Thieves have stolen more than $40 million worth of bitcoin from Binance, one of the world’s largest cryptocurrency exchanges, as part of a “large scale” security incident affecting roughly 2 percent of its bitcoin holdings, the company announced Tuesday.
Hackers stole two-factor authentication keys, API data, and “potentially other info” through an attack that combined phishing and viruses, Binance said in a May 7 statement. The result was the withdrawal of 7,000 bitcoin, worth nearly $41 million at the time of the heist, from Binance’s “hot wallet” when the time was right. No user funds were affected by the breach.
“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” the company said. “The transaction is structured in a way that passed our existing security checks. It was unfortunate that we were not able to block this withdrawal before it was executed. Once executed, the withdrawal triggered various alarms in our system. We stopped all withdrawals immediately after that.”
The company says it stopped all withdrawals immediately after that transaction was approved. It estimated it will take one week to conduct a security review, during which withdrawals and deposits will remain suspended, though trading will continue.
Binance, in its statement, said it will use its Secure Asset Fund for Users, stored in a separate wallet, to cover any losses.
“It does very hurt much but we are able to cover that,” Binance CEO Changpeng Zhao said in a video posted following the announcement. “We are not short on funds right now.”
The value of bitcoin remains roughly 70 percent below its record high in December 2017.
Cryptocurrency exchanges and prominent investors have repeatedly been targeted by scammers and digital thieves. Hackers stole nearly $400 million in a 2018 attack at the Coincheck exchange, and Hong Kong-based Bitfinex infamously lost $63.7 million in a 2016 theft.
The United Nations in March linked North Korean hackers to the theft of at least $571 million from cryptocurrency exchanges, money Pyongyang could use to mitigate the impact of international sanctions.