How a hacker may have used a trading bot to steal millions of dollars on Binance

Update: Binance has released a statement about this attack, and it turns out to be close to the scenario described below. API keys were phished and stockpiled over a period of time. Once the hackers had enough keys, they bought into $VIA themselves and then used all of the phished keys to pump it. Ironically, the plan failed and the hackers actually lost money.

Reddit threads have been appearing in which users report that the funds in their Binance accounts were sold and traded without their knowledge. Binance has confirmed that this was done through API keys and only affects users who have set up API access to their account. What's going on?

Keep in mind that this is an early report. Even if it doesn't turn out to be what happened this time, it's an interesting thought experiment about what is possible: a way of exploiting cryptocurrency exchanges and their users that we haven't seen before.

Many people use trading bots: some are open source, some are closed source, and some are hosted on websites that you log in to and pay for. These bots have been around for a long time, and people use them to try to get an edge in trading. To use one you have to give it access to your exchange account, usually via an API key that lets the bot perform some actions on your account, such as buying and selling assets.

However, it appears that someone with some ingenuity has found a way to exploit this through an elaborate pump and dump scheme. Take a look at this video of the chart for $VIA on Binance while the attack was taking place.

What happened here was quite smart. It looks like someone made a trading bot that does all of the usual trading for a user and appears to its users to be legitimate, because for the most part it probably is. But it has one change: a timebomb. At a certain time it executes an order to spend all of the funds in the user's account on $VIA. By that point the bot creator has already loaded up on $VIA and has sell orders sitting on Binance, ready to fill once the target prices are hit. The timebomb goes off, every person running the bot simultaneously submits an order to buy $VIA with all of their funds, and the coin explodes by 10,000% for mere milliseconds. All of the bot creator's sell orders fill and they walk away with an absurd profit in milliseconds. That's one likely possibility.

Another very likely possibility is similar, except that instead of planting a timebomb in an otherwise legitimate trading bot, someone spent a long time "farming" people's Binance API keys, perhaps through a Chrome extension, or perhaps by hacking one of the aforementioned trading bot websites that holds many users' API keys. They then executed essentially the same code using all of those accounts at once.
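Both scenarios above produce the same signature on the exchange side: many unrelated accounts place buy orders for the same thinly traded symbol within a second or two of each other, each committing nearly its whole quote balance. The detector below is an added example written for this post; it is not Binance's code or data. The CSV layout, the field names, the sample log lines and the thresholds are all constructed for illustration.

```python
"""Exchange-side detector for a coordinated all-in buy burst.

Added example, not Binance's code or data. It flags a symbol when many
distinct accounts place BUY orders for it inside a short window, each
committing most of its available quote balance, which is the signature
both scenarios above (timebomb bot or farmed keys) would produce.
The log format and sample lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    ts: float             # seconds since epoch
    account: str
    symbol: str
    side: str             # "BUY" or "SELL"
    quote_spent: float    # quote-asset amount the order commits
    quote_balance: float  # account's free quote balance just before the order


def parse_line(line):
    """Assumed CSV layout: ts,account,symbol,side,quote_spent,quote_balance."""
    ts, account, symbol, side, spent, balance = line.strip().split(",")
    return Order(float(ts), account, symbol, side, float(spent), float(balance))


def find_coordinated_buys(orders, window=2.0, min_accounts=5, min_fraction=0.9):
    """Return {symbol: (burst_start_ts, sorted accounts)} for every symbol
    where at least min_accounts distinct accounts each spent at least
    min_fraction of their quote balance on BUYs within `window` seconds."""
    all_in = defaultdict(list)
    for o in orders:
        if o.side != "BUY" or o.quote_balance <= 0:
            continue
        if o.quote_spent / o.quote_balance >= min_fraction:
            all_in[o.symbol].append(o)

    alerts = {}
    for symbol, hits in all_in.items():
        hits.sort(key=lambda o: o.ts)
        # Slide a window anchored at each all-in order; report the first
        # window that contains enough distinct accounts.
        for i, first in enumerate(hits):
            burst = [o for o in hits[i:] if o.ts - first.ts <= window]
            accounts = {o.account for o in burst}
            if len(accounts) >= min_accounts:
                alerts[symbol] = (first.ts, sorted(accounts))
                break
    return alerts


# Constructed order log: ordinary small trades, one legitimate all-in
# buy by a single account, then six accounts piling into VIABTC within
# roughly half a second.
SAMPLE_LOG = """\
1520550000.10,acct01,BTCUSDT,BUY,500,10000
1520550001.00,acct02,ETHBTC,BUY,1.0,1.0
1520550060.00,acct03,VIABTC,BUY,0.80,0.80
1520550060.10,acct04,VIABTC,BUY,2.50,2.50
1520550060.20,acct05,VIABTC,BUY,0.30,0.31
1520550060.25,acct06,VIABTC,BUY,1.10,1.10
1520550060.40,acct07,VIABTC,BUY,4.00,4.00
1520550060.55,acct08,VIABTC,BUY,0.05,0.05
1520550060.90,acct09,VIABTC,SELL,0,0
1520550120.00,acct10,VIABTC,BUY,0.10,5.00
"""


def analyze(log_text=SAMPLE_LOG, **thresholds):
    orders = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return find_coordinated_buys(orders, **thresholds)


if __name__ == "__main__":
    for symbol, (start, accounts) in analyze().items():
        print(f"{symbol}: {len(accounts)} accounts went all-in at {start:.2f}: {accounts}")
```

The single all-in ETHBTC buy by acct02 is not flagged, and neither is acct10's small VIABTC buy a minute later: the signal is the combination of many accounts, one symbol, a tight time window and near-total balance commitment. A real deployment would tune the thresholds per symbol's liquidity and would also want to correlate the buyers' API keys (creation time, IP, user agent), which this example has no data for.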

Keep in mind that these are still just theories at this point, but they look likely to be close to the truth. We'll learn more as Binance releases reports on its investigation; this story is still developing. Regardless, as far as we know this is a new attack that hasn't been seen before.

Binance is taking steps to assure all users that their funds are safe, and says it will deal with the situation and figure out what happened. It remains to be seen how Binance will handle it.

My recommendation is never to use a trading bot whose source code you haven't read and compiled yourself, or written and compiled yourself. Without that you have no idea what is implemented in it. Aside from spectacular pumps and dumps like this one, there may already be much more subtle bots out there slowly draining people's funds through more elaborate mechanisms. I can think of numerous ways to do this: for instance, intentionally losing money on only a portion of the bot's users and using those small, intentional losses to make other users profit, so that the bot looks good to some of them, while the bot's owner sits in the pool of users profiting from the losers, if not taking an added cut on top, all coded into the bot without your knowledge.
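If you decide to run a bot anyway, the structural fix is to stop handing it the key at all: the bot submits orders to a gate you control, and only the gate holds the API key and talks to the exchange. The gate enforces a symbol allowlist and spend caps, so a timebomb that suddenly tries to go all-in on a coin you never traded is refused. The code below is an added example written for this post, not code from the original page or from any real bot or exchange; the symbol parsing, policy numbers and the constructed order stream are assumptions made for illustration, and the exchange call itself is left out.

```python
"""Policy gate that sits between a trading bot and your exchange API key.

Added example, not code from the original post or from any real bot or
exchange. The bot never sees the key; its orders pass through a gate the
key owner controls, which enforces a symbol allowlist and spend caps.
Symbol parsing, the policy numbers and the sample orders are assumptions.
"""
from dataclasses import dataclass, field

# Assumed quote assets; a real deployment would pull symbol info from the exchange.
QUOTE_ASSETS = ("USDT", "BTC", "ETH", "BNB")


def split_symbol(symbol):
    """'VIABTC' -> ('VIA', 'BTC'); raises ValueError on an unknown quote asset."""
    for quote in QUOTE_ASSETS:
        if symbol.endswith(quote) and len(symbol) > len(quote):
            return symbol[: -len(quote)], quote
    raise ValueError(f"unknown quote asset in {symbol!r}")


@dataclass
class Policy:
    allowed_symbols: frozenset   # anything else is refused outright
    max_order_fraction: float    # share of quote balance one BUY may spend
    max_window_fraction: float   # share of quote balance all BUYs may spend per window
    window_seconds: float


@dataclass
class OrderGate:
    policy: Policy
    balances: dict               # {asset: free amount}, as seen by the gate
    _spent: list = field(default_factory=list)  # (ts, quote_asset, amount) of approved BUYs

    def _window_spend(self, quote, now):
        cutoff = now - self.policy.window_seconds
        self._spent = [s for s in self._spent if s[0] >= cutoff]
        return sum(amount for _, q, amount in self._spent if q == quote)

    def check(self, ts, symbol, side, quote_amount):
        """Return (allowed, reason). Only approved BUYs are recorded against the window."""
        if symbol not in self.policy.allowed_symbols:
            return False, f"symbol {symbol} not in allowlist"
        if side == "SELL":
            return True, "ok"
        _, quote = split_symbol(symbol)
        balance = self.balances.get(quote, 0.0)
        order_cap = balance * self.policy.max_order_fraction
        if quote_amount > order_cap:
            return False, f"order spends {quote_amount} {quote}, cap is {order_cap:.2f}"
        if self._window_spend(quote, ts) + quote_amount > balance * self.policy.max_window_fraction:
            return False, f"window cap for {quote} exceeded"
        self._spent.append((ts, quote, quote_amount))
        return True, "ok"


# Constructed order stream from a bot that behaves for an hour, then fires
# its timebomb: an all-in buy of a symbol the owner never traded.
SAMPLE_ORDERS = [
    (0,    "BTCUSDT", "BUY", 400.0),    # 4% of USDT balance: normal
    (30,   "ETHUSDT", "BUY", 450.0),    # 4.5%: normal, 8.5% of balance in the window so far
    (60,   "ETHUSDT", "BUY", 300.0),    # would push the 5-minute window past 10%
    (3600, "VIABTC",  "BUY", 0.5),      # timebomb: symbol never allowed
    (3601, "BTCUSDT", "BUY", 10000.0),  # timebomb fallback: 100% of USDT in one order
]


def simulate(orders=SAMPLE_ORDERS):
    gate = OrderGate(
        policy=Policy(
            allowed_symbols=frozenset({"BTCUSDT", "ETHUSDT"}),
            max_order_fraction=0.05,
            max_window_fraction=0.10,
            window_seconds=300,
        ),
        balances={"USDT": 10000.0, "BTC": 0.5},
    )
    return [(symbol, *gate.check(ts, symbol, side, amt)) for ts, symbol, side, amt in orders]


if __name__ == "__main__":
    for symbol, allowed, reason in simulate():
        print(f"{symbol:8} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

The gate is only as good as its separation from the bot: it has to run as a different process (or host) from the bot, with the key readable only by the gate, and the balances it checks against should come from the exchange rather than from the bot. It also does nothing about the subtle drain described above, where every individual order looks reasonable; that failure mode still needs the source-code audit the recommendation calls for.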

Stay away from trading bots and be careful who or what you share your API keys with. If you do hand out a key, scope it as tightly as the exchange allows: trading only, never withdrawals, and restricted to the bot's IP address if that option exists. Bear in mind, though, that trading permission alone was enough for the attack described here; the attackers never needed to withdraw anything from the victims' accounts.