Chinese Crypto Trader Loses $1 Million From Binance After Chrome Plugin Exploit
The Aggr Chrome extension stole all of the user's browser data and cookies, which allowed the attacker to hijack his Binance session. The attacker then executed a series of leveraged trades on several low-liquidity pairs, including QTUM/BTC, DASH/BTC and PYR/BTC.
A Chinese crypto trader shared his experience after losing most of the savings he held on Binance to a Chrome plugin exploit. The trader called out the exchange's allegedly slow response, which he says allowed his funds to be stolen.
Malicious Chrome Extension Swipes $1 Million In Crypto
In late February, crypto investor Doomxbt shared his "peculiar" experience of having his Binance account drained. The user watched his $70,000 in holdings vanish in real time, unable to stop it.
Per the post, the investor received several notifications from Binance about orders being filled. He quickly checked his account and contacted support before his balance went to $0, but while waiting for assistance he could only watch helplessly as his funds rapidly disappeared.
At the time, the cause of the incident seemed uncertain: the Binance user had two-factor authentication (2FA) enabled and could still access his account without a problem. The crypto exchange's CEO, Richard Teng, stated that Binance's security team was investigating the issue and trying to identify its root cause.
Unfortunately, several other users continued to get their funds stolen after experiencing similar incidents in the following months. Among the victims, a Chinese trader recently lost $1 million. This user shared an X post hoping to alert the crypto community of the dangerous malware that caused his loss.
X user CryptoNakamao revealed that on May 24, his Binance account was “trading like crazy” without his knowledge. The investor realized the unauthorized activity when he opened his account to check Bitcoin’s (BTC) price.
Nakamao immediately contacted customer support, but, as in Doomxbt's case, the allegedly slow response gave the exploiter time to take the funds. As a result, the trader decided to investigate how the exploit had happened.
The Binance user revealed that the crypto heist was possible because of a malicious Google Chrome extension. According to the victim's investigation, the Aggr Chrome plugin stole all of his web browsing and cookie data.
With this information, the hacker hijacked his active Binance session without needing the password or going through 2FA. After gaining access to the account, the hacker executed several leveraged trades to spike the price of multiple low-liquidity pairs, including QTUM/BTC, DASH/BTC, and PYR/BTC, and profited from them.
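The article attributes the theft to an extension with enough browser access to read cookies for every site. The permission set an extension declares in its manifest.json is the first thing a defender can check before installing it. The following is an added example, not code from the article, from Binance, or from the Aggr extension: it reads a manifest (Manifest V2 or V3), flags the permissions that grant access to cookies or to all sites' traffic, and reports whether the combination adds up to a session-theft capability. The risk descriptions, the sample manifests and their names are constructed for illustration.

```python
"""Audit a Chrome extension manifest.json for permissions that would let the
extension read browsing data and session cookies across every site.
Added example (not the article's or any real extension's code); the sample
manifests below are constructed, not taken from a real extension."""
import json

# Permissions that grant access to session material or to all page traffic.
# Descriptions summarise the Chrome extension permission model.
HIGH_RISK_PERMISSIONS = {
    "cookies": "can read and set cookies for permitted hosts (session theft)",
    "webRequest": "can observe request and response headers, including Cookie",
    "webRequestBlocking": "can modify requests in flight",
    "debugger": "full DevTools protocol access to pages",
    "history": "reads the complete browsing history",
    "tabs": "reads URLs and titles of all open tabs",
    "scripting": "can inject scripts into permitted pages",
    "proxy": "can redirect all browser traffic",
}

# Host patterns meaning "every site"; with these, a cookies or webRequest grant is unbounded.
ALL_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text: str) -> dict:
    """Return a risk summary for a manifest.json string (MV2 or MV3)."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    # MV3 declares host patterns in host_permissions; MV2 mixes them into permissions.
    hosts = set(m.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in m.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))

    findings = [f"{p}: {HIGH_RISK_PERMISSIONS[p]}"
                for p in sorted(perms) if p in HIGH_RISK_PERMISSIONS]
    all_hosts = bool(hosts & ALL_HOST_PATTERNS)
    if all_hosts:
        findings.append("host access to all URLs")
    # Cookie or traffic access scoped to every host is the session-theft profile.
    session_theft_capable = all_hosts and bool(perms & {"cookies", "webRequest", "debugger"})
    return {
        "name": m.get("name", "?"),
        "manifest_version": m.get("manifest_version"),
        "findings": findings,
        "all_hosts": all_hosts,
        "session_theft_capable": session_theft_capable,
    }


# Constructed sample manifests (hypothetical names, not real extensions).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example price ticker (constructed)",
    "permissions": ["activeTab", "storage"],
})

RISKY_MV3_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example trading helper (constructed)",
    "permissions": ["cookies", "webRequest", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
})

RISKY_MV2_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Example chart overlay (constructed)",
    "permissions": ["cookies", "http://*/*", "https://*/*"],
})


if __name__ == "__main__":
    for text in (BENIGN_MANIFEST, RISKY_MV3_MANIFEST, RISKY_MV2_MANIFEST):
        report = audit_manifest(text)
        print(report["name"], "-> session theft capable:", report["session_theft_capable"])
        for f in report["findings"]:
            print("   ", f)
```

Run against an unpacked extension's manifest.json, a `session_theft_capable` result means the extension could do exactly what the article describes regardless of whether its behaviour is actually malicious; it is a reason to inspect the code or not install it, not proof of wrongdoing.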
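A stolen cookie lets an attacker skip the password and 2FA because the server sees only the session token, not who is presenting it. The server-side mitigation is to bind a session to the client fingerprint that authenticated it and to demand re-authentication when a sensitive action arrives from a different client. The following is an added example, not Binance's code or anything from the article: it replays constructed access-log lines (the log format, field names, session ids, RFC 5737 documentation IPs and user-agent strings are all made up) and flags session replay from a new client, escalating to a re-authentication decision for trading actions.

```python
"""Detect a logged-in session being used from a different client than the one
that authenticated it, the pattern a replayed stolen cookie produces.
Added example, not the exchange's or the article's code; the log format and
sample events are constructed."""
import re

# Actions that should require a fresh password/2FA when the client fingerprint changes.
STEP_UP_ACTIONS = {"place_order", "withdraw", "api_key_create"}

# key=value pairs, values optionally double-quoted (user agents contain spaces).
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse '<timestamp> k=v k="v v" ...' into a dict; quotes are stripped."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for key, val in _KV.findall(rest):
        event[key] = val.strip('"')
    return event


def detect_session_replay(lines) -> list:
    """Bind each session to the (ip, ua) seen at login and alert on any later use
    from a different fingerprint.  Returns one alert dict per mismatching event."""
    bound = {}   # session id -> (ip, user agent) captured when the session was issued
    alerts = []
    for line in lines:
        ev = parse_event(line)
        sid = ev["sid"]
        if ev["action"] == "login":
            bound[sid] = (ev["ip"], ev["ua"])
            continue
        if sid not in bound:
            continue  # session issued before this log window; nothing to compare against
        ip0, ua0 = bound[sid]
        changed = [name for name, old, new in (("ip", ip0, ev["ip"]), ("ua", ua0, ev["ua"]))
                   if old != new]
        if changed:
            decision = "require_reauth" if ev["action"] in STEP_UP_ACTIONS else "monitor"
            alerts.append({"ts": ev["ts"], "sid": sid, "action": ev["action"],
                           "changed": changed, "decision": decision})
    return alerts


# Constructed sample log: session s1 authenticates from one client, is later
# driven from another; session s2 stays on its original client throughout.
SAMPLE_LOG = [
    '2024-05-24T09:12:03Z sid=s1 ip=203.0.113.10 ua="Chrome/124 Windows" action=login',
    '2024-05-24T09:13:40Z sid=s1 ip=203.0.113.10 ua="Chrome/124 Windows" action=view_balance',
    '2024-05-24T11:02:11Z sid=s1 ip=198.51.100.7 ua="Chrome/125 Linux" action=view_balance',
    '2024-05-24T11:02:19Z sid=s1 ip=198.51.100.7 ua="Chrome/125 Linux" action=place_order',
    '2024-05-24T11:05:00Z sid=s2 ip=192.0.2.44 ua="Safari/17 macOS" action=login',
    '2024-05-24T11:06:30Z sid=s2 ip=192.0.2.44 ua="Safari/17 macOS" action=place_order',
]


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(alert)
```

The first mismatching event is only flagged for monitoring because a legitimate user can roam between networks; the order placed from the new client is where the session should be challenged for a password and 2FA again, which is the step a cookie thief cannot complete.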
Binance Responds To Accusations
Nakamao expressed his disappointment with the crypto exchange, stating that he had expected more from customer support. Additionally, he claimed that the exchange knowingly allowed the hacker to keep operating while it conducted its investigation.
The trader explained that he had found the Chrome plugin through an influencer who, alongside others, had been paid to promote the malicious extension. Per Nakamao's post, Binance was allegedly aware of this and encouraged the influencer to gather more information from the hacker:
It turned out that Binance had known about the existence of this plugin for a long time, and even encouraged this KOL to get further information from the hacker, and it was while the plugin was being further promoted that I was stolen. Binance had tracked down the hacker’s address at least 3 or 4 weeks ago and obtained the name and link to the plugin from the KOL. But even so, Binance likely failed to notify the suspension of the product in time to continue tracking down the hacker and avoid spooking them, and I became a casualty of that.
The exchange responded to the allegations, denying any knowledge of the Aggr plugin before Nakamao's incident. Moreover, it said it had not linked Doomxbt's case to the Chrome extension.
Additionally, it denied being aware of the influencer's promotion of the malicious plugin and promised to look into it further. It is worth noting that crypto community members had started warning users about this new type of exploit about a week earlier.
Ultimately, Binance stated they could not compensate Nakamao as his account was manipulated through the malicious plugin:
We are very sympathetic to your situation, but according to the information we have learned so far, the reason for the loss of your assets is that your device was manipulated due to the installation of a malicious plugin. Unfortunately, we are not in a position to compensate you for this type of case, which has nothing to do with Binance.