoInitiative]

The question is how would that large amount goes out of the Binance system?  I believe there is a cap of 25 BTC withdrawal even for upgraded one.  One of the comment on one of the article regarding that hack stated:



captured from: https://techcrunch.com/2019/05/07/binance-breach/

which make sense.

This article explains how Binance's automation was exploited. The hacker may have not known any Binance private keys. The prize for hackers is so big that the best hackers have been targeting Binance for months. They were patient, a real pro or pros.

[BitHodler]

There is no such a thing as 'not proceeding with a roll back'. This CZ asshole figured out that he couldn't get it done and therefore put his re-org plan to bed.

I had a lot of respect for him, but lost it all and will stop recommending people to use Binance as exchange. Toxic son of a b....

I don't think he intended to inflict harm on Bitcoin. It was a very impulsive thought that popped up in his head he now seems to distance himself from. He always tries to come up with ways to solve problems.

Some times these ways are viable and some times they are not. CZ figured out that even he as most influential exchange operator couldn't get this something done. I am glad that this happened because it's an important lesson.

CZ admitted in one of his Tweets that Bitcoin's ledger is the most immutable ledger on the planet. He understands it now.

[roosbit]

This is an interesting line "The hackers employed a variety of techniques such as phishing, viruses and other attacks to obtain “a large number of user API keys, 2FA codes, and potentially other info,” Binance said."...are they saying users will not be compensated because the hack mimicked a normal trade/transaction?

[blurryeyed]

So yet another centralized exchange goes rogue, I'm not buying their explanations. I warned about trusting this exchange only a month ago in a different thread:

https://bitcointalk.org/index.php?topic=5115764.msg50029495#msg50029495

...sure enough, it's happened again.  Time & time again this happens with centralized exchanges & time & time again people keep using them - STOP IT!

As I said in that thread, trusted centralized exchanges don't exist & never will, because they are centralized.

If you must use an exchange, use a decentralized one or localbitcoins.

[pixie85]

This is an interesting line "The hackers employed a variety of techniques such as phishing, viruses and other attacks to obtain “a large number of user API keys, 2FA codes, and potentially other info,” Binance said."...are they saying users will not be compensated because the hack mimicked a normal trade/transaction?

But how did they withdraw 40 million dollars? Somebody has to be sitting there and checking this. I can't believe they are allowing automated withdrawals of 1 million dollars.

They used multiple accounts so even if there were 40 fake transactions it's still 1 million dollars per transaction. It doesn't happen very often that somebody withdraws BTC worth a million dollars all at once and 40 million in 1 day should be a big red light for the staff even if it's divided between many accounts.

[richardsNY]

CZ admitted in one of his Tweets that Bitcoin's ledger is the most immutable ledger on the planet. He understands it now.

If he really believed that, he wouldn't even think about bringing it up. Could it be ignorance? It could be, but you would expect him to know how Bitcoin works considering that it is what his exchange depends on the most. He also needs BTC to dump his BNB stash on people and accumulate as much BTC as possible before his ponzi coin and exchange go bust.

Now is a good time for him to tell us to use his DEX.

It's not a DEX. It's a centralized shithole to pump his BNB ponzi coin.

[webtricks]

all of the articles repeat the same report from binance---that the hackers used "several techniques over a long period of time" such as "phishing, viruses and other attacks". combined with CZ's comments that the attack was coordinated across "multiple seemingly independent accounts" at once, it sounds like the attackers compromised accounts on the client side and quietly waited to execute an attack across many accounts at once.

thank goodness for the safu fund.....

And what if these well-orchestrated actions actually coming from within the team or from Binance as a whole? Whom can we trust in the internet-space after all! Or it may be a marketing strategy, I have seen more aggressive marketing tactics than this. I won't be surprised if CZ comes back on Twitter tomorrow and announce this all was just a part of promotion of Binance's SAFU fund service!

Now is a good time for him to tell us to use his DEX.

DEX? You mean the type of exchange where bots run the game? The moment you put sell order, bot puts one with fraction less price. All you can do is sell at Buy Price and cry because creating own order which really gets filled is a dream on DEX!

[stompix]

It’s pertinent to note that Binance Ceo has confirmed they’re not proceeding with a Rollback to recover the hacked coins.

There is no such a thing as 'not proceeding with a roll back'. This CZ asshole figured out that he couldn't get it done and therefore put his re-org plan to bed.

I had a lot of respect for him, but lost it all and will stop recommending people to use Binance as exchange. Toxic son of a b....

I imagine CZ:
- Rollback, the funds must be SAFU!
- We can't rollback, that is not our currency!
- Get me the devs, the funds must be SAFU!
- Bitcoin devs can't do that either!
- Finds satoshi and rollback or I delist, funds must be SAFU!!!

I told you that when he said he is going to delist bitcoinsv we're opening a pandora's box?
Most of you said that yeah, it's a shit coin, must be delisted, let's hear your opinion when exchanges are going to force rollbacks ;P

Now is a good time for him to tell us to use his DEX.

DEX is just another unicorn that won't work and when it finally comes up you realize you've ended with a mule.

[figmentofmyass]

I imagine CZ:
- Rollback, the funds must be SAFU!
- We can't rollback, that is not our currency!
- Get me the devs, the funds must be SAFU!
- Bitcoin devs can't do that either!
- Finds satoshi and rollback or I delist, funds must be SAFU!!!

to be fair, jeremy rubin floated the idea (as often happens after an event like this, like when mark friedenbach did the same after the bitfinex hack). not CZ. CZ just responded to jeremy's twitter post. it wasn't like CZ was intent on rolling back the network when the hack happened. a bitcoin dev just floated the idea and he fleshed out the idea in the hours following the hack. he probably should have done so in private rather than his live periscope.

obviously the idea was not well conceived or received so it was scrapped fairly quickly.

[stompix]

~

to be fair, jeremy rubin floated the idea (as often happens after an event like this, like when mark friedenbach did the same after the bitfinex hack). not CZ. CZ just responded to jeremy's twitter post. it wasn't like CZ was intent on rolling back the network when the hack happened. a bitcoin dev just floated the idea and he fleshed out the idea in the hours following the hack. he probably should have done so in private rather than his live periscope.

obviously the idea was not well conceived or received so it was scrapped fairly quickly.

He might not have been been the one with the idea but for him to even start discussing this is enough:

After speaking with various parties, including @JeremyRubin, @_prestwich, @bcmakes, @hasufl, @JihanWu and others, we decided NOT to pursue the re-org approach

lols

So it went like this?
- CZ, we can make the funds SAFU
......
- JW, no funds SAFU u idiot, we f*** up with BCH I'm not destroying BTC also, SAFU your *****!

[Slow death]

Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?

I think you're looking at this tragic event in a very wrong way. They are not incompetent, they are not to blame for have thieves in this crypto world. The biggest problem is the thieves, no one can say that it has an impenetrable security system... there is always some damn thief who will find a way to steal in the system that is considered the safest in the world. We must fight to reduce the actions of these criminals and there must be very harsh penalties against these criminals

[bbc.reporter]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

Wondering why people put so many btc in their accounts, exchange is good for trading, but not for storing values.

Those people are called whales. They trade cryptocoins by the 100s of thousands of dollars or maybe more in each trade.

Also, I do not know why a rollback was in the discussion for Mr. Changpeng hehehe.

[squatter]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

[shamc]

I'd guess it is negligence from their security team when testing API connections. Someone probably created one with an embedded Trojan that found a way in

[DooMAD]

No surprise here.  Just another ticking time bomb where the clock ran out.  The next one is already counting down.  Expect nothing to change.  We'll be having this same discussion again soon enough.

Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?

I think you're looking at this tragic event in a very wrong way. They are not incompetent, they are not to blame for have thieves in this crypto world. The biggest problem is the thieves, no one can say that it has an impenetrable security system... there is always some damn thief who will find a way to steal in the system that is considered the safest in the world. We must fight to reduce the actions of these criminals and there must be very harsh penalties against these criminals

If not incompetent, then certainly arrogant.  To think you can keep thousands of BTC in a hotwallet where access is enabled via API keys and then pretend you aren't going to suffer the exact same fate as other exchanges that have lost funds in the same manner is astoundingly hard-headed.

[bbc.reporter]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.

[Kemarit]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.

Correct me if I'm wrong, but in 2018 there was a 'successful breach' in Binance. The hackers was able to get the users logins thorough phishing link, installing API access on the affected accounts. So in a sense, Binance by that time should have step up their security. But I guess the hackers was again, always one step of the game and this time they are very successful. I guess, no one is really safe, even though Binance, in my opinion, have implemented security features after that breached.

[DaCryptoRaccoon]

Number of things in the release to think about.

https://www.bbc.co.uk/news/technology-4819

Binance seem to have known exactly how this happens very quickly after the breach.  
Normal practice would tell you the first release is normally not as in depth as this they state that the hackers must have been patent before striking so were Binance aware of this before time? if not how would they know they were holding off?

Another thing they said the following to the bbc

According to Binance, the attackers used a variety of techniques to break in. They deployed viruses and used phishing attacks to get security information.

and then later

The hackers "had the patience to wait" and acquire access to a number of accounts before withdrawing the huge haul of bitcoins, according to Binance.

All this info from the first 24 hr's of Binance own investigation?
Unless they knew prior they had some kind of issue and they were monitoring the situation seems more likely story.

 

[figmentofmyass]

No surprise here.  Just another ticking time bomb where the clock ran out.  The next one is already counting down.  Expect nothing to change.  We'll be having this same discussion again soon enough.

I think you're looking at this tragic event in a very wrong way. They are not incompetent, they are not to blame for have thieves in this crypto world. The biggest problem is the thieves, no one can say that it has an impenetrable security system... there is always some damn thief who will find a way to steal in the system that is considered the safest in the world. We must fight to reduce the actions of these criminals and there must be very harsh penalties against these criminals

If not incompetent, then certainly arrogant.  To think you can keep thousands of BTC in a hotwallet where access is enabled via API keys and then pretend you aren't going to suffer the exact same fate as other exchanges that have lost funds in the same manner is astoundingly hard-headed.

historically, this was not a big hack. binance said they had 2% of customer funds in hot wallets. that's not unreasonable IMO and is the same standard coinbase uses. you can't run one of the largest spot exchanges in the world and not have thousands of BTC in a hot wallet.

there's also a big difference between "binance getting their wallets hacked" and what actually happened. from the statements CZ made, it appears these were individual account holders who got phished/hacked and had their API keys compromised who had their accounts all cleaned out at once. it doesn't sound like a server side compromise. i don't think an exchange should be crucified because some users were careless with their API keys and had their accounts cleaned out.

i suspect binance has warded off many attacks that other exchanges in the past failed to. yes they could have had better internal withdrawal controls but no system is perfect nor unbeatable. we should just be glad they are covering the losses if their system wasn't even compromised.

[bbc.reporter]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.

Correct me if I'm wrong, but in 2018 there was a 'successful breach' in Binance. The hackers was able to get the users logins thorough phishing link, installing API access on the affected accounts. So in a sense, Binance by that time should have step up their security. But I guess the hackers was again, always one step of the game and this time they are very successful. I guess, no one is really safe, even though Binance, in my opinion, have implemented security features after that breached.

How high is the possibility that the hack was only a show used as an excuse to release Binance's secure asset fund for users, also known as SAFU? Would Binance be capable of this or are they plainly just incompetent?

[figmentofmyass]

How high is the possibility that the hack was only a show used as an excuse to release Binance's secure asset fund for users, also known as SAFU? Would Binance be capable of this or are they plainly just incompetent?

"safu" is just a word for "binance's reserves". it's already their money. i'm pretty sure the optics around getting hacked are not worth the payoff for binance no matter what.

side note, their usage of "safu" is not in the best taste either. it always irked me. the name is poking fund at wex users, who as we all know, lost everything.

[IconFirm]

the name is poking fund at wex users, who as we all know, lost everything.

WEX was an obvious scam right from the very beginning, anyone who didn't see it or do any research on them before handing over their coins only has themselves to blame.

I've yet to see any solid proof that this was the work of hackers either - has their been any or are we to believe that it's true "because binance says so"? My first thoughts were that it's another inside job like most centralized exchange hacks are.

[figmentofmyass]

the name is poking fund at wex users, who as we all know, lost everything.

WEX was an obvious scam right from the very beginning, anyone who didn't see it or do any research on them before handing over their coins only has themselves to blame.

i have mixed feelings about that. i don't think wex launched with any ill intentions. btc-e got all their $$ nabbed by its payment processors and the feds (along with domain, servers, etc). the first thing they did was refund 55-60% of all account value to users. they issued tokens for the debt, some of which they repaid over time. they seemed to have every intention of making good.

obviously something happened in june/july 2018. i'm not sure if it was a botched transfer of ownership, some sort of robbery or compromise, or something else. there are some suspicions the admins robbed the exchange at that point (and shut down withdrawals) to fund vinnik's fight against extradition to the USA. to me, that's when it became a scam. i don't see why they would pay back 60% of the money, run an exchange for a year, and then scam if it was a scam from the very beginning.

I've yet to see any solid proof that this was the work of hackers either - has their been any or are we to believe that it's true "because binance says so"? My first thoughts were that it's another inside job like most centralized exchange hacks are.

why though? they're not haircutting user funds (and stealing them). they're compensating users for everything.

[ololajulo]

Is just the case of the inevitable happening, Its a warning to every high rated exchanges of temerity of their fortified exchange services. We have not seen any exchange defend their staff of not participating in such hacks in the past and may not see. I think there should always be a way to compensate users though not necessarily satisfying. I wasn't surprised anyway but not happy with the chairman's response to the hack follow up

[IconFirm]

Correct me if I'm wrong, but in 2018 there was a 'successful breach' in Binance.

You're correct, they lost users KYC details in that hack. I consider all centralized exchanges either untrustworthy, unsafe or both - but a centralized exchange that has been "hacked" twice in two years should be considered extremely untrustworthy, unsafe & incompetent.

why though? they're not haircutting user funds (and stealing them). they're compensating users for everything.

Because I've not seem any solid proof yet. They should compensate anyone who lost funds, it's their fault, not once, but twice. What would happen if the third hack cleaned them out completely? - nobody would get compensated & I doubt everyone would be saying how trustworthy they are then.

[squatter]

Because I've not seem any solid proof yet.

Has any exchange ever provided solid proof of being hacked? I suppose an exchange would want to provide as little detail as possible about the inner workings of their security procedures to prevent further compromises.

What would happen if the third hack cleaned them out completely?

Hence the old adage, "not your keys, not your coins." This applies to all exchanges.

[bbc.reporter]

@squatter. This brings to us a question if it would be best for an exchange to have their code opensource for everyone to check and see for weaknesses in security and bugs.

It has worked for operating systems and some of the best cryptocoins, why can it not work of an exchange.

[stompix]

@squatter. This brings to us a question if it would be best for an exchange to have their code opensource for everyone to check and see for weaknesses in security and bugs.
It has worked for operating systems and some of the best cryptocoins, why can it not work of an exchange.

I'm pretty sure that after investing thousands of $ in their scripts the last thing they think about it is to make it public so thousands of clones would pop up .
Besides, making the code public will also help hackers, it will be simply a toss of a coin, who will find the flaw first, a good guy or a bad guy.

[IconFirm]

Besides, making the code public will also help hackers, it will be simply a toss of a coin, who will find the flaw first, a good guy or a bad guy.

That's absolutely NOT how open source code works. It's actually the safest code because it is picked apart by the community to ensure that it is safe before it is released. When has Bitcoin been hacked? Closed code is notorious for having security issues & vulnerabilities, plus you have no idea what's in that code of course.

[stompix]

Besides, making the code public will also help hackers, it will be simply a toss of a coin, who will find the flaw first, a good guy or a bad guy.

That's absolutely NOT how open source code works. It's actually the safest code because it is picked apart by the community to ensure that it is safe before it is released. When has Bitcoin been hacked? Closed code is notorious for having security issues & vulnerabilities, plus you have no idea what's in that code of course.

The bitcoin code has proven to have flaws a lot of times and a lot of times new versions fixed have been rushed.
And this is exactly how open source code works, you let people know your code, you let everyone know how the code is written and how it works. Just because 20 guys said: ok this version is ok it doesn't mean it is.

And the supreme argument why it is not better like that is that nobody is doing!!!  

[Whittiesense]

 

Binance is supposed to be beyond hacking as we expect that it can avail of the best and the most expensive security technology available at hand. Unfortunately, nothing is really secured in our modern interconnected world as hackers, phishers, scammers and all their cohorts are one step ahead of the game. In fact, the best way to do is to hire those hackers into your side...this is a good idea that Binance should look into. The reality is that Binance can be hacked, what about ordinary guys and gals like us?

Wow! Hire them to your side! If only that was truly possible, because first of all they hide their true identities. Expect they make a publication stating their intention (with the peace flag). Then just maybe, one of them might show interest to work with the company or organization. But on a second thought, how much can the organization pay them when they can easily get their desired amount from their comfortable zone?. So the possibility of this happening is slim. Also , if they do agree to the terms and conditions, what's the guarantee that they will not be apprehended?  

[bbc.reporter]

Besides, making the code public will also help hackers, it will be simply a toss of a coin, who will find the flaw first, a good guy or a bad guy.

That's absolutely NOT how open source code works. It's actually the safest code because it is picked apart by the community to ensure that it is safe before it is released. When has Bitcoin been hacked? Closed code is notorious for having security issues & vulnerabilities, plus you have no idea what's in that code of course.

The bitcoin code has proven to have flaws a lot of times and a lot of times new versions fixed have been rushed.
And this is exactly how open source code works, you let people know your code, you let everyone know how the code is written and how it works. Just because 20 guys said: ok this version is ok it doesn't mean it is.

And the supreme argument why it is not better like that is that nobody is doing!!!  

I reckon that the only reason none of the exchanges are doing it is because none of them want their code to be copied and have a competing exchange with the same code. However, if the code is opensource, it would be developed and improved upon faster, patches for bugs and flaws will be coded faster and it might be the most secure code that an exchange can have.

Also, the closed source model has already been proven that it is not immune to attacks which they are protecting their software from.