The potential risk behind compromised APIs and why the 2018 Binance attacks were a teachable moment.

The potential risk behind compromised APIs and why the 2018 Binance attacks were a teachable moment.

By True_Grin | FleetWoodBigMac | 15 Mar 2021

API keys and the risk involved

Have you ever used a portfolio tracker? There's a big chance that you also chose to connect said tracker to the exchanges you use in order to track trades etc. You may have also taken it a step further and allowed trades to be executed directly in app.

This is why your generated API keys are not as safe as they seem.

In May 2018, hackers used APIs they phished from multiple users to withdraw 7,074 BTC from Binance before the exchange was able to detect it and freeze all withdrawals. The next measure was to restrict all APIs to trading before later deleting and replacing all of them. In this case the hackers were able to obtain more than just API keys but also 2FA codes which allowed them to make withdrawals. 

In July 2018, hackers were able to pull off a similar heist but with less data, making it considerably more worrying. Since APIs are set to trade only by default, the harm they can be used to inflict is considerably less than with detailed user information. This attack utilised coins with low trade volume at the time like Syscoin and Viacoin to create an artificial pump, using compromised funds, which they anticipate with sell orders. This effectively allows a more lowkey transfer of funds which they can then withdraw using their own accounts.

Have you wiped out your APIs yet? 

No, well maybe this will make you consider doing so. A user by the name of 'speedyx02' posted an AD on RaidForums offering to sell 160 Binance APIs with a combined value of ~637,000 dollars. While the seller cannot withdraw the funds from the exchange itself, he is looking to unload the valuable data to someone who is able to commit an attack similar to the SYS/VIA exploit. Another user claimed to have already sold 300k USD worth of APIs with a million dollars worth remaining as of the 28th of February. 

If this has not prompted you to act then it should at least make you review your security for vulnerabilities and weigh the pros and cons of continued API use. Stay safe out there.

What do you make of 'speedyx02'? Is he legit or just a poser?

How do you rate this article?




Musings, alpha and the likes.


Interested in crypto, finance, travel and anything else that sparks my interest. Goes without saying my content is original and therefore might not be top tier quality.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.