Binance, one of the world’s largest cryptocurrency exchanges, said hackers withdrew 7,000 bitcoins worth about $40 million via a single transaction in a “large scale security breach,” the latest in a long line of thefts in the digital currency space.
The hackers used a “variety of techniques” including phishing and viruses to obtain a large amount of user data, Binance said in a post on its website. There may be additional accounts that have been affected but not yet identified, Binance said. The largest digital tokens including bitcoin slid about 3 percent after the disclosure, then recovered most of the drop.
The company will use its Secure Asset Fund for Users, an emergency insurance fund, to cover the incident in full and no user funds will be affected, it said.
The transaction was limited to Binance’s BTC hot wallet, which contains about 2 percent of the company’s bitcoin holdings, according to the post. Other wallets are secure and unharmed, the exchange said.
The 7,000 bitcoins are worth roughly $40 million, based on current bitcoin composite pricing calculated by Bloomberg. Bitcoin pared its decline to 0.5 percent as of 10:53 a.m. in London, after earlier dropping as much as 3.1 percent from Tuesday. The broader Bloomberg Galaxy Crypto Index also dipped.
“The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time,” according to the post, written by Zhao Changpeng, Binance’s chief executive officer. “We must conduct a thorough security review. The security review will include all parts of our systems and data.”
Binance estimates the review will take a week, during which time all deposits and withdrawals will remain suspended, while trading will continue to be enabled to allow investors to adjust their positions. The hackers may still control some user accounts and may “use those to influence prices in the meantime,” the exchange said.
The hackers structured the transaction to bypass existing security checks, and Binance was unable to block the withdrawal before it was executed, according to the post. Once the transaction was executed, it triggered alarms on Binance’s system and all withdrawals were stopped immediately after that, the post said.
In a tweet linking to the post, Zhao said it was “not the best of days, but we will stay transparent.”