Cryptocurrency exchange Binance, preferred by many due to its low trading fees, has offered a US$250,000 bounty for information about the hackers who attacked it last week. It’s an interesting move by Binance as it offers the possibility of hacking groups snitching on each other. Furthermore, Binance has also said it is putting over $10 million of its crypto reserves aside for future bounty payments.
The last year has seen an increase in mainly successful attacks on cryptocurrency exchanges worldwide. Interestingly, in its announcement of the bounty Binance said: “We have also invited other exchanges and crypto businesses to join our initiative. We welcome their participation at any time.”
How was Binance attacked?
There are a number of things that we know about the attack. The most important is that the exchange has confirmed that nobody using its platform has lost money. The attackers, however, are alleged to have lost money as part of their scam.
The attacks were all API-driven. The attackers created a number of API keys. These keys are used to enable software to automatically interact with the exchange. To create the API keys, the attackers needed access to user accounts. Binance believes that a number of users were subjected to a coordinated and sophisticated phishing attack. Rather than act on each successful credential compromise, the attackers waited until they felt they had enough to make a serious profit.
The attack then morphed into a pump-and-dump approach. The attackers placed large numbers of orders for the low-value viacoin. At a predetermined value they dumped all the viacoin by exchanging it for bitcoin. Under normal circumstances this would have left other viacoin buyers with highly overpriced viacoin, resulting in big losses.
However, Binance has its own automatic risk management system. It appears that this jumped in when it saw the sudden rush on viacoin and blocked the transactions. This is where users got worried. Binance locked down all transactions while it resolved the attack.
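The kind of check described above can be sketched as follows. This is an added example, not Binance's risk management system, whose workings the exchange has not published. The order records, field names, thresholds and baseline volumes are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; field names and thresholds are assumptions.
BASELINE_VOLUME = {"VIA/BTC": 500.0, "ETH/BTC": 90000.0}  # usual units bought per window

ORDERS = [
    # (epoch seconds, account, API key id, symbol, side, quantity)
    (1000, "acct-01", "key-a", "VIA/BTC", "buy", 4000.0),
    (1004, "acct-02", "key-b", "VIA/BTC", "buy", 3500.0),
    (1009, "acct-03", "key-c", "VIA/BTC", "buy", 5200.0),
    (1015, "acct-04", "key-d", "VIA/BTC", "buy", 4800.0),
    (1020, "acct-05", "key-e", "ETH/BTC", "buy", 1200.0),
    (1500, "acct-06", "key-f", "VIA/BTC", "buy", 40.0),
]

def find_coordinated_surges(orders, baseline, window_s=120, min_accounts=3, multiple=10.0):
    """Return {symbol: sorted accounts} where API buy orders from several distinct
    accounts inside one time window reach `multiple` times the usual volume."""
    by_symbol = defaultdict(list)
    for ts, account, _key, symbol, side, qty in orders:
        if side == "buy":
            by_symbol[symbol].append((ts, account, qty))

    flagged = {}
    for symbol, buys in by_symbol.items():
        usual = baseline.get(symbol, 0.0)
        if usual <= 0:
            continue  # no baseline to compare against, so no verdict
        buys.sort()
        start, volume = 0, 0.0
        for end, (ts, _account, qty) in enumerate(buys):
            volume += qty
            # Slide the window start forward until it spans at most window_s seconds.
            while ts - buys[start][0] > window_s:
                volume -= buys[start][2]
                start += 1
            accounts = {a for _, a, _ in buys[start:end + 1]}
            if len(accounts) >= min_accounts and volume >= multiple * usual:
                flagged.setdefault(symbol, set()).update(accounts)
    return {s: sorted(a) for s, a in flagged.items()}

if __name__ == "__main__":
    for symbol, accounts in find_coordinated_surges(ORDERS, BASELINE_VOLUME).items():
        print(f"hold trades on {symbol}: {len(accounts)} accounts in surge: {accounts}")
```

Requiring several distinct accounts as well as abnormal volume is what separates a coordinated run on a thinly traded coin from one large trader, and the accounts returned are the ones to review for compromised credentials.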
Why does this matter?
By offering a bounty Binance has made it clear that it won’t accept being attacked.
In the press release it said: “The first person to supply substantial information and evidence that leads to the legal arrest of the hackers, in any jurisdiction, will receive the equivalent of $250,000 USD in BNB. The exchange rate will be determined at time of transfer.
“Please supply detailed information to [email protected] as well as to your local law enforcement agencies.
“If your local laws allow, you may remain anonymous.
“If multiple sources/segments of data are used to lead to the final legal arrests, the bounty may be split between sources. Binance reserves all rights to split the bounty amount, solely at our discretion.”
This is not, however, just about Binance. Asking other exchanges to join its wider defence program is good news. It shows a maturity that we have yet to see in this market. If you look at traditional money markets, banks all share information and collaborate to defend themselves. Binance is trying to get the same level of cooperation among its peers. Whether it will be successful or not remains to be seen.