Binance stole 0.509 BTC via API

[spat]

Hello, I have withdrawn 0.509 bts. the mobile phone was turned off, nothing came to the mail, only the confirmation of the bts was successfully displayed, wrote to the support they answered that they brought it out through the API, I did not create any API, I saw that on 12/21/21 an API was created on my account with the output permission, I have no notifications I didn’t receive IPA creation Binance says it’s not our problem your Mile was compromised

Upon verification, we noticed that the payout was requested by the API, specifically from the following IP address: xxx.xxx.xxx.xxx
If you have not created the API key, it means that the email associated with your Binance account has been compromised. In order to generate an API key, it is a standard security practice to send you an email to confirm this action as your own operation. We checked our logs and found that we sent the following email when the API key was generated from your account:
Create new API key from xx.xxx.xx.xx - 2021-12-21 18:36:47 (UTC)
Binance API withdrawal reminder has been activated xx.xxx.xx.xx - 2021-12-21 18:37:30 (UTC)
If you cannot remember having connected to the API, please delete the key from the API management: https://www.binance.com/de/my/settings/api-management
Going forward, we regret to inform you that funds have been withdrawn from our platform and due to the anonymity of the blockchain, we cannot know the identity of the target wallet. Nonetheless, Binance has an attitude of working with law enforcement agencies around the world. Should you wish to conduct an official investigation, we recommend that you report the incident to the police.
Authorities can contact the relevant department by creating a ticket via this link: https://www.binance.com/en/support/law-enforcement from an official email address.
If you are based in Europe, we recommend that you visit the following link to report the incident: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
Please note that after submitting the application, you will need to contact the officer directly for updated information on your case. In fact, police inquiries are handled by another dedicated team, not customer support, and we cannot post updates directly in chat.
Thank you for contacting the Binance Security team.
TLDR: API withdrawal. We cannot withdraw the funds. Please contact the API provider.

API withdrawals do not require a 2FA number. You were sent emails while creating the API.
Unfortunately we cannot return the money. Your best bet is to go to the police, but funds are most likely lost forever.

Output IP 185.19.85.182
Btc adress  bc1qk4g3nfp2qem9wpr0kmkmhgu8glh9w8stp9ysuf     Txid
6fc100b992994af97c56bcb26baea595c3ba4e3aac444ed609dc1a26190d8a38

[1714876778]

1714876778

[1714876778]

1714876778

[1714876778]

1714876778

[1714876778]

1714876778

[1714876778]

1714876778

[1714876778]

1714876778

[Tytanowy Janusz]

I see 2 options:

1- binance is selectively scamming people (less likely)
2- your email is compromised. (more likely)

I advice you to report the incident to Europol (just like binance suggested) and, what is even more important now, change your email password, change passwords of all accounts that are associated with this email, log in to all accounts that are associated with this email and check API section (maybe you have created api keys, by scammer, on other platforms too), change email if possible.

"Create new API key from xx.xxx.xx.xx - 2021-12-21 18:36:47 (UTC)"

Is it your IP under xx.xxx.xx.xx?

[spat]

Yes

[Tytanowy Janusz]

Yes

So my bet is that someone had access to your PC without your knowledge. Friend/girlfriend/family member. Otherwise scammer would not create API key ... he would simply withdraw your money without it. I think someone who had access to your PC created API because he was not ready to steal your founds when he had access yo your PC (safe, untraceable wallet), so he created API key to do that later.


edit:
Or he created API key to bypass 2fa veryfication:

API withdrawals do not require a 2FA number. You were sent emails while creating the API.

According to this you need 2fa and email for withdrawal but only email to create API and withdraw via API. Well its a vulnerability isn't it?

Did you had 2fa enabled?

[spat]

Yes  2fa enabled

[vv181]

IIRC, Binance required 2FA for the creation of an API key.

So, I don't know for sure how you used your devices, but it's likely your mobile phone is compromised that make the attacker gaining an access to your phone. Well, the only things you can do is already mentioned, to report it to the police, and also, you should reinstall your phone into a clear OS.

[DaveF]

What email provider are you using? Do they have access logs?
Since the xx. IP was yours, was there anyone else around you house / that machine at that time?

The IP that the request came from 185.19.85.182 is part of datawire:

Code:

inetnum:        185.19.84.0 - 185.19.85.255
netname:        DATAWIRE-DATACENTERS
descr:          CUSTOMERS ZG01
country:        CH
admin-c:        DA4314-RIPE
tech-c:         DA4314-RIPE
status:         ASSIGNED PA
mnt-by:         DATAWIRE-NOC
created:        2013-09-23T14:18:55Z
last-modified:  2013-09-23T14:18:55Z
source:         RIPE

role:           DATAWIRE AG
address:        Hinterbergstrasse 22
admin-c:        SH3634-RIPE
tech-c:         SH3634-RIPE
nic-hdl:        DA4314-RIPE
mnt-by:         DATAWIRE-NOC
created:        2012-01-03T15:42:22Z
last-modified:  2013-08-25T14:21:45Z
source:         RIPE # Filtered
abuse-mailbox:  abuse@datawire.ch

So either someone who is hosting with them did it or there is a compromised machine there.

Unless the person who did this makes a mistake it's going to just about impossible to trace the funds, but file a police report and see if your insurance covers theft like this.

-Dave

[JeromeTash]

I am not a fan of Binance exchange, but what I think is that they didn't steal the 0.509 BTC like your title suggests. Someone else probably compromised your email and Binance account and stole the funds using the API key loophole.

You may have not seen the confirmation emails because the person behind the attack has access to your compromised email address and can delete the messages before you see them.
If I may ask. Does your email address have 2FA enabled?

[spat]

No unfortunately was not activated

[o_e_l_e_o]

Every regular on this forum knows that I am centralized exchanges' biggest critic, but Binance are not to blame here and did not steal anything from you. If an API key was created for your account that you did not create yourself, then your account has been compromised. If it was done from your IP address, then either your compute/phone or home network has also been compromised, or you did something really stupid like log on to your Binance account from a public computer in an internet cafe or library or something similar.

Revoke all API keys, change all your passwords, enable 2FA on everything, figure out which device was compromised and format and clean install your OS to wipe any malware from it, and figure out if anyone had physical access to your devices.

[JeromeTash]

No unfortunately was not activated

Sorry about that. An email addresses' 2FA verification is probably the most important one of them all. I was one time hacked, and I could have lost a lot of money even with my 2FA enabled exchange accounts but do you know what saved me?

My email address had 2FA enabled. The password was the same across all my accounts, including my email address, but the attacker failed to access my email address due to 2FA. It was like the last line of defense for me, and it saved me so much.

[Quickseller]

What email provider are you using? Do they have access logs?
Since the xx. IP was yours, was there anyone else around you house / that machine at that time?

The IP that the request came from 185.19.85.182 is part of datawire:

That IP address has a history of doing bad things. There was a report of someone sending what I presume to be malware in April 2020.

My guess is the OP's computer was/is infected with malware, and the API keys and acknowledging the email confirmation was done while remotely controlling the OP's computer.

[BitMaxz]

If all of your trading activity on Binance was made on mobile then there is a possibility that your phone is auto-sync to someone else email or apps that could steal your data.
Can you tell us what phone model you currently using?
Chinese or clone phones are easily infected by malware and viruses due to weak security. So if you are using these phones you are already infected.

[Quickseller]

If all of your trading activity on Binance was made on mobile then there is a possibility that your phone is auto-sync to someone else email or apps that could steal your data.
Can you tell us what phone model you currently using?
Chinese or clone phones are easily infected by malware and viruses due to weak security. So if you are using these phones you are already infected.

The OPs cloud account being compromised would not account for the OP's IP address creating the API key.

Malware on phones, while not impossible, would be unlikely IMO, especially considering the amount involved. iPhones for example, are locked down, such that apps are prevented from accessing information without specific approval from the user.