All Eyes on Binance Stolen Funds: Can the Thieves Cash Out $40MM USD?

On May 7, cryptocurrency exchange Binance discovered a large-scale security breach that enabled attackers to withdraw more than 7,000 BTC (approximately $40M USD) in one transaction. Since May 8, those funds have sat unmoved in 7 cryptocurrency wallets. Binance quickly communicated the attack publicly, which immediately raised awareness among the broader cryptocurrency industry and enabled Chainalysis to track the funds. This transparency ultimately makes it more difficult for the attackers to successfully cash out the stolen funds.

What we know about the stolen funds from ongoing monitoring

The stolen funds were initially sent to 19 addresses. We then identified an additional 7 addresses controlled by the attackers. Those 26 addresses are now labeled as stolen funds in our software.

In the same transaction as the stolen funds, there were legitimate Binance transfers. We confirmed with Binance which transfers were legitimate, and have not labeled those as stolen funds. We will also continue to add to the Binance stolen funds cluster if we identify additional addresses controlled by the same entity.

On May 8, one day after the breach was discovered, all of the stolen funds were moved from the cluster of 26 addresses to the following 7 addresses:


The stolen funds currently sit within these addresses and Chainalysis is continuing to monitor for any additional movement. With nearly the entire industry keeping an eye on these funds, it remains to be seen what route the hackers will take as they attempt to cash out the stolen funds.
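The labeling and monitoring described above can be sketched in a few lines. This is an added example, not Chainalysis's software or method: it labels the outputs of the theft transaction except those the victim confirmed as legitimate, follows the label through later sweeps, and screens a deposit against the result. The addresses, amounts, transaction IDs and the rule that outputs inherit the label only when every input is already labeled are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # addresses the transaction spends from
    outputs: tuple   # (address, amount_btc) pairs

def normalize(addr):
    # Bech32 (bc1...) addresses are case-insensitive; Base58 ones are case-sensitive.
    return addr.lower() if addr.lower().startswith("bc1") else addr

def trace(theft_tx, later_txs, confirmed_legit):
    """Label the theft outputs, then follow the label through later transactions."""
    legit = {normalize(a) for a in confirmed_legit}
    held = {}                                  # labeled address -> BTC currently held
    for addr, amt in theft_tx.outputs:
        if normalize(addr) not in legit:       # victim-confirmed transfers stay unlabeled
            held[normalize(addr)] = held.get(normalize(addr), 0) + amt
    labeled, review = set(held), []
    for tx in later_txs:                       # assumed to be in chain order
        ins = {normalize(a) for a in tx.inputs}
        if not ins & labeled:
            continue                           # unrelated transaction
        if not ins <= labeled:
            review.append(tx.txid)             # mixed with unlabeled inputs: analyst decides
            continue
        for a in ins:
            held.pop(a, None)                  # simplification: a spend empties the address
        for addr, amt in tx.outputs:
            labeled.add(normalize(addr))
            held[normalize(addr)] = held.get(normalize(addr), 0) + amt
    return labeled, held, review

def screen_deposit(tx, labeled):
    """Labeled source addresses of a deposit (empty set means no direct exposure)."""
    return {normalize(a) for a in tx.inputs} & labeled

# Constructed sample data: placeholder addresses and amounts, not real chain data.
THEFT = Tx("tx-theft", ("exch-hot",),
           (("bc1qattacker01", 4000), ("1AttackerLegacy02", 3000), ("bc1qcustomer", 5)))
SWEEPS = [
    Tx("tx-sweep1", ("BC1QATTACKER01",), (("bc1qhold01", 4000),)),
    Tx("tx-sweep2", ("1AttackerLegacy02",), (("1HoldLegacy02", 3000),)),
    Tx("tx-other", ("bc1qcustomer",), (("bc1qshop", 5),)),
]

if __name__ == "__main__":
    labeled, held, review = trace(THEFT, SWEEPS, {"bc1qcustomer"})
    print(held, review)
    print(screen_deposit(Tx("tx-dep", ("bc1qhold01", "bc1qother"), ()), labeled))
```

Transactions that combine labeled and unlabeled inputs are returned for review rather than labeled automatically, which keeps the cluster from absorbing addresses that may belong to someone else.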

Chainalysis visualization of the $40MM USD stolen from Binance

Chainalysis has notified customers if they have any exposure to the stolen funds, and will continue to do so.

What to do if your organization is hacked

Hackers have stolen cryptocurrency worth ~$150 million so far in 2019. Hackers are leveraging increasingly sophisticated social engineering methods, and cryptocurrency businesses continue to be vulnerable as hackers target Bitcoin and other cryptocurrencies.

If your organization discovers it has been hacked, we recommend the following best practices:

Don’t wait—time is of the essence

  • Reach out to law enforcement
  • Report stolen funds to experts who can help
  • Leverage blockchain investigation software to track the flow of funds in real time as they move through the blockchain

Be transparent—the more the community is aware, the more they can help

  • Publish the addresses the attackers used to hold stolen funds so other exchanges can prevent the funds from being converted through their service
  • Share the information publicly if you can

Work with cryptocurrency experts

  • Hacks often involve the same actors, and experienced investigators have insights into their patterns
  • Be wary of information published by non-professional investigators on Twitter and other unverified sources. Chainalysis works directly with exchanges and leverages industry-leading technology to provide accurate blockchain analysis.

Our team is standing by to help cryptocurrency businesses with investigations into hacks, quickly identify and label relevant addresses, and keep our network of exchanges up to date with developments. For more information about how Chainalysis’s blockchain analysis can help prepare your organization to manage hacks, contact us today.