Monday, March 19th

As previously announced, on March 7th, there was a large-scale attempt to manipulate and steal funds on Binance, which was ultimately unsuccessful. We would like to remind the community that our system was not compromised during this event and no unauthorized data was accessed. The attack was the result of an extended phishing operation, targeting users by creating fraudulent reproductions of our website in order to gather users’ login credentials.

Since launching the Binance Hacker Bounty, we’ve gathered a lot of information regarding this event. Among the information that we have collected, there are some details that we believe will be beneficial to provide publicly. We hope that, with the additional information, our community will be able to assist even further in our search for the perpetrator(s).

Given the scale of the operation, we believe this may be the work of a group rather than an individual, but we certainly aren’t ruling out the possibility that a single actor is responsible.

Phishing Domains

We will start with a list of known fraudulent web domains involved in the phishing schemes that led up to the attack. It seems that these domains are promoted by utilizing numerous search engine advertising campaigns to draw unsuspecting users.

As you will notice, this attacker is not only targeting Binance, but other exchanges, both centralized and decentralized.

(Note: This list is not exhaustive and there are more to identify.)

http://telegra.ph/Binance-Hacker-Bounty-Known-Domains-03-16

It appears that most of these domains use a bullet-proof European web host, resolving to the IP addresses 80.92.65.215 and (primarily) 85.93.20.58.
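The pivot described above (several lookalike domains resolving to the same small set of hosting addresses) is easy to automate. The script below is an added example, not Binance's own tooling: it groups candidate domains by the IPs they resolve to, flags any that land on the two addresses named in this post, and separately checks whether a domain's first label imitates a brand name within one edit. The domain names, their DNS answers and the brand list are constructed for the demo so it runs offline; a live version would replace `resolve` with `socket.getaddrinfo` or a passive-DNS lookup.

```python
"""Triage candidate phishing domains by (a) the hosting they resolve to and
(b) whether their name imitates a brand.

Added example, not Binance's own tooling. The two IPs come from the post;
the domain names and their DNS answers below are constructed so the script
runs offline (a live version would call socket.getaddrinfo or a passive-DNS
API in `resolve`). The brand list is an assumption for the demo.
"""
from collections import defaultdict

# Hosting IPs the post associates with the phishing domains.
KNOWN_PHISHING_IPS = {"80.92.65.215", "85.93.20.58"}

# Brands to check names against (assumed for the example).
BRANDS = ["binance", "bittrex"]

# Constructed stand-in for DNS answers.
CONSTRUCTED_DNS = {
    "binanse-login.example": ["85.93.20.58"],
    "bittrex-secure.example": ["85.93.20.58"],
    "dex-wallet-auth.example": ["80.92.65.215"],
    "crypto-news.example": ["203.0.113.7"],
    "flowershop.example": ["198.51.100.9"],
}


def resolve(domain, table=CONSTRUCTED_DNS):
    """Return the A records for a domain (from the constructed table here)."""
    return table.get(domain, [])


def cluster_by_ip(domains, table=CONSTRUCTED_DNS):
    """Group domains by every IP they resolve to."""
    clusters = defaultdict(set)
    for domain in domains:
        for ip in resolve(domain, table):
            clusters[ip].add(domain)
    return dict(clusters)


def shared_hosting(clusters, min_size=2):
    """Keep only IPs that host at least min_size of the candidate domains;
    several lookalike domains on one address is the pivot the post describes."""
    return {ip: doms for ip, doms in clusters.items() if len(doms) >= min_size}


def _edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_lookalikes(domain, brands=BRANDS, max_dist=1):
    """Brands that a hyphen-separated token of the first label matches exactly
    or within max_dist edits (catches 'binanse', 'bittrex-secure')."""
    tokens = domain.lower().split(".")[0].split("-")
    return sorted({b for b in brands for t in tokens
                   if t == b or _edit_distance(t, b) <= max_dist})


def triage(domains, table=CONSTRUCTED_DNS, known=KNOWN_PHISHING_IPS):
    """One record per domain: resolved IPs, whether any IP is already tied to
    the campaign, and which brands the name imitates."""
    results = []
    for domain in domains:
        ips = resolve(domain, table)
        results.append({
            "domain": domain,
            "ips": ips,
            "known_host": any(ip in known for ip in ips),
            "lookalike": brand_lookalikes(domain),
        })
    return results


if __name__ == "__main__":
    for record in triage(CONSTRUCTED_DNS):
        print(record)
    print("shared hosting:", shared_hosting(cluster_by_ip(CONSTRUCTED_DNS)))
```

The two signals are deliberately independent: `dex-wallet-auth.example` carries no brand token and would pass a name check, but it sits on an address already tied to the campaign, while `binanse-login.example` is caught by both. Running either check alone misses part of the set.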

Domain Registrant Information

There have been two common names amongst the registrants of these types of domains. Running a reverse lookup on the names in question returns a variety of other domains that appear to have malicious intent:

In fact, an article was published in August 2017 regarding one of the domains from our list of known domains above (also tied to one of these registrants): https://www.hackread.com/fake-bittrex-cryptocurrency-exchange-site-stealing-user-funds/

In addition, a victim of the attack provided us with their signed consent to release the IP address associated with the API key creation on their account. The IP address (213.87.134.39) resolves to Lipetsk, Russia.

It is safe to assume that this is not the attacker's actual location or IP address; they may be using a VPN or another service to obscure their identity. However, after cross-referencing this information against the registrants of the domains above, it is reasonable to conclude that the attacker(s) may reside in Eastern Europe.

VIA Blockchain Transactions

We were able to identify several suspicious VIA transactions on the blockchain, taking place approximately one to two hours prior to the incident. After further investigation, a total of 31 transactions were found, all made within 200 blocks and each carrying 4000 VIA.
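The pattern that made these transactions stand out, many transfers of an identical amount packed into a narrow range of blocks, is a simple anomaly to search for programmatically. The following is an added example, not Binance's analysis code and not the post's list of transactions: it sorts transactions by amount, runs a sliding window over block heights, and reports any amount with at least `min_count` transfers inside fewer than `max_span` blocks. The transaction list is constructed to reproduce the shape described above (31 transfers of 4000 VIA within 150 blocks) alongside decoy activity; the heights and txids are placeholders, not real chain data.

```python
"""Flag bursts of same-amount transactions inside a narrow block window.

Added example, not Binance's analysis code. The post describes 31 VIA
transactions of 4000 VIA each inside 200 blocks; the transactions below
are constructed to reproduce that shape (heights, txids and amounts are
placeholders, not real chain data).
"""
from collections import defaultdict

BASE_HEIGHT = 5_000_000  # constructed starting height


def build_sample():
    """Constructed transaction list: (height, txid, amount in VIA)."""
    txs = []
    # The suspicious cluster: 31 x 4000 VIA, 5 blocks apart (span 150 blocks).
    for i in range(31):
        txs.append((BASE_HEIGHT + 5 * i, f"constructed-burst-{i:02d}", 4000))
    # Two earlier 4000 VIA payments far outside the window (ordinary activity).
    txs.append((BASE_HEIGHT - 5000, "constructed-old-a", 4000))
    txs.append((BASE_HEIGHT - 4800, "constructed-old-b", 4000))
    # Many 100 VIA payments, but spread 50 blocks apart: no 200-block window
    # holds more than four of them, so they must not be flagged.
    for i in range(25):
        txs.append((BASE_HEIGHT + 50 * i, f"constructed-slow-{i:02d}", 100))
    # Assorted unrelated amounts.
    for i, amt in enumerate([12, 750, 3999, 4001, 250]):
        txs.append((BASE_HEIGHT + 7 * i, f"constructed-misc-{i}", amt))
    return txs


SAMPLE_TXS = build_sample()


def find_bursts(txs, min_count, max_span):
    """Return groups of >= min_count transactions with identical amount whose
    block heights all fall within fewer than max_span blocks of each other.

    For each amount the heights are sorted and scanned with a sliding window;
    the densest qualifying window is reported once per amount."""
    by_amount = defaultdict(list)
    for height, txid, amount in txs:
        by_amount[amount].append((height, txid))

    bursts = []
    for amount, items in by_amount.items():
        items.sort()
        start, best = 0, None
        for end in range(len(items)):
            # Shrink the window until first and last height are < max_span apart.
            while items[end][0] - items[start][0] >= max_span:
                start += 1
            count = end - start + 1
            if count >= min_count and (best is None or count > best[0]):
                best = (count, start, end)
        if best is not None:
            count, s, e = best
            bursts.append({
                "amount": amount,
                "count": count,
                "first_height": items[s][0],
                "last_height": items[e][0],
                "txids": [txid for _, txid in items[s:e + 1]],
            })
    return sorted(bursts, key=lambda b: -b["count"])


if __name__ == "__main__":
    for b in find_bursts(SAMPLE_TXS, min_count=20, max_span=200):
        print(f"{b['count']} x {b['amount']} VIA between blocks "
              f"{b['first_height']} and {b['last_height']}")
```

The window is what separates a coordinated batch from ordinary repeated payments: the two older 4000 VIA transfers are dropped because they sit thousands of blocks away, and the 25 payments of 100 VIA are never flagged at a 200-block window because they are too spread out, though widening the window to 2000 blocks would surface them as well.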

Below we have documented the block height and the transaction ID for each:

Continued Effort

To those of you that have contributed information to bounty@binance.com thus far, we would like to thank you. With every contribution, we come a little closer to identifying those responsible for the events that occurred on March 7th.

As always, the security of our users and their funds is, and always has been, our highest priority. We look forward to continuing to work with our community to bring the culprit(s) to justice.

Remember: