Binance, one of the top five cryptocurrency exchanges in the world, announced a "large scale security breach" during which hackers stole over 7,000 Bitcoin, worth nearly $41 million at the time of writing.
The breach occurred today, May 7, and was disclosed on the company's blog and social media channels.
Binance said hackers used various techniques --such as "phishing, viruses and other attacks"-- to gain access to user accounts, including "API keys, 2FA codes, and potentially other info."
When the time came today, the hackers initiated a mass withdrawal from these accounts, generating a massive 7,074 BTC transaction from Binance's main "hot wallet" to several smaller accounts.
The massive withdrawal triggered all sorts of security alarms at the Japan-based cryptocurrency exchange, but the warnings came too late and weren't enough to stop the transaction from making it through.
Binance admins froze deposits and withdrawals immediately after and put the site in maintenance mode to investigate the gigantic pile of money that left their platform.
"The transaction is structured in a way that passed our existing security checks," Binance said. "The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time."
The company plans to undergo a security audit in the coming week to root out hackers from any other accounts they might still be controlling on the platform.
No losses to users
Binance also announced it would be absorbing the damage, meaning users won't be losing any Bitcoin from personal accounts due to the hack.
The platform plans to use its Secure Asset Fund for Users (SAFU) fund to cover the losses suffered today. The SAFU fund was specially created for these types of situations.
"Starting from 2018/07/14, we will allocate 10% of all trading fees received into SAFU to offer protection to our users and their funds in extreme cases," the company said last summer when it created SAFU. "This fund will be stored in a separate cold wallet."
The last Binance security incident occurred in March 2018 when a phishing campaign impacted a large number of Binance users. At the time, Binance offered a $250,000 reward for any information that would have led to the arrest of those involved in the phishing campaign.