Illustration by the talented John Wu

Those of you who follow me know that I’m the founder of HodlBot. We built an easy way to diversify your cryptocurrency portfolio across the top 20 coins by market cap. Right now, our platform works on top of Binance’s API.

So when I read that Binance had been potentially hacked for $45 million last week, I was left feeling uneasy.

Since then, the storm has blown over; Binance announced that funds are safe and they would be covering any losses.

But I still feel unsatisfied. News coverage of the incident was extremely poor, there was little information released, and rumours are spreading like wildfire.

As someone who wants Binance to succeed, I feel conflicted about writing this article. Nevertheless, I have an obligation to my users, and to the community, to investigate this issue thoroughly.

I’m going to do my best to present a well-rounded perspective on the incident and clear up rumours.

What we know

Before we dig into the details, let’s put together a brief timeline of the incident using information released by official sources.

July 3rd at 8:44 PM UTC

The price of SYS shoots up from 0.0004 BTC to 96 BTC.

July 3rd at ~9:00 PM UTC

Binance shuts down the exchange for unscheduled maintenance.

July 3rd ~ 11:00 PM UTC

Binance resets all API keys as a security precaution.

July 4th ~ 12:00 AM UTC

Binance re-enables API key creation.

July 4th ~ 4:00 AM UTC

Binance completes system maintenance.

July 4th ~ 6:00 AM UTC

Binance releases an official incident recap stating that the incident had been attributed to irregular API trading activity.

What Does Binance Mean by Irregular API Trading Activity?

To understand why API attacks often coincide with coins being pumped to ridiculous heights, we first need to understand how Binance’s API works.

For the layman, Binance's API allows programs to interact with the exchange on a user's behalf, as if they were the user themselves. To enable API access, a user first generates a set of API keys. These keys are credentials that grant permission to act on the account, and each key carries a set of permissions.

On Binance there are 3 distinct levels of API permissions:

Read — ability to get data about holdings, trade history, and the market.

Trade — ability to execute trades.

Withdrawal — ability to withdraw funds.

By default, read & trade permissions are enabled on a new key, but withdrawal access is not. Because withdrawal access carries a much higher risk, Binance requires users to set up IP whitelisting and 2-factor authentication before it can be turned on.

Consequently, when attackers steal usernames & passwords or API keys, what they usually end up with is the ability to trade, not to withdraw. Under this limitation, hackers have to find a way to move value out of the compromised accounts and into accounts they control that do have withdrawal access, and the only tool they have for that is trading.

Here’s how they do it:

Before the attack, the culprits accumulate a large quantity of a coin that has low volume and a thin order book, so that a relatively small amount of BTC moves its price a long way.

Attackers then use the stolen accounts to send a torrent of buy orders via the API at a ridiculously pumped price (often 10,000x the normal price).

Those buys fill against sell orders the attackers have placed from their own accounts using the coins they accumulated. The BTC in the compromised accounts is spent on the pumped coin, and it lands in the attackers' accounts as the proceeds of their sells. That is the profit.

Finally, the attackers try to withdraw their spoils from Binance. Once the BTC is off the exchange and on the blockchain, it becomes almost impossible for anyone to reverse it.
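To make the mechanism concrete, here is a toy order book that walks through the four steps above. It is an added example written for this article, not Binance code or data: every account, balance, price and quantity is constructed, and the two ask levels (1.1 BTC and 96 BTC) are borrowed from the figures discussed later only to make the illustration recognisable. Exact fractions are used so the accounting adds up to the satoshi.

```python
"""Toy order book showing why stolen, trade-only API keys are still worth
stealing: buy orders sent from the victim accounts fill against the
attacker's own resting sell orders, so BTC leaves the victims and lands in
the attacker's account without anyone needing withdrawal permission.

Every account, balance, price and quantity here is constructed for the
illustration; none of it is Binance data.
"""
from dataclasses import dataclass
from fractions import Fraction as F


@dataclass
class Account:
    name: str
    btc: F = F(0)
    sys: F = F(0)


@dataclass
class Ask:
    owner: Account
    price: F          # BTC per SYS
    qty: F            # SYS still resting in the book


class OrderBook:
    """Sell side only, best (lowest) price first; enough to show a pump."""

    def __init__(self) -> None:
        self.asks: list[Ask] = []

    def place_ask(self, owner: Account, price: F, qty: F) -> None:
        assert owner.sys >= qty, "cannot sell more than you hold"
        owner.sys -= qty                       # SYS is locked in the order
        self.asks.append(Ask(owner, price, qty))
        self.asks.sort(key=lambda a: a.price)  # price priority, then arrival

    def limit_buy(self, buyer: Account, limit: F, qty: F) -> list[tuple[F, F]]:
        """Fill a buy against resting asks priced at or below `limit`,
        capped by the buyer's BTC balance. Returns (price, quantity) fills."""
        fills = []
        for ask in self.asks:
            if qty == 0 or ask.price > limit:
                break
            take = min(qty, ask.qty, buyer.btc / ask.price)
            if take == 0:
                break                          # buyer is out of BTC
            cost = take * ask.price
            buyer.btc -= cost
            buyer.sys += take
            ask.owner.btc += cost              # the seller receives the BTC
            ask.qty -= take
            qty -= take
            fills.append((ask.price, take))
        self.asks = [a for a in self.asks if a.qty > 0]
        return fills


def run_pump() -> dict:
    """Step 1 accumulate, step 2 pumped buys from stolen keys, step 3 sells
    fill; step 4 (withdrawal) happens outside the order book."""
    book = OrderBook()
    attacker = Account("attacker", sys=F(20_000))   # accumulated cheaply beforehand
    honest = Account("honest_seller", sys=F(1_000))
    victims = [Account("victim1", btc=F(5_000)),    # accounts with stolen trade-only keys
               Account("victim2", btc=F(10_000)),
               Account("victim3", btc=F(1_000))]

    book.place_ask(honest, F("0.0004"), F(1_000))   # the normal SYS price
    book.place_ask(attacker, F("1.1"), F(13_000))   # attacker's sells, far above market
    book.place_ask(attacker, F(96), F(7_000))

    fills = {}
    for v in victims:
        # The stolen key sends a buy far above market. The quantity is absurd,
        # so the victim's balance, not the order size, limits the damage.
        fills[v.name] = book.limit_buy(v, F(96), F(100_000))

    return {
        "attacker_btc": attacker.btc,
        "honest_btc": honest.btc,
        "victims_btc_left": sum(v.btc for v in victims),
        "top_fill_price": max(p for f in fills.values() for p, _ in f),
        "fills": fills,
    }


if __name__ == "__main__":
    result = run_pump()
    print("attacker now holds", float(result["attacker_btc"]), "BTC")
    print("victims have", float(result["victims_btc_left"]), "BTC left")
```

Two things worth noticing in the output. The honest seller who happened to have an ask at 0.0004 BTC gets swept first and collects only 0.4 BTC; nearly all of the 16,000 BTC in the victim accounts ends up with the attacker. And the 96 BTC print is produced by a tiny quantity at the very end, after the victims' balances have already been drained at 1.1 BTC, which is why the highest price is not where the money went.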

What the Data Tells Us

Rather than fumbling around in the dark, we can use Binance’s API to pull historical data on SYS/BTC trades and see exactly what happened.

Price Activity & Volume

1 Day Candles for SYS/BTC from May 24 to July 2

There was nothing peculiar about the price of SYS until July 3rd when prices suspiciously shot up to 96 BTC.

1 Day Candles for SYS/BTC from May 24 to July 10

During the same time period, there was a massive uptick in trading volume and the number of total trades.

Trading volume and the total number of trades spiked for SYS/BTC on July 3

Historical Orders

Things get interesting when we start pulling data from /api/v1/aggTrades.

This endpoint GETs a history of completed trades. Trades that fill at the same time, from the same order, at the same price have their quantities aggregated into a single record, so one record can represent a whole sweep of the order book at one price level.

Notice how everyone's talking about the 11 SYS sold at 96 BTC (~$7 million) when they should be talking about the 13,152 SYS sold at 1.1 BTC (~$97 million) instead. The headline price is not where the money went.
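The ranking above is easy to reproduce. The script below is an added example, not the article's own analysis code: it takes records in the shape that GET /api/v1/aggTrades returns (fields a, p, q, f, l, T, m, M), sums quantity and notional per price level, and sorts by BTC notional rather than price. The sample records are constructed to match the two figures quoted above so the example runs offline; they are not the exchange's actual data, and the BTC/USD rate is an assumed round number for July 2018. The `fetch_agg_trades` helper is the live query against the same endpoint and is never called here.

```python
"""Rank SYS/BTC aggregate trades by notional value instead of by price.

The records below follow the shape of Binance's GET /api/v1/aggTrades
response but the values are constructed to match the figures quoted in the
article; they are not the exchange's actual data. BTC_USD is an assumed
July 2018 rate used only to express notionals in dollars.
"""
from collections import defaultdict
from decimal import Decimal

BTC_USD = Decimal("6700")   # assumption, roughly the early-July-2018 rate

# Constructed sample: one 13,152 SYS fill at 1.1 BTC, a few fills that together
# sell 11 SYS at 96 BTC, and two ordinary trades near the normal price.
SAMPLE_AGG_TRADES = [
    {"a": 1001, "p": "0.00040000", "q": "2500.00000000", "f": 5001, "l": 5003, "T": 1530650000000, "m": True,  "M": True},
    {"a": 1002, "p": "1.10000000", "q": "13152.00000000", "f": 5004, "l": 5004, "T": 1530650640000, "m": False, "M": True},
    {"a": 1003, "p": "96.00000000", "q": "4.00000000",  "f": 5005, "l": 5005, "T": 1530650641000, "m": False, "M": True},
    {"a": 1004, "p": "96.00000000", "q": "7.00000000",  "f": 5006, "l": 5007, "T": 1530650642000, "m": False, "M": True},
    {"a": 1005, "p": "0.00041000", "q": "900.00000000", "f": 5008, "l": 5008, "T": 1530651000000, "m": True,  "M": True},
]


def notional_by_price(agg_trades, btc_usd=BTC_USD):
    """Sum quantity and BTC notional per price level, largest notional first.
    Prices and quantities are strings in the API response; Decimal avoids
    float rounding on exchange data."""
    qty = defaultdict(Decimal)
    for t in agg_trades:
        qty[Decimal(t["p"])] += Decimal(t["q"])
    rows = [{"price": p, "qty": q, "btc": p * q, "usd": p * q * btc_usd}
            for p, q in qty.items()]
    return sorted(rows, key=lambda r: r["btc"], reverse=True)


def headline_vs_heavy(agg_trades, btc_usd=BTC_USD):
    """Return (highest-priced level, largest-notional level) for comparison."""
    rows = notional_by_price(agg_trades, btc_usd)
    return max(rows, key=lambda r: r["price"]), rows[0]


def fetch_agg_trades(symbol, start_ms, end_ms, limit=1000):
    """Live path: the same query against the endpoint the article uses.
    Not called in this example so that it runs offline."""
    import json
    from urllib.parse import urlencode
    from urllib.request import urlopen
    query = urlencode({"symbol": symbol, "startTime": start_ms,
                       "endTime": end_ms, "limit": limit})
    with urlopen(f"https://api.binance.com/api/v1/aggTrades?{query}") as resp:
        return json.load(resp)


if __name__ == "__main__":
    for r in notional_by_price(SAMPLE_AGG_TRADES):
        print(f"{r['price']:>12} BTC  {r['qty']:>12} SYS  "
              f"{r['btc']:>12} BTC  ~${r['usd']:,.0f}")
```

With real data the only change is replacing SAMPLE_AGG_TRADES with the list returned by `fetch_agg_trades("SYSBTC", start_ms, end_ms)` for the window around 20:44 UTC on July 3, paging with the endpoint's limit as needed.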

By plotting all aggregate trades on a bubble chart, we can get a better sense of scale. Every circle is one aggregate trade record, and the size of each circle represents its notional value in USD.