The cause of the Binance theft has been found: how 7074 bitcoins were lost



At 8:28 am on May 8, the well-known cryptocurrency exchange Binance admitted that it had been hacked again. As of the time of writing, 7074.18 bitcoins have been stolen.
The following is the security information update announcement released by Binance’s official Weibo account.



In this regard, Binance founder Zhao Changpeng disclosed the details of the theft for the first time in an AMA. He said that the hacker had discovered the security loopholes in the system earlier, but waited very patiently until a large transaction occurred in the system.



Live broadcast address:
https://www.pscp.tv/w/b6I-lTFQWEVkQlBQQlBsS2V8MW1yR212anBicUJKea09rHwXRK_mMqOZXufBTFd6iCrb7SjGYhQ4_QOvoDet
In addition, Zhao Changpeng also disclosed that Binance discovered a "large-scale security vulnerability" in the early morning of May 7, which allowed hackers to access user application program interface keys (API keys), two-factor authentication codes, and other information. According to a transaction published in the security notice, hackers took away approximately $41 million worth of Bitcoin from the Binance exchange.
Security company: It may be caused by the leakage of user API key and Secret key information
Regarding this attack, blockchain_camp immediately contacted the Beosin Chengdu Lianan Technology security team, which conducted an in-depth analysis of the incident. First, the transaction details:



This incident occurred at block 575013, with a total loss of up to 7074 BTC, involving the following 44 withdrawal addresses:



Detailed withdrawal address


As of now, approximately 7074.18 BTC have been stolen from the Binance hot wallet (1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s).
The current balance of Binance's hot wallet is 3,612.69114593 BTC, which means that the private key of Binance's hot wallet is safe. The team's analysis found that the withdrawals were initiated at the same time through the API at 01:17:18 on May 8.
When a user applies for Binance API access, an API key and a Secret key are generated, as shown below:



The API settings let the user restrict access to specific IP addresses and enable the withdrawal function. With withdrawal enabled, funds can be withdrawn directly using the API key and Secret key, without any verification code, SMS code, or Google verification code. As shown below:



The official API call code demo is as follows:



From https://github.com/binance-exchange/python-binance


Chengdu Lianan believes that the attack was caused by the leakage of users' API key and Secret key information.
If a user has not restricted access by IP and has enabled the withdrawal function, any attacker who obtains the API key and Secret key can launch an attack.
User information leakage may occur through:

1. Ordinary users generally do not use API keys. Advanced users usually use them to implement automated trading in their own code, so the API Secret key may have leaked along with the user's source code.
2. The user was phished, and the API key and Secret key they entered were intercepted by the hacker.
3. The computer where the user's API key and Secret key are stored was attacked and the keys were stolen.
4. A problem in the Binance exchange's own systems leaked users' API keys and Secret keys. Among the affected users, only 71 had enabled the withdrawal function and had their coins stolen.

The main 20 addresses of the 7074 BTC stolen by hackers are as follows:



In addition, Blockchain Base Camp also interviewed Wu Jiazhi, Vice President of R&D of PeckShield. Mr. Wu believes that the Binance theft incident can be roughly analyzed at three levels: exchanges, account custody systems, and individual users.

1. The exchange level, where the probability is low. For example, the previous Longnet incident was caused by customer service staff installing malware, which then infiltrated the intranet.
2. Account custody, meaning that retail investors use this type of third-party software and hand their API credentials to the intermediary. Once the intermediary is infiltrated, a large number of API secrets may be obtained at one time, causing such problems. The installation package of this type of software may be replaced when it is downloaded, or the intermediary's server may be hacked.
3. Personal user devices, such as mobile phones and computers, which are infected with Trojans or similar malware that obtain the API secrets and 2FA codes from the device.

In addition, Mr. Wu also said that he saw Binance send 7074 BTC in a single transaction, and that the 20 main target addresses were all new addresses. This situation can actually trigger risk control mechanisms, such as limits on the amount withdrawn per unit time and on the amount that a new address can receive.
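
The two limits Mr. Wu names, outflow per unit time and a cap on what a new address can receive, can be sketched as follows. This is an added example, not Binance's or PeckShield's code; the `RiskControl` class, the thresholds, and the sample requests are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass
SAT = 100_000_000  # satoshis per BTC; integer amounts avoid float drift

@dataclass
class Withdrawal:
    ts: int        # request time, seconds (constructed)
    address: str   # destination address (constructed label)
    amount: int    # satoshis

class RiskControl:
    def __init__(self, window_s, window_cap, new_addr_cap, known):
        self.window_s, self.window_cap = window_s, window_cap
        self.new_addr_cap = new_addr_cap
        self.known = set(known)      # addresses with prior withdrawal history
        self.approved = deque()      # (ts, amount) still inside the window
        self.window_total = 0
        self.new_addr_total = {}     # new address -> satoshis approved so far

    def check(self, w):
        """Return the rules a request trips; an empty list means approve."""
        while self.approved and self.approved[0][0] <= w.ts - self.window_s:
            self.window_total -= self.approved.popleft()[1]
        is_new = w.address not in self.known
        received = self.new_addr_total.get(w.address, 0)
        reasons = []
        if self.window_total + w.amount > self.window_cap:
            reasons.append("window_outflow")
        if is_new and received + w.amount > self.new_addr_cap:
            reasons.append("new_address_cap")
        if not reasons:  # only approved withdrawals count against the limits
            self.approved.append((w.ts, w.amount))
            self.window_total += w.amount
            if is_new:
                self.new_addr_total[w.address] = received + w.amount
        return reasons

def run_constructed_batch():
    # Hypothetical thresholds: 500 BTC per hour overall, 10 BTC per new address.
    rc = RiskControl(3600, 500 * SAT, 10 * SAT, known={"known-addr-1"})
    batch = [Withdrawal(1000, "known-addr-1", 40 * SAT),
             Withdrawal(1000, "new-addr-0", 5 * SAT)]
    # Constructed burst: 20 never-seen addresses in the same second, 350 BTC each.
    batch += [Withdrawal(4000, f"new-addr-{i}", 350 * SAT) for i in range(1, 21)]
    batch.append(Withdrawal(4000, "known-addr-1", 480 * SAT))
    return [(w.address, rc.check(w)) for w in batch]

if __name__ == "__main__":
    for address, reasons in run_constructed_batch():
        print(address, "HOLD " + ",".join(reasons) if reasons else "approve")
```

Held requests are not counted against either limit, so a burst to new addresses is stopped by the per-address cap while an oversized withdrawal to a known address is stopped by the time-window cap.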
Let's see the reactions of the big guys
After the incident, Tron founder Justin Sun immediately posted a message saying, "Don't panic, everything is fine! I am willing to take out 7,000 BTC worth of US dollars and enter Binance." Of course, the premise is that Zhao Changpeng agrees to let him do so.



In fact, Zhao Changpeng said that he did not need it. “I really appreciate it, but it is not needed now. Binance will make up for the losses through the SAFU fund, and it is enough. We are just injured, not bankrupt.”
And some people aren't so nice.



FCoin founder Zhang Jian does not think so. Regarding the theft of 7,000 bitcoins from Binance, he hopes that people will not use this theft to attack others. This is harmful to others and not beneficial to oneself. It takes time for a platform to accumulate credibility and other aspects.
However, Binance’s statement that the “stolen BTC” will be fully borne by Binance is also very domineering!
I believe that the theft of more than 7,000 BTC from Binance will inevitably lead to regulatory involvement, users' attention to privacy protection, and the improvement of exchange risk control mechanisms. (Blockchain Base Camp)
