A user on the X platform recounted yesterday the painful experience of having their Binance account funds stolen. The hacker was able to take almost all of the funds on Binance without obtaining the account password or the two-factor authentication (2FA) code. The user also criticized the speed of Binance's response and the actions it took regarding the incident…
(Background information: Browser Mining: Analysis of Chrome Extension Theft)
Contents:
What was the reason for the theft?
Aggr Malicious Extension was already in existence
Nakamao vents frustrations: Becoming a sacrifice for Binance
Binance: Unable to provide compensation
Community debates differ
Yesterday evening, Twitter user @CryptoNakamao recounted on the X platform the painful experience of having their Binance account funds completely stolen. They stated that, without the hacker obtaining their Binance account password or 2FA code, almost $1 million of their funds was stolen through “wash trading” alone.
Note: Wash trading is a trading strategy used by market makers or institutional investors. It involves opening accounts on multiple exchanges simultaneously and manipulating prices by quoting between the different exchanges.
What was the reason for the theft?
According to the user’s account, an investigation by a security company found that the hacker controlled the account by hijacking the user’s web session cookies. The hacker bought tokens such as QTUM and DASH on the highly liquid USDT trading pairs and placed limit sell orders above the market price on low-liquidity pairs such as the BTC and USDC pairs. Finally, they used the user’s account to open leveraged trades and make large purchases, completing the wash trading.
The user further pointed out that the root cause of the hacker being able to hijack their Binance session cookies, and with them the account, was a Chrome extension called “Aggr,” which had been recommended by various overseas KOLs and certain Telegram channels.
Aggr is a Chrome extension version of a long-standing open-source market data website. The mechanism behind the hacker’s malicious actions is simple: once the extension is installed, it collects the user’s cookies and forwards them to the hacker’s server.
The hacker then uses the stolen cookies to hijack the user’s active session (posing as the user) and gains control of the account without needing the password or 2FA. However, because the user’s data is stored in 1Password, the hacker cannot bypass 2FA to withdraw the assets directly; with only the cookies, the theft can be carried out solely through wash trading.
Aggr Malicious Extension was already in existence
It is worth noting that, according to an investigation by the blockchain security company SlowMist, this malicious Aggr extension had existed for a long time. As early as March 1 this year, Twitter user @doomxbt reported abnormal activity on their Binance account and suspected that their funds had been stolen.
Initially, the incident attracted little attention. However, on May 28, 2024, Twitter user @Tree_of_Alpha analyzed the case and found that the victim @doomxbt had most likely installed a malicious Aggr extension from the Chrome store, one with many positive reviews. The extension can steal all cookies from the websites a user visits, and two months earlier someone had paid influential individuals to promote it.
Subsequently, Nakamao disclosed their own experience of being hacked, drawing further attention to the incident. According to SlowMist’s analysis, the hacker is most likely a Russian or Eastern European group that had been planning the attack for three years. Once the malicious extension was deployed, the hacker began promoting it on Twitter and waited for the fish to take the bait…
Further reading:
Browser Mining: Analysis of Chrome Extension Theft
Nakamao vents frustrations: Becoming a sacrifice for Binance
While recounting their experience of being hacked, Nakamao also expressed dissatisfaction with the speed of Binance’s response and the actions it took. They claimed that Binance had known of the malicious extension for weeks but, in order to trace the hacker without alerting them, did not promptly notify users, and that it allowed the extension to be promoted on the X platform.
They also stated that after they reported the situation to Binance staff, Binance responded too slowly, so the hacker’s funds were not frozen in time and the losses ultimately could not be recovered.
Binance: Unable to provide compensation
In response to the user’s accusations, Binance’s official reply was as follows:
Additionally, Binance co-founder He Yi stated:
Community debates differ
Regarding this incident, community members hold differing opinions. Some believe that Binance should compensate the user, since Binance allegedly knew about the malicious extension but neither promptly notified users nor froze the hacker’s funds in time. Others argue that, as Binance claims, the user’s account was taken over because of their own decision to install the malicious extension.
Regardless of the arguments on both sides, Dora cautions users, as the SlowMist team stated: