Cyber Incident Victim: Binance

Date:

Mar 2018

Location:

China

Summary

A cryptocurrency exchange experienced unauthorized trading activity where users' altcoins were sold and converted into Bitcoin and other assets, linked to compromised API keys obtained through a phishing campaign involving a fraudulent clone website. Attackers created dormant API keys using stolen credentials and executed coordinated trades during a brief window, manipulating the price of a low-liquidity coin to profit from artificial inflation. The platform suspended trading, reversed suspicious transactions, and froze targeted coins, mitigating further losses, though some stolen Bitcoin remained unrecoverable due to counterparty transactions. While most affected users regained their funds, the incident underscored vulnerabilities in third-party API key management and the effectiveness of phishing tactics against digital asset platforms.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On March 7, 2018, Binance users reported unauthorized trading activity where their cryptocurrency holdings were automatically sold and converted into Bitcoin and other digital assets without consent. Panicked traders observed altcoins being liquidated, with some accounts showing newly created API keys despite having two-factor authentication enabled. Binance initially stated no evidence indicated a direct breach of its platform infrastructure but later identified the root cause as compromised API keys linked to third-party trading bots. The exchange temporarily suspended all trading activity and initiated investigations into irregular transactions. Forensic analysis revealed attackers had executed a prolonged phishing campaign through a counterfeit domain mimicking Binance’s legitimate website (binance.com), harvesting login credentials from victims who unknowingly interacted with the fraudulent site.

The attackers exploited stolen credentials to generate dormant API keys on genuine Binance accounts, which they activated during a targeted two-minute trading window. Fraudsters concentrated on manipulating Viacoin (VIA), a low-liquidity cryptocurrency, by using stolen Bitcoin to purchase VIA and subsequently selling it for profit. Binance froze all VIA holdings to disrupt further malicious trades and reversed unauthorized transactions where possible. However, Bitcoin spent on VIA purchases could not be recovered because counterparties in these trades were legitimate accounts unrelated to the attackers. The exchange restored affected users’ original asset balances where feasible and reiterated security guidance urging customers to safeguard credentials. Users expressed relief at fund recovery but acknowledged Binance’s policy of non-compensation for phishing-related losses. The incident underscored operational risks posed by phishing campaigns targeting cryptocurrency platforms and their users.
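The two signals the description above gives a defender are specific enough to check for: API keys that sit unused for a long time after creation and then wake up, and several such keys trading the same thin market inside a two-minute window. The following is an added example, not code from Binance or from this incident database; the record layouts (key_id, account, created_at; timestamp, key_id, account, symbol, side), the sample rows and the thresholds (7 days dormant, 2-minute window, 2 keys) are all constructed assumptions for illustration.

```python
"""Flag dormant API keys that wake up together in a burst of trades on one market."""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_MIN_DAYS = 7            # assumed: unused this long after creation counts as dormant
BURST_WINDOW = timedelta(minutes=2)   # assumed: matches the short trading window described
MIN_KEYS_IN_BURST = 2           # assumed: distinct dormant keys needed to raise an alert

# Constructed sample data (not real exchange records); field names are assumptions.
API_KEYS = [  # (key_id, account, created_at)
    ("k1", "alice", "2018-02-20T10:00:00"),
    ("k2", "bob",   "2018-02-21T11:30:00"),
    ("k3", "carol", "2018-03-07T14:50:00"),
    ("k4", "dave",  "2018-02-19T09:15:00"),
]
TRADES = [  # (timestamp, key_id, account, symbol, side)
    ("2018-02-19T09:30:00", "k4", "dave",  "BTC/USDT", "BUY"),   # k4 used right after creation
    ("2018-03-07T14:58:10", "k1", "alice", "VIA/BTC",  "BUY"),   # k1 first used after 15 days
    ("2018-03-07T14:58:25", "k2", "bob",   "VIA/BTC",  "BUY"),   # k2 first used after 14 days
    ("2018-03-07T14:59:05", "k4", "dave",  "VIA/BTC",  "BUY"),   # active key, not dormant
    ("2018-03-07T14:59:40", "k1", "alice", "VIA/BTC",  "SELL"),
    ("2018-03-07T15:05:00", "k3", "carol", "ETH/BTC",  "BUY"),   # new key, used within minutes
]


def ts(s):
    """Parse the ISO-8601 timestamps used in the sample rows."""
    return datetime.fromisoformat(s)


def dormant_keys(api_keys, trades, min_days=DORMANT_MIN_DAYS):
    """Return key_ids whose first trade comes at least min_days after the key was created."""
    first_use = {}
    for t, key_id, *_ in trades:
        first_use[key_id] = min(first_use.get(key_id, ts(t)), ts(t))
    dormant = set()
    for key_id, _account, created in api_keys:
        if key_id in first_use and first_use[key_id] - ts(created) >= timedelta(days=min_days):
            dormant.add(key_id)
    return dormant


def find_bursts(trades, dormant, window=BURST_WINDOW, min_keys=MIN_KEYS_IN_BURST):
    """For each symbol, find the window of length `window` holding the most distinct
    dormant keys; report it when that count reaches min_keys.
    Returns {symbol: (window_start, window_end, sorted accounts)}."""
    by_symbol = defaultdict(list)
    for t, key_id, account, symbol, _side in trades:
        if key_id in dormant:
            by_symbol[symbol].append((ts(t), key_id, account))
    alerts = {}
    for symbol, events in by_symbol.items():
        events.sort()
        best = None
        for i, (start, _, _) in enumerate(events):   # slide a window from each event
            keys = {}
            for t, key_id, account in events[i:]:
                if t - start > window:
                    break
                keys[key_id] = account
            if len(keys) >= min_keys and (best is None or len(keys) > len(best[2])):
                best = (start.isoformat(), (start + window).isoformat(),
                        sorted(set(keys.values())))
        if best:
            alerts[symbol] = best
    return alerts


if __name__ == "__main__":
    woke = dormant_keys(API_KEYS, TRADES)
    print("dormant keys activated:", sorted(woke))
    for symbol, (start, end, accounts) in find_bursts(TRADES, woke).items():
        print(f"ALERT {symbol}: dormant keys from {accounts} traded between {start} and {end}")
```

On the sample rows, k1 and k2 are flagged as dormant keys that woke up, and the VIA/BTC market gets one alert covering both accounts; k4, which traded as soon as it was created, is excluded even though it bought VIA in the same window, and k3 is a freshly created key used within minutes, which is ordinary bot setup rather than dormancy. In production the same logic would run over the exchange's API-key audit log and trade feed, and the alert would be the trigger for the response the page describes: pausing trading on the affected market and reviewing the flagged accounts' keys.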

Sources

1 source (available to members)