Google Chrome extension causes trouble! $1 million missing from Binance account, impossible to recover even with He Yi in charge


The Twitter account @CryptoNakamao shared an unbelievable hacking incident in which his Binance account was compromised and one million US dollars were stolen. Although he never disclosed his account password or two-factor authentication (2FA) code, the hackers bypassed these security measures through a technique known as "sim swapping." Below is a detailed recount of his experience.

Freezing Funds Was Completely Meaningless

"At the first moment when the incident occurred, I not only informed Binance customer service but also privately messaged a sister on Telegram. The sister was very dedicated and immediately passed on my UID to the security team. However, what surprised me was that even with the sister's urging, it took Binance staff more than a day to notify Kucoin and Gate to freeze the funds transferred by the hacker. Needless to say, the hacker's funds had already been transferred out and confirmed. Freezing was completely meaningless." @CryptoNakamao stated that he contacted Binance co-founder He Yi immediately, but still couldn't catch up with the hacker transferring the assets.

How Did the Hacker Carry Out the Attack?

On May 24th, @CryptoNakamao was on his way home from work when the hacker hijacked his browser session cookies to gain control of his account and initiated a large number of trades, manipulating the market prices of several trading pairs: QTUM/BTC rose by 21%, DASH/BTC rose by 27%, PYR/BTC rose by 31%, ENA/USDC rose by 22%, NEO/USDC rose by 20%. These activities were not discovered until he casually checked his Binance account an hour and a half later.

Siphoning Off Funds

A security company revealed afterwards that the hacker used high liquidity USDT trading pairs to purchase tokens and set high price limit orders in low liquidity BTC and USDC trading pairs. Eventually, they leveraged his account to engage in "wash trading."

No Security Alert Received

@CryptoNakamao stated that he did not receive any security alerts from Binance. Ironically, the next day, he received an invitation from Binance to become a market maker because of his high trading volume. Despite the significant activity, Binance did not issue any warnings or freeze the account, and the hacker's assets were not restricted.

Reporting but Unsuccessful in Salvaging

Upon realizing the breach, @CryptoNakamao immediately contacted Binance customer service, but the hacker still controlled his account and safely withdrew all funds from Binance. What puzzled him even more was that the hacker conducted these blatant "wash trades" with a single account, undermining his trust in Binance's risk controls.

Root Cause: Malicious Chrome Extension

@CryptoNakamao and the security company traced the intrusion back to a Chrome extension called AggrTrade. This seemingly harmless tool, recommended by overseas key opinion leaders (KOLs) and Telegram channels, turned out to be malicious.

AggrTrade collects cookies and forwards them to the hacker's server, allowing the hacker to hijack active user sessions, bypassing the need for passwords or 2FA. In @CryptoNakamao's case, his password was stored in 1Password, which the hacker couldn't access. The hacker used these cookies to control his account activities and engage in "wash trading."
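The mechanism described above is a permission problem: an extension that can read cookies and run on every site has everything it needs to copy a logged-in session. The following script is an added example (not code from the article, from AggrTrade, or from Binance) that triages the extensions installed in a local Chrome profile by exactly that permission combination. The profile path, the risk thresholds and the two sample manifests are assumptions constructed for the example.

```python
"""Triage installed Chrome extensions for session-cookie exfiltration risk.

Added example, not code from the article or from Binance. An extension that
can read cookies AND run on every site can copy a logged-in session, so that
combination is flagged HIGH for manual review.
"""
import json
from pathlib import Path

# Assumption: default Chrome profile location on Linux. On macOS the profile
# lives under ~/Library/Application Support/Google/Chrome/Default, on Windows
# under %LOCALAPPDATA%\Google\Chrome\User Data\Default.
DEFAULT_EXT_DIR = Path.home() / ".config" / "google-chrome" / "Default" / "Extensions"

# Host patterns that grant content-script access to every origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension watch or rewrite traffic.
NETWORK_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}


def _is_host_pattern(p):
    return p == "<all_urls>" or "://" in p


def split_permissions(manifest):
    """Return (api_permissions, host_patterns) for an MV2 or MV3 manifest."""
    perms = manifest.get("permissions", [])
    apis = {p for p in perms if not _is_host_pattern(p)}
    hosts = {p for p in perms if _is_host_pattern(p)}        # MV2 style
    hosts |= set(manifest.get("host_permissions", []))       # MV3 style
    return apis, hosts


def assess_manifest(manifest):
    """Score one parsed manifest.json: HIGH if it reads cookies and reaches any site."""
    apis, hosts = split_permissions(manifest)
    reads_cookies = "cookies" in apis
    broad_hosts = bool(hosts & BROAD_HOST_PATTERNS)
    findings = []
    if reads_cookies:
        findings.append("requests the cookies permission (chrome.cookies API)")
    if broad_hosts:
        findings.append("requests access to all sites")
    if apis & NETWORK_APIS:
        findings.append("can observe or rewrite network requests")
    if reads_cookies and broad_hosts:
        level = "HIGH"
    elif reads_cookies or broad_hosts:
        level = "MEDIUM"
    else:
        level = "LOW"
    return {
        "name": manifest.get("name", "?"),      # may be a __MSG_*__ i18n key
        "version": manifest.get("version", "?"),
        "level": level,
        "findings": findings,
    }


def scan_extensions(ext_dir=DEFAULT_EXT_DIR):
    """Walk <ext_dir>/<id>/<version>/manifest.json and return assessments, worst first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    results = []
    for manifest_path in Path(ext_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the scan
        result = assess_manifest(manifest)
        result["id"] = manifest_path.parts[-3]   # the 32-char extension id directory
        results.append(result)
    return sorted(results, key=lambda r: order[r["level"]])


# Constructed sample manifests for offline use; they are not real extensions.
SAMPLE_RISKY = {
    "manifest_version": 3,
    "name": "constructed-trading-overlay",
    "version": "1.0",
    "permissions": ["cookies", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "name": "constructed-theme",
    "version": "0.1",
    "permissions": ["storage"],
}

if __name__ == "__main__":
    for r in [assess_manifest(SAMPLE_RISKY), assess_manifest(SAMPLE_BENIGN)] + scan_extensions():
        print(f"[{r['level']:6}] {r['name']} {r['version']}: "
              f"{'; '.join(r['findings']) or 'no risky permissions'}")
```

A HIGH result means "review this", not "malicious": password managers and ad blockers legitimately request the same combination. Broad host access alone is still rated MEDIUM because a content script running on the exchange's pages can read that site's non-HttpOnly cookies without ever asking for the `cookies` permission, so the host list deserves a look on its own.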

Similar Cases at Binance Are Not Unprecedented

@CryptoNakamao mentioned that he suffered a further blow: Binance was already aware of this extension and had even encouraged users to gather more information about the hacker. Despite knowing the risks, Binance delayed taking action, leading to more victims.

For instance, in March, another Binance user's account was compromised, and Binance CEO Richard Teng responded by saying they were investigating and would identify the root cause. In @CryptoNakamao's view, Binance had had enough time since then to alert users.

Missed Opportunities by Binance

Reflecting on this incident, @CryptoNakamao listed several key mistakes by Binance:

  1. Slow Response: Despite knowing about the hacker and malicious extensions, Binance did not act promptly, allowing the exploitation to continue and more funds to be stolen.
  2. Lack of Risk Controls: The hacker manipulated the account for extreme trading activities within an hour without triggering any risk alerts or freezes.
  3. Failure to Freeze Accounts in Time: Binance failed to freeze the hacker's account and funds promptly, missing the opportunity to prevent asset transfers.
  4. Ineffective Communication: It took Binance more than a day to coordinate with other platforms to freeze the hacker's funds, and by then it was too late.
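Point 2 above is the one a defender can turn into code: the account went from ordinary activity to extreme trading within an hour and moved illiquid pairs by 20% to 30%, and neither signal tripped anything. The following is an added example, not Binance's risk engine, of the two account-level rules that would have caught that pattern: an hourly traded-notional velocity check against the account's own baseline, and a price-impact check on the account's fills in each pair. The thresholds, the assumed BTC price and the sample trades are all constructed for the example.

```python
"""Toy account-level risk control: velocity and price-impact alerts.

Added example, not Binance's risk engine. It replays one account's trades and
raises an alert when (a) an hour's traded notional dwarfs the account's own
baseline or (b) the account's own fills in one pair move its price by more
than a threshold within that hour.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Trade:
    ts: datetime
    pair: str
    side: str          # "BUY" or "SELL"
    price: float       # in the pair's quote asset
    qty: float         # in the pair's base asset
    quote_usd: float   # USD value of one quote unit, so notional is comparable across pairs

    def notional_usd(self):
        return self.price * self.qty * self.quote_usd


def _hour_of(t):
    return t.ts.replace(minute=0, second=0, microsecond=0)


def detect_anomalies(trades, baseline_hourly_usd, velocity_factor=10.0, max_move_pct=15.0):
    """Return a list of alert dicts; an empty list means nothing tripped.

    baseline_hourly_usd: the account's normal hourly traded notional (assumed
    to come from a trailing 30-day average in a real system).
    """
    alerts = []
    by_hour = defaultdict(list)
    for t in trades:
        by_hour[_hour_of(t)].append(t)

    for hour in sorted(by_hour):
        hour_trades = sorted(by_hour[hour], key=lambda t: t.ts)

        # Rule 1: velocity. Activity far above the account's own history.
        total = sum(t.notional_usd() for t in hour_trades)
        if total > velocity_factor * baseline_hourly_usd:
            alerts.append({"rule": "velocity", "hour": hour,
                           "notional_usd": round(total, 2),
                           "factor": round(total / baseline_hourly_usd, 1)})

        # Rule 2: price impact. The account's own fills walk the price in one pair.
        by_pair = defaultdict(list)
        for t in hour_trades:
            by_pair[t.pair].append(t)
        for pair, fills in by_pair.items():
            first, last = fills[0].price, fills[-1].price
            move = (last - first) / first * 100
            if abs(move) >= max_move_pct:
                alerts.append({"rule": "price_impact", "hour": hour,
                               "pair": pair, "move_pct": round(move, 2)})
    return alerts


# Constructed sample data. BTC assumed at 68,000 USD; timestamps are arbitrary.
_T0 = datetime(2024, 5, 24, 18, 0)
_BTC_USD = 68_000.0

# A burst of buys in a thin pair whose fill price climbs 21% within the hour.
ATTACK_HOUR = [
    Trade(_T0 + timedelta(minutes=5 * i), "QTUM/BTC", "BUY", price, 2000.0, _BTC_USD)
    for i, price in enumerate([0.00005, 0.0000525, 0.000055, 0.000058, 0.0000605])
]

# A normal day: one small trade, price unchanged.
QUIET_HOUR = [
    Trade(_T0 + timedelta(minutes=12), "ETH/USDT", "SELL", 3500.0, 0.1, 1.0),
]

if __name__ == "__main__":
    for label, trades in (("attack", ATTACK_HOUR), ("quiet", QUIET_HOUR)):
        print(label, detect_anomalies(trades, baseline_hourly_usd=1_000.0) or "no alerts")
```

Either rule alone would have fired during the hour described in the article; in practice the velocity rule is the one that should trigger a step-up challenge (a fresh 2FA prompt that a stolen cookie cannot answer) rather than only a log line, because a hijacked session passes every other check the platform runs.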

A Warning to Everyone

By sharing his story, @CryptoNakamao reminded the cryptocurrency community of the dangers of browser extensions and the importance of security vigilance. "I want to sound the alarm on security issues for everyone. Don't follow in my footsteps. As cryptocurrency becomes more well-known, the security of assets and personal safety of all participants should be taken seriously," he stated.

He Yi's Response: Raise Awareness of Extension Security

Binance co-founder He Yi stated: "The user said he downloaded the plug-in and got tricked; the hacker couldn't withdraw the coins, so he used wash trading to deplete the funds in the account. I advise everyone to enhance device security protection, be more vigilant about plugins and links, and put safety first."

Binance Denies Prior Knowledge of the Malicious Software

Binance stated: "As of the current investigation results, Binance did not notice any information related to the AGGR plugin before this incident. Based on all internal records we could find, we indeed did not notice such plugin cases before the incident you mentioned in the post; the team was not aware of AGGR. Thank you for sharing information about the external 'KOL' in your post. We will continue to investigate, and if there are any new developments, we will share and synchronize with you immediately."