Binance denies blame in hacking scam

A Chinese merchant fell victim to a hacking scam, losing $1 million through a promotional Google Chrome plugin called Aggr.

This malicious plugin steals cookies from users, allowing hackers to bypass both passwords and two-factor authentication (2FA) to access the victim’s Binance account.

Binance account compromised by stolen cookies

The trader, who goes by the username CryptoNakamao on social media platform X, recounted the devastating event that took place on May 24. CryptoNakamao noticed random trading activity in his Binance account when he checked the price of Bitcoin through the Binance app. By the time he requested assistance, the hacker had already withdrawn all his funds.

According to the retailer, the hackers exploited browser cookie data, which they obtained through the Aggr Chrome plugin. Originally installed to access data from prominent merchants, the plugin was actually designed to steal users’ web browsing data and cookies. The stolen cookies allowed hackers to hijack the sessions of active users without the need for passwords or authentication, executing multiple leveraged trades to manipulate the prices of low-liquidity pairs for profit.

Despite the fact that the hacker was unable to withdraw funds directly due to 2FA, they used cookies and active login sessions to execute cross-transactions. The trader detailed how the hacker purchased multiple tokens in the highly liquid Tether trading pair and placed limit sell orders above the market price in Bitcoin, USD Coin and other low liquidity pairs.

By opening leveraged positions and buying excess amounts, the hacker successfully completed cross trading, which involves offsetting buy and sell orders for the same asset without registering the trade on the exchange.

CryptoNakamao blames Binance for inaction

CryptoNakamao accused Binance of failing to implement essential security measures despite unusually high trading activity. He alleged that even after timely complaints, the exchange did not take steps to stop the fraudulent activities. His investigation revealed that Binance was aware of the fraudulent plugin and was already conducting an internal investigation. Despite this, Binance did not inform traders or take preventive measures against fraud.

The trader expressed his frustration, stating, “Binance did nothing even though they knew about the theft and frequent cross-trading. Hackers manipulated the accounts for over an hour, causing highly abnormal trading in multiple currency pairs without any risk controls; Binance failed to freeze the funds of the apparent hacker’s single account on the platform in time.”

Binance denies security breach

Yi He, the co-founder of Binance, denied claims that the platform’s security breach resulted in the loss of $1 million from a single user account. On June 3, Yi He clarified, “This user’s account was hacked because his own computer was hacked; I’m a lost cause. After the hack, the hacker was unable to withdraw funds, so the hacker sold the victim’s coins, resulting in trading losses.”

CryptoNakamao responded, claiming that its entire account balance was lost through “counter-trading” without the hacker obtaining the Binance account password or 2FA instructions. He explained that the hacker manipulated his account by holding his web cookies hostage, buying corresponding tokens in the highly liquid USDT trading pair, and placing limit sell orders above the market price in BTC, USDC and other low liquidity pairs.

Yi He further warned users about the risks of logging into accounts with active cookie plugins to avoid the minor inconvenience of entering passwords for each login. She stated, “Binance cannot compensate users when their own login devices are compromised.”

He, a former Chinese TV host, is currently one of two women running the world’s largest cryptocurrency exchanges, along with Bitget CEO Gracy Chen. In April, she noted that her husband, Binance co-founder and former CEO Changpeng Zhao, had received “the most favorable outcome” in his conviction in the United States on money laundering charges.