Binance, one of the world’s largest cryptocurrency exchanges, recently saw users complain their altcoin balances were being liquidated for bitcoin, and then used to buy a little-known cryptocurrency named Viacoin. According to the exchange, it was all part of a sophisticated theft attempt, that Binance managed to thwart.

Per the exchange’s investigation, a group of “well organized” hackers attempted to manipulate the market and steal user’s funds. Their plot saw them initially launch a ‘phishing’ scheme in early January, in which they purchased domain names resembling Binance.com. They created copies of the exchange’s interface, to trick users into entering their credentials.

A user’s history. Can you see the two dots under the domain name? Phishing website that redirects to the real website after login. Additionally, after you log in once, it doesn't let you access the phishing site again – will auto-redirect you to Binance (even after logging out) pic.twitter.com/WOKhKrp7tx — CZ (not giving crypto away) (@cz_binance) March 7, 2018

Once they acquired people’s login credentials, the hackers created API keys for each account they controlled. These keys are used to trade with bots, and as such only allow those who control them to trade, not withdraw.

After the keys were created, the hackers went silent waiting “for the most opportune moment to act.” Yesterday, the hackers decided it was time to make their move, and started using people’s API keys to place a “large number” of Viacoin buy orders. The move saw the cryptocurrency’s price surge by as much as 1,100 percent in about a minute.

On their own accounts, the hackers then sold Viacoin for bitcoin at high prices. Their orders were matched because of the orders placed on the accounts they phished. Per Binance, as soon as these trades were completed, withdrawal requests were “immediately” attempted.

However, the unusual trading activity triggered Binance’s “automatic risk management system.” The system, as Binance’s summary reads, halted withdrawals:

“However, as withdrawals were already automatically disabled by our risk management system, none of the withdrawals successfully went out. Additionally, the VIA coins deposited by the hackers were also frozen. Not only did the hacker not steal any coins out, their own coins have also been withheld.”

The cryptocurrency exchange successfully kept user’s funds safe, and in fact kept the funds the hackers initially used to make their orders. Binance has since revealed that it will reverse most transactions to undo the damage. Some transactions won’t be reversible, however, as the hackers’ accounts were not the counterparty, meaning they were just made to boost Viacoin’s price.

Interestingly, the company’s CEO, Changpeng Zhao, revealed that the coins withheld from hackers will be donated to Binance Charity.