Binance, the world’s largest crypto exchange by volume, and the world’s largest tether exchange, has been hacked.

The hackers drained the exchange’s hot wallets, taking 7,000 bitcoin, worth approximately $41 million, in a single transaction. The hack only amounted to 2% of the exchange’s total holdings. Everything else was in its offline cold wallets.

“All of our other wallets are secure and unharmed,” Binance CEO Changpeng Zhao (aka “CZ”) wrote in a blog post on Wednesday morning, May 8, Asia time. 

The stolen funds are visible in this transaction. Hours before the announcement, the exchange said it was undergoing maintenance.

CZ explained the hackers were able to obtain a large number of user API keys, two-factor authentication (2FA) codes, and “potentially other info.” 

To pull off the heist, hackers used a variety of techniques, including phishing, viruses and other attacks. “We are still concluding all possible methods used,” CZ said. “There may also be additional affected accounts that have not been identified yet.” 

In the meantime, Binance has suspended all customer deposits and withdrawals, but trades will continue. “Please also understand that the hackers may still control certain user accounts and may use those to influence prices,” CZ noted.

He explained that the the hackers had the patience to wait, and execute well-orchestrated actions through “multiple seemingly independent accounts at the most opportune time.”

The exchange will use its Secure Asset Fund for Users (SAFU) to cover the losses. In mid-2018, after an earlier hack, Binance began to allocate 10% of all trading fees received into the fund, as a way to insure against extreme losses. 

After being up for 29 hours, an exhausted CZ did a 37-minute Periscope stream to answer questions about the hack. “It’s one of those days,” he said. “Yeah, it’s been rough.”

What happened?

At this point, few details of the incident are public—and speculation is rampant. 

It appears the hackers were able to drain the exchange’s hot wallets without a manual authorization. Typically, large outbound transfers (often over 100 BTC) need to be manually vetted. For instance, crypto exchange Liquid, based in Tokyo, keeps 100% of its funds in cold storage and manually processes all withdrawals. It is a slower process for getting funds off an exchange, but more secure.

Cornell University professor and blockchain researcher Emin Gün Sirer thinks the Binance hackers knew the per-account limits, and used multiple compromised accounts to withdraw the entire hot wallet. “This shows how difficult it is to build secure services with our current coin infrastructure,” he told me. 

Gün was amazed at Binance’s decision to keep trading even though it doesn’t know the full extent of the hack or how many accounts were affected.

As he explained, “They know some 2FA has been compromised, but they don’t know which customer accounts are compromised—yet they enable trading.” In other words, someone could carry out risky trades in the next week, and if the trades lose money, they could say that their 2FA was compromised and the trades were unauthorized. 

“Continuing to trade in an unknown scenario opens them up to unlimited legal risk,” he tweeted. “This is ballsy beyond belief.”

Freezing withdrawals

Binance is freezing withdrawals for a week—that means 188,000 Bitcoin are stuck on the platform—a move that could create an artificially restricted supply.

You can’t withdraw bitcoin off the exchange, but Binance itself—and insiders—can. This could allow a privileged few to take advantage of price differentials on other exchanges.  

“If you want to sell a lot of bitcoins onto the market, and capture as much liquidity as possible, you want to be the only one selling,” Twitter user Bitfinex’ed told me. “You don’t want other people selling to the same orders you want to sell to. Binance freezing withdrawals means those people are stuck there and can’t sell for real money.”

Previous hack

This isn’t the first time Binance has been hacked. It experienced another sophisticated hack in July 2018, where oddly enough, 7,000 BTC—the same amount of bitcoin as this recent hack—was also withdrawn and resulted in an “emergency maintenance.”

The earlier attack went something like this:

Syscoin (SYS)—a minor altcoin with a low volume and small order book — was hit by a hack caused by a bug in its wallet. The attackers then sent the ill-gotten SYS coins to Binance, where they created a torrent of buy orders via the Binance API. This pushed the price of SYS as high as 96 BTC, at one point. The hackers then withdrew the bitcoin, prompting Binance to cease trading and to reset all of its APIs.

The incident is what prompted Binance to create its SAFU insurance fund, which at the time, contained only Binance’s own BNB on-exchange token. Those who suffered a loss as a result of the hack, were compensated in BNB. It is not clear, however, if that will be the case this time. CZ says he has enough bitcoin to cover the loss. 

It is entirely possible the same hackers who pulled off this earlier hack were also the ones behind the recent hack. If so, who were they?

North Korea 

Another source I spoke to—who did not want his identity revealed—said the recent hack has all the hallmarks of a sophisticated, multi-pronged attack that might be more the work of nation-state elements rather than your typical “lone hacker.”

He speculated that it was possible this was the work of APT 38, a covert cybercrime cell that specializes in financial institutions, and more recently, cryptocurrencies, to prop up North Korea’s economy. 

The group, according to cybersecurity firm FireEye, doesn’t operate by a quick smash-and-grab strategy typical of day-to-day cybercriminals, but with the patience and precision of a nation-state threat actor that has the time and tools to sit and wait for the perfect moment to launch an attack.

“APT 38 operators put significant effort into understanding their environments and ensuring successful deployment of tools against targeted systems,” FireEye experts wrote in a report. “The group has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, necessary permissions, and system technologies to achieve its goals.”

The Binance investigation is ongoing. I’ll update this post as more information surfaces

# # #