Funds Are SAFU, but Reorg Is Not: What We Know About the Binance Hack So Far

Binance, one of the world’s largest cryptocurrency exchanges, experienced a “large scale” data breach on May 7. The hackers reportedly stole around 7,000 Bitcoin (BTC), worth more than $40 million as of press time.

As the platform explained via a public statement, the fraudsters had managed to steal users’ application programming interface (API) keys, two-factor authentication (2FA) codes and other information, which supposedly helped them to orchestrate the attack.

Binance has announced that it will use its reserves “to cover this incident in full,” hence “no user funds will be affected.”

The attack: 7,074 BTC stolen, details are still sketchy

Initially, Changpeng Zhao, CEO of Binance, announced “some unscheduled server maintenance” on his platform via Twitter, warning that deposits and withdrawals might be blocked “for a couple hours.”

“No need to FUD,” he wrote, following with his trademark line: “Funds are #safu.”

In about four hours, Binance released an official statement revealing that a “large scale” security breach took place on May 7 at 17:15:24 UTC.

According to the exchange, the details of the attack are still sketchy:

“Hackers were able to obtain a large number of user API keys, 2FA codes, and potentially other info. The hackers used a variety of techniques, including phishing, viruses and other attacks. We are still concluding all possible methods used. There may also be additional affected accounts that have not been identified yet.”

As a result, the fraudsters were able to withdraw 7,074 BTC, as can be seen on the blockchain explorer. The transaction had 44 outputs, 21 of which were native Segregated Witness (SegWit) addresses, and those addresses received 99.97% of the funds.

Binance has declared that it was “the only affected transaction,” and that only the BTC hot wallet (containing about 2% of Binance’s total BTC holdings) was compromised. “All of our other wallets are secure and unharmed,” the exchange wrote.

“They [the hackers] used both internal and external methods to trap a lot of fish and get a lot of user accounts,” Zhao said during an AMA session on Periscope, stressing that the attack was highly advanced. According to the Binance CEO, the hackers waited until they had managed to capture a large number of accounts, including “very high net worth accounts,” before carrying out the assault.

“Our security measures were not able to stop that withdrawal, which costed us 7000 BTC…”

Indeed, as implied by Redditor u/dekoze, the attackers could have used a number of hacked verified accounts to withdraw the funds. “They moved the stolen funds from various phished users by trading way out of range on illiquid pairs,” the user suggested. “Just look at LINK/PAX, 100k LINK was traded in a 1m candle and reached $9999 USD. That allows you to effectively move all the funds to a few accounts with withdrawal privileges of >100 BTC.”

Soon after the security breach was spotted, Binance suspended all withdrawals and deposits for “about one week” to conduct a thorough security check. “We believe with withdrawals disabled, there isn’t much incentive for hackers to influence markets,” the exchange wrote, adding that all trading within the platform will remain enabled.

According to the Binance CEO, a number of crypto exchanges, including KuCoin and Coinbase, are collaborating with Binance to block deposits from the hacked addresses. The stolen funds have been reportedly moved since the hackers obtained them. First, Anti-Money Laundering and Counter-Terrorist Financing firm Confirm released an analysis showing how 1,227 BTC were moved to two new addresses, one holding 707 coins, while the other one holding 520.

The #Binance hacker just moved the funds again!

Coinfirm analysis shows 1227 #BTC of the #BinanceHack funds moved to 2 new addresses held by the hacker(Red bubbles)

One holds 707 BTC the other 520 BTC

Below is also a Coinfirm #aml Risk Report of one https://t.co/CdRIXAT8dCpic.twitter.com/c2VZwtfub6

— Coinfirm (@Coinfirm_io) May 8, 2019

Then, cryptocurrency news outlet The Block reported that the funds from the aforementioned 44 addresses have allegedly been moved to seven addresses, six of which hold 1,060.6 BTC, while one holds 707.1 BTC.

Funds are SAFU: Binance says it will completely cover the loss using its reserves

Binance has stated that all losses will be covered by its emergency insurance fund. Dubbed “secure asset fund for users (SAFU),” it was announced last year as an initiative to “offer protection to users and their funds in extreme cases.” According to Binance, 10% of all trading fees have been being sent to a separate cold wallet starting from July 14, 2018. Zhao said during the Periscope stream:

“We’re completely okay on the funding side. It does hurt very much, but we’re able to cover that.”

Notably, Tron (TRX) founder and CEO Justin Sun has offered to deposit 40 million tether (USDT) to Binance in exchange for binance coin (BNB), BTC, TRX and bittorent coin (BTT).

The proposition has drawn criticism from some Twitter crypto community members, who suggested that the TRX founder was essentially offering a marketing ploy by proposing to buy the coins “he already has a vested interest in.” Zhao has declined Sun’s offer, explaining that Binance has enough funds to cover the loss.

According to reports from online transaction monitoring resource Whale Alert, 30,000,000 TRX (around $733,679) were transferred from an unknown wallet to Binance after the exchange had announced that all withdrawals and deposits were suspended.

When asked about this, a Binance spokesperson explained to Cointelegraph that “transactions to wallets can still occur but won’t be reflected on Binance until our security review is complete.”

Binance has considered a “reorg,” but was advised against it

Binance has considered “reorging” (i.e., reorganizing) the bitcoin blockchain, which could potentially allow them to recover the stolen funds, but rejected the idea after consulting with various parties.

Ultimately, the move would aim to incentivize miners to form a consensus to wield 51% of the network’s hashing power and subsequently reorganize the blockchain’s transactions associated with the security breach.

As proposed by Bitcoin Core contributor Jeremy Rubin, such an approach could have involved Binance essentially conferring retroactive ownership of the hacked bitcoin to the blockchain’s miners by revealing the exchange’s private keys for the affected coins, or even ostensibly ‘sign[ing] batches of txns with the old utxos paying miners with different locktimes to make it a permanent reward to unwind this hack.’”

Later, Zhao tweeted that, after speaking to a number of crypto actors — including Rubin and Bitmain co-founder Jihan Wu, among others — Binance decided against the plan.

As the exchange’s CEO explained, even though the move could allow Binance to take “revenge” on the hackers and move the stolen funds back, the credibility of BTC could be damaged as a result. “We may cause a split in both the bitcoin network and community,” Zhao added.

In the comment section, many crypto Twitter users criticized the plan, asking why Binance would consider centralizing the network in the first place. Bitcoin enthusiast and network engineer Melik Manukyan tweeted about the proposal to reorg, writing that Binance “didn’t decide not to” but realized it could not. “True that too, that’s what Jihan advised/educated me on too,” Zhao replied. “I trust his advice.”

Eventually, the pundits were joined by Galaxy Digital CEO Michael Novogratz, who also denounced the idea to reorg the network. “I am shocked that @cz_binance [Binance CEO Chengpeng Zhao] even went there,” he tweeted, arguing that bitcoin’s network is too mature at this point to be altered:

“Talk of forking or reorganizing the blockchain is close to heresy. When the ethereum community did it the project was like 5 months old. A baby. Bitcoin now has $100bn market cap and is a legitimate store of wealth.”

In response, Zhao argued that the plan was to construct a transaction “that would keep all other tx [transactions], and just distribute the hacker coins to miners,” without affecting the network at large.

“It turns out the re-org discussion is hotter than the incident itself,” the Binance CEO later wrote in a separate tweet. He also stressed that the idea was initiated by Rubin, not the exchange’s team.

Reorg is not an entirely new concept; similar suggestions were made back in 2016, when Bitfinex was hacked for 120,000 BTC.

The Binance hack marks the largest security breach of 2019 so far — even though Coinbene is reported to have lost $100 million, it has yet to officially confirm it.