Hackers were able to steal more than 7000 Bitcoins from one of the world’s largest cryptocurrency exchanges by trade volume, Binance, as announced by the exchange on its website on May 7.
According to the announcement, the malicious actors used a variety of tactics, including phishing and viruses, to gain access to users' API keys, two-factor authentication codes and "potentially other info". Using this information, the hackers were able to withdraw roughly $41 million in Bitcoin from the exchange in a single transaction published in the security notice.
According to Binance, the breach only impacted their hot wallet, which contains roughly 2% of the exchange’s bitcoin holdings. Deposits and withdrawals have already been suspended, and will remain so until the exchange finishes a security review of its systems, which CEO Changpeng Zhao estimates can take up to a week. Trading remains active, so traders can adjust their positions, Zhao explained:
We will continue to enable trading, so that you may adjust your positions if you wish. Please also understand that the hackers may still control certain user accounts and may use those to influence prices in the meantime. We will monitor the situation closely. But we believe with withdrawals disabled, there isn’t much incentive for hackers to influence markets.
The loss will be covered by the exchange's Secure Asset Fund for Users (SAFU fund), which was created in July 2018 as a type of emergency insurance. The fund consists of 10% of all trading fees absorbed by Binance, and is stored in its own cold wallet. The security notice ends with Zhao saying: "In this difficult time, we strive to maintain transparency and would be appreciative of your support."
Shortly after Binance's announcement, Zhao hosted an Ask Me Anything (AMA) live session to address various questions, including the 7,000 Bitcoin hack. In the AMA, Zhao let the community know that Binance was considering requesting a rollback of the Bitcoin network. A couple of hours after the AMA had ended, Zhao tweeted:
As he explained in his follow-up tweets, such a move could damage the credibility of BTC and cause a split in both the community and the network. Zhao finished by saying: "While it is a very expensive lesson for us, it is nevertheless a lesson. It was our responsibility to safeguard user funds."