Deposit address on the app differs from the one on the desktop web page? Two phishing incidents involving exchange users.
Recently there have been two puzzling cryptocurrency theft incidents in which users transferred assets through an exchange app, only for the funds to land in addresses controlled by the attacker. The common factor in both cases is that the users did not download the app from the exchange's official website, but found it through a search engine in their browser. Security firm SlowMist indicated that the fake app versions functioned normally; the only difference was implanted malicious code that swapped the deposit and withdrawal addresses.
Fake App Used for Six Months Without Detection
Binance user and Twitter user "CoinCircle Xiao Hu" described how his coins were stolen:
On 10/24 he prepared to transfer 5 ETH from the MetaMask Chrome extension to the Binance App on his Huawei phone: the App generated a deposit QR code, which he scanned with MetaMask, the same procedure he had used before.
The coins never arrived. A few hours later he contacted customer service, who told him the address did not belong to any Binance user.
Customer service suggested he might have installed a fake App and asked him to compare the deposit address shown on the Binance desktop web page with the one in the App; the two addresses were different.
He stressed that he had been using the Binance App on this phone for over six months, which made this hard to believe.
Three days have passed since I lost the coins, but these three days have felt like thirty years of torment. I have barely slept in those three days, shut in my rented room living on the few pieces of bread I had left and tap water; it is as if I have fallen into a bottomless abyss: lost, helpless, terrified, with all hope gone... I have thought many times of ending my life, but when I think of my elderly parents, especially my mother who suffers from uremia, I cannot bear to leave them behind.
— 币圈小胡 (@hu94286743) October 27, 2022
SlowMist Team Intervention
SlowMist founder EvilCos pointed out:
Many people wonder why so many functions of the fake Binance App work normally... In fact, implanting malicious code directly into a specific function of a target App is a mature technique, common in the black-market industry chain. In addition, whether on iOS or Android, systems are now more secure; if you have not been phished into installing a fake App, you are less likely to encounter this type of threat. Some advanced techniques will not be aimed at ordinary people.
The victim, CoinCircle Xiao Hu, relayed Binance's official suggestions regarding this incident:
- It is recommended to visit the official website in Google incognito mode.
- When depositing, compare the deposit address displayed in the App with the deposit address on the web page.
- When withdrawing, confirm that the withdrawal address matches the address in the email notification.
- After confirming the address is correct, test with small deposits and withdrawals first.
Thanks to the SlowMist team for their help. The investigation shows that my APP had been modified; the cause may be that I accidentally tapped a fake Binance APP upgrade button, which caused the original genuine app to be modified. Everyone must make sure to install and upgrade apps only through legitimate channels, so that this tragedy does not happen again. @evilcos @IM_23pds @SlowMist_Team pic.twitter.com/RVqpZovnSS
— 币圈小胡 (@hu94286743) October 28, 2022
Binance itself did not issue a public statement, and the incident does not point to any security flaw on Binance's side: the problem was that the user did not install the App through the official channel, which is what led to the theft.
SlowMist found that the genuine and fake Apps were identical in version and functionality; the only difference was the malicious code implanted in the deposit-address function. Another Twitter user also reported a second, similar coin theft.
Users should download the App only from the exchange's official website. CoinCircle Xiao Hu's 5 ETH has been moved through several addresses, and the final address still holds 106.7 ETH.