Title: My Unfortunate Encounter as a Victim of Hacking in the Crypto World
Author: Nakamao
Source: X, @CryptoNakamao
Until now, I am still in disbelief. It was almost my entire savings from the past few years that were stolen. The hackers managed to steal almost all of my funds from my Binance account without obtaining my account password or the two-factor authentication (2FA) instructions. In the aftermath of the incident and the investigation with a security company, I discovered something even more shocking. It became clear to me that I was a sacrificial lamb in the cryptocurrency world. The whole situation was too bizarre, and today I summon the courage to share my story, hoping that others won’t fall into the same trap. I never imagined that my assets would be wiped out in such a way, and I want to warn cryptocurrency investors not to become the next victim like me.
On May 24th, a normal Friday, as I was on my way home from work, my computer and phone were right beside me. Little did I know that my account was being manipulated in a frenzy of trades. It was only after an hour and a half when I habitually checked the BTC price on Binance that I discovered the transactions.
QTUM/BTC had increased by 21% due to buy orders from my account, DASH/BTC had increased by 27%, PYR/BTC had increased by 31%, ENA/USDC had increased by 22%, and NEO/USDC had increased by 20%.
I was completely unaware of these operations until I checked Binance.
The security company later informed me that the hackers manipulated my account by hijacking my web page cookies. They purchased corresponding tokens using the USDT trading pair with high liquidity and placed limit sell orders at a price higher than the market value on BTC, USDC, and other trading pairs with scarce liquidity. Finally, they used my account to engage in leveraged trading, making significant purchases to complete the wash trading.
Throughout the entire process, I did not receive any security alerts from Binance. Ironically, the next day, I received an invitation email from a spot market maker due to the high trading volume. Even in such circumstances, my account was not alerted or frozen when it was hacked, and the hacker’s assets were not limited in any way. This left me extremely puzzled.
Upon realizing that my account had been hacked, I immediately contacted customer service. However, during this process, the hackers were still operating my account. In theory, the hacker’s funds should still be within the platform, but the response I received from Binance was that the hacker had safely withdrawn all of their funds. What was even more difficult to understand was that this hacker only used one account for such obvious wash trading. This greatly surprised me in terms of Binance’s risk control measures.
At the first moment the incident occurred, I not only informed Binance customer service but also sent a private message to a prominent individual on Telegram. This person promptly forwarded my user ID to the security team. However, to my surprise, even with the urging of this individual, it took Binance more than a day to notify Kucoin and Gate to freeze the funds transferred by the hacker. Needless to say, the hacker had already withdrawn the funds (confirmed). The freezing was meaningless.
The response from Binance staff throughout the entire process was extremely slow, and they did not help recover any losses for users. I have been a loyal user of Binance, trading on the platform for years, and this truly disappointed me. Wasn’t Binance supposed to assist users in recovering stolen funds?
Seeing that the exchange’s interception had completely failed, I sought the help of a security company to see if the hacker could be traced. The first thing I needed to understand was how the hacker could operate my Binance account when both my computer and phone were with me and I did not receive any new device login or remote login notifications.
In the end, the security company and I narrowed down the source of the problem to an ordinary Chrome extension called Aggr. It was a Chrome extension version of a long-standing open-source market data website. I noticed that many overseas KOLs and Telegram channels recommended this extension, and the recommendations had been going on for several months. So, I downloaded the extension and tried to access some data.
As of now, there haven’t been many cases in the Chinese crypto community where malicious Chrome extensions have caused significant losses. From what I can see, I might be the first case. Please remember that Chrome extensions are just as damaging as downloading malicious applications. Do not download and use Chrome extensions without caution! To raise everyone’s awareness, I can provide an extreme scenario: even your commonly used Chrome extension can implant malicious code after an update.
The malicious extension works as follows: once installed and running, it collects the browser's cookies and forwards them to the attackers' server. With those cookies, the attackers can hijack an active session (appearing to the site as the user), so they need neither the password nor 2FA to control the account.
In my case, because my information was stored in 1Password, the hackers couldn't bypass the 2FA to withdraw my assets. However, they could use my cookies to engage in wash trading by hijacking my account.
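As an added illustration that is not part of the original post, the following Python script audits a Chrome extension manifest for the permission combination that makes the attack above possible: the `cookies` permission together with host access to every origin. Both manifests are constructed samples, not the real Aggr extension's manifest; the `audit_manifest` function and its risk levels are this example's own.

```python
import json

# Permissions that expose session material or let an extension rewrite traffic.
SESSION_RISK = {"cookies", "webRequest", "webRequestBlocking", "debugger", "scripting"}
# Host patterns that grant access to every origin the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return {'level': 'low'|'medium'|'high', 'findings': [...]} for a manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))                # manifest v3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}   # manifest v2
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = bool(hosts & BROAD_HOSTS)
    findings = []
    if "cookies" in perms:
        scope = "every origin" if broad else (", ".join(sorted(hosts)) or "no hosts")
        findings.append(f"'cookies' permission with host access to {scope}")
    for p in sorted((perms & SESSION_RISK) - {"cookies"}):
        findings.append(f"'{p}' permission")
    if broad and manifest.get("content_scripts"):
        findings.append("content script injected into every page")
    # Cookie access plus broad host scope is exactly what session theft needs.
    level = "high" if ("cookies" in perms and broad) else ("medium" if findings else "low")
    return {"level": level, "findings": findings}


def audit_manifest_text(text: str) -> dict:
    """Convenience wrapper: audit a manifest.json file's contents.
    Re-run this on every extension update; a benign version can turn malicious."""
    return audit_manifest(json.loads(text))


# Constructed sample: a market-data extension scoped to one API host.
BENIGN_MV3 = {
    "manifest_version": 3, "name": "sample-market-data", "version": "1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://api.example-exchange.invalid/*"],
}

# Constructed sample: cookie access on every origin plus a global content script.
SUSPICIOUS_MV2 = {
    "manifest_version": 2, "name": "sample-suspicious", "version": "1.1",
    "permissions": ["cookies", "tabs", "<all_urls>", "webRequest"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for m in (BENIGN_MV3, SUSPICIOUS_MV2):
        print(m["name"], audit_manifest(m))
```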
So, I reached out to a prominent KOL to determine if he was an accomplice of the hackers. If not, he needed to immediately notify all of his users to deactivate this extension to prevent further losses. However, the shocking part came when I contacted him.
It turned out that Binance had long been aware of this extension’s existence and even encouraged this KOL to gather more information with the hackers. And it was during the further promotion of this extension that I was hacked. Binance had traced the address of the hacker at least three to four weeks ago and obtained the name and link of the extension from this KOL. However, even so, Binance likely chose not to inform users to suspend this product in order to continue tracking the hacker and avoid alerting them. As a result, I became a sacrificial lamb.
The incident of an overseas community member’s Binance account being hacked due to this extension had already circulated on March 1st. This incident even prompted Binance CEO Richard Teng to reply specifically, stating that “Binance’s security team is actively investigating to find the root cause of the problem.” Therefore, I cannot believe that the Binance team has not discovered the issue with this extension in nearly three months.
In other words, regardless of the circumstances, a week or several weeks before Alpha Tree disclosed the issue with the extension, the problem could have already been made public and gained attention.
Looking back at the whole situation, if the hackers had simply withdrawn the funds, I would have nothing to say. But their wash trading on Binance and Binance’s subsequent lack of action is something I cannot accept, let alone the fact that Binance has been investigating this hacker and the extension for a long time. Summarizing the timeline:
1. Binance did not take any action or precautions for several weeks after knowing about the issues with the hacker and the extension, allowing the promotion to continue and exacerbating the financial losses.
2. Despite being aware of the theft and wash trading activities, Binance did not take any action. The hacker freely manipulated the account for over an hour, causing extreme abnormal trading in multiple trading pairs without any risk control measures.
3. Binance did not freeze the obvious wash trading funds from a single account on the platform in a timely manner.
4. Missing the optimal timing, Binance contacted the relevant platforms more than a day later to freeze the funds.
I have great respect for the prominent individual and CZ, and in fact, the individual replied to me promptly and provided assistance. At this level, I should express my gratitude to the individual, and today I should be writing a letter of appreciation to the Binance staff for helping users recover stolen funds. However, the reality is that the Binance staff completely failed to meet my expectations.
I used to read articles from Binance about highlighting their security measures, and their annual summaries always emphasized security. This filled me with confidence in Binance. Storing a significant amount of funds in stablecoins on Binance was also because of trust. However, when faced with risks, Binance’s series of actions made me feel unfamiliar. All those magnificent words and the billions and hundreds of billions of data—now I can’t believe them anymore.
I am writing this story because, on one hand, I feel lost and helpless after being hacked. On the other hand, I want to sound the alarm on security issues and prevent others from falling into the same trap. As cryptocurrency becomes more well-known, the safety of assets and personal security for all participants deserves attention.