Deposit addresses on the app are different from those on the computer web page? Two phishing incidents involving users of exchanges.

Recently, there have been two mysterious cryptocurrency theft incidents in which users transferred assets through a cryptocurrency exchange app, only to have their funds sent to hacker addresses. The common factor in both cases is that the users did not download the app from the exchange's official website, but instead found it through a search engine in their browser. Security firm SlowMist indicated that the fake app versions functioned normally, the only difference being that malicious code had been implanted to alter the deposit and withdrawal addresses.

Fake App Used for Six Months Without Detection

Binance user and Twitter user "CoinCircle Xiao Hu" described how his coins were stolen:

On 10/24, preparing to transfer 5 ETH from the MetaMask Chrome extension to the Binance App on his Huawei phone, he generated a QR code in the App and scanned it with MetaMask. The operation was the same as before.

However, the coins did not arrive. A few hours later, he contacted customer service, who stated that the address did not belong to any Binance user.

Customer service pointed out that he may have installed a fake App and asked him to compare the deposit address on the Binance desktop web page with the one in the App. The two addresses turned out to be different.

He emphasized that he had been using the Binance App on this phone for over six months, and found this unbelievable.

SlowMist Team Intervention

The founder of SlowMist team, EvilCos, pointed out:

Many people wonder why many functions of the fake Binance App are normal... In fact, it is a mature technical skill to directly implant malicious code into a specific function in the target App, which is common in the black industry chain. In addition, whether it is iOS or Android, they are now more secure. If you have not been phished to install a fake App, you are less likely to encounter this type of threat. Some advanced techniques will not target ordinary people.

The victim, CoinCircle Xiao Hu, relayed Binance's official suggestions regarding this incident:

  1. It is recommended to visit the official website in Google incognito mode.

  2. When depositing, compare the deposit address displayed on the App with the deposit address on the webpage.

  3. When withdrawing, confirm whether the withdrawal address matches the email notification address.

  4. After confirming the address is correct, you can test with small deposits and withdrawals first.
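Suggestion 2 can be done mechanically rather than by eye. The following is an added example, not code from Binance, SlowMist or the original report; it assumes the App's QR code encodes either a bare address or an EIP-681 `ethereum:` URI, and the function names and sample addresses are constructed for illustration. The comparison is case-insensitive and does not validate the EIP-55 checksum.

```python
import re

# Assumption: the App's QR code encodes either a bare address or an
# EIP-681 URI: ethereum:[pay-]<address>[@chain_id][/function][?params]
_URI = re.compile(r"^ethereum:(?:pay-)?(0x[0-9a-fA-F]{40})(?:[@/?].*)?$")
_BARE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def extract_address(payload: str) -> str:
    """Return the lower-cased 20-byte address from a QR payload or pasted text."""
    text = payload.strip()
    m = _URI.match(text)
    if m:
        return m.group(1).lower()
    if _BARE.match(text):
        return text.lower()
    raise ValueError(f"not an Ethereum address or EIP-681 URI: {text!r}")


def compare_deposit_addresses(app_payload: str, web_address: str) -> dict:
    """Compare the App's deposit address with the one shown on the web page.

    Every character is compared; an address that merely shares its first and
    last few characters with the expected one is reported as a mismatch.
    """
    app = extract_address(app_payload)
    web = extract_address(web_address)
    diff = [i for i, (a, b) in enumerate(zip(app, web)) if a != b]
    return {
        "match": app == web,
        "app": app,
        "web": web,
        "differing_positions": diff,
    }


if __name__ == "__main__":
    # Constructed sample values, not addresses from the incident.
    WEB = "0x" + "1" * 40
    APP_QR = "ethereum:0x1111" + "a" * 32 + "1111@1"
    result = compare_deposit_addresses(APP_QR, WEB)
    if result["match"]:
        print("OK: App and web page show the same deposit address")
    else:
        print("MISMATCH: do not deposit")
        print("  app:", result["app"])
        print("  web:", result["web"])
```
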

Binance has not made a public statement on this, and the incident does not point to a security problem at Binance itself. The issue lies in users not downloading the App from the official channel, which led to the theft.

SlowMist found that the real and fake Apps are the same in version and functionality; the only difference is that malicious code was implanted to change the deposit address. Another Twitter user has also disclosed a separate coin theft incident.

Users should only download the App from the exchange's official website. CoinCircle Xiao Hu's 5 ETH has been transferred through several addresses, and the final address still holds 106.7 ETH.