Cryptocurrency exchange Binance says a large-scale phishing campaign was behind abnormal trading activity that affected some of its users.
The trouble started on 7 March when some Binance users posted to Reddit about problems with the alternative coin (altcoin) balances in their accounts. Here’s what one person said:
Binance just sold all my alts at market rate and I have got just the Bitcoin now. Is it because of account getting hacked or Binance bot issue? Have raised a ticket 715903 for this.
A few of those affected revealed that a suspicious trading API key had appeared on their account at around the same time they noticed the strange market activity. Many of them also had two-factor authentication (2FA) enabled, leading them to wonder whether Binance was suffering from some type of vulnerability.
Within an hour of the first user posting their complaint, the cryptocurrency exchange acknowledged the issues in a Reddit update and revealed it had disabled withdrawals while it looked into them.
This investigation led Binance to conclude that a “large scale phishing and stealing attempt” had laid the groundwork for the abnormal trading activity.
According to a statement published by the exchange, the attackers spent weeks harvesting users’ login credentials with phishing attacks that sent victims to Unicode-based lookalike domains (domain names containing Unicode characters that render almost identically to binance.com). They then used those credentials to log in and create trading API keys on each compromised account, and waited until 7 March. An API key, once issued, places trades on the account’s behalf without a 2FA prompt, which is why accounts with 2FA enabled were still affected.
A user’s history. Can you see the two dots under the domain name? Phishing website that redirects to the real website after login. Additionally, after you log in once, it doesn't let you access the phishing site again – will auto-redirect you to Binance (even after logging out) pic.twitter.com/WOKhKrp7tx
— CZ (not giving crypto away) (@cz_binance) March 7, 2018
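The Unicode lookalike domain described in Binance’s statement and in the tweet above is a classic IDN homograph: the name a user sees in the address bar is not the name DNS resolves. The Python script below is an added example written for this page, not code from Binance or from the original article, and it uses only the standard library. The sample domains are constructed here to mimic the “two dots under the domain name” (a dot-below mark on each ‘n’, built once as the precomposed letter and once with a combining mark), plus one Cyrillic-letter variant to show the same check generalizing to a different trick; the small Cyrillic lookalike table is hand-picked for illustration and is not Unicode’s full confusables list.

```python
import unicodedata

# The real domain the phishing pages imitated (named in the article).
LEGIT_DOMAIN = "binance.com"

# Constructed sample domains. The first two lookalikes mimic the tweet's
# "two dots under the domain name": a dot-below on each 'n', once as the
# precomposed letter U+1E47 and once as 'n' + U+0323 COMBINING DOT BELOW.
# The Cyrillic one is a different trick (a different script, no marks).
SAMPLE_DOMAINS = [
    "binance.com",                 # the real thing
    "bi\u1e47a\u1e47ce.com",       # precomposed n-with-dot-below
    "bin\u0323an\u0323ce.com",     # same appearance, combining marks
    "b\u0456nance.com",            # Cyrillic 'i' (U+0456) for Latin 'i'
    "coinbase.com",                # unrelated, should not be flagged
]

# Hand-picked Cyrillic letters that render like Latin ones. This is a
# small illustrative table, not Unicode's full confusables.txt data.
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})


def to_punycode(domain: str) -> str:
    """Encode the name the way DNS actually sees it.

    Any label with non-ASCII characters comes back as an 'xn--' label, so
    a domain that looks like binance.com in the address bar is exposed as
    a completely different name. The real domain is returned unchanged.
    """
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Reduce a domain to roughly what a human sees.

    NFKD decomposition splits 'ṇ' into 'n' + combining dot below; dropping
    every nonspacing mark (category Mn) then leaves a plain 'n'. The
    Cyrillic table handles lookalikes that are whole letters, not marks.
    """
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(ch for ch in decomposed
                       if unicodedata.category(ch) != "Mn")
    return stripped.translate(CYRILLIC_LOOKALIKES)


def classify(domain: str, legit: str = LEGIT_DOMAIN) -> str:
    """'legit' for the exact domain, 'lookalike' when the skeleton matches
    the legitimate domain but the name itself does not, else 'unrelated'."""
    if domain == legit:
        return "legit"
    if skeleton(domain) == skeleton(legit):
        return "lookalike"
    return "unrelated"


def report(domains=SAMPLE_DOMAINS) -> dict:
    """Map each domain to (wire-format name, verdict), e.g. for a log review."""
    return {d: (to_punycode(d), classify(d)) for d in domains}


if __name__ == "__main__":
    for domain, (wire_name, verdict) in report().items():
        print(f"{verdict:10} {domain!r:34} -> {wire_name}")
```

The skeleton here is deliberately crude; a production check would use Unicode’s confusables data (UTS #39) and an IDNA 2008/UTS #46 library rather than the NFKD-and-strip shortcut. The punycode column is the more reliable signal: a link or proxy log entry whose host contains an `xn--` label when the real site’s never does is worth flagging on its own, and a password manager that only autofills on the exact registered domain would not have offered the Binance credentials to the phishing page at all.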
Binance explains what happened next:
Yesterday, within the aforementioned 2 minute period, the hackers used the API keys, placed a large number of market buys on the VIA/BTC market, pushing the price high, while 31 pre-deposited accounts were there selling VIA at the top. This was an attempt to move the BTC from the phished accounts to the 31 accounts. Withdrawal requests were then attempted from these accounts immediately afterwards.
Users were overall impressed with Binance’s response. After freezing the VIA coins deposited by the hackers, the cryptocurrency exchange credited most affected users’ accounts with an amount of Bitcoin that was equivalent to or close to the total of their stolen alternative coin funds.
In some cases, however, the attackers used compromised accounts to buy alternative coins with the victims’ stored Bitcoin. Those trades “did not execute against any of the hackers’ accounts as counterpart,” according to Binance, so with a legitimate third party on the other side of each trade they cannot be reversed.
With that said, Binance is urging all users to take adequate steps to protect their accounts with a strong password and 2FA and to stay on the lookout for phishers.
The cryptocurrency exchange has since resumed withdrawals.