Binance Bounty — Progress Update - March 19th 2018

Binance Bounty — Progress Update

Monday, March 19th

As previously announced, on March 7th, there was a large-scale attempt to manipulate and steal funds on Binance, which was ultimately unsuccessful. We would like to remind the community that our system was not compromised during this event and no unauthorized data was accessed. The attack was the result of an extended phishing operation, targeting users by creating fraudulent reproductions of our website in order to gather users’ login credentials.

Since launching the Binance Hacker Bounty, we’ve gathered a lot of information regarding this event. Among the information that we have collected, there are some details that we believe will be beneficial to provide publicly. We hope that, with the additional information, our community will be able to assist even further in our search for the perpetrator(s).

Given the scale of the operation, we believe this may be the work of a group rather than an individual, but we certainly aren’t ruling out the possibility.

Phishing Domains

We will start with a list of known fraudulent web domains involved in the phishing schemes that led up to the attack. It seems that these domains are promoted by utilizing numerous search engine advertising campaigns to draw unsuspecting users.

As you will notice, this attacker is not only targeting Binance, but other exchanges, both centralized and decentralized.

(Note: This list is not exhaustive and there are more to identify.)

http://telegra.ph/Binance-Hacker-Bounty-Known-Domains-03-16

It appears that most of these domains utilize a bullet-proof European web host, resolving to the IP addresses 80.92.65.215 and (primarily) 85.93.20.58.

Domain Registrant Information

There have been two common names amongst the registrants of these types of domains. Running a reverse lookup on the names in question returns a variety of other domains that appear to have malicious intent:

  1. Domainbigdata.com — Sergey Valerievich Kireev
  2. Domainbigdata.com — Viktoria Belinskaia

In fact, an article was published in August 2017 regarding one of the domains from our list of known domains above (also tied to one of these registrants): https://www.hackread.com/fake-bittrex-cryptocurrency-exchange-site-stealing-user-funds/
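The pivot described above (start from a known phishing domain, expand through the shared hosting IPs and the shared registrant names) is easy to script over a passive-DNS or WHOIS export. The following is an added example, not code from Binance; the two hosting IPs are the ones named above, but every domain (reserved .example TLD) and every registrant label ("registrant-a" etc.) is a constructed placeholder. It keeps an evidence tag per domain so that a domain linked only through a registrant can be triaged separately from one sitting on the known host.

```python
from collections import defaultdict

# Hosting IPs named in the update above (these two values are from the page).
KNOWN_HOST_IPS = {"80.92.65.215", "85.93.20.58"}

# Constructed records in the shape of a passive-DNS / WHOIS export. The domains
# use the reserved .example TLD and the registrant labels are placeholders; none
# of these rows describes a real domain or person.
RECORDS = [
    {"domain": "binance-login.example",     "ip": "85.93.20.58",  "registrant": "registrant-a"},
    {"domain": "binanse-secure.example",    "ip": "85.93.20.58",  "registrant": "registrant-a"},
    {"domain": "bittrex-signin.example",    "ip": "80.92.65.215", "registrant": "registrant-b"},
    {"domain": "kucoin-verify.example",     "ip": "85.93.20.58",  "registrant": "registrant-b"},
    {"domain": "unrelated-shop.example",    "ip": "198.51.100.7", "registrant": "registrant-c"},
    {"domain": "another-unrelated.example", "ip": "198.51.100.9", "registrant": "registrant-b"},
]


def pivot(records, seeds, known_ips=KNOWN_HOST_IPS):
    """Expand a seed set of phishing domains through shared hosting IPs and
    shared registrants. Returns {domain: set_of_evidence_tags} so an analyst
    can see why each domain was pulled in and weight weak links (registrant
    only) differently from strong ones (same bullet-proof host)."""
    by_ip, by_registrant, info = defaultdict(set), defaultdict(set), {}
    for r in records:
        by_ip[r["ip"]].add(r["domain"])
        by_registrant[r["registrant"]].add(r["domain"])
        info[r["domain"]] = r

    evidence = {d: {"seed"} for d in seeds if d in info}
    frontier = list(evidence)
    while frontier:
        domain = frontier.pop()
        rec = info[domain]
        if rec["ip"] in known_ips:
            evidence[domain].add("known_host_ip")
        links = [(n, "shared_ip:" + rec["ip"]) for n in by_ip[rec["ip"]]]
        links += [(n, "shared_registrant:" + rec["registrant"])
                  for n in by_registrant[rec["registrant"]]]
        for neighbour, why in links:
            if neighbour == domain:
                continue
            if neighbour not in evidence:
                evidence[neighbour] = set()
                frontier.append(neighbour)
            evidence[neighbour].add(why)
    return evidence


def strong_hits(evidence):
    """Domains on the known hosting IPs are the strongest leads; a domain whose
    only connection is a shared registrant stays in the output but not here."""
    return sorted(d for d, tags in evidence.items() if "known_host_ip" in tags)


if __name__ == "__main__":
    ev = pivot(RECORDS, ["binance-login.example"])
    for d in sorted(ev):
        print(f"{d:28} {sorted(ev[d])}")
    print("strong:", strong_hits(ev))
```

Registrant-only links over-reach quickly (a registrant who also owns unrelated domains drags them in), which is why the evidence tags are kept rather than a flat set; the IP link to a bullet-proof host is the signal to rank on.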

In addition, a victim of the attack provided us with their signed consent to release the IP address associated with the API key creation on their account. The IP address (213.87.134.39) resolves to Lipetsk, Russia.

This is unlikely to be the attacker's real location or IP address; they may be using a VPN or another service to obscure their identity. However, cross-referencing this information against the registrants of the domains above suggests that the attacker(s) may reside in Eastern Europe.
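The API-key creation event is the point at which a phished login turns into a theft, so it is also the event a platform can audit. The following is an added example (not Binance's code) over constructed audit-log lines using reserved documentation IP ranges; the log format, the user names and both thresholds are assumptions. It raises two kinds of alert: a key created from an IP the account never logged in from before (ignoring the login minutes earlier, which is exactly what a phished session looks like), and one IP creating keys for several accounts in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines (not from the update; IPs are from the reserved
# documentation ranges). 'alice', 'carol' and 'dave' model accounts whose
# phished credentials are used from one new address to mint API keys.
SAMPLE_LOG = """\
2018-03-01T09:12:00Z user=alice event=login ip=203.0.113.10
2018-03-04T18:40:00Z user=alice event=login ip=203.0.113.10
2018-03-05T20:05:00Z user=alice event=login ip=203.0.113.44
2018-03-02T08:00:00Z user=bob event=login ip=192.0.2.77
2018-03-05T08:10:00Z user=bob event=api_key_created ip=192.0.2.77
2018-03-07T10:30:00Z user=alice event=login ip=198.51.100.23
2018-03-07T10:31:00Z user=alice event=api_key_created ip=198.51.100.23
2018-03-07T10:35:00Z user=carol event=login ip=198.51.100.23
2018-03-07T10:36:00Z user=carol event=api_key_created ip=198.51.100.23
2018-03-07T10:40:00Z user=dave event=login ip=198.51.100.23
2018-03-07T10:41:00Z user=dave event=api_key_created ip=198.51.100.23
this line is malformed and is skipped by the parser
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")


def parse_log(text):
    """Parse 'ts user= event= ip=' lines (assumed format); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def audit_api_key_creation(events, min_age=timedelta(hours=24),
                           fanout_users=3, fanout_window=timedelta(hours=2)):
    """Two checks on api_key_created events:
    new_ip  - the source IP was not used by that user for any login at least
              `min_age` earlier; the login a minute before the key is created
              does not count, because a phished session looks exactly like that.
    fanout  - one IP created keys for >= `fanout_users` distinct accounts within
              `fanout_window`, the signature of a campaign rather than one user."""
    logins = defaultdict(list)     # user -> [(ts, ip)]
    creations = defaultdict(list)  # ip -> [(ts, user)]
    alerts = []
    for e in events:
        if e["event"] == "login":
            logins[e["user"]].append((e["ts"], e["ip"]))
        elif e["event"] == "api_key_created":
            established = {ip for ts, ip in logins[e["user"]] if e["ts"] - ts >= min_age}
            if e["ip"] not in established:
                alerts.append({"kind": "new_ip", "user": e["user"], "ip": e["ip"], "ts": e["ts"]})
            creations[e["ip"]].append((e["ts"], e["user"]))
            recent_users = {u for ts, u in creations[e["ip"]] if e["ts"] - ts <= fanout_window}
            if len(recent_users) >= fanout_users:
                alerts.append({"kind": "fanout", "ip": e["ip"], "users": sorted(recent_users), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in audit_api_key_creation(parse_log(SAMPLE_LOG)):
        print(a)
```

In the sample, bob's key (created days after a login from the same address) is silent, while the three keys minted from 198.51.100.23 each trigger new_ip and the third one also trips the fan-out check. In production the "new IP" test is better done on ASN or /24 than on the exact address, and a hit should gate the key behind a second factor rather than only alert.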

VIA Blockchain Transactions

We were able to identify several suspicious VIA transactions on the blockchain, taking place approximately one to two hours prior to the incident. After further investigation, a total of 31 transactions were found, all made within 200 blocks and each containing 4000 VIA.

Below we have documented the block height and the transaction ID for each:

Block No    Transaction ID (TxID)
4747692     Click Here
4747782     Click Here
4747747     Click Here
4747747     Click Here
4747593     Click Here
4747594     Click Here
4747594     Click Here
4747596     Click Here
4747612     Click Here
4747612     Click Here
4747612     Click Here
4747653     Click Here
4747664     Click Here
4747669     Click Here
4747684     Click Here
4747593     Click Here
4747692     Click Here
4747692     Click Here
4747595     Click Here
4747686     Click Here
4747694     Click Here
4747700     Click Here
4747686     Click Here
4747704     Click Here
4747708     Click Here
4747686     Click Here
4747708     Click Here
4747747     Click Here
4747692     Click Here
4747747     Click Here
4747747     Click Here
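The pattern described above (many transactions of an identical amount landing within a narrow block range) is what a burst detector on chain data looks for. The following is an added example, not Binance's tooling: it uses the 31 block heights from the table and the 4000 VIA per transaction stated above, with placeholder transaction IDs (the table only links to them) and a few constructed background transactions so that the detector has something to ignore. The window and minimum-count thresholds are assumptions.

```python
from collections import defaultdict

# The 31 block heights listed in the table above (values from the page).
BLOCK_HEIGHTS = [
    4747692, 4747782, 4747747, 4747747, 4747593, 4747594, 4747594, 4747596,
    4747612, 4747612, 4747612, 4747653, 4747664, 4747669, 4747684, 4747593,
    4747692, 4747692, 4747595, 4747686, 4747694, 4747700, 4747686, 4747704,
    4747708, 4747686, 4747708, 4747747, 4747692, 4747747, 4747747,
]


def build_sample():
    """Constructed transaction list: the listed heights with the 4000 VIA the
    update reports, plus unrelated transactions as background noise. TxIDs are
    placeholders because the update only links to the real ones."""
    txs = [{"txid": f"PLACEHOLDER-TX-{i:02d}", "block": h, "amount": 4000.0}
           for i, h in enumerate(BLOCK_HEIGHTS)]
    txs += [
        {"txid": "PLACEHOLDER-BG-1", "block": 4740100, "amount": 4000.0},
        {"txid": "PLACEHOLDER-BG-2", "block": 4760500, "amount": 4000.0},
        {"txid": "PLACEHOLDER-BG-3", "block": 4747600, "amount": 125.5},
        {"txid": "PLACEHOLDER-BG-4", "block": 4747650, "amount": 125.5},
    ]
    return txs


def find_bursts(txs, window=200, min_count=10):
    """Find runs of >= min_count transactions with an identical amount whose
    block heights all fall within `window` blocks of the run's first one.
    The scan is greedy from the earliest transaction of each amount, so a
    run is reported once and never overlaps with the next."""
    by_amount = defaultdict(list)
    for t in txs:
        by_amount[t["amount"]].append(t)
    bursts = []
    for amount, group in by_amount.items():
        group.sort(key=lambda t: t["block"])
        i = 0
        while i < len(group):
            j = i
            while j + 1 < len(group) and group[j + 1]["block"] - group[i]["block"] <= window:
                j += 1
            if j - i + 1 >= min_count:
                bursts.append({
                    "amount": amount,
                    "first_block": group[i]["block"],
                    "last_block": group[j]["block"],
                    "count": j - i + 1,
                    "txids": [t["txid"] for t in group[i:j + 1]],
                })
                i = j + 1
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for b in find_bursts(build_sample()):
        print(f"{b['count']} x {b['amount']} between blocks "
              f"{b['first_block']} and {b['last_block']}")
```

With the update's own figures the 31 transactions span 189 blocks, so the 200-block window reports them as one burst while the two lone 4000 VIA transactions far outside it are ignored; tightening the window to 100 blocks splits the same data into two runs, which is the usual trade-off when tuning such a detector.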

Continued Effort

To those of you that have contributed information to [email protected] thus far, we would like to thank you. With every contribution, we come a little closer to identifying those responsible for the events that occurred on March 7th.

As always, the security of our users and their funds is, and always has been, our highest priority. We look forward to continuing to work with our community to bring the culprit(s) to justice.

Remember:

  1. Any specific information provided that leads to the legal arrest of the attackers, in any jurisdiction, will be rewarded on a first-come, first-served basis, with the maximum reward being the equivalent of $250,000 USD in BNB (conversion rate determined at time of payment).
  2. If you believe you have useful information to provide, please submit a detailed report to [email protected], as well as your local law enforcement agency.
  3. If your local laws allow, you may remain anonymous.
  4. If there are multiple sources of different information that, combined, result in an arrest, the reward may be split accordingly. Binance reserves any and all rights to split the bounty, solely at our own discretion.


We highly appreciate your efforts @binanceexchange in securing our funds...Keep up the good work!

Excellent! A Comanche death is in order for the guilty..............

Thanks for the update, good to see you lads are taking the security seriously. Just another reason to switch to @binanceexchange. I'd love to see Binance accepting swift transfers of fiat currency as this is what's currently missing. Keep up the good work.
Resteemed!

Keep up the good work Binance. Your swift actions instilled confidence.

Go get them, make our community better!!

Thanks @binanceexchange for all the hard work!!!

With the help of my friend @socki and others, we have a campaign to include the SBD in binance

Great job!

Nice work Binance!