A user on the X platform yesterday recounted their painful experience of having their Binance account funds stolen. The hacker managed to steal almost all of their funds on Binance without ever obtaining their Binance account password or two-factor authentication (2FA) code. The user also criticized the speed of Binance's response and the actions it took regarding this incident…
(Background: Browser Mining: Analysis of Chrome Extension Theft)
Table of Contents:
What was the reason for the theft?
Aggr Malicious Extension has long existed
Nakamao vents frustration: A sacrificial victim of Binance
Binance: Unable to provide compensation
Community debates differ
Yesterday evening, Twitter user @CryptoNakamao shared on the X platform their painful experience of having their Binance account funds stolen. They stated that, without the hacker obtaining their Binance account password or 2FA code, the hacker was able to steal almost all of their $1 million in funds on Binance through "wash trading".
Note: "Wash trading" here refers to a trading technique used by market makers or institutional investors. The specific operation involves opening accounts on multiple exchanges and trading against quotes across those exchanges in order to manipulate prices.
What was the reason for the theft?
According to the user's account, an investigation by a security company found that the hacker took control of their account by hijacking their web session cookies. The hacker then bought tokens such as QTUM and DASH in highly liquid USDT trading pairs and placed limit sell orders above the market price in low-liquidity trading pairs such as the BTC and USDC pairs. Finally, they used the user's account to open leveraged positions and make large purchases, filling those sell orders and completing the wash trade.
The user further pointed out that the reason the hacker was able to hijack their Binance account by hijacking their web page cookies was due to their use of a Chrome extension called “Aggr”, which was recommended by overseas Key Opinion Leaders (KOLs) and certain Telegram (TG) channels.
Aggr is a Chrome extension version of a long-standing open-source market data website. The malicious mechanism was simple: once the extension was installed, it collected the user's cookies and forwarded them to the hacker's server.
The hacker then used the collected cookies to hijack the user's active sessions (impersonating the user), which allowed them to control the account without needing the password or 2FA. However, because the user's data was stored in 1Password, the hacker could not bypass their 2FA and withdraw the assets directly; they could only drain the account through wash trading using the hijacked session.
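As an added, defender-side example that is not part of the original article or of the Aggr project: a small Python audit of a Chrome extension's manifest.json that flags the permission combination a cookie-harvesting extension needs (the cookies permission together with host access to every site). The permission names are real Chrome manifest keys; the three sample manifests are constructed for illustration and are not the real Aggr manifest.

```python
import json

# Host patterns that grant an extension access to every origin the browser visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """Collect host match patterns from MV3 'host_permissions' and MV2 'permissions'."""
    patterns = set(manifest.get("host_permissions", []))
    # Manifest v2 mixes host patterns into the generic 'permissions' list.
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    return patterns


def audit_manifest(manifest: dict) -> list:
    """Return risk findings; an empty list means no cookie-theft-capable combination."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    broad = bool(hosts & BROAD_HOSTS)
    if "cookies" in perms and broad:
        # chrome.cookies.getAll() under broad host access returns every site's session cookies.
        findings.append("cookies + broad host access: can read every site's session cookies")
    elif "cookies" in perms:
        findings.append("cookies limited to hosts: " + ", ".join(sorted(hosts)))
    if broad and perms & {"webRequest", "webRequestBlocking"}:
        findings.append("webRequest + broad host access: can observe or alter all traffic")
    return findings


# Constructed sample manifests for illustration (not the real Aggr manifest).
BENIGN_MANIFEST = json.dumps({"manifest_version": 3, "name": "market-charts",
                              "permissions": ["storage"],
                              "host_permissions": ["https://charts.example.invalid/*"]})
RISKY_MANIFEST = json.dumps({"manifest_version": 3, "name": "market-charts",
                             "permissions": ["cookies", "storage", "webRequest"],
                             "host_permissions": ["<all_urls>"]})
LEGACY_RISKY_MANIFEST = json.dumps({"manifest_version": 2, "name": "market-charts",
                                    "permissions": ["cookies", "<all_urls>"]})

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_MANIFEST), ("risky", RISKY_MANIFEST),
                       ("legacy", LEGACY_RISKY_MANIFEST)):
        print(label, audit_manifest(json.loads(raw)) or ["no high-risk findings"])
```

Run it against the manifest.json unpacked from any installed extension; a cookies finding on an extension whose stated purpose is charting is the signal this story turned on.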
Aggr Malicious Extension has long existed
It is worth noting that, according to an investigation by blockchain security company SlowMist, this malicious Aggr extension has existed for some time. As early as March 1st of this year, Twitter user @doomxbt reported abnormal activity on their Binance account and suspected their funds had been stolen.
Initially, the incident did not attract much attention. On May 28, 2024, however, Twitter user @Tree_of_Alpha analyzed the case and found that the victim @doomxbt had likely installed a malicious Aggr extension that had good reviews on the Chrome store and could steal all the cookies from websites the user visited. Furthermore, two months earlier, someone had paid influential individuals to promote it.
Subsequently, Nakamao revealed their own hacking experience, which escalated attention on the incident. According to SlowMist's analysis, the attacker was most likely a Russian or Eastern European hacking group that had been planning the attack for three years. After deploying the malicious extension, the hacker began promoting it on Twitter and waited for unsuspecting victims.
Further reading:
Browser Mining: Analysis of Chrome Extension Theft
Nakamao vents frustration: A sacrificial victim of Binance
While recounting their hacking experience, Nakamao also expressed dissatisfaction with the speed and substance of Binance's response to this incident. They claimed that Binance had known about the malicious extension for weeks but did not promptly alert users, in order to track the hacker without alarming them, and that it allowed the extension to keep being promoted on the X platform.
Nakamao also stated that Binance responded too slowly after they reported the situation to Binance staff, so the hacker's funds were not frozen in time and the loss became irrecoverable.
Binance: Unable to provide compensation
In response to the user’s accusations, Binance officials subsequently made the following reply:
Meanwhile, Binance co-founder He Yi also stated:
Community debates differ
Regarding this incident, community members hold differing opinions. Some believe Binance should compensate the user, citing the user's claim that Binance had early knowledge of the malicious extension but did not promptly notify users or freeze the hacker's funds. Others argue that, as Binance says, the user's account was manipulated because they voluntarily installed the malicious extension.
However, regardless of the arguments on either side, Dapp.com reminds users, as the SlowMist team said: