Readers who follow me know that I'm the founder of HodlBot. We built an easy way for investors to automatically diversify their cryptocurrency portfolios across indices and custom user-created funds.
To use our platform, users must first connect their exchange account of choice to HodlBot. While users manage & track their portfolios on HodlBot, the actual trades are completed on the exchange through the API.
For almost a year, HodlBot only supported Binance. We chose Binance as the first exchange we ever integrated with because we had faith in Binance's track record, security protocols, and commitment to their users.
So it was quite the devastating blow to find out that Binance had been hacked for 7,000 BTC.
What we know
Binance has not said much about the hack. While they've shared details about damages, they have been very quiet about the finer details.
According to their most recent blog post, they are striving to maintain the highest degree of transparency, but are concerned that sharing too many security details will tip off hackers and ultimately weaken their own security.
Nevertheless, I do believe it's important for the community to understand what happened, so I will be doing a deep dive in this article.
Timeline of Events
Here's what we know about the timeline of events.
May 7 at ~5:15 PM UTC
7,074 BTC is withdrawn from Binance's hot wallet.
May 7 at ~7:00 PM UTC
Binance shuts down deposits and withdrawals for unscheduled maintenance. CZ assures users that funds are SAFU and that trading will not be disrupted.
May 7 at ~11:36 PM UTC
May 8 at 12:42 PM UTC
May 8 at 1:30 PM UTC
Binance deletes all existing API keys.
How was the Attack Similar to Last Time?
Both the most recent attack and the attempts in the past have involved Binance's API and phishing.
Hackers phish users by disguising themselves as trustworthy entities and tricking users into divulging sensitive information.
A fake Binance log-in screen used to phish unsuspecting users
Often the stolen information is the users' API keys, which give the attacker the ability to programmatically interact with the exchange as if they were the user themselves.
On Binance there are 3 distinct levels of API permissions:
- Read: ability to get data about holdings, trade history, and the market.
- Trade: ability to execute trades.
- Withdrawal: ability to withdraw funds.
When a user creates a set of API keys, by default, read & trade permissions are enabled and withdrawal access is disabled. Because withdrawal carries a much higher risk, Binance requires users to first set up 2-factor authentication and IP whitelisting.
During the SYS & VIA attacks, attackers mostly got their hands on API keys with trade-only access. Because attackers can't withdraw from accounts that have trade-only access, they had to first relocate the funds.
Here's how they did it:
- Before the attack, the culprits target an exchange pair that is easy to manipulate. Typically these pairs have low trading volume and a thin order book. Hackers buy up a bunch of these coins ahead of time.
- Right before the pump, the attackers place limit orders to sell their coins at ridiculous prices (often 10,000x the normal price).
- Attackers use stolen accounts to send a torrent of buy orders via the API, ripping through the entire order book and purchasing their own coins on the other side of the market at 10,000x the normal price. When this is complete, they will have effectively transferred wealth from accounts that have trade-only access, to accounts that have withdrawal access.
- Attackers try to withdraw their spoils from Binance. Once it's off the exchange and onto the blockchain, it becomes almost impossible for anyone to reverse the trades.
The evidence for this strategy at play can be found in Binance's trading history. During the 2018 API hacks, attackers pumped SYS & VIA prices in an attempt to move funds as described above.
As shown in the following 1D candles and volume charts, prices & volumes spiked across SYS/BTC and VIA/BTC pairs on July 3, 2018 and March 6, 2018 respectively. More details about the previous hacks here.
What's Different This Time?
This time, the attack was different. As per Binance's official statement, hackers were able to obtain a large number of user API keys, 2FA codes, and other sensitive information.
With the 2FA codes, attackers can simply enable withdrawal access and disable IP whitelisting themselves. This makes the attack much easier to pull off, as hackers no longer need to arouse suspicion by pumping coin prices while transferring funds away from trade-only accounts.
In order to confirm this line of reasoning, I pulled the last month of hourly-tick trade data from Binance's API.
If API keys were used to manipulate trades, our sweep will show any abnormal spikes in trading volume and price.
Comparing 30D Max vs. 1D Max (Hourly Trade Data)
I calculated the 30-day max for hourly trading volume and trading price across every single exchangeable pair on Binance prior to the hack. I also calculated the 1-day hourly max for trading volume and price on the day of the hack.
The goal is to compare the two and see if hourly prices or trading volumes spiked during the day of the hack.
Trading Volume Comparison
The following table is sorted by the percentage difference between the 1D hourly max, and the 30D hourly max.
We saw a 3x increase in LINK/PAX hourly trading volume during the day of the hack, but the figure is not high enough to warrant suspicion, especially given the fact that LINK/PAX prices didn't shoot up as well.
Price Comparison
During the day of the hack, we only saw a 34% increase in price percentage in the most extreme case.
This further backs up the claim that attackers did not manipulate prices this time around.
While it's possible that attackers sprinkled trades around to not get noticed, I don't think this is likely. To move anywhere in the neighbourhood of 7,000 BTC in trading volume without disturbing the price & trading volume would require many accounts and/or a lot of time.
If this were the case, the trading activity over a prolonged amount of time is likely to arouse suspicion from the original account owners, who see their funds slowly deplete. Any user complaints to Binance would spell disaster for the hackers.
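To make the sweep concrete, here is an added example (not HodlBot's own analysis code) that runs the same 30D-vs-1D hourly comparison over constructed candles; the pair names, the synthetic spikes and the 500%/100% thresholds are my assumptions. It flags a pair only when both volume and price jump, because a volume-only spike like LINK/PAX is not evidence of a pump.

```python
# Added example (not HodlBot's code): compare each pair's 30-day hourly
# maxima with its hack-day hourly maxima, as the article's sweep does.
# Candles are constructed inline as (pair, day, hour, close, volume);
# days 0-29 precede the hack, day 30 is the day of the hack.
from collections import defaultdict

HACK_DAY = 30

def constructed_candles():
    # LINK/PAX: 3x volume spike, flat price (benign, as on the page).
    # SYS/BTC: 2018-style pump, price and volume both explode.
    rows = []
    for day in range(HACK_DAY + 1):
        for hour in range(24):
            rows.append(("BNB/BTC", day, hour, 0.0030, 1000.0))
            spike = day == HACK_DAY and hour == 12
            rows.append(("LINK/PAX", day, hour, 1.0, 3000.0 if spike else 1000.0))
            pump = day == HACK_DAY and hour == 17
            rows.append(("SYS/BTC", day, hour,
                         5e-6 * (10_000 if pump else 1), 50_000.0 if pump else 5.0))
    return rows

def max_by_pair(rows, days):
    # {pair: [max_price, max_volume]} over the given set of day indices
    best = defaultdict(lambda: [0.0, 0.0])
    for pair, day, _hour, price, volume in rows:
        if day in days:
            best[pair][0] = max(best[pair][0], price)
            best[pair][1] = max(best[pair][1], volume)
    return best

def compare_30d_vs_1d(rows, hack_day=HACK_DAY):
    # Percent change of hack-day hourly max over the prior 30-day hourly
    # max, per pair, sorted by volume change descending (like the table).
    prior = max_by_pair(rows, set(range(hack_day - 30, hack_day)))
    hack = max_by_pair(rows, {hack_day})
    out = []
    for pair, (p30, v30) in prior.items():
        p1, v1 = hack.get(pair, [0.0, 0.0])
        out.append((pair, round((v1 - v30) / v30 * 100, 1),
                    round((p1 - p30) / p30 * 100, 1)))
    return sorted(out, key=lambda r: r[1], reverse=True)

def suspicious(rows, vol_pct=500.0, price_pct=100.0):
    # Flag only pairs where BOTH volume and price jumped: a volume-only
    # spike like LINK/PAX is not evidence of a pump, per the article.
    return [p for p, dv, dp in compare_30d_vs_1d(rows)
            if dv >= vol_pct and dp >= price_pct]
```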
Getting Away with Highway Robbery
Bitcoin's value and reliability are greatly due to the fact that the ledger is immutable. But this also means that once a successful withdrawal is made, it becomes basically impossible to retrieve the stolen funds.
Binance confirmed that the hackers were able to withdraw ~7000 BTC in this one transaction. I used Google BigQuery to query the transactions related to the hack and plotted the movement of the stolen funds in the graphs below.
The circles represent wallet addresses. The lines represent the flow of funds. The circles and line widths are proportional to the amount of Bitcoin being sent between addresses.
[Figure: Transaction Depth=1. Output values with BTC < 1 filtered out.]
[Figure: Transaction Depth=2. Output values with BTC < 1 filtered out.]
[Figure: Transaction Depth=3. Output values with BTC < 1 filtered out.]
[Figure: Transaction Depth=4. Output values with BTC < 1 filtered out.]
Current State of the Stolen Funds
As far as I can tell, there are no transactions beyond depth=4. The stolen Bitcoin is being shuffled and being parked in stationary addresses.
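The depth-limited trace behind these graphs, as an added example that is not the author's BigQuery or plotting code: it walks a constructed, offline list of transfers one hop per depth, drops outputs under 1 BTC as the charts do, and reports the addresses where funds are parked within the traced depth. The addresses and amounts are placeholders I made up, not the real hack addresses.

```python
# Added example (not the article's code): trace outflows from a starting
# address through a constructed transaction list, one hop per depth,
# ignoring outputs below 1 BTC as the article's graphs do.
from collections import deque

# Constructed transfers: (from_address, to_address, btc). Placeholder
# addresses only; the real hack addresses are not reproduced here.
TXS = [
    ("binance_hot", "A1", 7000.0),
    ("A1", "A2", 3000.0), ("A1", "A3", 3999.5), ("A1", "A1change", 0.4),
    ("A2", "A4", 1500.0), ("A2", "A5", 1499.9),
    ("A3", "A6", 3999.4),
    ("A4", "A7", 1499.9),
]

def trace(txs, start, max_depth, min_btc=1.0):
    # Returns (depth, from, to, btc) edges reachable from `start` within
    # max_depth hops, skipping any output smaller than min_btc.
    by_sender = {}
    for src, dst, btc in txs:
        by_sender.setdefault(src, []).append((dst, btc))
    edges, seen = [], {start}
    frontier = deque([(start, 0)])
    while frontier:
        addr, depth = frontier.popleft()
        if depth == max_depth:
            continue
        for dst, btc in by_sender.get(addr, []):
            if btc < min_btc:
                continue  # dust / change output filtered, as in the charts
            edges.append((depth + 1, addr, dst, btc))
            if dst not in seen:  # expand each address once
                seen.add(dst)
                frontier.append((dst, depth + 1))
    return edges

def parked_addresses(txs, start, max_depth, min_btc=1.0):
    # Addresses that received funds but sent nothing >= min_btc onward
    # within the traced depth: where the coins currently sit. A leaf at
    # max_depth may still move later, so re-run as the chain grows.
    edges = trace(txs, start, max_depth, min_btc)
    senders = {src for _, src, _, _ in edges}
    return sorted({dst for _, _, dst, _ in edges} - senders)
```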
Here is a much bigger visualization with individual wallet addresses labelled.
Output values with BTC < 1 filtered out.
The Difficulty with Tracking Stolen Funds
At some point, it will be highly infeasible to track where these Bitcoins are due to the fact that the number of transactions involving these stolen coins will scale exponentially.
Currently, there are 3 common ways of tracking tainted coins.
Poison: 3 stolen bitcoins and 7 good bitcoins go into a transaction, 10 stolen bitcoins come out.
Haircut: 3 stolen bitcoins and 7 good bitcoins go into a transaction, 10 come out marked as 30% stolen.
FIFO: 3 stolen bitcoins and 7 good bitcoins go into a transaction. The first 3 that come out are marked as stolen.
In my opinion, none of these methods work well in the long run. Labelling tainted coins and blacklisting fundamentally weakens the fungibility and the censorship-resistant nature of Bitcoin. I side with those who think we should abandon all hope of ever trying to repossess or blacklist these stolen coins.
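The three taint rules above, as an added example that is not from the article: each takes the transaction's inputs as (amount, tainted fraction) pairs and returns the taint fraction of every output. It generalizes the 3-stolen / 7-clean case to arbitrary output sizes, so an output that straddles a tainted and a clean input under FIFO gets a partial fraction; the 2/2/6 BTC output split is my constructed input and no fee is modelled.

```python
# Added example (not from the article): the three taint-propagation rules
# the article lists, applied to one transaction. Inputs and outputs are
# (amount_btc, tainted_fraction) pairs; the 10 BTC in / 10 BTC out figures
# mirror the article's example, the 2/2/6 output split is constructed.

def poison(inputs, output_amounts):
    # Any tainted input poisons every output in full.
    tainted = any(frac > 0 for _amt, frac in inputs)
    return [(amt, 1.0 if tainted else 0.0) for amt in output_amounts]

def haircut(inputs, output_amounts):
    # Every output carries the input-weighted share of taint.
    total = sum(amt for amt, _ in inputs)
    share = sum(amt * frac for amt, frac in inputs) / total
    return [(amt, share) for amt in output_amounts]

def fifo(inputs, output_amounts):
    # Outputs are filled from inputs in order (first in, first out); an
    # output straddling a tainted and a clean input gets a partial fraction.
    queue = [[amt, frac] for amt, frac in inputs]  # remaining BTC per input
    result = []
    for amt in output_amounts:
        need, tainted_btc = amt, 0.0
        while need > 1e-12 and queue:
            take = min(need, queue[0][0])
            tainted_btc += take * queue[0][1]
            queue[0][0] -= take
            need -= take
            if queue[0][0] <= 1e-12:
                queue.pop(0)
        result.append((amt, tainted_btc / amt if amt else 0.0))
    return result

def stolen_btc(outputs):
    # Total BTC an investigator would label stolen under a given rule.
    return round(sum(amt * frac for amt, frac in outputs), 8)

INPUTS = [(3.0, 1.0), (7.0, 0.0)]  # 3 stolen BTC, then 7 clean BTC
OUTPUTS = [2.0, 2.0, 6.0]          # three outputs totalling 10 BTC
```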
Clearing Up Conspiracy Theories
Exchange hacks are a breeding ground for conspiracy theories. While we won't have time to address them all in this article, we can tackle some of the most prominent ones.
Binance messed up and burned 7,000 BTC by sending it to SegWit addresses that cannot send funds anywhere
This is fundamentally not true. You can't see SegWit transactions on Blockchain.com, but you can easily see them here.
It was an inside job to promote their DEX
Terrible business move. Binance loses a huge amount of brand equity for what? In the midst of all of this, they havenât even promoted their DEX.
There was more than 7,000 BTC that was stolen
All we have is Binance's official numbers. There is no evidence of this currently. Pundits are carefully watching Binance hot wallets.
Security Breach Without API Keys Being Compromised
This one is more likely. Rumour has it 700 accounts with withdrawal access were compromised. No one has come forward saying that their account was hacked. Since passwords and 2FA were compromised, you'd imagine Binance would ask users to reset their personal information. At the same time, if API keys were not compromised, why would Binance reset API keys?
Attackers are still in control of many accounts that Binance does not know about
It's possible. Binance reset API keys, but hackers could still have access to a bunch of accounts via stolen personal information.
What Does This Mean for the Future of Centralized Exchanges?
The Push for DEXs
Obviously, hacks like these serve as a reminder that centralized exchanges are fallible and act as a push for DEXs.
At the same time, DEX trading volume was at an all-time low at the beginning of 2019.
At the end of the day, it looks like people are still favouring convenience, speed, and liquidity over security.
There is simply no better choice than centralized exchanges if you want to:
- Retain full control over your assets
- Obtain favourable trading prices and access to liquid markets
- Pay low transaction fees.
Diversifying Your Assets Across Multiple Exchanges
Given that centralized exchanges are still crucial, one way to mitigate your risk is by diversifying your assets across exchanges. We offer an easy way to do that at HodlBot.
What Does This Mean for the Future of Binance?
Binance can make the $40 million back in 47 days
In the grand scheme of things, $40 million isn't a devastating amount, especially for one of the largest and most profitable exchanges in the world.
The $40 million Binance hack ranks as the 6th highest in terms of $USD value lost.
Trading bots are Inevitable
API keys and phishing were a common theme across the last 3 hack attempts at Binance. Warning users not to give any third-party service provider access to their personal API keys is simply unrealistic. This kind of blanket statement punishes negligent trading applications and security-conscious ones like ours alike.
Instead of condemning third-party trading applications and turning a blind eye to them, which does absolutely nothing, Binance should look to support them by launching their own OAuth client. In doing so, Binance can actually improve trading security and mitigate the risk of future API mishaps by having closer control and supervision. Read more about this proposal here.
About the Author
I quit my job recently to start HodlBot.
We automatically diversify and rebalance your cryptocurrency portfolio into the top 20 coins by market cap. Think of it as a long-term crypto-index that you can DIY on your own exchange account.
If you don't want to index, you can also create a custom portfolio and let HodlBot rebalance it for you.
To get started, all you need is a
- Cryptocurrency Exchange Account
- $200 in any cryptocurrency
If you want to know how HodlBot indexes the market and completes rebalancing, check out the blog I wrote here.
Investigating the $40M Binance Hack was originally published in Hacker Noon on Medium, where people are continuing the conversation by highlighting and responding to this story.
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.