October 7, 2022

Binance loses cryptocurrency worth $570m in cyberattack on coin bridge

Weaknesses in coin bridges are a popular attack vector for cybercriminals. Binance is the latest victim.

By Claudia Glover

Global cryptocurrency exchange Binance has suffered a cyberattack which saw $570m of its own token, BNB, stolen by hackers. The criminals exploited a vulnerability on the BNB blockchain’s cross-chain coin bridge. Such attacks on coin bridges, which allow transfers between different digital currencies, are becoming increasingly common, and rigorous code auditing is required to ensure weaknesses are spotted.

Global coin exchange Binance has seen tokens worth $570m stolen. (Photo by askarim/Shutterstock)

The attack saw two million BNB, with a value of $570m, withdrawn from the Binance bridge.

Though it was initially reported that digital currency worth $100m had been taken, the latest update from the BNB chain says a total of two million BNB was withdrawn, which is the equivalent of around $570m. It says the attacker was able to use an exploit affecting the native cross-chain bridge between BNB Beacon Chain and BNB Smart Chain, known as the BSC Token Hub.

The BNB blockchain was initially taken offline when details of the attack emerged, but is now back up and running.

Coin-chain bridge attacks are common

A cross-chain bridge connects different blockchains to allow the transfer of assets and information. Bridges hold a central store of funds that backs the ‘bridged’ assets on the receiving blockchain, which makes them a target for hackers.

Earlier this year an attack on gaming platform Axie Infinity’s Ronin Bridge cost the company $624m in crypto tokens. The attacker reportedly located a back door into the bridge that allowed them to withdraw 173,600 Ethereum, as well as 25.5m USD tokens. In August, cross-chain platform Nomad suffered a brutal hack due to a vulnerability in its own bridge, which saw digital currency worth $190m disappear from the platform in a matter of hours.


“The main problem with bridges is, when you get access to the bridge, you get access to the whole liquidity,” explains Slava Demchuk, CEO and co-founder of cryptocurrency compliance platform AMLBot.

What can be done to secure cross-coin bridges?

The best way to secure cross-currency coin bridges is to ensure they are properly audited, explains Kim Grauer, director of research at blockchain analysis company Chainalysis. “Hackers are always looking for the newest and most vulnerable services to attack,” she says.

Auditing could help both those who are building protocols and the investors putting money into decentralised finance, or DeFi, projects, says Grauer. “Over time, the strongest, safest smart contracts can serve as templates for developers to build from,” she argues.

Research from Chainalysis says social engineering tactics are commonly used to find entry points into blockchain companies. It is thought this is what happened in the case of Axie Infinity, where a fake job offer to one of the game’s developers was used by North Korean hackers to gain access to internal systems and its coin bridge.
