Twitter user @CryptoNakamao has described a hack in which roughly one million US dollars was stolen from his Binance account. He never disclosed his account password or his two-factor authentication (2FA) code; instead, the attackers hijacked his logged-in browser session and drained the account through "counter-trading". Below is a detailed review of his experience.

A freeze that came too late

"As soon as the incident happened, I not only informed Binance customer service but also sent a private message to He Yi on Telegram. She was very responsive and handed my UID to the security team right away. What I didn't expect was that, even with her urging, it took Binance staff more than a day to notify KuCoin and Gate to freeze the funds the hacker had transferred there. Needless to say, the hacker's funds had already been moved out (verified). It was meaningless." @CryptoNakamao said that he contacted Binance co-founder He Yi as quickly as he could, but the response still could not keep pace with the hacker moving the assets.

How did the attackers carry out the attack?

On May 24, while @CryptoNakamao was commuting home from work, the attackers used his stolen browser session cookies to take control of his account, fired off a large number of trades, and pushed up the prices of several trading pairs: QTUM/BTC by 21%, DASH/BTC by 27%, PYR/BTC by 31%, ENA/USDC by 22% and NEO/USDC by 20%. He did not notice until about an hour and a half later, when he happened to check his Binance account.

How the counter-trade drained the funds

A security firm later explained the mechanism. Using accounts under their own control, the attackers bought the tokens on the highly liquid USDT pairs and then placed sell limit orders at inflated prices on the less liquid BTC and USDC pairs. Finally, from @CryptoNakamao's account, they opened leveraged positions and bought heavily into those orders, completing the counter-trade: the victim's account pays far above the fair price, and the difference lands in the attackers' own accounts, which are free to withdraw.

No security alert received

@CryptoNakamao said he received no security alert from Binance. Ironically, the next day he received an email from Binance inviting him to become a market maker because of his high trading volume. Despite the massive activity, Binance issued no warning, froze no account, and placed no restriction on the attackers' assets.

Even after notification, no rescue

As soon as he became aware of the breach, @CryptoNakamao contacted Binance customer service, but the attackers kept control of his account and moved the proceeds out of Binance unhindered. What puzzled him further was that the attackers ran these blatant counter-trades through a single account without being stopped, which undermined his trust in Binance's risk controls.

Root cause: Malicious Chrome extension

@CryptoNakamao and the security firms traced the intrusion to a Chrome extension called AggrTrade, a seemingly harmless tool recommended by overseas KOLs (key opinion leaders) and Telegram channels that was in fact malicious.

AggrTrade collected cookies from the browser and forwarded them to the attackers' server. A valid session cookie lets an attacker resume the victim's already-authenticated session, so neither the password nor the 2FA code, which are checked when the session is created, is needed. In @CryptoNakamao's case, his passwords were stored in 1Password and were never exposed; the cookies alone were enough to control his account for the counter-trading.
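What gives an extension that reach is visible in its manifest, and that is the check a user can do before installing. The following is an added example, not code from the article or from AggrTrade: a small Python auditor that reads a Chrome extension manifest and reports whether the extension can reach a given site's cookies, either through the chrome.cookies API (which needs the "cookies" permission plus a host permission covering the site, and returns HttpOnly cookies too) or through a content script injected into the page (which sees document.cookie). The two manifests are constructed samples; the first is built to resemble a cookie-harvesting extension and is not AggrTrade's real manifest.

```python
"""Audit a Chrome extension manifest for cookie access to a target site.

Added example for this article; not code from AggrTrade or the article.
The two manifests at the bottom are constructed samples."""
from __future__ import annotations

import fnmatch
import json
from urllib.parse import urlsplit

# "cookies" unlocks chrome.cookies.* in background code; together with a host
# permission covering the site it returns every cookie, HttpOnly ones included.
COOKIE_API_PERMS = {"cookies"}
# Broad capabilities that a charting or trade-aggregation tool rarely needs.
NOTABLE_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                 "scripting", "tabs", "nativeMessaging", "clipboardRead"}


def pattern_covers(pattern: str, url: str) -> bool:
    """Chrome match pattern (<scheme>://<host>/<path>, '*' wildcards) vs a URL."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    p_scheme, rest = pattern.split("://", 1)
    p_host, _, p_path = rest.partition("/")
    u = urlsplit(url)
    if p_scheme == "*":
        if u.scheme not in ("http", "https"):
            return False
    elif p_scheme != u.scheme:
        return False
    host = u.hostname or ""
    if p_host.startswith("*."):          # "*.example.com" also covers example.com
        base = p_host[2:]
        if host != base and not host.endswith("." + base):
            return False
    elif p_host != "*" and p_host != host:
        return False
    # The path part is a glob in which '*' may span '/'.
    return fnmatch.fnmatchcase(u.path or "/", "/" + p_path)


def host_patterns(manifest: dict) -> list[str]:
    """MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", [])
             if "://" in p or p == "<all_urls>"]
    return pats


def content_script_patterns(manifest: dict) -> list[str]:
    return [m for cs in manifest.get("content_scripts", [])
            for m in cs.get("matches", [])]


def audit(manifest: dict, target_url: str) -> dict:
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    host_hit = any(pattern_covers(p, target_url) for p in host_patterns(manifest))
    cs_hit = any(pattern_covers(p, target_url) for p in content_script_patterns(manifest))
    return {
        "name": manifest.get("name"),
        # background/service-worker code can call chrome.cookies.getAll() for the site
        "can_read_all_cookies": bool(perms & COOKIE_API_PERMS) and host_hit,
        # a content script runs inside the page and can read document.cookie
        # (non-HttpOnly cookies only) as well as the DOM
        "can_read_page_cookies": cs_hit,
        "notable_permissions": sorted(perms & NOTABLE_PERMS),
    }


# Constructed sample resembling a cookie-harvesting "trading tool" extension.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Aggregated Trades (constructed sample)",
  "version": "1.0",
  "permissions": ["cookies", "storage", "alarms"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*.binance.com/*"], "js": ["inject.js"]}],
  "background": {"service_worker": "bg.js"}
}
""")

# Constructed sample of a tool that stays on the one site it overlays.
BENIGN_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Chart overlay (constructed sample)",
  "version": "1.0",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://www.tradingview.com/*"], "js": ["overlay.js"]}]
}
""")

if __name__ == "__main__":
    target = "https://www.binance.com/en/trade/BTC_USDT"
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit(m, target), indent=2))
```

For a real extension, the manifest is the manifest.json inside its unpacked directory (chrome://extensions, Developer mode, shows the path). An extension that asks for "cookies" together with <all_urls> or a host permission on the exchange domain can read the exchange session cookie regardless of the HttpOnly flag, which is exactly the capability the article describes.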

This was not Binance's first such case

@CryptoNakamao says there was a further blow. Binance already knew this extension existed and had even asked users to help gather information about the attackers. Despite knowing the risk, Binance delayed taking action, and more users became victims.

For example, in March another Binance user's account was compromised, and Binance CEO Richard Teng responded that the company was investigating and would find the root cause. @CryptoNakamao believes this gave Binance ample time to warn users.

Binance’s missed opportunity

Looking back on the incident, @CryptoNakamao listed several key failures on Binance's part:

  1. Slow response: although aware of the hack and of the malicious extension, Binance did not act in time, the extension continued to be promoted, and more funds were stolen.

  2. Lack of risk control: the attackers traded through the account for more than an hour, moving the prices of thin pairs by 20 to 30 percent, without triggering any risk alert or freeze.

  3. Failure to freeze in time: Binance did not freeze the attackers' accounts and funds promptly and missed the window to stop the transfer of assets.

  4. Ineffective coordination: it took Binance more than a day to ask other platforms to freeze the attackers' funds, by which time the funds were gone.
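The counter-trade described under "How the counter-trade drained the funds" and the missing risk check in item 2 above can be put together in one runnable sketch. This is an added example, not code from the article, from Binance or from the security firm: an illustrative ask book for a thinly traded TKN/BTC pair (TKN is a hypothetical token), an attacker-owned ask parked 30% above the fair price derived from the liquid TKN/USDT and BTC/USDT legs, a market buy sent from the hijacked account, and two assumed risk rules, fill-price deviation from the liquid-leg reference and per-account notional burst, that flag the fills. All prices, sizes, thresholds and account names are invented.

```python
"""Counter-trade through an illiquid pair, plus the risk-control check that
would have flagged it.  Constructed example for this article: accounts,
prices, order book and thresholds are invented and are not Binance's data
or rules."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Fill:
    pair: str
    buyer: str
    seller: str
    price: float   # in quote asset (BTC here)
    qty: float     # in base asset (TKN)


@dataclass
class AskBook:
    """Ask side of one pair: [price, remaining qty, owner], sorted by price."""
    pair: str
    asks: list = field(default_factory=list)

    def add_ask(self, price: float, qty: float, owner: str) -> None:
        self.asks.append([price, qty, owner])
        self.asks.sort(key=lambda a: a[0])

    def market_buy(self, buyer: str, quote_budget: float) -> list[Fill]:
        """Spend up to quote_budget walking up the asks (price priority only)."""
        fills = []
        for ask in self.asks:
            if quote_budget <= 0:
                break
            price, qty, owner = ask
            take = min(qty, quote_budget / price)
            fills.append(Fill(self.pair, buyer, owner, price, take))
            ask[1] -= take
            quote_budget -= take * price
        self.asks = [a for a in self.asks if a[1] > 1e-12]
        return fills


def simulate_counter_trade() -> tuple[list[Fill], float]:
    """Attacker parks a high ask in thin TKN/BTC, then buys into it with the
    hijacked account.  Returns (fills, fair TKN/BTC price)."""
    # Fair price from the liquid legs (assumed): TKN/USDT = 1.00, BTC/USDT = 50_000.
    fair = 1.00 / 50_000                          # 0.00002 BTC per TKN
    book = AskBook("TKN/BTC")
    book.add_ask(0.0000201, 1_000, "maker_a")     # genuine resting liquidity
    book.add_ask(0.0000205, 2_000, "maker_b")
    book.add_ask(0.0000260, 100_000, "attacker")  # 30 % above fair, attacker's own account
    # The hijacked session sends one large (assumed margin-funded) market buy.
    fills = book.market_buy("victim", quote_budget=2.6)
    return fills, fair


def victim_overpayment(fills: list[Fill], fair: float, victim: str = "victim") -> float:
    """Quote asset paid above fair value; this is what the counter-trade moves
    to whoever owned the inflated asks."""
    return sum((f.price - fair) * f.qty for f in fills if f.buyer == victim)


def run_risk_checks(fills: list[Fill], fair: float, baseline_notional: float = 0.05,
                    max_deviation: float = 0.10, burst_multiple: float = 10.0) -> list[dict]:
    """Two rules an exchange-side risk engine could apply per fill and per
    account.  Thresholds are assumptions for the example."""
    alerts = []
    for f in fills:
        dev = f.price / fair - 1                  # distance from the liquid-leg reference
        if dev > max_deviation:
            alerts.append({"rule": "price_deviation", "account": f.buyer,
                           "counterparty": f.seller, "pair": f.pair,
                           "deviation": round(dev, 3)})
    notional: dict[str, float] = {}
    for f in fills:
        notional[f.buyer] = notional.get(f.buyer, 0.0) + f.price * f.qty
    for acct, n in notional.items():
        if n > burst_multiple * baseline_notional:  # far above the account's usual hourly volume
            alerts.append({"rule": "volume_burst", "account": acct, "notional": round(n, 4)})
    return alerts


if __name__ == "__main__":
    fills, fair = simulate_counter_trade()
    for f in fills:
        print(f"{f.buyer} bought {f.qty:,.0f} {f.pair} @ {f.price:.7f} from {f.seller}")
    print(f"overpaid vs fair: {victim_overpayment(fills, fair):.4f} BTC")
    for a in run_risk_checks(fills, fair):
        print("ALERT", a)
```

Running the block prints the three fills, the quote asset overpaid versus fair value (about 0.587 BTC in this sketch, nearly all of it credited to the seller of the inflated ask), and two alerts. The first rule is the one that matters for this incident: the liquid USDT leg provides a fair reference, so a fill 30% away from it on the BTC leg is detectable at the moment it prints, not an hour and a half later when the account owner happens to look.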

Warning to everyone

By sharing his story, @CryptoNakamao is reminding the cryptocurrency community of the danger of browser extensions and the importance of security vigilance. "I want to sound the alarm on security for everyone, so that you don't make the same mistakes I did. As cryptocurrency becomes more and more widespread, the asset security and personal safety of every participant deserves attention," he said.

He Yi's response: be more wary of extension software

He Yi, co-founder of Binance, said: "According to the user, he was tricked into installing the plug-in. The hacker could not withdraw the coins, so he used counter-trading to drain all the money in the account. Everyone is advised to protect their devices, be more wary of plug-ins and links, and put security first."

This article, "Google extension software is causing trouble! The one million US dollars that disappeared from the Binance account will be difficult to recover even if you sit down", first appeared on Chain News ABMedia.