CZ addresses concerns over investigation into ‘abnormal price movements’ on Binance

Changpeng Zhao (CZ), the CEO of Binance, has addressed concerns surrounding the investigation into “abnormal price movements” for some trading pairs on the exchange.

Based on our investigations so far, this appears to be just market behavior. One guy deposited funds and started buying. (Hackers don’t deposit). Other guys followed. Can’t see linkage between the accounts. 1/3 https://t.co/QlB1VnlHVs

— CZ 🔶 Binance (@cz_binance) December 11, 2022

CZ reported that the firm had temporarily locked withdrawals for “some of the profiting accounts” that had caused complaints on social media.

In a statement, CZ said:

“We are aware of the concept of too much intervention from the platform, “too centralized” attacks, etc. There is a balance to how much we should intervene. Sometimes, these happen in free market, and we need to let it play out.”

Binance’s official Twitter account announced that the suspicious activity that sparked concern on social media did not appear to be caused by hacked accounts or stolen API keys and that funds are “SAFU.”

This activity does not appear to be due to compromised accounts or stolen API keys; funds are SAFU.

We will update this thread should there be any new information.

— Binance (@binance) December 11, 2022

However, CoinMamba, a futures trader and crypto investor, revealed a different perspective on the situation when they declared on Dec. 8 that their Binance account was hacked through an API created two years ago, submitted exclusively to 3Commas, a crypto trading software provider.

The API was only submitted to 3Commas and nowhere else, which I haven’t used since creating an account there. If you have similarly submitted your API there, you should immediately delete them from your Binance account.

— CoinMamba (@coinmamba) December 8, 2022

CZ responded to CoinMamba, explaining that Binance had “seen multiple cases related to 3Commas,” and claims that users were phished.

I haven’t used 3Commas for almost 2 years and didn’t even remember I had an account there. This is definitely not a phishing case.
Also I didn’t have an IP whitelist for my API keys but for some reason they were kept active. They should’ve been disabled by you.

— CoinMamba (@coinmamba) December 9, 2022

Phishing attacks have been an ongoing theme, as seen in Oct. on exchanges like FTX and Binance, where users fell prey to phishing attacks targeting crypto services like 3Commas.

Though CoinMamba discarded the idea of this being a phishing case, 3Commas provided a full investigation blog post of the API key attacks on Dec. 10, describing the modern evolution of ‘phishing.’

“Over time, phishing has evolved to incorporate new attack vectors, such as paying to advertise imitation websites high in search engine rankings or to incorporate malware as part of the attack. Also, phishing has been known to target specific groups of people, high net-worth individuals or even companies (known as “Spear phishing” or “Whale phishing”)”

Despite the investigative post by 3Commas, concerns surrounding stolen API keys only grew as more Twitter users revealed losses and described 3Commas as “NOT Safe.”

On 12/6/22, A 3Commas API (Free Account) I setup over 2 Years ago and forgot about suddenly became active and began performing unauthorized trades on my Binance Account:
– $155K Losses (Contra-Traded)

3Commas failed to protect customer API data. 3Commas is NOT Safe: pic.twitter.com/KkhVwVM9YA

— Joel (@akng1985) December 7, 2022

Even on-chain Sleuth, ZachXBT, weighed in on the discussion:

And 3Commas is still claiming people were just “phished” lol pic.twitter.com/Ka7HI53oAL

— ZachXBT (@zachxbt) December 8, 2022

With surmounting evidence confirming stolen API keys at 3Commas, loss of funds by multiple users, and current API data vulnerability, it is doubtful that funds are “SAFU.”

Following a Twitter debate between CoinMamba and CZ to its conclusion, a deleted comment by CZ revealed retaliatory comments suggesting the “offboarding” of both 3Commas and CoinMamba’s Binance accounts.

Tweet deleted. But CT remembers.. pic.twitter.com/p5nkeDmhe1

— CoinMamba (@coinmamba) December 9, 2022

On Dec. 9, CoinMamba’s declared that their Binance account had been closed and received an explanatory response from Binance’s Customer Support Twitter account.

Your account was placed into withdrawal only mode. The decision was in response to threats you made to our CS, not related to our Twitter dialogue. We pulled together a team of over 20 case agents to try and help you. We are sorry it has come to this, but wish you all the best. pic.twitter.com/lTkKy2WnJS

— Binance Customer Support (@BinanceHelpDesk) December 9, 2022