A Chinese trader fell victim to a hacking scam that cost him $1 million. The scam involved a promoted Google Chrome plugin called Aggr, which steals cookies from users and allows hackers to bypass password and two-factor authentication (2FA) verification to gain access to the victim’s Binance account.
The trader, known as CryptoNakamao on X, shared the story of his devastating loss. On May 24, he noticed that his Binance account was making random trades without his knowledge. It was only when he checked the Bitcoin price on the Binance app that he realized something was wrong.
By the time he reached out to Binance for help, the hacker had already withdrawn all the funds from his account.
The hacker was able to gain access to the trader’s web browser cookie data by using the Aggr plugin. The trader had installed the plugin to access data on prominent traders, but little did he know that it was actually malicious software designed to steal browsing data and cookies.
With the stolen cookies, the hacker hijacked active user sessions without needing a password or authentication. They then carried out leveraged trades to manipulate the price of low liquidity pairs and make a profit.
Although the hacker couldn’t directly withdraw funds due to 2FA, they used the cookies and active login sessions to engage in cross-trading and generate profits. They bought tokens in the Tether trading pair, which had abundant liquidity, and placed limit sell orders at prices higher than the market price in other trading pairs with scarce liquidity, such as Bitcoin and USD Coin.
Finally, the hacker opened leveraged positions, bought a large amount of assets, and completed the cross-trading. This practice of offsetting buy and sell orders without recording the trade on the exchange is known as a cross trade.
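As an added illustration (not code from Binance or from the article), the Python sketch below shows two server-side controls that blunt a stolen-cookie attack of the kind described above: binding a session to the client that obtained it, and requiring fresh 2FA for order placement and leveraged positions, not only for withdrawals. The user, IP addresses, user agents and request events are constructed for the example.

```python
from dataclasses import dataclass

# Actions a replayed cookie must not be able to perform silently. Order
# placement is listed alongside withdrawals: the incident above shows that
# gating withdrawals alone still leaves trading exposed.
SENSITIVE_ACTIONS = {"withdraw", "place_order", "open_leveraged_position"}
STEP_UP_MAX_AGE = 300  # seconds since last 2FA before a sensitive action needs a new one


@dataclass(frozen=True)
class Session:
    user: str
    ip: str             # client IP recorded when the cookie was issued
    user_agent: str     # User-Agent recorded when the cookie was issued
    last_2fa_at: float  # unix time of the most recent successful 2FA


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, action: str, req_ip: str, req_ua: str, now: float) -> Decision:
    """Decide whether a request carrying this session cookie may perform `action`.

    A cookie copied out of the victim's browser by an extension is replayed from
    the attacker's machine, so the binding check normally fails. Even when it
    passes, sensitive actions need 2FA no older than STEP_UP_MAX_AGE seconds,
    which the cookie thief cannot supply.
    """
    if (req_ip, req_ua) != (session.ip, session.user_agent):
        return Decision(False, "session_binding_mismatch")
    if action in SENSITIVE_ACTIONS and now - session.last_2fa_at > STEP_UP_MAX_AGE:
        return Decision(False, "step_up_required")
    return Decision(True, "ok")


def replay(session: Session, events) -> list:
    """Run (now, action, ip, user_agent) requests against a session; return the reasons."""
    return [authorize(session, a, ip, ua, t).reason for t, a, ip, ua in events]


# Constructed sample: cookie issued at t=0 to the real owner, later replayed elsewhere.
OWNER = Session("trader", "203.0.113.10", "Chrome/124 Windows", last_2fa_at=0.0)
EVENTS = [
    (60.0, "view_balance", "203.0.113.10", "Chrome/124 Windows"),            # owner: ok
    (120.0, "place_order", "203.0.113.10", "Chrome/124 Windows"),            # owner, fresh 2FA: ok
    (200.0, "open_leveraged_position", "198.51.100.7", "Chrome/124 Linux"),  # stolen cookie: denied
    (900.0, "place_order", "203.0.113.10", "Chrome/124 Windows"),            # owner, stale 2FA: step-up
]

if __name__ == "__main__":
    for event, reason in zip(EVENTS, replay(OWNER, EVENTS)):
        print(f"t={event[0]:>5} {event[1]:<24} -> {reason}")
```

Strict IP binding produces false positives for mobile users whose address changes mid-session, so production systems usually feed a mismatch into a risk score that triggers step-up verification rather than hard-denying the request.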
The trader blames Binance for failing to implement necessary security measures despite the unusual trading activity. They also claim that Binance was aware of the fraudulent plugin for some time and failed to inform users or take action to prevent the scam.
Binance, however, stated that they were not aware of the plugin until May 27 when a community influencer alerted them to it. They immediately implemented additional security measures upon learning about it.
Binance said its investigation found no evidence of the plugin in the data provided by the affected user in an earlier incident. The user later admitted that their initial personal investigation may have included biased or unfounded accusations.
Overall, this incident highlights the risks associated with using third-party plugins and the importance of implementing strong security measures to protect against hacking scams.