On May 7, the global cryptocurrency exchange Binance issued a statement that it had discovered “a large scale security breach” in which “hackers used a variety of techniques, including phishing, viruses and other attacks,” to withdraw 7000 Bitcoin in a single transaction. That withdrawal, according to The Times, was equivalent to more than $40 million.
Binance’s Chief Executive, Changpeng Zhao, emphasized in the statement that the attack “impacted our BTC hot wallet only (which contained about 2% of our total BTC holdings). All of our other wallets are secure and unharmed.” He also described the general outlines of the attack:
The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.
Zhao committed to using Binance’s Secure Asset Fund for Users (SAFU), an emergency insurance fund stored in a separate cold wallet, “to cover this incident in full. No user funds will be affected.” While Zhao informed customers that Binance was temporarily suspending deposits and withdrawals pending a thorough security review, he promised that Binance would continue to enable trading, but added a caveat that “the hackers may still control certain user accounts and may use those to influence prices in the meantime.” On May 15, Binance issued a supplemental statement that it had completed its system upgrade and would resume all trading activity.
Note: Although one Binance admirer tweeted that at Binance “they take security serious” [sic], this latest incident involving massive cyberthefts from cryptocurrency exchanges does nothing to enhance the financial sector’s confidence in the crypto sector’s commitment to cybersecurity. Unlike other recent large losses by cryptocurrency companies, Binance (reportedly one of the world’s largest cryptocurrency exchanges) at least has its SAFU to provide customers with protection from individual losses. Other cryptocurrency exchanges need to establish similar insurance funds for customers’ deposits, and to make the size and operations of such funds highly transparent, if they are to broaden their still relatively narrow base of public confidence.