Just after midnight last night, digital asset exchange Binance announced that it had suffered a major security breach which led to $40 million of bitcoin being stolen from its hot wallet.
The first sign of trouble came around 8pm BST on Tuesday when CZ, the Binance CEO, sent out a tweet announcing “some unscheduled server maintenance”:
Have to perform some unscheduled server maintenance that will impact deposits and withdrawals for a couple hours. No need to FUD. Funds are #safu.
— CZ Binance (@cz_binance) May 7, 2019
Then four and a half hours later, Binance sent out this tweet to explain why deposits/withdrawals had been disabled:
— Binance (@binance) May 7, 2019
According to Binance, the hackers had used various techniques including “phishing, viruses and other attacks” to obtain “a large number of user API keys, 2FA codes, and potentially other info”. During the attack, Binance’s BTC hot wallet (which contained 2% of Binance’s bitcoin holdings) was affected, and the stolen 7,000 BTC (worth over $40 million) was withdrawn in a single Bitcoin transaction. It wasn’t detected because the whole attack happened within one confirmation – by the time the alarms had been triggered, the funds were gone.
In a Periscope session that was scheduled for 4am BST on Wednesday (May 8), CZ asked Binance users to reset their Two-Factor Authentication (2FA) credentials, since Binance doesn’t know how many users were affected. Additionally, he asked all API users to recreate their API keys.
The news has negatively affected the crypto markets today, although Binance has since said that it will reimburse affected users from its Secure Asset Fund for Users (SAFU), a measure put in place in 2018 to ensure users do not suffer financial loss in situations such as these.