Cyber Incident Victim: Fetch.ai

Date: Mar 2018

Location: China

Summary

A cryptocurrency exchange experienced unauthorized trading activity due to compromised API keys obtained through a phishing campaign involving a fraudulent replica of its website. Attackers used stolen credentials to create dormant API keys, later executing coordinated trades during a brief window to convert victims' altcoins into Bitcoin and manipulate Viacoin's price for profit. The platform suspended trading, reversed suspicious transactions, and froze targeted assets, which mitigated further losses, but it was unable to recover all spent Bitcoin from external counterparties. While many affected users had funds restored, the incident underscored vulnerabilities stemming from credential theft and automated trading systems.

Description

On or around March 7, 2018, Binance cryptocurrency exchange users reported unauthorized trades involving the automatic sale of their altcoins and conversion into Bitcoin (BTC) and other cryptocurrencies. Some affected accounts with two-factor authentication (2FA) enabled discovered unauthorized API keys had been generated without their knowledge, enabling automated trading activity. Initial user complaints described panic as funds were liquidated unexpectedly. Binance first responded by denying evidence of a platform breach but later attributed the incident to compromised API keys typically used for trading bots. The exchange temporarily suspended all trading activity and initiated reversals of transactions identified as fraudulent.

Investigation revealed attackers operated a phishing campaign through a counterfeit domain mimicking Binance’s legitimate website (binance.com). Victims who logged into this fraudulent site inadvertently exposed their account credentials, allowing attackers to create dormant API keys linked to their accounts. During a coordinated two-minute trading window, these keys executed trades that moved BTC from compromised accounts. Attackers specifically targeted Viacoin (VIA), a cryptocurrency with low market liquidity, using stolen BTC to purchase VIA and then selling it for profit. Binance froze the fraudulently acquired VIA coins to prevent further monetization, though BTC spent on VIA purchases could not be recovered because counterparty accounts were not controlled by the attackers. The exchange restored most affected users’ assets through transaction reversals but clarified it had no obligation to compensate losses stemming from phishing. Users expressed relief at fund recovery while acknowledging the incident underscored vulnerabilities in third-party API key management and the effectiveness of phishing tactics against cryptocurrency platforms.
