Hackers have exploited a Chrome plugin to steal millions from Binance accounts.
A Chinese trader lost $1 million in the scam involving the Aggr plugin, which steals cookies to bypass security measures.
The trader, known as CryptoNakamao, discovered the theft after noticing unusual trading activity in his Binance account.
The hackers used stolen cookies to hijack sessions and execute leveraged trades, manipulating low liquidity pairs for profit. Despite having 2FA enabled, the trader's funds were not safe due to the session hijacking.
Basically, it means that because of the features of cryptocurrency exchange authorisation, it is enough to get hold of the coockies to access funds even if you enabled 2FA.
Thus, it is essential not to install unverified browser plugins and extensions to a browser you use for crypto trading. Especially, if significant holdings are involved.
CryptoNakamao blames Binance for not implementing risk controls or freezing the hacker's account.
He claims Binance knew about the fraudulent plugin but failed to inform users or act promptly. This oversight led to significant losses and abnormal transactions across multiple currency pairs.
The incident raises concerns about the security measures in place to protect users from such sophisticated attacks. As investigations continue, affected users are left grappling with the financial impact.