[2019-05-08] Binance Confirms 7000BTC ($40m) Security Breach

[figmentofmyass]

I imagine CZ:
- Rollback, the funds must be SAFU!
- We can't rollback, that is not our currency!
- Get me the devs, the funds must be SAFU!
- Bitcoin devs can't do that either!
- Finds satoshi and rollback or I delist, funds must be SAFU!!!

to be fair, jeremy rubin floated the idea (as often happens after an event like this, like when mark friedenbach did the same after the bitfinex hack). not CZ. CZ just responded to jeremy's twitter post. it wasn't like CZ was intent on rolling back the network when the hack happened. a bitcoin dev just floated the idea and he fleshed out the idea in the hours following the hack. he probably should have done so in private rather than his live periscope.

obviously the idea was not well conceived or received so it was scrapped fairly quickly.

[1715397652]

1715397652

[1715397652]

1715397652

[1715397652]

1715397652

[stompix]

~

to be fair, jeremy rubin floated the idea (as often happens after an event like this, like when mark friedenbach did the same after the bitfinex hack). not CZ. CZ just responded to jeremy's twitter post. it wasn't like CZ was intent on rolling back the network when the hack happened. a bitcoin dev just floated the idea and he fleshed out the idea in the hours following the hack. he probably should have done so in private rather than his live periscope.

obviously the idea was not well conceived or received so it was scrapped fairly quickly.

He might not have been been the one with the idea but for him to even start discussing this is enough:

After speaking with various parties, including @JeremyRubin, @_prestwich, @bcmakes, @hasufl, @JihanWu and others, we decided NOT to pursue the re-org approach

lols

So it went like this?
- CZ, we can make the funds SAFU
......
- JW, no funds SAFU u idiot, we f*** up with BCH I'm not destroying BTC also, SAFU your *****!

[Slow death]

Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?

I think you're looking at this tragic event in a very wrong way. They are not incompetent, they are not to blame for have thieves in this crypto world. The biggest problem is the thieves, no one can say that it has an impenetrable security system... there is always some damn thief who will find a way to steal in the system that is considered the safest in the world. We must fight to reduce the actions of these criminals and there must be very harsh penalties against these criminals

[bbc.reporter]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

Wondering why people put so many btc in their accounts, exchange is good for trading, but not for storing values.

Those people are called whales. They trade cryptocoins by the 100s of thousands of dollars or maybe more in each trade.

Also, I do not know why a rollback was in the discussion for Mr. Changpeng hehehe.

[squatter]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

[shamc]

I'd guess it is negligence from their security team when testing API connections. Someone probably created one with an embedded Trojan that found a way in

[DooMAD]

No surprise here.  Just another ticking time bomb where the clock ran out.  The next one is already counting down.  Expect nothing to change.  We'll be having this same discussion again soon enough.

Binance is collecting millions in fees. Can it be given an excuse to be this incompetent?

I think you're looking at this tragic event in a very wrong way. They are not incompetent, they are not to blame for have thieves in this crypto world. The biggest problem is the thieves, no one can say that it has an impenetrable security system... there is always some damn thief who will find a way to steal in the system that is considered the safest in the world. We must fight to reduce the actions of these criminals and there must be very harsh penalties against these criminals

If not incompetent, then certainly arrogant.  To think you can keep thousands of BTC in a hotwallet where access is enabled via API keys and then pretend you aren't going to suffer the exact same fate as other exchanges that have lost funds in the same manner is astoundingly hard-headed.

[bbc.reporter]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.

[Kemarit]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.

Correct me if I'm wrong, but in 2018 there was a 'successful breach' in Binance. The hackers was able to get the users logins thorough phishing link, installing API access on the affected accounts. So in a sense, Binance by that time should have step up their security. But I guess the hackers was again, always one step of the game and this time they are very successful. I guess, no one is really safe, even though Binance, in my opinion, have implemented security features after that breached.

[DaCryptoRaccoon]

Number of things in the release to think about.

https://www.bbc.co.uk/news/technology-4819

Binance seem to have known exactly how this happens very quickly after the breach.  
Normal practice would tell you the first release is normally not as in depth as this they state that the hackers must have been patent before striking so were Binance aware of this before time? if not how would they know they were holding off?

Another thing they said the following to the bbc

According to Binance, the attackers used a variety of techniques to break in. They deployed viruses and used phishing attacks to get security information.

and then later

The hackers "had the patience to wait" and acquire access to a number of accounts before withdrawing the huge haul of bitcoins, according to Binance.

All this info from the first 24 hr's of Binance own investigation?
Unless they knew prior they had some kind of issue and they were monitoring the situation seems more likely story.

 

[figmentofmyass]

No surprise here.  Just another ticking time bomb where the clock ran out.  The next one is already counting down.  Expect nothing to change.  We'll be having this same discussion again soon enough.

I think you're looking at this tragic event in a very wrong way. They are not incompetent, they are not to blame for have thieves in this crypto world. The biggest problem is the thieves, no one can say that it has an impenetrable security system... there is always some damn thief who will find a way to steal in the system that is considered the safest in the world. We must fight to reduce the actions of these criminals and there must be very harsh penalties against these criminals

If not incompetent, then certainly arrogant.  To think you can keep thousands of BTC in a hotwallet where access is enabled via API keys and then pretend you aren't going to suffer the exact same fate as other exchanges that have lost funds in the same manner is astoundingly hard-headed.

historically, this was not a big hack. binance said they had 2% of customer funds in hot wallets. that's not unreasonable IMO and is the same standard coinbase uses. you can't run one of the largest spot exchanges in the world and not have thousands of BTC in a hot wallet.

there's also a big difference between "binance getting their wallets hacked" and what actually happened. from the statements CZ made, it appears these were individual account holders who got phished/hacked and had their API keys compromised who had their accounts all cleaned out at once. it doesn't sound like a server side compromise. i don't think an exchange should be crucified because some users were careless with their API keys and had their accounts cleaned out.

i suspect binance has warded off many attacks that other exchanges in the past failed to. yes they could have had better internal withdrawal controls but no system is perfect nor unbeatable. we should just be glad they are covering the losses if their system wasn't even compromised.

[bbc.reporter]

@Slow death. The solution is for the exchange to be smarter than the thieves. The thieves will never stop trying as long as there is something valuable in the vault.

You can only hire so many pen-testers. At best, you can outsmart most thieves, but never all of them. That's why there has been so much emphasis on reducing losses to limited hot wallets in these situations. All in all, this could have been a lot worse.

Agreed. However, if you cannot run a secure exchange that holds 100s of millions of people's money then you have no right to be running an exchange. There will always be thieves that will certainly never change.

Correct me if I'm wrong, but in 2018 there was a 'successful breach' in Binance. The hackers was able to get the users logins thorough phishing link, installing API access on the affected accounts. So in a sense, Binance by that time should have step up their security. But I guess the hackers was again, always one step of the game and this time they are very successful. I guess, no one is really safe, even though Binance, in my opinion, have implemented security features after that breached.

How high is the possibility that the hack was only a show used as an excuse to release Binance's secure asset fund for users, also known as SAFU? Would Binance be capable of this or are they plainly just incompetent?

[figmentofmyass]

How high is the possibility that the hack was only a show used as an excuse to release Binance's secure asset fund for users, also known as SAFU? Would Binance be capable of this or are they plainly just incompetent?

"safu" is just a word for "binance's reserves". it's already their money. i'm pretty sure the optics around getting hacked are not worth the payoff for binance no matter what.

side note, their usage of "safu" is not in the best taste either. it always irked me. the name is poking fund at wex users, who as we all know, lost everything.

[IconFirm]

the name is poking fund at wex users, who as we all know, lost everything.

WEX was an obvious scam right from the very beginning, anyone who didn't see it or do any research on them before handing over their coins only has themselves to blame.

I've yet to see any solid proof that this was the work of hackers either - has their been any or are we to believe that it's true "because binance says so"? My first thoughts were that it's another inside job like most centralized exchange hacks are.

[figmentofmyass]

the name is poking fund at wex users, who as we all know, lost everything.

WEX was an obvious scam right from the very beginning, anyone who didn't see it or do any research on them before handing over their coins only has themselves to blame.

i have mixed feelings about that. i don't think wex launched with any ill intentions. btc-e got all their $$ nabbed by its payment processors and the feds (along with domain, servers, etc). the first thing they did was refund 55-60% of all account value to users. they issued tokens for the debt, some of which they repaid over time. they seemed to have every intention of making good.

obviously something happened in june/july 2018. i'm not sure if it was a botched transfer of ownership, some sort of robbery or compromise, or something else. there are some suspicions the admins robbed the exchange at that point (and shut down withdrawals) to fund vinnik's fight against extradition to the USA. to me, that's when it became a scam. i don't see why they would pay back 60% of the money, run an exchange for a year, and then scam if it was a scam from the very beginning.

I've yet to see any solid proof that this was the work of hackers either - has their been any or are we to believe that it's true "because binance says so"? My first thoughts were that it's another inside job like most centralized exchange hacks are.

why though? they're not haircutting user funds (and stealing them). they're compensating users for everything.

[ololajulo]

Is just the case of the inevitable happening, Its a warning to every high rated exchanges of temerity of their fortified exchange services. We have not seen any exchange defend their staff of not participating in such hacks in the past and may not see. I think there should always be a way to compensate users though not necessarily satisfying. I wasn't surprised anyway but not happy with the chairman's response to the hack follow up

[IconFirm]

Correct me if I'm wrong, but in 2018 there was a 'successful breach' in Binance.

You're correct, they lost users KYC details in that hack. I consider all centralized exchanges either untrustworthy, unsafe or both - but a centralized exchange that has been "hacked" twice in two years should be considered extremely untrustworthy, unsafe & incompetent.

why though? they're not haircutting user funds (and stealing them). they're compensating users for everything.

Because I've not seem any solid proof yet. They should compensate anyone who lost funds, it's their fault, not once, but twice. What would happen if the third hack cleaned them out completely? - nobody would get compensated & I doubt everyone would be saying how trustworthy they are then.

[squatter]

Because I've not seem any solid proof yet.

Has any exchange ever provided solid proof of being hacked? I suppose an exchange would want to provide as little detail as possible about the inner workings of their security procedures to prevent further compromises.

What would happen if the third hack cleaned them out completely?

Hence the old adage, "not your keys, not your coins." This applies to all exchanges.

[bbc.reporter]

@squatter. This brings to us a question if it would be best for an exchange to have their code opensource for everyone to check and see for weaknesses in security and bugs.

It has worked for operating systems and some of the best cryptocoins, why can it not work of an exchange.

[stompix]

@squatter. This brings to us a question if it would be best for an exchange to have their code opensource for everyone to check and see for weaknesses in security and bugs.
It has worked for operating systems and some of the best cryptocoins, why can it not work of an exchange.

I'm pretty sure that after investing thousands of $ in their scripts the last thing they think about it is to make it public so thousands of clones would pop up .
Besides, making the code public will also help hackers, it will be simply a toss of a coin, who will find the flaw first, a good guy or a bad guy.