Funds Are SAFU, but Reorg Is Not: What We Know About the Binance Hack So Far

Binance, one of the world's largest cryptocurrency exchanges, experienced a “large scale” data breach on May 7. The hackers reportedly stole around 7,000 Bitcoin (BTC), worth more than $40 million as of press time.


As the platform explained via a public statement, the fraudsters had managed to steal users’ application programming interface (API) keys, two-factor authentication (2FA) codes and other information, which supposedly helped them to orchestrate the attack.


Binance has announced that it will use its reserves “to cover this incident in full,” hence “no user funds will be affected.”


The attack: 7,074 BTC stolen, details are still sketchy

Initially, Changpeng Zhao, CEO of Binance, announced “some unscheduled server maintenance” on his platform via Twitter, warning that deposits and withdrawals might be blocked “for a couple hours.”


“No need to FUD,” he wrote, following with his trademark line: “Funds are #safu.”


About four hours later, Binance released an official statement revealing that a “large scale” security breach took place on May 7 at 17:15:24 UTC.

As a result, the fraudsters were able to withdraw 7,074 BTC, as can be seen on the blockchain explorer. The transaction had 44 outputs, 21 of which were native Segregated Witness (SegWit) addresses, and those addresses received 99.97% of the funds.


Binance has declared that it was “the only affected transaction,” and that only the BTC hot wallet (containing about 2% of Binance’s total BTC holdings) was compromised. “All of our other wallets are secure and unharmed,” the exchange wrote.


“They [the hackers] used both internal and external methods to trap a lot of fish and get a lot of user accounts,” Zhao said during an AMA session on Periscope, stressing that the attack was highly advanced. According to the Binance CEO, the hackers waited until they had managed to capture a large number of accounts, including “very high net worth accounts,” before carrying out the assault.

Indeed, as implied by Redditor u/dekoze, the attackers could have used a number of hacked verified accounts to withdraw the funds. “They moved the stolen funds from various phished users by trading way out of range on illiquid pairs,” the user suggested. “Just look at LINK/PAX, 100k LINK was traded in a 1m candle and reached $9999 USD. That allows you to effectively move all the funds to a few accounts with withdrawal privileges of >100 BTC.”
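A market-surveillance check for the pattern the Redditor describes, added here as an example that comes from neither the article nor Binance: it flags one-minute candles whose high and volume both far exceed the trailing medians for the pair. The candle data, thresholds and function name are constructed assumptions.

```python
from statistics import median

# Constructed 1-minute candles for an illiquid pair (not real market data).
# Fields: (minute, high_price_usd, base_volume). The row for minute 6 mirrors
# the shape described in the quote: ~100k units in one candle, high of $9999.
CANDLES = [
    (0, 0.52, 310.0),
    (1, 0.51, 120.0),
    (2, 0.53, 450.0),
    (3, 0.52, 80.0),
    (4, 0.52, 260.0),
    (5, 0.54, 190.0),
    (6, 9999.0, 100_000.0),
    (7, 0.53, 210.0),
]


def flag_out_of_range(candles, window=5, price_ratio=10.0, volume_ratio=20.0):
    """Return alerts for candles whose high AND volume dwarf trailing medians.

    A matched trade far from the reference price shifts value from one
    counterparty to the other, so price and volume are checked together:
    a thin wick alone, or a busy minute at a normal price, is not flagged.
    Medians keep a single earlier outlier from distorting the baseline.
    """
    alerts = []
    for i in range(window, len(candles)):
        history = candles[i - window:i]
        ref_price = median(c[1] for c in history)
        ref_volume = median(c[2] for c in history)
        minute, high, volume = candles[i]
        if high >= price_ratio * ref_price and volume >= volume_ratio * ref_volume:
            # Upper bound on value moved above the reference price; it
            # assumes the whole candle volume traded at the high.
            excess = (high - ref_price) * volume
            alerts.append({"minute": minute, "high": high,
                           "ref_price": ref_price, "excess_notional": excess})
    return alerts


if __name__ == "__main__":
    for alert in flag_out_of_range(CANDLES):
        print(alert)
```

In production such an alert would feed a review that looks at the two accounts on either side of the flagged trades and holds withdrawals from the receiving account until it is cleared.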


Soon after the security breach was spotted, Binance suspended all withdrawals and deposits for “about one week” to conduct a thorough security check. “We believe with withdrawals disabled, there isn’t much incentive for hackers to influence markets,” the exchange wrote, adding that all trading within the platform will remain enabled.


According to the Binance CEO, a number of crypto exchanges, including KuCoin and Coinbase, are collaborating with Binance to block deposits from the hacked addresses. The stolen funds have reportedly been moved since the hackers obtained them. First, Anti-Money Laundering and Counter-Terrorist Financing firm Coinfirm released an analysis showing how 1,227 BTC were moved to two new addresses, one holding 707 coins, while the other one holding 520