Users of cryptocurrency exchange Binance had their credentials phished and coins traded away in a “well organised” but ultimately failed attack.
Though suspicion initially fell to the exchange being hacked, this was quickly discarded and a new picture emerged of a coordinated effort over several months designed to scam users.
The details were confirmed in a post-incident report published by Binance.
“This was ... a large scale phishing and stealing attempt,” the exchange said.
“All funds are safe and no funds have been stolen.”
Unknown hackers set up a phishing site in early January to steal Binance users’ account credentials.
They registered near-identical lookalike domains for Binance.com by exploiting diacritical marks: accents such as dots placed above or below a letter in some alphabets to indicate pronunciation, which Unicode encodes either as precomposed letters or as separate combining characters. A browser renders the decorated letters almost indistinguishably from the plain ones, while the name actually registered in DNS is its ASCII "punycode" form beginning with xn--.
This IDN homograph technique is a well-known way of building spoof sites for phishing and has been a problem for well over a decade.
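As an added illustration, not code from Binance or the original article, the Python below shows how a lookalike domain built from diacritical marks can be unmasked: it strips combining marks to compare the "skeleton" of a candidate name with the legitimate one, flags labels that are not plain ASCII, and shows the punycode form that DNS and a TLS certificate actually see. The domain bi\u1e47a\u1e47ce.com (each n replaced by U+1E47, n with dot below) is a constructed example chosen to mimic "two dots at the bottom of two characters"; it is not a domain named in the report.

```python
import unicodedata

# Constructed lookalike: 'n' replaced by U+1E47 (n with dot below), twice.
# Not a domain named in the report; chosen to mimic "two dots at the bottom".
LOOKALIKE = "bi\u1e47a\u1e47ce.com"
LEGIT = "binance.com"


def skeleton(domain: str) -> str:
    """Canonically decompose (NFD) and drop every combining mark, so that a
    precomposed 'n with dot below' becomes a plain 'n'. A crude approximation
    of what the eye sees; it handles diacritics only, not cross-script
    confusables such as Cyrillic letters standing in for Latin ones."""
    decomposed = unicodedata.normalize("NFD", domain.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def to_ascii(domain: str) -> str:
    """The IDNA/punycode form (xn--...) that DNS and TLS actually see.
    Plain ASCII labels pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def is_lookalike(candidate: str, legit: str) -> bool:
    """True when the two names differ, yet collapse to the same skeleton."""
    return candidate.lower() != legit.lower() and skeleton(candidate) == skeleton(legit)


def non_ascii_labels(domain: str) -> list:
    """Labels containing non-ASCII characters. A name the user believes is
    plain ASCII should have none; any hit is worth a second look."""
    return [lbl for lbl in domain.split(".") if not lbl.isascii()]


if __name__ == "__main__":
    for name in (LEGIT, LOOKALIKE):
        print(f"{name!r}: punycode={to_ascii(name)} skeleton={skeleton(name)} "
              f"non_ascii_labels={non_ascii_labels(name)} "
              f"lookalike_of_binance={is_lookalike(name, LEGIT)}")
```

The skeleton check is deliberately narrow: it catches diacritic tricks of the kind described here, but a full confusable check (Cyrillic "а" for Latin "a", for instance) needs the Unicode TR39 confusable tables, and browsers apply their own, differing policies for when to display a name as Unicode rather than xn-- form. Python's built-in idna codec implements the older IDNA 2003 rules; the result for this domain is the same under the newer rules, but the PyPI idna package is the right tool for anything production-grade.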
Users mistakenly logged into the phishing site after reaching it through a search engine rather than typing Binance.com directly.
CEO Changpeng Zhao said on Twitter that the fake site was presented to each user only once.
"Phishing website that redirects to the real website after login. Additionally, after you log in once, it doesn't let you access the phishing site again - will auto-redirect you to Binance (even after logging out),” he said.
Binance said the hackers phished user account credentials “over a long period of time”, including primary usernames and passwords as well as time-limited 2FA codes; a phishing page that forwards the login to the real site as it happens can use such a code before it expires.
Though some of the activity dates back to early January, Binance said its investigation showed “a heavy concentration of phishing attacks ... using unicode domains, looking very much like Binance.com, with the only difference being two dots at the bottom of two characters” late last month.
“Many users fell for these traps and phishing attempts,” the exchange said.
“After acquiring these user accounts, the hacker then simply created a trading API key for each account but took no further actions, until yesterday.”
Users noted that the hackers would have had to create those API keys quickly.
Those behind the attack were patient, and struck in a two-minute window yesterday.
They are reported to have pre-positioned holdings of a little-known coin called VIA across 31 accounts of their own.
Using the stolen accounts' API keys, the attackers converted alt-coins held in those accounts to Bitcoin and spent it on VIA, pumping up its price while simultaneously selling down their own VIA holdings into the spike.
“The hackers used the API keys, placed a large number of market buys on the VIA/BTC market, pushing the price high, while 31 pre-deposited accounts were there selling VIA at the top,” Binance said.
“This was an attempt to move the BTC from the phished accounts to the 31 accounts.
“Withdrawal requests were then attempted from these accounts immediately afterwards.”
However, the sudden activity on what is a thinly traded coin had already tripped Binance’s automatic risk management system, which “immediately” disabled withdrawals.
That meant the attackers were unable to make off with their gains, and also had their initial VIA coin holdings frozen.
“Not only did the hacker not steal any coins out, their own coins have also been withheld,” Binance said.
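The report does not say how Binance’s risk engine works. As an added example of the kind of rule that would trip on this pattern (my construction, not Binance’s code), the Python below scans a constructed trade log for a thin market whose API-driven market-buy volume spikes inside a short window across many distinct accounts, and returns the accounts to put on withdrawal hold. All trades, account names and thresholds are made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    ts: int          # unix seconds
    account: str
    market: str
    side: str        # "buy" or "sell"
    qty: float       # base-asset quantity
    via_api: bool    # placed with an API key rather than the web UI


def detect_pumps(trades, window=120, baseline=3600, ratio=10.0,
                 min_accounts=5, min_volume=100.0):
    """Return {market: sorted accounts} for each market in which, within some
    `window`-second span, API-driven buy volume is at least `min_volume`,
    exceeds `ratio` times what the preceding `baseline` seconds would predict
    for a span that long, and comes from at least `min_accounts` accounts.
    Thresholds are illustrative; a real engine would tune them per market."""
    buys_by_market = defaultdict(list)
    for t in sorted(trades, key=lambda t: t.ts):
        if t.side == "buy":
            buys_by_market[t.market].append(t)

    alerts = {}
    for market, buys in buys_by_market.items():
        for end in buys:                      # slide the window end over each buy
            lo = end.ts - window
            in_win = [t for t in buys if lo < t.ts <= end.ts and t.via_api]
            prior = [t for t in buys if lo - baseline < t.ts <= lo]
            win_vol = sum(t.qty for t in in_win)
            expected = sum(t.qty for t in prior) * window / baseline
            accounts = {t.account for t in in_win}
            if (win_vol >= min_volume and win_vol > ratio * expected
                    and len(accounts) >= min_accounts):
                alerts.setdefault(market, set()).update(accounts)
    return {m: sorted(a) for m, a in alerts.items()}


def sample_trades():
    """Constructed trade log: a liquid market trading normally, a thin market
    with a single market maker, then a burst of API market buys from phished
    accounts in the thin market."""
    trades = []
    for i in range(60):  # ETH/BTC: one 1.0 buy per minute from web users
        trades.append(Trade(i * 60, f"web{i % 7}", "ETH/BTC", "buy", 1.0, False))
    for i in range(6):   # VIA/BTC: a 10.0 buy every ten minutes, one market maker
        trades.append(Trade(i * 600, "mm1", "VIA/BTC", "buy", 10.0, False))
    for i in range(12):  # the pump: 500 VIA market buys from 12 accounts in ~90 s
        trades.append(Trade(3600 + i * 8, f"phished{i:02d}", "VIA/BTC", "buy", 500.0, True))
    return trades


if __name__ == "__main__":
    for market, accounts in detect_pumps(sample_trades()).items():
        print(f"hold withdrawals: {market} <- {', '.join(accounts)}")
```

The absolute floor (`min_volume`) matters as much as the ratio: in a market with almost no prior volume the ratio test alone would fire on the first handful of trades. Holding withdrawals for the buying accounts is only half of what the report describes; the counterparties that sold into the spike are the other half, and a production rule would pull them from the matched-trade records rather than from buys alone.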
Binance said it conducted a “thorough security check” on its systems before reopening withdrawals.
The exchange said it had “reversed all irregular trades”; traders whose coins were used directly by the attackers had their balances reinstated.
However, Binance said there were “still some users whose accounts were phished by these hackers and their Bitcoin were used to buy VIA or other coins”.
“Unfortunately, those trades did not execute against any of the hackers’ accounts as counterpart,” it said.
“As such, we are not in a position to reverse those trades.”
Binance’s troubles contributed to a particularly volatile 24 hours for cryptocurrencies generally.
Trade was affected in part by a strongly worded warning by the SEC in the United States about the risks of unregulated cryptocurrency exchanges.
Then, Japanese authorities punished seven cryptocurrency exchanges, including forcing two to suspend operations.
Of the exchanges, five were not registered with Japanese financial authorities, which is a local requirement.
Japanese regulators have put cryptocurrency exchanges under intense scrutiny following the half-billion dollar hack of Tokyo-based Coincheck, as well as the ongoing fallout from the 2014 shutdown of Mt Gox.