The cryptocurrency community's attention is fixed on the leading exchange Binance following the recent security breach, which resulted in the theft of $40 million worth of BTC. However, conspiracy theories have already emerged, suggesting that the event might not have been a hack at all.
Questionable Wording from Binance
As Cryptopotato reported, Binance, the world’s leading cryptocurrency exchange, announced that it was hacked. This resulted in a loss of 7,000 BTC, worth roughly $40 million at the time of this writing.
However, going through the official announcement, some were quick to point out that the hack didn’t actually challenge Binance’s security measures, but rather targeted the users individually:
“Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info. The hackers used a variety of techniques, including phishing, viruses and other attacks. We are still concluding all possible methods used. There may also be additional affected accounts that have not been identified yet,” reads the announcement.
Some noted the questionable wording used by Binance, which implies that the exchange itself hasn’t been hacked. Indeed, phishing attacks are a popular method used by hackers to obtain valuable information from unsuspecting users, which is then used to steal funds.
Going further, the official announcement also says that all 7,000 stolen BTC left the exchange in a single transaction. It also goes on to clarify that:
“The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed,” the announcement notes.
No further details were provided as to why the transaction wasn’t blocked and what was so unusual about its structure.
What About KYC And The Identity of The Hacker?
One of the things that Binance is very strict about is its KYC procedures. It has a tiered system of withdrawal limits, divided into three levels. The first allows withdrawals of up to 2 BTC, the second of up to 100 BTC, and the third is supposedly customized for higher withdrawals and is granted after confirmation by Binance.
Regardless, in order to get a withdrawal limit of up to 100 BTC per 24 hours, the user needs to go through a rigorous KYC procedure which requires a range of personal documentation, as well as an actual photo of the person in real time.
In other words, unverified users can only withdraw up to 2 BTC, which is clearly not the case in the transaction showcased above.
Moreover, the funds which were sent to SegWit addresses are actually not spendable, which adds even more fuel to the fire:
“It is very strange to me that someone would have the intelligence, resources, savvy & access to hack major ‘whales’ on Binance’s platform via API, yet be so incompetent as to drown $40 million in addresses where the funds can’t be spent.”