Author: Gyro Finance

Security incidents are not uncommon in traditional finance, and they are even more common in the anonymous, dark-forest world of cryptocurrency.

Data shows that in May alone there were 37 notable security incidents in the crypto space, with total losses from hacker attacks, phishing scams and rug pulls reaching US$154 million, an increase of approximately 52.5% from April.

On June 3 alone, two more security incidents came to light. Unlike most others, both involved large exchanges and both unfolded in a rather bizarre way. By the end of the story, though, one side had reason to be relieved and the other did not.

On June 3, a long post by a user named Nakamao on the X platform went viral. In it he wrote that "he became a victim of the cryptocurrency circle, and $1 million in his Binance account was wiped out." With that post, the account of a series of hacker thefts began.

According to his account, on May 24 Nakamao was on his way to work with all of his communication devices on him. Yet in this seemingly foolproof setting, the attackers used cross-trading to drain every fund in his account without ever obtaining his Binance account password or a two-factor authentication (2FA) code.

In short, cross-trading means placing large orders in trading pairs with scarce liquidity, so that the attacker's own account sells into the large buy orders placed from the victim's account. In the end the attacker walks away with real funds or stablecoins from selling an altcoin, while the victim's account is left holding the altcoins. This type of theft is not uncommon on exchanges. In 2022, FTX lost up to US$6 million to cross-trading after 3commas API keys were leaked; at the time, SBF used FTX's cash reserves to cover the losses and settle the matter. Binance has also seen large-scale cross-trading since then. The vicious part of this model is that, for an exchange with weak risk controls, it looks like perfectly ordinary trading activity, and no theft is flagged as abnormal.

In this case the attacker picked QTUM/BTC, DASH/BTC, PYR/BTC, ENA/USDC and NEO/USDC and used the user's large balance to buy them up by more than 20%. The user noticed none of the attacker's operations until he checked his account more than an hour later and found the anomaly.

According to the security firm's analysis, the attackers controlled the account by hijacking web cookies, that is, by reusing the session data the browser had saved locally. It is the same mechanism that lets you return to a site without re-entering your password: the record of a previous login is still there, so the site treats the request as already authenticated.

At this point it might still be written off as the user's own negligence, but what followed was even more bizarre. After the theft, Nakamao immediately contacted customer support and Binance co-founder He Yi, and handed the UID over to the security team in the hope of freezing the hacker's funds quickly. But it took Binance staff a full day to notify KuCoin and Gate. By then, as expected, the funds were long gone: the hacker had used a single account, without spreading the funds across several, and had withdrawn everything from Binance without incident. Throughout the process the user received no security alert; more ironically still, because of the large purchases, Binance sent him an invitation the next day to become a spot market maker.

In the subsequent review, an ordinary-looking Chrome extension called Aggr came into Nakamao's sights. The extension is used to view market-data websites. According to the victim, he had seen many overseas KOLs promoting it for several months, so he installed it for his own use.

A brief explanation: browser extensions can do a great deal. In theory a malicious extension can not only log in to a trading account and read account information to place trades, but also withdraw funds and change account settings. The core reason is that extensions themselves are granted broad permissions: intercepting and modifying network requests, reading browser storage, accessing the clipboard, and more.

After discovering the problem with the extension, Nakamao immediately contacted the KOL to ask about it and urged the KOL to tell followers to disable it, but unexpectedly the boomerang then flew back at Binance. According to Nakamao's initial statement, Binance had already known about the problem with the extension: a similar case had occurred in March this year, and Binance had tracked down the hacker afterwards. Perhaps to avoid tipping off the attacker, it had neither asked for the product to be pulled in time nor stopped the KOL from staying in contact with the hacker. At that stage, Nakamao became the next victim.

Since it was possible to log in and trade using only cookies, Binance's mechanism clearly has problems. Yet the incident itself was actually caused by the user's own negligence, so assigning responsibility became a problem.

As expected, Binance's response to the incident caused a stir in the market. Beyond the official account's reply that the cause was a hacker attack, Binance said it had not noticed the relevant information about the AGGR plug-in. In a WeChat group, He Yi also commented on the incident: "This is a case where the user's computer was hacked, and even the gods can't help. Binance can't compensate the user for the hacked device."

Nakamao obviously could not accept Binance's handling, arguing that Binance had failed to take risk-control measures, that the KOL had clearly confirmed mentioning the plug-in to the Binance team, and that Binance was therefore also suspected of failing to report it. As public opinion continued to ferment, Binance responded again that it would apply for a bounty as feedback for users who report malicious plug-ins.

I thought the matter had come to an end, but interestingly, on June 5 the incident took a turn. Nakamao apologized to Binance on the X platform, saying there had been an information gap between him and Binance and that he had made subjective assumptions. Binance had in fact not been aware of the plug-in; it first learned of the aggr.trade website on May 12, not in March as previously stated. In addition, the KOL was not an undercover agent for Binance; the KOL had communicated with Binance about account issues, not the plug-in.

Regardless of whether these remarks are true, the 180-degree turn from disappointment to public apology suggests that Binance must have paid him compensation, though the specific amount is unknown.

By coincidence, on June 3 it was not only Binance: OKX was also affected. An OKX user said in the community that his account had been stolen using AI face-swapping and that US$2 million had been transferred out. The incident occurred in early May. According to the user's description, the theft had nothing to do with any leak on his part: the hacker logged in to his email account, clicked "Forgot password", and at the same time produced a fake ID card and an AI face-swapped video, bypassing the firewall, then changed the phone number, email address and Google Authenticator, and emptied the account within 24 hours.

Although the video has not been released, from the user's own statement the AI-synthesized video was probably of very poor quality, yet it still got through OKX's risk-control system. The user therefore believes OKX is also responsible and hopes OKX will compensate him in full. Looking closely, however, the perpetrator must be someone familiar with the user, his habits and his account balance; it can be concluded that an acquaintance was behind it. The user himself also mentioned in his post that he has a friend who is inseparable from him. Under normal circumstances OKX will not compensate for this. The user has now reported the case to the police and plans to seek compensation through them.

The crypto community has discussed both incidents at length. From a security standpoint, although many emphasize that only self-custody wallets give absolute control over assets, it has to be admitted that exchanges are safer than personal custody, and the core reason is that they add a counterparty you can talk to. The exchange is at least a direct third party that can be reached; whatever the outcome, it will at least join the investigation, and with the right communication it may even pay compensation, as with the victims above. If a self-custody wallet is stolen, however, there is almost no institution to provide a safety net.

That said, security improvements at today's exchanges are also urgent. Large trading platforms hold most users' assets, and crypto assets are hard to recover, so security deserves more attention. In traditional finance you must re-enter your password almost every time you log back in, which prevents an account from being taken over, and transfers usually require an additional verification step. The community therefore recommends that trading platforms add a password-lock function, require 2FA before trading, require re-verification after an IP change, or adopt multi-party computation (MPC) verification to distribute credentials, improving security at the cost of some user experience. Some users, however, argue that repeated verification is too cumbersome for high-frequency trading and is hardly feasible.
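As an added example (not Binance's code or the article's own), the policy below models two of the controls discussed above: re-verification when a session cookie is presented from a different IP than it was issued to, and a 2FA challenge before a buy that would move an illiquid pair's price by more than a threshold. The field names, the 5% threshold and the order book are assumptions constructed for illustration.

```python
# Added example, not Binance's or the article's code: a step-up verification
# policy. Field names, the 5% threshold and the order book are assumptions.
from dataclasses import dataclass, field

@dataclass
class Session:
    session_id: str
    bound_ip: str              # IP address the session cookie was issued to
    verified_2fa: bool = True  # whether 2FA was completed in this session

@dataclass
class Order:
    pair: str
    side: str                # "buy" or "sell"
    quote_amount: float      # order size in quote currency (e.g. BTC)
    asks: list = field(default_factory=list)  # [(price, base_qty)], ascending

IMPACT_LIMIT = 0.05  # assumed: step up when a buy would lift the price >5%

def price_impact(order: Order) -> float:
    """Fraction by which a market buy of quote_amount would move the ask price.
    Walks the ask levels until the quote amount is consumed and returns
    (last_price_hit - best_ask) / best_ask, or inf if the whole book is eaten."""
    remaining = order.quote_amount
    best = order.asks[0][0]
    last = best
    for price, qty in order.asks:
        last = price
        level_cost = price * qty
        if level_cost >= remaining:
            return (last - best) / best
        remaining -= level_cost
    return float("inf")  # order exhausts every resting ask

def requires_step_up(session: Session, request_ip: str, order: Order) -> list:
    """Return the reasons a fresh 2FA challenge must precede this order."""
    reasons = []
    if request_ip != session.bound_ip:
        reasons.append("ip_changed")     # cookie replayed from another host
    if not session.verified_2fa:
        reasons.append("no_2fa")
    if order.side == "buy" and price_impact(order) > IMPACT_LIMIT:
        reasons.append("price_impact")   # large buy in a thin pair
    return reasons
```

An empty list means the order may proceed on the existing session; anything else should be met with a fresh 2FA challenge before the order is accepted.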

He Yi also responded to this, saying that "at present, big-data alerts and manual double confirmation have been added to handle sudden price fluctuations, and users will also be reminded; the verification frequency will be increased for plug-in operations and cookie authorization. A transaction password is not applicable in this scenario, but Binance will add security verification steps according to user differences."

Back to the starting point: judging from these two incidents, users too need to pay close attention and raise their own security awareness. Beyond spreading assets across accounts, try to use a completely separate device for trading. It is recommended to use decentralized authentication, not to prioritize convenience, to avoid password-free login and live facial authentication, to use extensions with caution, and to keep large holdings in a hardware wallet.

After all, crypto assets are different from physical assets. Physical assets can at least be traced, but because of regulatory restrictions it is almost impossible to obtain compensation after crypto assets are stolen, and even getting a case filed is quite difficult.

This kind of case is not uncommon. A typical example appeared in a recent report by 1818 Golden Eye. The victim, Mr. Zhu, found a "big shot" on Zhihu named "Cheng Qiqi" who claimed to have earned tens of millions of yuan trading cryptocurrencies, and hoped to follow him and make money the same way. After negotiation the two signed a contract for profit-sharing cooperation, stipulating that 70% of profits would go to Cheng Qiqi and 30% to Mr. Zhu, and that any loss would be split 50/50. During trading, Mr. Zhu only followed orders, and all accounts remained under his own control.

Such generous profit-sharing and a seemingly trustworthy contract did not produce a trustworthy result. After a small initial profit the victim increased his investment and, on Cheng Qiqi's promise of "full compensation in case of liquidation", used 600,000 yuan of borrowed principal with 100x leverage to short ETH. ETH rose, and the victim lost everything.

Filing a case in this situation is obviously difficult, because all operations were carried out by the individual himself and there was no fraud or coercion. In the end, the police and reporters could only helplessly stress that under China's laws and regulations virtual currency transactions are not protected, carry high risk, and require vigilance.

In the end, Mr. Zhu, heartbroken yet innocent-looking, played out a farcical ending.

In any case, I would like to remind once more those who take part in trading that in any financial field, even in the crypto circle, a sector that sacrifices some security for high profits and freedom, security matters far more than efficiency or profitability. This may be one reason why the so-called decentralized crypto world finds it hard to leave centralization behind.

After all, that is human nature: everyone wants someone to back them up, and however much money they make, nobody wants to be a burden to others.