Binance, the largest cryptocurrency exchange by volume, has been the talk of crypto-town ever since it lost 7,000 Bitcoins [BTC] in a security hack. The stolen Bitcoins cost the firm a whopping 40 million USD. The hack created less FUD and more pique in the market: Changpeng Zhao [CZ], the CEO and biggest promoter of Binance, claimed to be in a position to re-organize Bitcoin’s blockchain, and his team covered up the security breach by spreading positive sentiment about how transparent the exchange has been [OFC, you have to be transparent. Aren’t you guys promoting yourselves to become a DEX?]. A lot happened in the past week. Surprisingly, none of it crashed Bitcoin prices [a sign of how mature the community has become].
While CZ kept the crypto community entertained with his back-to-back tweets, we researched what might actually have happened for hackers to breach Binance’s security.
A few things to note before getting into the investigation:
- Binance is programmed in multiple languages, which are unknown to many. [Angular, React, Node.js, etc.]
- Binance re-architected their backend last year.
- According to an official blog released by Binance “These [security] technologies involve artificial intelligence [AI] solutions used in identity and facial recognition, as well as big data analytics solutions that monitor each and every movement made on the exchange in search of suspicious activity, and cyber forensic investigations that trace the roots for each attempted misdeed on the platform.”
- Binance, in their blog, spoke about how a user whose account was under attack was going to lose 46 BTC, but Binance’s security system flagged the activity, froze the account and the funds were #SAFU. [Funny how the system flagged a withdrawal of 46 BTC but was incapable of protecting 7,000 BTC.]
One of the most insecure, uncanny and extremely noticeable things about Binance accounts is the easy accessibility of the API and Security [Secret] keys, which can be fetched through phishing, trading bots and software wallets.
Before moving forward, I’d like to elaborate on the terms highlighted above.
API Key: The API key is the gateway to one’s unique identification.
Security Key: The security key, or secret key, is the authenticator which allows a second party to access your funds and trade accordingly.
Phishing: An attack wherein a malicious party pretends to be a trusted platform to gain the details of its users.
Trading bots: AI-based programs to which you give access to your API and secret keys for automatic trading.
Software wallets: Software wallets are mostly open-source projects. Anyone can make changes to a software wallet due to its customizable nature.
As observed above, before the hack each user was given an API key as well as a secret key, both easily accessible in the user’s profile section. One is the gateway to your unique identification while the other is the key to your locker. Together, these keys can be used to bypass the basic layers of security. There are several ways through which one can breach an account using these. How? Let’s understand!
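To make concrete why the API key and the secret key together bypass the login page, here is an added example (not Binance’s code, and not from the original article) of how an exchange-style key pair is used. Exchange REST APIs of this kind sign each request with an HMAC-SHA256 over the request parameters, keyed with the secret; the server recomputes the signature from its own copy of the secret, so whoever holds the secret can produce valid trade or withdrawal requests. The key names, the in-memory key store, the endpoint paths and the permission sets are all constructed for the example; the defensive points it shows are a freshness window on the timestamp (limits replay) and per-key permissions (a key used by a trading bot should never carry the withdraw right).

```python
"""Exchange-style API key pair: identification (api_key) + HMAC-SHA256 signing (secret).

Everything here is constructed for illustration; it is not the exchange's own code.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Constructed server-side key store. Real systems keep secrets encrypted at rest;
# the server still needs the plaintext secret to recompute the HMAC.
KEY_STORE: Dict[str, dict] = {
    "api-key-demo-1": {"secret": "demo-secret-1", "permissions": {"read", "trade"}},
    "api-key-demo-2": {"secret": "demo-secret-2", "permissions": {"read", "trade", "withdraw"}},
}

# Constructed endpoint -> permission mapping (least privilege per key).
REQUIRED_PERMISSION = {"/balance": "read", "/order": "trade", "/withdraw": "withdraw"}

# Requests older/newer than this are rejected, which limits replay of a captured request.
MAX_SKEW_MS = 5_000


def sign(secret: str, params: dict) -> str:
    """HMAC-SHA256 over the URL-encoded parameters, keyed with the secret."""
    payload = urlencode(params)
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()


def client_request(api_key: str, secret: str, path: str, params: dict,
                   now_ms: Optional[int] = None) -> dict:
    """What a client (or a trading bot holding the keys) sends: params + timestamp + signature."""
    body = dict(params)
    body["timestamp"] = now_ms if now_ms is not None else int(time.time() * 1000)
    body["signature"] = sign(secret, body)
    return {"api_key": api_key, "path": path, "params": body}


def verify_request(req: dict, now_ms: int) -> Tuple[bool, str]:
    """Server-side checks: known key, fresh timestamp, valid signature, sufficient permission."""
    record = KEY_STORE.get(req["api_key"])
    if record is None:
        return False, "unknown api key"
    params = dict(req["params"])
    presented = params.pop("signature", "")
    if abs(now_ms - int(params.get("timestamp", 0))) > MAX_SKEW_MS:
        return False, "stale timestamp"
    expected = sign(record["secret"], params)
    # compare_digest avoids leaking the signature through timing differences
    if not hmac.compare_digest(presented, expected):
        return False, "bad signature"
    needed = REQUIRED_PERMISSION.get(req["path"])
    if needed not in record["permissions"]:
        return False, f"key lacks {needed} permission"
    return True, "ok"


def demo(now_ms: int = 1_700_000_000_000) -> Dict[str, Tuple[bool, str]]:
    """Four constructed scenarios; returns the verifier's verdict for each."""
    order = {"symbol": "BTCUSDT", "side": "BUY", "qty": "0.1"}
    withdrawal = {"asset": "BTC", "amount": "1.0", "address": "dest-placeholder"}
    return {
        # a trade-only key placing an order: accepted
        "trade_with_trade_key": verify_request(
            client_request("api-key-demo-1", "demo-secret-1", "/order", order, now_ms), now_ms),
        # the same key trying to withdraw: refused even with a valid signature
        "withdraw_with_trade_key": verify_request(
            client_request("api-key-demo-1", "demo-secret-1", "/withdraw", withdrawal, now_ms), now_ms),
        # right key name, wrong secret: signature does not verify
        "withdraw_wrong_secret": verify_request(
            client_request("api-key-demo-2", "not-the-secret", "/withdraw", withdrawal, now_ms), now_ms),
        # a correctly signed request captured a minute ago and replayed: stale
        "withdraw_replayed": verify_request(
            client_request("api-key-demo-2", "demo-secret-2", "/withdraw", withdrawal, now_ms - 60_000), now_ms),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point for a user is the third scenario inverted: with the real secret, the "withdraw_wrong_secret" request would have been accepted, so handing the secret to a bot or typing it into a look-alike site is equivalent to handing over the funds, unless the key was issued without the withdraw permission.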
Trading bots: The internet is overloaded with paid as well as free trading bots powered by Artificial Intelligence and Machine Learning. These bots use learning algorithms to execute trades at the right time, buying and selling crypto assets so that users gain profit. They place trade orders at particular, or rather perfect, timings, which gives them the leverage to earn in a fraction of a second. When it comes to manual trading vs bot trading, bot trading outperforms manual trading in efficiency and profit margins. Users use bots to mint revenue, which keeps trading activity on exchanges much faster, and that is why money-hungry exchanges let users run them irrespective of the risks [Time to rethink your choices: centralized exchanges for financial caging, or decentralized assets for financial sovereignty]. Without any proper knowledge, a lot of crypto users hand these trading bots their API key and secret key so the bots can manage and trade their accounts.
Phishing activities: Most users aren’t aware when a phishing attack takes place. A phishing attack happens when users land on a malicious website thinking it is the trusted platform they usually use. For example, instead of Binance.com, users enter their login details on dummy platforms imitating Binance, such as Binance.in, Binance.io, Binance.co, etc. These platforms acquire the users’ login credentials and use them to withdraw their funds.
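The look-alike domains above differ from the real one only in the suffix, which is exactly what a strict host check catches. The following is an added example (not Binance’s code, not from the article) of a defender-side check that a login URL belongs to the expected domain: it accepts only the exact registered domain or one of its subdomains over HTTPS, and rejects suffix swaps, domains that merely start with the real name, and the `user@host` trick where the real name appears before an `@`. The legitimate domain and the sample URLs are constructed for the example.

```python
"""Strict login-URL check against a known legitimate domain (constructed example)."""
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed for the example: the one domain we consider legitimate.
LEGITIMATE_DOMAIN = "binance.com"


def is_legitimate_login_url(url: str, legit: str = LEGITIMATE_DOMAIN) -> bool:
    """True only for https:// URLs whose host is `legit` or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False  # a plaintext login page is never acceptable
    # urlsplit().hostname already strips userinfo ("user@") and the port
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # exact match or a genuine subdomain; "binance.com.evil.example" fails because
    # it does not *end* with ".binance.com"
    return host == legit or host.endswith("." + legit)


# Constructed sample URLs, modelled on the look-alikes named in the article.
SAMPLE_URLS: List[str] = [
    "https://binance.com/login",
    "https://www.binance.com/login",
    "https://binance.in/login",
    "https://binance.io/login",
    "https://binance.co/login",
    "https://binance.com.login-check.example/login",   # real name as a prefix
    "https://binance.com@login-check.example/login",   # real name as userinfo
    "http://binance.com/login",                        # right host, no TLS
]


def triage(urls: List[str]) -> Dict[str, bool]:
    """Map each URL to whether it passes the check."""
    return {u: is_legitimate_login_url(u) for u in urls}


if __name__ == "__main__":
    for u, ok in triage(SAMPLE_URLS).items():
        print(("OK   " if ok else "FLAG ") + u)
```

Only the first two sample URLs pass. The same rule is what a browser password manager applies when it refuses to autofill on a domain it has no entry for, which is one practical reason to let the manager, not the eye, decide whether a login page is genuine.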
[The interesting twist]
Software Wallets: Software wallets have no physical form; they are programs that you download onto your computer. The software wallets are encrypted and need a secret key to access the crypto assets stored in them. Software wallets are safer than wallets on exchanges, although one of the biggest concerns holders face is that these wallets are connected to the internet, which makes them vulnerable and susceptible to the malware and viruses that loiter with malicious intentions in the background.
Interestingly, when we check the list of wallets that were hacked on Binance, the wallets with 100+ BTC were Electrum software wallets [wallets starting with ‘bc1’ are Electrum wallets].
To briefly explain the twist: Electrum is an open-source software wallet. It is a lightweight Bitcoin client, based on a client-server protocol, and was released on November 5, 2011. Electrum has been in the game for the longest time, which is why people trust it more than the usual software wallets out there. The server code of Electrum is open source, which means that anyone can run a server. This is a drawback, because public Electrum servers run by malicious parties can easily monitor the Electrum wallets of different users. To avoid this, users need to run their own Electrum servers.
But honestly, how many traders actually understand that? The answer is: very few. The ones who don’t understand, for obvious reasons, became victims of the hack.
Ah, also, Binance has now updated their system. After the hack, they’ve shut off access to the secret keys, as shown below. [Guess someone finally understood that security is more important than printing money.]
Okay, but how exactly did the hack take place? Let’s start with how it actually, or probably, took place.
When Binance came out with its blog on the security breach, they stated a couple of points which helped us to research further.
Binance said, “Hackers were able to obtain a large number of user API keys, 2FA codes…”.
In addition to this, the blog stated that “The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks.”
As I mentioned earlier, the API key and the secret key together are like the password and authenticator for a user’s account. There are a couple of ways to gain access to these keys:
- Through breaching Binance’s server [Not possible: since their backend is coded in multiple languages, it’s extremely difficult, or rather impossible, to tap into their server unless an insider is involved].
- When the user willingly gives out the keys [Not possible, because people have brains].
- Using software wallets, trading bots and phishing to gain the keys of Binance users [The only viable option available].
The hackers received the API keys of Binance users through phishing, trading bots and software wallets. After acquiring the API keys, the hackers patiently waited for users to come online on the exchange. Once a user logged into the exchange, the hacker could monitor the trades that user engaged in.
This activity was carried out by the hackers for months. The attack was extremely well planned. They were patient enough to monitor the trades of multiple user accounts and make a list of users holding a large number of Bitcoins.
They filtered out 44 wallets with a good enough amount of Bitcoins. 21 of the 44 held 100+ BTC and were Electrum software wallets.
Once the hackers had shortlisted the users, they waited for the bull rally. As soon as Bitcoin hit the $6,000 mark, the hack took place, because this is exactly when these traders deposited their Bitcoins on Binance for trading.
Once the hackers were satisfied with the final Bitcoin count, they transferred Bitcoins from the exchange to their wallet and accessed Binance’s transaction control system through viruses.
The entire operation was perfectly organized and perfectly timed.
They executed the entire hack by monitoring the wallets of users who were actively logged into the exchange. They had access to Binance’s transaction control and kept their own wallets ready to take the Bitcoins out at the right time.
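Binance’s own quote says the withdrawals were spread across multiple seemingly independent accounts so that each one passed the per-account checks. A monitoring rule that looks across accounts within a time window is the kind of check that catches that pattern. The following is an added example (not Binance’s system, not from the article) of such a rule run over a handful of constructed withdrawal log lines: it groups withdrawals into time windows and raises an alert when several distinct accounts send to the same destination, or when the aggregate amount in the window exceeds a limit, regardless of how small each individual withdrawal is. The log format, the account and wallet names, the window size and the thresholds are all constructed for the example.

```python
"""Cross-account withdrawal correlation over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: four withdrawals from different accounts within seconds,
# three of them to the same destination, plus one unrelated withdrawal an hour later.
SAMPLE_LOG = """\
2019-05-07T17:15:01Z account=u1001 action=withdraw asset=BTC amount=120.0 dest=wallet-A
2019-05-07T17:15:04Z account=u1002 action=withdraw asset=BTC amount=250.5 dest=wallet-A
2019-05-07T17:15:09Z account=u1003 action=withdraw asset=BTC amount=98.0 dest=wallet-A
2019-05-07T17:15:12Z account=u1004 action=withdraw asset=BTC amount=310.0 dest=wallet-B
2019-05-07T18:40:00Z account=u2001 action=withdraw asset=BTC amount=2.0 dest=wallet-C
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) action=(?P<action>\S+) "
    r"asset=(?P<asset>\S+) amount=(?P<amount>[\d.]+) dest=(?P<dest>\S+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse withdrawal lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "withdraw":
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "account": m["account"],
            "asset": m["asset"],
            "amount": float(m["amount"]),
            "dest": m["dest"],
        })
    return events


def find_coordinated_withdrawals(events: List[dict], window_minutes: int = 10,
                                 min_accounts: int = 3, total_limit: float = 500.0) -> List[dict]:
    """Group withdrawals into consecutive time windows and apply two cross-account rules.

    Rule 1: at least `min_accounts` distinct accounts withdraw to one destination in a window.
    Rule 2: the aggregate amount withdrawn in a window exceeds `total_limit`,
            even if every single withdrawal is below any per-account limit.
    """
    events = sorted(events, key=lambda e: e["ts"])
    window = timedelta(minutes=window_minutes)
    alerts: List[dict] = []
    i = 0
    while i < len(events):
        start = events[i]["ts"]
        bucket: List[dict] = []
        while i < len(events) and events[i]["ts"] - start <= window:
            bucket.append(events[i])
            i += 1
        by_dest: Dict[str, set] = defaultdict(set)
        for e in bucket:
            by_dest[e["dest"]].add(e["account"])
        for dest, accounts in sorted(by_dest.items()):
            if len(accounts) >= min_accounts:
                alerts.append({"rule": "shared_destination", "window_start": start.isoformat(),
                               "dest": dest, "accounts": sorted(accounts)})
        total = sum(e["amount"] for e in bucket)
        if total > total_limit:
            alerts.append({"rule": "aggregate_volume", "window_start": start.isoformat(),
                           "total_btc": total, "accounts": sorted({e["account"] for e in bucket})})
    return alerts


if __name__ == "__main__":
    for alert in find_coordinated_withdrawals(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log the first window produces both alerts (three accounts to wallet-A, and 778.5 BTC in total across four accounts), while the lone 2 BTC withdrawal an hour later produces none. The thresholds are deliberately simple; the design point is that the rule keys on the destination and on the window total rather than on any one account, which is what a per-account check cannot see.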
The hack bypassed all the fancy security systems the Binance team said would safeguard funds from attacks.
The largest cryptocurrency exchange in the world couldn’t manage this breach. It is time for us traders and investors to reconsider our choices. It’s time for us to think: if we don’t have our keys, we don’t own our coins. And if we don’t manage our funds, are they really ours?
Disclaimer: Please note this investigation is based on the research of the journalists and researchers of TechMerge. The writer’s thoughts/writings may or may not match those of TechMerge.