\* TLDR \*
If you have at any time created an API key in the past, please either delete if you are not using it, or review its permissions (write / withdrawal)
* Long version \*
hi all, read on so this doesn't happen to you.
A few hours ago, I woke up in the middle of the night as I usually do from bad sleep, and checked my binance account, as I usually do during a bull run.
To my surprise, I saw my SPOT balance to show roughly 10 000... it was 90k just before I went to bed.
At first, I think it is a bug. I logout and then login again. Same numbers. I still have a bit of ETH, and a bunch of shit coins. Now I start panicking. Did binance get hacked? Twitter doesn't seem to think so. Only after a few minutes do I go to past trades, and see to my horror a bunch of horrible trades between ETH and a bunch of shitcoins.
I quickly disable my account and start chatting to binance. After a few minutes I am transferred to a specialist, who tells me the following:
- -the trades were made via the API
- "it is not possible to reverse these orders as they were traded in market as usual between other market participants "
- "It is not possible to refund your account, for it is impossible to reverse fund from filled orders"
Turns out I had created an API key a few months back, which apparently had been compromised. How ?? No Idea.
As many out there, I thought that "modern" exchanges were pretty secure, and I always thought that there was a higher chance of me loosing my private keys than an exchange being hacked. Turns out I myself let a blatant open door do my account for months, and ultimately it got compromised.
Binance is giving me some very very slim elements of hope: " The team is checking about any beneficial counter-party behind the transactions. Because the transactions were placed in a way that allowed "buy high, sell low" via API. "
So if the hacker was able to benefit from these trades, I should get part of my money back? I don't really believe in that scenario, but thanks Binance for making me hope.
EDIT: Clarity about the API key
A lot of people have asked about the API keys. I created those a few months ago, since I was playing around with the Binance API. I NEVER used them or gave them to any bot platform or automatic trading mechanisms. The keys were only created for educational purposes. Never used them again after that, and 6 months later bye bye money. Yes the write permission was enabled, but not withdrawal (I was automating some trades myself, so needed the write permission). So for anyone who has API keys on their accounts, make sure you truly need them, or to disable write feature!
EDIT2 : How the money disappeared
Since withdrawal was not allowed, the hacker just did a bunch of trades with some super shitcoins. I am now sure how this would have benefitted him, but I am guessing me buying 2 eth worth of NEBL pumps the price for him? Anyways about 850 trades were done over a period of 3 hours, buying / selling the same coin for about 1,9 ETH each time. The trades always bought for a certain amount, and sold for a lower amount, ultimately lowering my total balance.
[link] [comments]
You can get bonuses upto $100 FREE BONUS when you:
π° Install these recommended apps:
π² SocialGood - 100% Crypto Back on Everyday Shopping
π² xPortal - The DeFi For The Next Billion
π² CryptoTab Browser - Lightweight, fast, and ready to mine!
π° Register on these recommended exchanges:
π‘ Binanceπ‘ Bitfinexπ‘ Bitmartπ‘ Bittrexπ‘ Bitget
π‘ CoinExπ‘ Crypto.comπ‘ Gate.ioπ‘ Huobiπ‘ Kucoin.
Comments