Binance, the world’s largest cryptocurrency exchange by trading volume, reported on Tuesday that hackers had stolen more than 7,000 Bitcoin from it.
Binance’s CEO, Changpeng Zhao, announced in a letter that a “large scale security breach” was discovered on May 7th, and that malicious actors had been able to access user API keys, two-factor authentication codes and “potentially other info”.
The hackers were able to withdraw approximately $41 million (£31.45m) in Bitcoin from the exchange, according to a transaction published in the security notice.
After the disclosure, Changpeng Zhao tweeted that the exchange would “provide a more detailed update shortly”.
According to the statement from Binance, the breach only affected Binance’s hot wallet, which holds around 2% of the exchange’s total Bitcoin holdings, with Zhao stating that “all of our other wallets are secure and unharmed”.
Zhao continued: “The hackers had the patience to wait, and execute well-prepared actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed.”
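Zhao’s description of withdrawals spread across multiple seemingly independent accounts, each passing the existing checks, is the pattern a defender would want an aggregate control for. The following is an added illustration, not Binance’s code and not part of the original report: a constructed withdrawal log in which every row is under a hypothetical per-account limit, alongside a sliding-window check across all accounts that flags when more than a hypothetical fraction of the hot-wallet balance leaves within a few minutes. All limits, balances and account names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample withdrawal log: (UTC timestamp, account, BTC amount).
# Every row is below the hypothetical per-account limit, so a row-by-row
# check passes; only the cross-account aggregate reveals the burst.
WITHDRAWALS = [
    ("2019-05-07T17:15:02Z", "acct-001", 900.0),
    ("2019-05-07T17:15:09Z", "acct-002", 950.0),
    ("2019-05-07T17:15:15Z", "acct-003", 980.0),
    ("2019-05-07T17:15:21Z", "acct-004", 910.0),
    ("2019-05-07T17:15:30Z", "acct-005", 940.0),
    ("2019-05-07T18:40:00Z", "acct-006", 12.5),   # ordinary traffic later on
]

PER_ACCOUNT_LIMIT_BTC = 1000.0    # hypothetical single-withdrawal limit per account
HOT_WALLET_BALANCE_BTC = 40000.0  # hypothetical hot-wallet balance
WINDOW = timedelta(minutes=10)    # hypothetical aggregation window
BURST_FRACTION = 0.10             # hypothetical: alert if >10% of hot wallet leaves in WINDOW


def parse(rows):
    """Turn the raw log rows into (datetime, account, amount) tuples."""
    return [
        (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, amt)
        for ts, acct, amt in rows
    ]


def per_account_violations(rows, limit=PER_ACCOUNT_LIMIT_BTC):
    """Row-by-row check: accounts whose single withdrawal exceeds the limit.

    This is the kind of check a well-structured burst passes: no single
    request is large enough to trip it.
    """
    return [acct for _, acct, amt in parse(rows) if amt > limit]


def aggregate_burst_alerts(rows, window=WINDOW,
                           balance=HOT_WALLET_BALANCE_BTC,
                           fraction=BURST_FRACTION):
    """Sliding-window check across all accounts.

    Returns (window_start, total_btc, accounts) for each window in which the
    combined outflow exceeds fraction * balance, regardless of how the
    withdrawals were split between accounts.
    """
    events = sorted(parse(rows))          # sort by timestamp
    threshold = balance * fraction
    alerts = []
    start = 0
    for end in range(len(events)):
        # Slide the window start forward until it fits within `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        chunk = events[start:end + 1]
        total = sum(amt for _, _, amt in chunk)
        if total > threshold:
            alerts.append((events[start][0], total,
                           sorted({acct for _, acct, _ in chunk})))
    return alerts


if __name__ == "__main__":
    print("per-account violations:", per_account_violations(WITHDRAWALS))
    for when, total, accts in aggregate_burst_alerts(WITHDRAWALS):
        print(f"BURST at {when:%H:%M:%S}: {total} BTC across {len(accts)} accounts: {accts}")
```

The per-account check returns nothing, while the aggregate check reports a single window in which 4,680 BTC left through five accounts, above the 4,000 BTC threshold. The design point is that the aggregate threshold is expressed against the hot-wallet balance rather than against any one account, so splitting a withdrawal across accounts does not lower the signal; in practice such a check would gate or delay the withdrawals rather than merely log them.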
Founder and senior cryptography advisor at temtum, Richard Dennis MSc, commented: “While it appears the hack did not attack Binance’s core systems directly, the fact that a phishing attack obtained data such as API codes and 2FA keys suggests this was an ongoing and skilled attack.
“Binance’s power is so significant within the industry that, as a result, a serious conversation took place in regard to re-organising the blockchain for only $40 million worth of BTC, while other attacks such as the Mt. Gox attack, which lost hundreds of millions of dollars, never attempted this via the Bitcoin core developers, as far as we’re aware.
“This goes to show the power and influence of certain individuals and organisations within crypto, CZ and a handful of Bitcoin devs. If this roll-back, essentially the same as a 51% attack, was seriously discussed at any point between Binance and Bitcoin developers, then this is a very serious course of action that should now be investigated by all of us involved in the industry, to ensure integrity from those with authority.
“Users frown upon centralised networks and exchanges, but have recently applauded multiple platforms for the delisting of Bitcoin SV and now with the possibility of a reorg mentioned by CZ. I believe that if this was a larger attack, that Binance could not cover financially, a reorg would have been conducted without community or Bitcoin user approval.
“This shows how centralised Bitcoin, exchanges and all cryptocurrencies really are and how no cryptocurrency at the moment can currently stop these potential issues from arising. It’s the responsibility of all of us to deliver highly secure solutions and deploy networks in the right way to achieve genuine decentralisation sooner rather than later, but not at the risk of the currencies’ long-term suitability as financial products, as we’re seeing with Bitcoin.”
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, commented: “Technical details of the breach still remain obscure and it would be premature to make any conclusions at this point of time.
“Today, all cryptocurrency-related businesses should be well prepared to defend against constant and sophisticated cyberattacks. In reality, however, virtually all of them underestimate or ignore digital risks and allocate scant resources for cybersecurity. Most have to compete in a very aggressive and turbulent market and thus are reducing their costs by all available means. Software development suffers most tremendously, as cheap outsourced code cannot be secure by definition.
“To bring certainty to the cryptocurrency markets, clear regulatory standards are required, such as PCI DSS and PA-DSS. Even if they are not a silver bullet, they greatly reduce both the number and average volume of credit card thefts.”