Binance Finds Over 100 Malicious Phishing Domains Targeting Cryptocurrency Exchange Users

  • Binance's research found over 100 malicious domains targetting cryptocurrency exchange users
  • The dmaoins were advertised on search engines, and tricked users by looking just like the exchanges they were copying
  • The list shows hackers try to phish users from othr exchanges, centralized and decentralized.

Binance, one of the biggest cryptocurrency exchanges out there, recently revealed that it found over 100 malicious domains trying to phish cryptocurrency exchange users, while attempting to find those responsible for the attack that saw it liquidate user’s balances earlier this month.

As covered, Binance was liquidating user’s funds because hackers managed to phish them by creating websites that looked like that of the exchange’s on malicious domains to obtain their login credentials. Although the hackers didn’t manage to cash out their ill-gotten funds, they manipulated the VIA/BTC trading pair in a sophisticated theft attempt.

In response, Binance launched a $250,000 bounty for information that would help lead to the hackers’ arrest. Although its investigation isn’t over, the cryptocurrency exchange managed to find domains associated with the cybercriminals’ phishing operation.

The exchange’s team noted:

“Given the scale of the operation, we believe this may be the work of a group rather than an individual, but we certainly aren’t ruling out the possibility.”


The list Binance put forth contains over 100 malicious domains, and the exchange notes it isn’t an exhaustive list as there are more to identify. The domains were mostly using a “bullet-proof European webhost.”

The malicious domains notably don’t just target Binance, but most major cryptocurrency exchanges. Fake domains for Poloniex, HitBTC, Bittrex, and others can be found on the list. To get users on these domains, the cybercriminals used “numerous search engine advertising campaigns.”

Google’s recent ban on cryptocurrency ads is set to hinder criminals’ ability to advertise their malicious domains. The ban saw Google get sued by a Russian entrepreneur, although other platforms, including Twitter, made a similar move.

Binance further revealed there are two common names amongst the registrations of the malicious domains. By running a reserve lookup of the names in question, the company’s investigators managed to find a variety of other domains who’re seemingly malicious as well.

One of the hackers’ victims shared the IP address associated with the API key creation on their account. The IP leads back to Lipetsk, Russia. This, however, could not be an accurate location as the hacker(s) was likely using a VPN. Binance added:

“However, after cross-referencing this information against the registrants of the domains above, it is safe to assume that the attacker(s) may reside in Eastern Europe.”


The exchange also found suspicious transactions on the VIA blockchain. These were made one and two hours prior to the incident. A total of 31 transactions containing a total of 4,000 VIA each were found.

At the end of its update, Binance called on the cryptocurrency community to keep on helping it catch those responsible for the attack it managed to thwart. As an incentive, it reminded the community that $250,000 are still up for grabs.