Last week saw a sophisticated phishing-led attack on customers of Binance, but history – thankfully – didn’t repeat itself.
The recent, relatively meteoric rise of Binance to becoming the biggest – by volume – cryptocurrency trading site appears to have come at a cost: it has become a prime target for hackers and scammers. This week saw it become the target of a well-planned, well-timed scam attempt that caused it to block all withdrawals from customer wallets, at least temporarily. The real story, though, is that it appears to have come out on the other side with its reputation intact – and perhaps avoided becoming the next Mt. Gox or Coincheck.
Around 3pm UK time on March 7th, posts from angry Binance users began to hit Reddit, telling of how trades were being made from their accounts seemingly apropos of nothing. For a while, as is the way with these things in the fast-moving world of Reddit, Twitter and Telegram, confusion reigned. Then, pretty quickly, a picture of events formed – and it became clear that what was happening was a coordinated attempt to scam users and get their money out of Binance by selling off a relatively obscure cryptocurrency with a relatively low market capitalisation, in this case Viacoin (VIA), at a pumped up price.
In more detail, the plan went as follows:
1. Set up multiple Binance accounts, 31 apparently, to buy Viacoin (VIA) cheaply. Then set bots to sell your cache of coins at a very inflated price point. It would appear that this was set at something around 0.025 BTC – around £160, or 10,000% of Viacoin’s usual value.
2. Make sure your accounts scoop up all of the VIA available for sale on the Binance exchange – that is why low market capitalisation matters – as then you have cornered the buying options.
3. Access hacked accounts and convert all the altcoin assets within them to Bitcoin.
4. Then – and this is the key – set bots linked to the hacked accounts to buy Viacoin with Bitcoin at your set selling price.
5. Let the bots do their thing, swap the accrued Bitcoin for cash, and get out quickly.
While that may, to a layman, seem like a circuitous way to steal from accounts you already have access to, it was part of a reasonably long game the hackers had been playing to get around the fact that ever tighter security is making it more and more difficult to outright hack a site. It’s also a theoretically effective way to try to ‘clean’ the crypto before cashing out, and thus avoid being traced. It also has to do with the way the hackers gained access to all those Binance accounts, and what they did with them when they had it.
Reports of spoofed Binance phishing sites have been doing the rounds on Reddit and social media for months. Indeed, unbeknownst to most people, the genesis of this hack was spotted by Reddit user Games_sans_frontieres in February, when they took to the r/cryptocurrency subreddit to warn people about a particular Binance spoof site that was using a Unicode-altered version of the Binance URL (look at the two small dots underneath the two ‘n’ characters in the picture below). The site was being promoted through Google, and could potentially be clicked accidentally following a Google search for Binance – with the hyperlink underlining potentially hiding the altered characters.
This URL was later identified by Binance’s creator, Changpeng Zhao (aka CZ), as being the site responsible for stealing user details and two-factor security information from his customers.
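The spoof domain described above relied on characters that look like ASCII letters but are not. The following check is an added example, not code from the article or from Binance: it flags a hostname that collapses to a protected brand once diacritics are stripped, and separately flags a hostname that mixes scripts (which the skeleton check alone would miss). The lookalike string is a reconstruction that assumes U+1E47 (n with dot below) for the two dotted ‘n’ characters; the page does not name the exact code point, and the protected-domain list is constructed for the example.

```python
import unicodedata

# Brand domains to protect (constructed list for this example).
PROTECTED_DOMAINS = {"binance.com"}

# Assumed reconstruction of the lookalike in the article: U+1E47 stands in
# for the dotted 'n' characters. The real code point is not on the page.
LOOKALIKE = "bi\u1e47a\u1e47ce.com"


def skeleton(host: str) -> str:
    """Strip diacritics: NFKD splits a precomposed letter such as 'ṇ' into
    the base letter plus combining marks, and we drop the marks."""
    decomposed = unicodedata.normalize("NFKD", host.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def to_punycode(host: str) -> str:
    """ASCII (xn--) form of the host, as a resolver would see it."""
    return host.encode("idna").decode("ascii")


def scripts_in(host: str) -> set:
    """First word of each letter's Unicode name: LATIN, CYRILLIC, GREEK..."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in host if ch.isalpha()}


def classify(host: str, protected=PROTECTED_DOMAINS) -> dict:
    """Return a verdict for one hostname.

    lookalike_of  - protected domain the skeleton matches (None if no match)
    mixed_script  - letters from more than one script in the same host
    suspicious    - either signal fired
    """
    host = host.strip().rstrip(".").lower()
    is_ascii = host.isascii()
    skel = skeleton(host)
    # An exact ASCII match is the genuine domain, not a lookalike.
    lookalike_of = skel if (not is_ascii and skel in protected) else None
    mixed = len(scripts_in(host)) > 1
    return {
        "host": host,
        "is_ascii": is_ascii,
        "punycode": host if is_ascii else to_punycode(host),
        "skeleton": skel,
        "lookalike_of": lookalike_of,
        "mixed_script": mixed,
        "suspicious": lookalike_of is not None or mixed,
    }


if __name__ == "__main__":
    for h in (LOOKALIKE, "binance.com", "b\u0456nance.com"):  # last: Cyrillic i
        print(classify(h))
```

The two signals are complementary: the dotted-n domain is all Latin script, so only the skeleton match catches it, while a Cyrillic ‘і’ substituted into an otherwise Latin name survives normalisation and is caught only by the mixed-script check. Showing users the punycode form (xn--…) rather than the rendered Unicode is the same idea browsers apply to suspicious IDNs.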
A user’s history. Can you see the two dots under the domain name? Phishing website that redirects to the real website after login. Additionally, after you log in once, it doesn’t let you access the phishing site again – will auto-redirect you to Binance (even after logging out) pic.twitter.com/WOKhKrp7tx
— CZ (not giving crypto away) (@cz_binance) March 7, 2018
What the hackers did with these logins, it appears, was then create API keys – which grant remote access to accounts from third-party software – to allow their bots to complete the series of trades outlined above. It was a subtle play, and one that allowed them to accumulate a large amount of accounts across January and February and plan their big move without alerting the attention of users.
They went unnoticed because, unless a user specifically checked their list of API keys, they would not have been alerted to the request made by the hackers. Email confirmation was previously only required by Binance if an API key was requested to allow withdrawals from the site, not for the purposes the hackers requested. This extra security feature, we’re told, has since been changed by the site’s coding team.
It appears the hope of the hackers was to execute the plan so quickly that they could cash out before anyone worked out the whole picture. It very nearly worked, until it didn’t.
The plan failed because, according to the exchange’s support staff, Binance’s monitoring tools noticed the sudden flurry of trading on the VIA-BTC market, and automatically blocked withdrawals from the accounts that were selling VIA at the higher price – and quite soon after, all accounts were blocked from withdrawing to give the team breathing space to analyse what was happening.
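The monitoring described in this paragraph amounts to two checks: trades printing far above the recent market price, and many of them arriving in a short burst. The following is an added example of that detection logic, not Binance's own code or a description of its systems; the trade records, account names and thresholds are all constructed, and the price levels (roughly 0.00025 BTC normally, 0.025 BTC during the spike) are chosen to match the 100× jump the article reports.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Trade:
    ts: int        # unix seconds
    pair: str
    price: float   # BTC per unit of the base coin
    qty: float
    buyer: str
    seller: str


def flag_pump_burst(trades, baseline_window=20, min_history=5,
                    price_multiple=10.0, burst_window_s=60, min_burst=5):
    """Walk trades in time order keeping a rolling median of prices that were
    not flagged. A trade at >= price_multiple * median is flagged; if at
    least min_burst flagged trades fall inside burst_window_s, return the
    sellers on those trades (the accounts to freeze) and the trades."""
    history, flagged = [], []
    for t in sorted(trades, key=lambda x: x.ts):
        if len(history) >= min_history:
            baseline = median(history[-baseline_window:])
            if t.price >= price_multiple * baseline:
                flagged.append(t)
                continue          # keep the outlier out of the baseline
        history.append(t.price)

    # Sliding window over the flagged trades' timestamps.
    in_burst = set()
    for i, t in enumerate(flagged):
        window = [f for f in flagged[i:] if f.ts - t.ts <= burst_window_s]
        if len(window) >= min_burst:
            in_burst.update(window)

    sellers = sorted({t.seller for t in in_burst})
    return sellers, sorted(in_burst, key=lambda x: x.ts)


def constructed_trades():
    """Constructed VIA-BTC tape: 30 ordinary trades, then 8 at 100x the price."""
    trades = []
    for i in range(30):
        jitter = 1 + 0.01 * ((i % 5) - 2)            # +/- 2% around 0.00025
        trades.append(Trade(1000 + i * 10, "VIA-BTC", 0.00025 * jitter, 100.0,
                            f"user_{i % 7}", f"user_{(i + 3) % 7}"))
    sellers = ["acct_s01", "acct_s02", "acct_s03"]   # constructed names
    for j in range(8):
        trades.append(Trade(1400 + j * 4, "VIA-BTC", 0.025, 50.0,
                            f"victim_{j:02d}", sellers[j % 3]))
    return trades


if __name__ == "__main__":
    to_freeze, burst = flag_pump_burst(constructed_trades())
    print("freeze withdrawals for:", to_freeze)
    print("anomalous trades:", len(burst))
```

Excluding flagged trades from the baseline matters: a plain rolling average would chase the spike upward and stop flagging it after a handful of prints. Freezing withdrawals on the selling side, rather than cancelling trades, mirrors the response the article describes and leaves the team time to decide what can be reversed.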
There are still outliers on Reddit and other platforms disputing Binance’s phishing narrative, and alleging a hack upon the site itself. However, on the surface, it does appear that had Binance’s monitoring not worked so well the hackers would have cashed out and never been seen again. Well, until the next time they tried it.
As part of a laudable campaign to appear as transparent as possible about what was going on, CZ quickly took to Twitter to try to calm things down.
All funds are safe. There were irregularities in trading activity, automatic alarms triggered. Some accounts may have been compromised by phishing from before. We are still investigating. All funds are safe.
— CZ (not giving crypto away) (@cz_binance) March 7, 2018
The Right Response?
Crypto subreddits are still seeing somewhat bitter exchanges between mods and Binance customers insisting that they have not been the victims of phishing, and that something altogether fishier is going on behind the scenes at the exchange. The truth is there may well have been multiple attack vectors employed by these clever hackers and, while the cause of some specific users’ problems may not be phishing, it seems increasingly unlikely that Binance was at fault in this case.
Like all things, what you believe largely comes down to a matter of trust and experience, and the exchange has done itself a lot of favours with its speedy, transparent and plausible interpretation of events – all delivered in a manner that hints its staff were as fascinated and impressed by what was going on as we uninvested observers were.
That doesn’t mean everyone walked away unharmed, though. As Binance itself pointed out:
“There are still some users whose accounts were phished by these hackers and their BTC were used to buy VIA or other coins. Unfortunately, those trades did not execute against any of the hackers’ accounts as counterpart. As such, we are not in a position to reverse those trades. We again advise all traders to take special precaution to secure their account credentials.”
This statement stands as a salutary reminder that security is a personal responsibility and that there are limits to what can be done by a site or service to protect investors. Thus, it may be apposite to end this by saying that, though there can be security issues inherent in running ill-considered Chrome extensions, it may be worth taking a look at Cryptonite, a plug-in for Google’s browser specifically designed to prevent users giving up login details to spoof sites such as those used by the Binance scammers.
That, and ‘Keep ’em Peeled’.