Binance Gets Hacked: 7000 Bitcoin Taken From Its BTC Hot Wallet in One Transaction

At 23:40 UTC on Tuesday (May 7), digital asset exchange Binance announced that it had suffered a major security breach—discovered at 17:15 UTC that day—as a result of which it lost 7000 BTC.

The first sign of trouble came at around 19:06 UTC on Tuesday when Changpeng Zhao (aka "CZ"), co-founder and CEO at Binance, sent out a tweet to announce "some unscheduled server maintenance":

Then, approximately four and a half hours later, Binance sent out this tweet to explain why deposits/withdrawals had been disabled:

Here are the facts and their implications according to Binance's announcement:

  • Binance detects "a large scale security breach" at 17:15:24 UTC on May 7.
  • The hackers had used various techniques ("phishing, viruses and other attacks") to obtain "a large number of user API keys, 2FA codes, and potentially other info;" Binance is continuing its investigation.
  • During this attack, only Binance's BTC hot wallet (which contained 2% of Binance's entire BTC holdings) was affected, and the stolen 7000 BTC (worth over $40 million) was withdrawn in a single Bitcoin transaction.
  • The hackers used multiple ("seemingly independent") compromised user accounts to perform the attack; Binance's security checks, sadly, did not detect what was going on, and alarms only got triggered once the withdrawal had been executed, at which point all withdrawals were disabled.
  • Binance will use its Secure Asset Fund for Users (SAFU), which was announced on 3 July 2018, to make sure that its users do not suffer any financial loss.
  • Binance has started a "security review" that is expected to take around one week. During this period, no deposits or withdrawals are possible, but trading is allowed to continue.

Here is a screenshot from Blockchain.com's blockchain explorer tool that shows the "7000 BTC transaction":

[Screenshot: Binance hack, 7000 BTC transaction]

In case you are wondering how these funds were stolen in a single transaction, Dovey Wan, a founding partner at crypto-focused investment firm Primitive Ventures, explained on Twitter: "BTC block confirmation is slow so hacker finished all requests via API call and confirmed in 1 BTC transaction."

In a Periscope session that was scheduled for 03:00 UTC on Wednesday (May 8), CZ asked all Binance users to reset their Two-Factor Authentication (2FA) credentials since Binance doesn't know how many users were affected. Also, he warned all API users to recreate their API keys.

Even more importantly, CZ mentioned that Binance is considering a "rollback" (reorganizing the Bitcoin blockchain) to recover the stolen funds, but did not like this idea because it might "destroy credibility for Bitcoin."

The news has naturally affected the crypto markets, with almost all cryptoassets currently in the red.

According to CryptoCompare, at press time, BTC is trading at $5,844.34, down 2.26% in the past 24-hour period:

[Chart: BTC, 24-hour CryptoCompare chart, 8 May 2019]

Binance Coin (BNB) has been harder hit:

[Chart: BNB, 24-hour CryptoCompare chart, 8 May 2019]

These are a few reactions from the crypto community on Twitter:

  • Su Zhu (CEO and CIO at Three Arrows Capital): "Sometimes when I step back and think, am amazed by how crypto industry news has become mainstream and white glove finance news. Binance hack has made it to Bloomberg terminal front page, featuring along-side reportings on central bank activities."
  • Arianna Simpson (Founder & Managing Director at ASP): "Welllllll on the upside I guess the Binance hack is good marketing for their DEX initiative?"
  • Alex Krüger (Economist, Trader, and Analyst): "In a bear market this would have easily have caused a deluge. Either way, good excuse for bulls to take cover, bears to charge."
  • Justin Sun (Founder and CEO of TRON Foundation): "To support @binance, I will personally deposit 7000 BTC worth USDT (40 million USDT) into @binance to buy $BNB, $BTC, $TRX & $BTT if @cz_binance agrees. No need to #FUD! Funds are #SAFU!"
  • Gabor Gurbacs (digital asset strategist/director at VanEck/MVIS): "Good for @justinsuntron, @Tronfoundation and the exchange world to offer help to @binance and @cz_binance in times of need. That’s the spirit. Even if they don’t need help, we shall stand together during hard times."
  • Twitter user @theonevortex: "Even if a friendly blockchain reorg was possible to specifically target the stolen funds it would absolutely set a terrible precedent in #bitcoin. The perception of immutability and digital gold would be lost entirely."
  • Katherine Wu (former director at Messari): "Update: hours after breach event @cz_binance is personally taking questions from twitter in live video. This level of transparency and response is absolutely commendable."

2019 is the year we may see the highest volume of security breaches. For many, now is the time to take decisive action after the Binance hack.

Featured Image Credit: Photo via Pixabay.com

Crypto Exchange Update: Binance, Bitfinex, Bitstamp, Huobi Global, and Poloniex

Siamak Masnavi

The "Crypto Exchange Update" covers the latest news from Binance, Bitfinex, Bitstamp, Huobi Global, and Poloniex for the week 14 October 2019 to 20 October 2019.

Binance

  • October 14: Binance announced that it would be launching phase 9 of Binance Lending Products at 12:00 UTC on 16 October 2019. This is when 14-day fixed term lending products for BNB, BTC, BUSD, ETH, MATIC, and USDT became available.
  • October 15:
    • Binance.US listed Dash (DASH).
    • Binance and Swiss firm Amun AG jointly announced the launch of a BNB Exchange-Traded Product (ETP) on the regulated segment of the SIX Swiss Exchange.
    • Binance announced support for the staking of Harmony (ONE) tokens on Binance starting on 16 October 2019.
    • Binance introduced the Binance Academy mobile app (available for both iOS and Android).
  • October 16: Binance announced that the next token to go on sale on its IEO platform Binance Launchpad would be Kava (KAVA).
  • October 17:
    • Binance.US listed Algorand (ALGO) and Zcash (ZEC).
    • Binance announced that it had completed the 9th quarterly BNB coin burn (2,061,888 BNB, worth roughly $36.7 million, was burnt).
  • October 18:
    • Binance Futures increased maximum leverage from 20x to 125x for BTC/USDT contracts.
    • Binance.US said that from 18 October 2019, "USD deposits are eligible for FDIC insurance coverage."

Bitfinex

On October 17, Bitfinex announced the launch of the Bitfinex Affiliate Program. Bitfinex customers who join this program and become affiliates can potentially earn "unlimited commission" by sharing invite links across their social media channels.

Bitstamp

On October 15, Bitstamp, Europe's largest crypto exchange by trading volume, announced that it is integrating Ledger Vault’s technology to "enable advanced custody options." Bitstamp and Ledger's joint press release said that Ledger Vault "will provide flexible wallet tech infrastructure that will allow Bitstamp to set up a sophisticated and very secure custody system with end-to-end hardware backed transfers and a strong multi-authorization governance model, ensuring there are no single points of failure and allowing better management of assets in storage."

Huobi Global

On October 15, Huobi Global said that it had "completed the repurchase and burn of HT for Q3 2019 (a total of 11.3321 million HT, approximately equivalent to 40.6369 million USDT), of which, 8.3389 million HT was directly repurchased from the secondary market, with 2.9932 million HT derived from HT fee income."

Then, on October 18, Huobi announced that it planned to launch a fiat gateway in Turkey that will allow local investors/traders to buy Tether (USDT) with the local currency (the Turkish Lira) via their bank accounts. Then, they can trade USDT against any of the 250 cryptoassets supported by Huobi Global.

Poloniex

On October 18, Poloniex announced that it was being spun out from its parent, FinTech startup Circle, into a new company, Polo Digital Assets, Ltd., "with the backing of a major investment group" so that it would be free "to focus on the needs of global crypto traders with new features, assets and services."

Unfortunately, there was some bad news for Poloniex's U.S. customers since Polo Digital Assets won't be supporting them, which means that (i) U.S. persons will not be allowed to create accounts on Poloniex; and (ii) from 1 November 2019, U.S. customers won't be able to do any more trading on Poloniex, though they can make withdrawals via Circle until 5 December 2019.

 
