Working With Binance to Return $10,000 of Stolen Crypto to a Victim

Previously, I was able to return $4k of stolen funds to a user. I recently made another recovery to the tune of over $10k.

Harry
Jul 23, 2020 · 3 min read

Centralized exchanges come with their drawbacks and may not fulfill all of the goals generally associated with crypto philosophies, but there are instances when custodial elements can become beneficial. For example, in the wake of the recent Twitter hack, it was revealed that Coinbase blocked user attempts to send over $280,000 in Bitcoin to the scam address.

In the case of my recent experience, Binance was able to provide an assist by passing along our information to the owner of the victimized address, giving them the option to reach out and resolve this.

The phishing technique used in this case was sophisticated in the sense that it mimicked two separate UIs to steal a user’s secret (private key, keystore file, mnemonic phrase). It can be convincing to unsuspecting users.

The bad actor(s) would deploy a malicious dapp interface (in this case a fake Uniswap UI) and prompt the user to connect their MetaMask account. The kit would then mimic the MetaMask popup, display a fake error state, and prompt the user to enter their secret. Once the user did, the kit sent the user's input to the attackers' database via a REST API and redirected the user to the legitimate app.

This is the user flow for a malicious Uniswap UI — note that I do not have MetaMask installed on this browser instance

Intercepting the Funds

Fortunately, the database was open for both read and write, which allowed me to periodically fetch the entries for their collections/tables and run the keys through my custom sweeper. As they were using a DaaS, the only authorization barrier they had was an apikey HTTP header.

Similar to our other story of fund recovery, I was able to retrieve the phished details from their open database and run them through my sweeper, which recovered some of the stolen funds.

I then pivoted the infrastructure using PassiveTotal by RiskIQ and found some more malicious domains targeting cryptocurrency users:

node.uniswapv1v2.app (162.213.255.91)
uniswapv1v2.app (162.213.255.91)
uniswapexchange.online (162.213.255.91)
uniswop.shop (68.65.123.97)
xmr-wallet.com (162.213.255.91)
...
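The infrastructure pivot described above can be reproduced with a few lines of code once you have passive DNS resolutions in hand. The following is an added example, not code from the original post or from MyCrypto: it takes a list of `{domain, ip}` records (here, the domains and IPs listed above plus two constructed benign entries for contrast), finds every domain that shares an IP with a seed domain, and separately flags labels that resemble the impersonated brand, so that a domain on a different IP (such as `uniswop.shop`) is still caught. Function names, the edit-distance threshold, and the single-label-TLD assumption are this example's own; a real tool would load records exported from a passive DNS provider and use the Public Suffix List.

```javascript
// Added example (not from the original post): pivoting from one phishing
// domain to related infrastructure via shared IPs and brand-lookalike labels.
// Sample input: the domains/IPs listed in the post plus two constructed
// benign entries ("example-news.test" and "shop-demo.test") for contrast.
const passiveDnsRecords = [
  { domain: "node.uniswapv1v2.app", ip: "162.213.255.91" },
  { domain: "uniswapv1v2.app", ip: "162.213.255.91" },
  { domain: "uniswapexchange.online", ip: "162.213.255.91" },
  { domain: "uniswop.shop", ip: "68.65.123.97" },
  { domain: "xmr-wallet.com", ip: "162.213.255.91" },
  { domain: "example-news.test", ip: "203.0.113.10" }, // constructed
  { domain: "shop-demo.test", ip: "203.0.113.10" },    // constructed
];

// Levenshtein edit distance between two short strings (single-row DP).
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Label just left of the TLD ("node.uniswapv1v2.app" -> "uniswapv1v2").
// Assumption: single-label TLDs; use the Public Suffix List in production.
function secondLevelLabel(domain) {
  const parts = domain.toLowerCase().split(".");
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0];
}

// One-hop pivot: every other domain that resolved to an IP the seed used.
// Caveat: on shared hosting this returns many unrelated tenants, so treat
// the result as leads to triage, not as a blocklist.
function pivotByIp(records, seedDomain) {
  const seedIps = new Set(records.filter(r => r.domain === seedDomain).map(r => r.ip));
  const related = new Set();
  for (const r of records) {
    if (seedIps.has(r.ip) && r.domain !== seedDomain) related.add(r.domain);
  }
  return [...related].sort();
}

// True when the registrable label contains the brand or a substring within
// edit distance 1 of it (catches "uniswop", "uniswapexchange", ...).
function looksLikeBrand(domain, brand) {
  const label = secondLevelLabel(domain);
  if (label.includes(brand)) return true;
  const n = brand.length;
  for (const len of [n - 1, n, n + 1]) {
    for (let i = 0; i + len <= label.length; i++) {
      if (editDistance(label.slice(i, i + len), brand) <= 1) return true;
    }
  }
  return false;
}

function findBrandLookalikes(records, brand) {
  const b = brand.toLowerCase();
  const hits = new Set(records.map(r => r.domain).filter(d => looksLikeBrand(d, b)));
  return [...hits].sort();
}

// Combine both pivots into a triage map: domain -> list of reasons.
function triage(records, seedDomain, brand) {
  const reasons = new Map();
  const add = (d, why) => reasons.set(d, [...(reasons.get(d) || []), why]);
  for (const d of pivotByIp(records, seedDomain)) add(d, `shares IP with ${seedDomain}`);
  for (const d of findBrandLookalikes(records, brand)) add(d, `label resembles "${brand}"`);
  return reasons;
}

for (const [domain, why] of triage(passiveDnsRecords, "uniswapv1v2.app", "uniswap")) {
  console.log(domain, "->", why.join("; "));
}
```

Domains that appear for both reasons (shared hosting with the seed and a brand-lookalike label) are the strongest leads; a domain that appears for only one reason, such as `xmr-wallet.com` here, needs a second signal before it is treated as part of the same campaign.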

Returning the Funds

I was able to determine that a victim address was used in Binance withdrawals so I reached out to my contacts there. I asked them to pass my email address to the user to confirm that they were the victim and start the process of returning the funds.

The user reached out to me within the hour.

Visualization by Breadcrumbs.

After going through various steps to prove ownership of the compromised key and the new address, I sent the recovered funds to the victim’s new address and linked them to our safety guides.

https://etherscan.io/tx/0x591fcf1c7c4555eb2b6f37880d2a6d9f2ae27acc0d0cfc7d143fdbb14069010c

https://etherscan.io/tx/0xebb7990628366fb5e75c24dc50bc1804cc91cb323e3f1352e3e28bdf6a640db0

Don’t Become a Victim

If you’ve recently entered your mnemonic phrase into an interface and experienced the same user journey as described at the start of the article, please create a fresh seed on trusted software that you can verify. Then you will need to migrate all your funds to your new address.

You will need to audit all of your apps to ensure the ones you are running are legitimate. You will need to uninstall all the non-legitimate ones and do an audit on what could have been compromised.

Learn to protect yourself and your funds.

If you run a website, web extension, or something else, do not allow users to enter raw private keys, mnemonic phrases, or keystore files into your product. It is harmful to allow it and users need to learn from the very beginning of their journey that it’s not a safe method of accessing their funds.
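One concrete way to enforce that rule in a web product is to detect wallet secrets at the input field and refuse them before they ever leave the page. The following is an added example, not code from the original post or from MyCrypto: it classifies a field's value as a hex private key, a mnemonic phrase, or a keystore file using simple heuristics, and a small helper clears the field and reports why. The heuristics (BIP39 phrase lengths, 3-8 letter words, the keystore's `crypto.ciphertext` and `crypto.kdf` fields), the function names, and the sample values are this example's own assumptions; a stricter mnemonic check would validate each word against the BIP39 wordlist and verify the checksum.

```javascript
// Added example (not from the original post): refuse wallet secrets at the
// point of input so a product never receives private keys, mnemonic phrases,
// or keystore files from its users.

const MNEMONIC_WORD_COUNTS = new Set([12, 15, 18, 21, 24]); // BIP39 phrase lengths
const PRIVATE_KEY_RE = /^(0x)?[0-9a-f]{64}$/i;                // 32-byte key as hex (with or without 0x)

// Returns "private-key", "mnemonic", "keystore", or null for ordinary input.
function classifySecretInput(text) {
  const trimmed = String(text).trim();
  if (PRIVATE_KEY_RE.test(trimmed)) return "private-key";

  // Heuristic: a BIP39-length run of short lowercase words. English BIP39
  // words are 3-8 letters; ordinary sentences rarely match this shape exactly.
  const words = trimmed.toLowerCase().split(/\s+/);
  if (MNEMONIC_WORD_COUNTS.has(words.length) && words.every(w => /^[a-z]{3,8}$/.test(w))) {
    return "mnemonic";
  }

  // Web3 secret-storage keystore: JSON with a crypto object carrying ciphertext and kdf.
  if (trimmed.startsWith("{")) {
    try {
      const obj = JSON.parse(trimmed);
      const crypto = obj && (obj.crypto || obj.Crypto);
      if (crypto && typeof crypto.ciphertext === "string" && typeof crypto.kdf === "string") {
        return "keystore";
      }
    } catch (_) {
      // not JSON; fall through
    }
  }
  return null;
}

// Decide what a form field should do with a value: reject secrets, allow everything else.
function guardFieldValue(text) {
  const kind = classifySecretInput(text);
  if (kind === null) return { allowed: true, reason: null };
  return { allowed: false, reason: `Looks like a ${kind}; this product never asks for wallet secrets.` };
}

// Browser wiring (not exercised here): clear the field and surface the reason.
function attachSecretGuard(inputEl, onReject) {
  inputEl.addEventListener("input", () => {
    const verdict = guardFieldValue(inputEl.value);
    if (!verdict.allowed) {
      inputEl.value = "";
      onReject(verdict.reason);
    }
  });
}

// Constructed sample inputs for demonstration; none is a real secret.
const SAMPLE_PRIVATE_KEY = "0x" + "ab".repeat(32);
const SAMPLE_MNEMONIC = "abandon ability able about above absent absorb abstract absurd abuse access accident";
const SAMPLE_KEYSTORE = JSON.stringify({
  version: 3,
  crypto: { cipher: "aes-128-ctr", ciphertext: "00".repeat(32), kdf: "scrypt" },
});
const SAMPLE_ADDRESS = "0x" + "ab".repeat(20); // a public address: 40 hex chars, not a secret

for (const v of [SAMPLE_PRIVATE_KEY, SAMPLE_MNEMONIC, SAMPLE_KEYSTORE, SAMPLE_ADDRESS, "send 0.25 ETH to alice"]) {
  console.log(JSON.stringify(guardFieldValue(v)));
}
```

The classifier deliberately treats a 40-hex-character address as ordinary input, since products legitimately ask for addresses; only the 64-hex-character key shape is refused. A rejected paste is a teaching moment as well as a control: the reason string tells the user, at the start of their journey, that no legitimate product needs their secret.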

If you’d like to help us continue tracking scams and helping victims, please consider contributing to the CryptoScamDB Gitcoin grant.


MyCrypto

The Official MyCrypto Blog
