The world’s leading cryptocurrency exchange, Binance, was apparently hacked today – but the company has promised to make investors whole.
A statement issued by Binance noted that “Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info. The hackers used a variety of techniques, including phishing, viruses and other attacks.”
The update explains that not all methods are yet known, but that the hackers were able to successfully withdraw 7,000 BTC from the Binance hot wallet, valued at around $40M at current prices. The update insists that all other wallets are secure and unharmed.
In a sophisticated attack that involved the coordination of multiple accounts and the unique structuring of transactions, hackers were able to evade the security checks set in place by the exchange. Once discovered, all further withdrawals were frozen. All deposits and withdrawals remain suspended at the time of reporting. Trading remains available for all users, however.
The report also notes that hackers may continue to control certain user accounts with the goal of influencing prices, but with withdrawals being frozen, Binance claims the incentive for such actions is diminished.
Binance sets aside funds in what has been dubbed a #SAFU account, so the loss will be entirely covered at no expense to users. A security review, estimated to take about a week, will be conducted to prevent further attacks of this nature on the exchange.
The theft was conducted in a single transaction, available for all to see on the Bitcoin blockchain.
Bitcoin prices dropped sharply as the market reacted to one of its biggest fears: a serious hack on a major centralized exchange. Within an hour of the announcement, the price of BTC had plunged from around $5,954 to just over $5,830.
Incidents such as this serve as a dramatic reminder that private keys are only private for as long as they are under the control of the individual holder.
Dave Jevans of CipherTrace, a cryptocurrency security firm, told Crypto Briefing that “There is a growing trend of hacking the hot wallets of cryptocurrency exchanges. This is certainly not the first 2FA hack against an exchange that we’ve seen this week.”
Jevans noted that “Using a two factor approach, social engineering and SIM card porting of phone numbers can give attackers access to sensitive systems inside exchanges.”
While social engineering has not been directly identified as a specific aspect of Binance’s investigation into the hack, the statement issued by the exchange appears to leave that possibility open.
Exchange boss Changpeng Zhao is expected to host a Twitter “Ask Me Anything” session later.
This is a breaking story and will be updated.