Chinese trader loses $1 million in Binance hacking scam

A Chinese trader lost $1 million after falling victim to a hacking scam involving a promotional Google Chrome plugin called Aggr.

The plugin reportedly stole cookies from users, enabling hackers to bypass password and two-factor authentication (2FA) verification to access the victim’s Binance account.

The trader, who uses the handle CryptoNakamao on social media platform X, recounted the incident, which occurred on May 24. He noticed unusual trading activity in his Binance account after checking the Bitcoin price on the Binance app. By the time he sought assistance, the hacker had already withdrawn all the funds.

The trader claimed that the hackers accessed his web browser cookie data through the Aggr Chrome plugin. He installed the plugin to gain insights from prominent traders, not realizing it was designed to steal browsing data and cookies. The hackers used the stolen cookies to hijack active user sessions without needing passwords or authentication, enabling them to carry out multiple leveraged trades and profit by manipulating low-liquidity trading pairs.

Even though the hacker could not directly withdraw funds due to 2FA, they used the cookies and active login sessions to execute trades. The hacker bought several tokens in the Tether (USDT) trading pair with high liquidity and placed limit sell orders at inflated prices in Bitcoin (BTC), USD Coin (USDC), and other low-liquidity trading pairs. They then opened leveraged positions, bought large amounts, and completed cross-trading. Cross-trading involves offsetting buy and sell orders for the same asset without recording the trade on the exchange.

Trader’s accusations against Binance

The trader accused Binance of failing to implement necessary security measures despite the unusually high trading activity on his account. He also claimed that the exchange did not take timely action even after he reported the issue. According to the trader, Binance was aware of the fraudulent plugin and was conducting an internal investigation but did not inform users or take preventive measures.

“Binance did nothing even though it knew of the theft and frequent cross-trading. Hackers manipulated accounts for over an hour, causing extremely abnormal transactions in multiple currency pairs without any risk control; Binance failed to freeze the funds of the obvious hacker’s single account on the platform in time,” the trader wrote.

Yi He, co-founder of Binance, has refuted CryptoNakamao’s claims and clarified the situation on social media, stating, “Look closely; this user’s account was breached because their own computer was hacked; they are a lost cause. After the hack, the hacker could not withdraw funds, so the hacker sold the victim’s coins, which led to trading losses.”

“We sympathize with your experience, but according to the information we have learned so far, the reason for your asset loss is that your related devices were manipulated because of the installation of malicious plug-ins. Unfortunately, we have no way to compensate for such cases that have nothing to do with Binance,” the exchange stated.

Nakamao did not agree with Binance’s assessment, alleging that the exchange had been aware of the malicious plugin for some time and had even encouraged a key opinion leader (KOL) to gather more information from the hacker.

For her part, Yi He warned users about the dangers of logging into accounts with active cookie plugins to avoid the inconvenience of typing their passwords each time. “Binance is not able to compensate users when their own login devices are compromised,” she stated.