Hackers breached a single hot wallet at Binance this week and made off with $40.7 million USD in Bitcoins.
This is according to the “Binance Security Breach Update” posted May 7th on the Binance website:
“We have discovered a large scale security breach today, May 7, 2019 at 17:15:24 (UTC). Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info. The hackers used a variety of techniques, including phishing, viruses and other attacks. We are still concluding all possible methods used. There may also be additional affected accounts that have not been identified yet.”
A “hot wallet” is a cache of cryptocurrency that can be accessed over the Internet. Binance asserts that the stolen funds account for only 2% of the exchange’s total BTC holdings, and that other wallets were not impacted.
Reporter Larry Cermak speculated that the hack was accomplished because Binance failed to adopt Segwit, a Bitcoin protocol update that was voluntarily implemented across a large swath of the network in August 2017.
“I very highly suspect that this hack has something to do with Binance not implementing Segwit yet. Binance said that the security system was bypassed by structuring the transaction in a way that it didn’t trigger any safeguards.”
— Larry Cermak (@lawmaster) May 8, 2019
Binance called the hack “well-orchestrated”:
“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.”
Binance says it plans to use funds from its “SAFU” or “Secure Asset Fund for Users,” which the exchange says it created in July 2018 by allocating 10% of all trading fees to the fund.
Binance says SAFU funds are stored in a “cold wallet,” a wallet not connected to the Internet.
Binance founder Changpeng “CZ” Zhao, whose tweets often include misspellings, was parodied in a YouTube video created after he tweeted “Funds are SAFU” in the early months of 2018.
In the animated video, a trader unable to log in to his Binance account is soothed by an accented voice repeating the mantra “funds are SAFU.”
Things go from bad to worse, with the mantra repeating all the while: a missile hits Binance offices, planet Earth explodes, the universe explodes, human evolution begins again and cavemen worship a Binance monolith.
Binance says it is conducting “a thorough security review…(to) include all parts of our systems and data, which is large (sic).”
Withdrawals and deposits at Binance have been suspended in the meantime.