😐 How could a hacker steal $1 million from a Binance account without hacking the account itself?

A recent scam story shared by a Chinese user revealed a new way to steal funds.

Victim Summary:

— On May 24, I was traveling home from work with my computer and phone with me.

— During this time, there were intensive operations on my account that I was unaware of. Pairs like QTUM/BTC rose by 21%, DASH/BTC by 27%, PYR/BTC by 31%, and NEO/USDC by 22%, all due to purchases made from my account.

— I didn't know about these transactions until I accidentally opened my Binance account to check the BTC price.

— Experts later explained that the hacker had compromised my website's cookies and manipulated asset prices using my account.

— The hacker, by monitoring the prices of assets in my account, made money and successfully withdrew it from Binance. When I contacted support, the funds had already been withdrawn.

– The culprit was a Chrome extension called Aggr.

— The attack works as follows: when you install and use the malicious plugin, the hacker can collect your cookies on their server and use them to intercept sessions of active users, impersonating you.

— No need to hack the password or 2FA. Chrome web extensions can be just as dangerous as downloading malicious apps.

– Throughout the entire process, Binance staff responded slowly and did not help recover losses.
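
The post attributes the theft to a browser extension that could read the victim's session cookies. As an added example (not part of the original post), this Python check audits extension manifests for the permissions that make that possible; the sample manifests, extension names and the `example-exchange.test` host are constructed.

```python
import json

# Constructed sample manifests (not taken from any real extension).
SAMPLE_MANIFESTS = {
    "chart-helper": json.loads("""{
        "manifest_version": 3, "name": "Chart Helper",
        "permissions": ["cookies", "storage"],
        "host_permissions": ["<all_urls>"]
    }"""),
    "price-widget": json.loads("""{
        "manifest_version": 2, "name": "Price Widget",
        "permissions": ["storage", "*://*.example-exchange.test/*"],
        "content_scripts": [{"matches": ["*://*.example-exchange.test/*"], "js": ["w.js"]}]
    }"""),
    "dark-theme": json.loads("""{
        "manifest_version": 3, "name": "Dark Theme", "permissions": ["storage"]
    }"""),
}

def pattern_covers(pattern, host):
    """True if a Chrome match pattern applies to `host` (scheme and path ignored)."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False  # an API permission name such as "storage", not a host pattern
    pat_host = pattern.split("://", 1)[1].split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        return host == pat_host[2:] or host.endswith(pat_host[1:])
    return host == pat_host

def audit_manifest(manifest, host):
    """List the ways this manifest lets an extension reach session cookies for `host`."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    # MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
    api_hosts = manifest.get("host_permissions", []) + perms
    script_hosts = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    findings = []
    if "cookies" in perms and any(pattern_covers(p, host) for p in api_hosts):
        findings.append("cookies-api")      # chrome.cookies reads all cookies, HttpOnly included
    if any(pattern_covers(p, host) for p in script_hosts):
        findings.append("content-script")   # injected script can read document.cookie and the page
    return findings

if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        print(name, audit_manifest(manifest, "www.example-exchange.test"))
```

On a real machine the manifests to feed in are the `manifest.json` files under the Chrome profile's `Extensions` directory. This check does not cover permissions an extension requests later through `optional_permissions`.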