Binance has announced that around $40 million of Bitcoin (BTC) has been stolen, along with API keys, 2FA codes, and potentially other info from users on their exchange.
Binance has announced that it was "hacked" this morning. Close to $40.7 million USD, around 7000 Bitcoin (BTC), worth of unauthorised withdrawals took place on its exchange. However, I am not so convinced.
Why do I think this is not a hack? What does the media have incorrect?
Binance has said in a statement on the company website that:
"Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info. The hackers used a variety of techniques, including phishing, viruses and other attacks. We are still concluding all possible methods used."
If it was the users' API keys that were compromised, then it has nothing to do with Binance's own infrastructure. It is the user's responsibility to protect their own IT equipment and ensure that they are safe from security threats. In this case, it is also more than likely these users were using a third-party trading bot service, either one hosted online or one that is downloaded to a PC.
Here are some facts supporting this theory:
- This is not generic phishing or consumer hacking, as the perpetrators could have spread withdrawals over a long time
- Third parties/trading bot makers are not tech-savvy enough to protect their systems that hold customer API keys
- An insider job from someone at Binance seems unlikely as the hot wallet was only partially emptied
A trading bot service has been compromised and yet Binance has ended up bailing them out for the $40 million USD which has been stolen from its exchange.
A clever hacker would have mixed his own funds in with the "stolen" funds and called it a hack as a form of "friendly fraud" in order to get some additional money. If it is a third party who was using API keys, then Binance cannot know if this is just a conspiracy and not a hack.
Binance could have more manual withdrawal checks in place in order to ensure that the funds were protected. $40 million USD might not be that much for Binance, but it is still a lot of money to be stolen from the world's largest cryptocurrency exchange.
The long-term solution for the cryptocurrency industry is to have more checks and controls in place. In the ultimate form, this means more regulation. Under such regulation, third-party services with weak security touching client money would not have been allowed to operate in the first place. Perhaps with Binance not being as safe as everyone thought, this regulation will come.