Sunday, August 1, 2021

I lost 2.8 BTC because a hacker used my credentials on Binance and Binance's late CS response and security policies.

Due to the sensitivity of the argument, /u/snoopets7335 created an alt account to post about his loss of 2.8 BTC two weeks ago. He posted multiple times here, here and here, but his topic was deleted once for conflict of interest and twice for low karma. I'm trying to bridge over this obstacle and enable a discussion with him.

Original by /u/snoopets7335 follows.


I had 2.8BTC lost because of a hacker using my credential in Binance and Binance's late CS response and security policies.

I already have my case ID (Case ID #74829694) but here is what I want to share.

The event happened on the 18th July. All the times below, unless in screenshots or specially mentioned, are in UTC+9 (Japan time).

My computer was compromised because of a trojan and he stole my E-Mail credential and the 2FA authenticating software secret which is located inside the browser (this is a bad habit of mine I know, I recommend you not to do it, and I won't do it anymore), on 17th July near midnight.

I got an SMS notice saying I had an unauthorized E-Mail login, and then, the Binance login. In the notification from Binance, it recommended me to "Disable my account" and "Contact them" immediately so that it can disable withdrawal from the account for 24 hours.

At that time, I noticed that all the tokens and stakings in my MetaMask and Pancakeswap (worth about 0.3BTC) were gone already. However, luckily, at the time I disabled my Binance account, the balance of my Binance account was still healthy (at about 2.9-3BTC in total).

I contacted customer support immediately, saying that my account was compromised and I had disabled my account. They said that it was escalated to the security team. However, later in the morning (4:55am), I received another SMS:

https://preview.redd.it/82fuyc72qre71.jpg?width=1170&format=pjpg&auto=webp&s=dee495ba52ef98d63cfaf41566602072a32ab073

They still did NOT have a specialist assigned to me at that time, even though I kept saying I needed to have my account "Disable Trading and Withdrawal".

But I contacted them again, even though they have their as-always "response time >6 hrs".

At that time, I could not control my account.

When I had my account, it was already about 12:30am on 18th July, because I finally got in contact with their guys.

During these hours, they made about thousands of transactions in my account through the API and traded out (where trading partners gain in trades) nearly all the assets from my account. (I exported the trade history as CSV)

https://drive.google.com/file/d/1uBNtAPv31cUclZVFsm7SbdCBzCW_XVQ7/view?usp=sharing

Of course Binance immediately told me they could not do anything about my loss. "Please read this page to secure your PC and contact the police", they said. I contacted the police on the same day but in reality, the police of many countries are unwilling to simply send out official documents to a web form that you provided. In the best case, your case gets assigned to a specialized team which is not under the same police station you visited. For the case of Japan, they said that it usually takes 6 months to 1 year in their experience.

I was super upset and had countless senses of suicide in my mind. I couldn't even write down what happened to my friends until today. Because my account actually kept losing money and the largest sale was at 8:45am, which is already so many hours after my response to the CS. With this kind of normal response time, anyone can trade out nearly all your assets. I think 3BTC is not a small amount in this community either.

Of course I should take care of my security, but I would like to say: Binance is indeed insecure if you compare it to any other financial institutes.

Here are the Reasons:

  1. If your Email is compromised, then the hacker can log in and reset all your security items, WITHOUT contacting Customer Support, even if your account was disabled within 24 hours.
  2. Even if your account was disabled, trading is NOT disabled. This just disallows them to withdraw but they can still make a profit through other controlled accounts. So, their suggestion of "Disabling your account" is actually giving you a false sense of security, but in reality, this may make you lose your chance to reset your security timely because you are unable to log back into your account. You will be in a race with the hacker.
  3. I have 90% of the assets of my account lost. Because Binance Customer Support did not really care about whether their CS system is really timely enough to support what they claimed: "If you don't recognize this activity, please contact us immediately." Even if you do it in the first 1 or 2 minutes, they can still get back to you after 8 or even 12 hours.

I feel extremely painful (it is nearly all my savings in Japan) while typing this out again even though it was 2 weeks ago. I may have missed out many things, but feel free to ask, or if you can raise attention to the public, I would be more grateful. Indeed, not only the hacker, I strongly believe that Binance is also responsible in this accident. They don't provide an SLA for their CS response but actually their security routine and remedy rely on their CS. (I hope readers could understand)

Sorry, I need to stop and need to ask for some comfort from my friends. I may check out responses/replies (if any) tomorrow if I am mentally strong enough to face this incident again.

