Binance Hack Loses More than $41 Million in Bitcoin

In spite of significant theft from a ‘hot wallet’, crypto exchange Binance has pushed a lot of the right buttons to maintain reputation - at least so far.

The well-respected cryptocurrency exchange Binance has suffered what appears to be a sophisticated hack that resulted in the attackers stealing more than $41 million.

According to a statement from Binance, the “Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info”, which resulted in the attackers gaining enough of a foothold in Binance’s network to access the company’s ‘hot wallet’ and withdraw 7000 BTC in a single transaction - worth more than $41 million at the time of writing.

“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that”, continued Binance in a statement.

Whatever the security checks consist of, the transaction itself has plenty of variation, with no fewer than 44 individual transactions bundled together, spanning a vast range of values from 0.0015 BTC ($8.85) right up to a somewhat more significant 670.9965 BTC ($3,959,904) - clearly a combination of differing amounts and multiple transactions intended to make the theft resemble standard exchange withdrawals. In addition, the attackers are now shuffling the stolen bitcoin in order to cover their tracks – the tactic being to gradually break large values down into legions of smaller ones, exponentially complicating the task of tracking them through the blockchain.
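As an added illustration (not part of the original article, and not Binance's actual controls), the script below models why checks applied to each withdrawal in isolation can wave through a batch like the one described, while a pre-signing check on the batch as a whole would not. The policy limits, the hot-wallet balance and the 44-output batch are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

SATS = 100_000_000  # satoshis per BTC; integers avoid float rounding in sums

@dataclass(frozen=True)
class Output:
    account: str   # internal account that requested the withdrawal
    sats: int      # amount in satoshis

# Assumed policy values (illustrative, not any exchange's real limits)
PER_WITHDRAWAL_LIMIT = 1_000 * SATS   # cap applied to each withdrawal on its own
HOT_WALLET_BALANCE = 7_000 * SATS     # assumed hot-wallet balance before the batch
MAX_BATCH_DRAIN = 0.10                # one batch may not move >10% of the hot wallet
MAX_ACCOUNTS_PER_BATCH = 20           # more distinct requesters than this is unusual

def constructed_batch() -> List[Output]:
    """44 outputs totalling 7000 BTC, from 0.0015 to 670.9965 BTC (constructed)."""
    lo, hi = 150_000, 67_099_650_000          # 0.0015 BTC and 670.9965 BTC in sats
    rest = 7_000 * SATS - lo - hi             # spread the remainder over 42 outputs
    q, r = divmod(rest, 42)
    amounts = [lo, hi] + [q] * 41 + [q + r]
    return [Output(f"acct-{i:02d}", a) for i, a in enumerate(amounts)]

def per_output_checks(batch: List[Output]) -> List[str]:
    """Checks that look at each withdrawal alone; a structured batch passes them."""
    return [f"{o.account}: {o.sats / SATS} BTC exceeds per-withdrawal limit"
            for o in batch if o.sats > PER_WITHDRAWAL_LIMIT]

def batch_checks(batch: List[Output]) -> List[str]:
    """Checks on the whole batch, run before signing rather than after broadcast."""
    alerts = []
    total = sum(o.sats for o in batch)
    if total > MAX_BATCH_DRAIN * HOT_WALLET_BALANCE:
        alerts.append(f"batch moves {total / HOT_WALLET_BALANCE:.0%} of hot wallet")
    accounts = {o.account for o in batch}
    if len(accounts) > MAX_ACCOUNTS_PER_BATCH:
        alerts.append(f"{len(accounts)} distinct accounts in one batch")
    return alerts

if __name__ == "__main__":
    batch = constructed_batch()
    print("per-output checks:", per_output_checks(batch) or "clean")
    print("batch checks:", batch_checks(batch))
```

The per-output pass is "clean" while the batch check flags both the drain ratio and the number of requesting accounts, which is the gap a post-execution alarm cannot close.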

According to @Coinfirm_io analysis the @Binance hacker has recently moved over 1214 #BTC (~$7.16M) to new addresses

But almost 5786 BTC (~$34.14M) still sit on the #Binance hacker's original addresses

More exclusive insights coming! https://t.co/CdRIXAT8dC pic.twitter.com/YUVrHeVOhn — Coinfirm (@Coinfirm_io) May 8, 2019

In more positive news, Binance pledged to use emergency reserves to cover the costs of the incident, but said that while trading on the platform is still enabled, deposits and withdrawals have been frozen for ‘about’ one week. Binance said that the “hackers used a variety of techniques, including phishing, viruses and other attacks”, and while the precise nature of the attacks is still being investigated, it seems clear that this heist was some time in the planning as well as the delivery, with multiple layers of phishing and malware attacks over an extended period of time.

The attack has come as somewhat of a surprise to the crypto industry, as Binance has been regarded as one of the more legitimate and secure exchanges. In fairness, the company’s reaction has done nothing to diminish this, and the connected ‘hot wallet’ - as opposed to a cold storage offline wallet - is always a weak point for an online crypto exchange. The company pointed out that “about 2% of our total BTC holdings” were in the hot wallet, and claimed that: “All of our other wallets are secure and unharmed.”

Binance’s web domain gains an A+ when tested with High-Tech Bridge’s website security tester, and interestingly the tool shows that the domain has been submitted to it nearly 6,000 times in the last 12 months alone. As is often the case, however, there are subdomains that earn a less sparkling score, with both resource.binance.com and sensors.binance.com scoring an ‘F’ grade.

Ilia Kolochenko, CEO of High-Tech Bridge said: “Technical details of the breach still remain obscure and it would be premature to make any conclusions at this point of time.”

“Today, all cryptocurrency-related businesses should be well prepared to defend against constant and sophisticated cyber-attacks. In reality, however, virtually all of them underestimate or ignore digital risks and allocate scant resources for cybersecurity. Most have to compete in a very aggressive and turbulent market and thus are reducing their costs by all available means. Software development suffers most tremendously, as cheap outsourced code cannot be secure by definition.

“To bring certainty to the cryptocurrency markets, clear regulatory standards are required, such as PCI and PA DSS. Even if they are not a silver bullet, they greatly reduce both the number and average volume of credit card thefts.”

Of course, because the world of crypto is never straightforward, a comment from Changpeng Zhao, the outspoken chief executive of Binance, relating to the possibility of rolling back the Bitcoin blockchain in order to recover the funds has spurred nearly as much interest as the breach itself. Presumably CEOs from other industries must be watching and taking notes on how to change the narrative when a serious breach occurs...

It turns out the re-org discussion is hotter than the incident itself. And becoming a little twisted.

1. we did not initiate the idea. It came from a suggestion from Jeremy (quoted tweet)

2. we did discuss it. Many people seem to deem even that itself is wrong. I don't think https://t.co/vLAurq6AKt — CZ Binance (@cz_binance) May 8, 2019

A final chilling note from the Binance announcement was that, although the initial theft has now been spotted and deposits and withdrawals frozen to prevent further losses, the company warned: “Please also understand that the hackers may still control certain user accounts and may use those to influence prices in the meantime.”

Or to paraphrase, there is value in compromised trading accounts far beyond the coins they contain. While crypto exchanges are obvious high-risk hacker targets, there are clear takeaways for enterprises in general: The value of enterprise assets is sometimes not immediately obvious, and once a business risk is identified make sure it is mitigated as thoroughly as possible. By having a #SAFU fund in place Binance have managed the latter, and at least recognised the former. As a final positive note, the breach has been publicly disclosed and managed promptly (at least so far), hopefully protecting reputation to some extent.

How well-prepared is your business for a breach?