A cryptocurrency investor experienced a security breach, resulting in the loss of approximately $1 million from their Binance account. The incident unfolded without the hacker needing the account password or two-factor authentication (2FA), employing a sophisticated “counter-trading” technique that manipulated market trades.
Upon investigating the breach with a security firm, the victim discovered that an undercover agent within the cryptocurrency community was responsible for the theft. The agent used a seemingly benign Chrome extension recommended by trusted figures to hijack the victim’s trading session and execute unauthorized transactions.
How the Attack Was Executed
The hacker took control of the victim’s account by hijacking its session cookies, which let them act on the already logged-in session without the password or 2FA. They then aggressively bought and sold cryptocurrencies in low-liquidity trading pairs, where even moderate orders move the price, creating artificial market movements. The victim’s account showed large purchases in QTUM/BTC, DASH/BTC, PYR/BTC, ENA/USDC, and NEO/USDC, significantly altering their prices.
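Written from the defender’s side, the following added example (not code from the article, the victim’s investigators or Binance) sketches how an exchange’s own monitoring could flag the two signals just described: a session cookie presented from a client other than the one that logged in, and a burst of volume in illiquid pairs from one session. The event fields, thresholds and sample trades are constructed assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

# Pairs named in the article; treated as "thin" for this constructed sample.
THIN_PAIRS = {"QTUM/BTC", "DASH/BTC", "PYR/BTC", "ENA/USDC", "NEO/USDC"}

@dataclass
class Event:
    ts: int            # unix seconds
    session: str       # session-cookie id (hypothetical field name)
    ip: str
    ua: str
    kind: str          # "login" or "trade"
    pair: str = ""
    notional_usd: float = 0.0

def session_anomalies(events, thin_pairs=THIN_PAIRS, window=600, limit=50_000.0):
    """Return {session: set(reasons)} for sessions that look hijacked or abused."""
    login_fp = {}                # session -> (ip, ua) seen at login
    recent = defaultdict(list)   # session -> [(ts, notional)] in thin pairs
    findings = defaultdict(set)
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "login":
            login_fp[e.session] = (e.ip, e.ua)
            continue
        # 1. The cookie is presented from a client that is not the one that logged in:
        #    the signature of a replayed/stolen session (no password or 2FA involved).
        if e.session in login_fp and login_fp[e.session] != (e.ip, e.ua):
            findings[e.session].add("cookie reused from a different client")
        # 2. A burst of notional volume in illiquid pairs within `window` seconds,
        #    the "counter-trading" pattern that moves prices in thin markets.
        if e.pair in thin_pairs:
            q = recent[e.session]
            q.append((e.ts, e.notional_usd))
            recent[e.session] = q = [(t, n) for t, n in q if e.ts - t <= window]
            if sum(n for _, n in q) > limit:
                findings[e.session].add("thin-pair volume burst")
    return dict(findings)

# Constructed sample: the owner logs in from one client, then the same cookie is
# used from another client to push volume through thin pairs.
SAMPLE = [
    Event(1000, "s1", "203.0.113.5", "Chrome/125", "login"),
    Event(1100, "s1", "203.0.113.5", "Chrome/125", "trade", "BTC/USDT", 2_000),
    Event(1300, "s1", "198.51.100.9", "Chrome/124", "trade", "QTUM/BTC", 30_000),
    Event(1400, "s1", "198.51.100.9", "Chrome/124", "trade", "DASH/BTC", 25_000),
    Event(1450, "s1", "198.51.100.9", "Chrome/124", "trade", "PYR/BTC", 20_000),
    Event(1000, "s2", "192.0.2.7", "Firefox/126", "login"),
    Event(1200, "s2", "192.0.2.7", "Firefox/126", "trade", "NEO/USDC", 1_000),
]

if __name__ == "__main__":
    for s, reasons in session_anomalies(SAMPLE).items():
        print(s, sorted(reasons))
```

Either signal on its own is a reason to step up verification on the session; both together, as in the sample, are what the article’s timeline describes.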
Despite immediate reports to Binance, the platform’s response was criticized for its slowness and inefficiency. The stolen funds were quickly moved off the exchange before any preventive action could be taken, raising significant concerns about the exchange’s risk management and security protocols.
Further investigation highlighted the role of the “Aggr” Chrome plugin, which had been covertly collecting user data and enabling session hijacking. Although the platform was aware of the plugin from a previous security alert, its potential threat was not communicated to the users promptly. When questioned on the matter, Binance replied:
“The impacted user had assumed a separate incident from 1st March was due to the fraudulent “aggr.trade” plugin based on an X post dated 28th May. Our investigation of that incident did not find any such plugin based on the data and material provided to us at that time. Prior to the X post, a community influencer had alerted us to the plugin on 27th May and we immediately implemented additional security measures.”
Binance spokesperson
The firm said it was in contact with the impacted user to provide assistance and support, and took the opportunity to remind all users to stay vigilant, adding: “We also encourage the community to report potential vulnerabilities through our Bug Bounty Program, which leverages and rewards crowdsourcing to help raise awareness of potential threats earlier.”