"All funds are safe," the executive added. "There were irregularities in trading activity, automatic alarms triggered. Some accounts may have been compromised by phishing from before. We are still investigating. All funds are safe."
The news that accounts will be restored to their status before the event will be a relief to users, and in an update on Thursday, Binance said the trading activity was due to a "large-scale phishing and stealing attempt."
The cyberattackers behind the scheme operated a fraudulent website, binance.com, which contained two dots at the bottom of two characters -- a small tweak that few would have recognized as fake in relation to the true binance.com domain.
If victims logged into the domain, these credentials were stored, and then a trading API key was created for each account. This API lay dormant until a two-minute period of frantic trading cleared out compromised user accounts.
The price of Viacoin (VIA), a cryptocurrency with small liquidity, was driven up by using these accounts.
In some cases, the coin was purchased after the conversion to BTC of user alt coins, while 31 accounts controlled by the fraudsters sold VIA in order to make a tidy profit.
"This was an attempt to move the BTC from the phished accounts to the 31 accounts," Binance said. "Withdrawal requests were then attempted from these accounts immediately afterward."
However, the cyberattackers did not count Binance's protection systems, which disabled these suspicious transactions. In addition, the company froze the VIA coins deposited by the hackers.
"Not only did the hacker not steal any coins, their own coins have also been withheld," Binance says. "They were patient enough to not take any immediate action, and waited for the most opportune moment to act."