A long-term phishing campaign and a timed attack appear to be at the heart of unauthorized cryptocurrency trading.
Binance has rejected rumors of a security breach after users reported that their funds were being sold off without consent.
The chaos erupted on Wednesday when a sudden surge of strange market activity caught the eye of Binance itself and many users.
In their droves, panicked traders reported that their alt coins were being sold and converted into Bitcoin (BTC) and other cryptocurrencies.
One of the first users to report fraudulent activity said:
"Binance just sold all my alts at market rate and I have got just the Bitcoin now. Is it because of account getting hacked or Binance bot issue? Have raised a ticket for this."
Some users that reported suspicious trades had two-factor authentication (2FA) enabled and also said that unauthorized API keys had appeared spontaneously during the time trading went haywire.
While investors exchanged theories relating to the Binance platform being compromised, it seems that phishing may also be a root cause of the problem.
In a statement on Wednesday, Binance said it was investigating the complaints and there was "no evidence" of the Binance platform being compromised.
Upon further scrutiny, the China-based company concluded that the only confirmed victims had registered API keys, which are used with trading bots, for automatic sales purposes, or otherwise.
In order to stem the flow of unauthorized transactions, Binance temporarily suspended trading and has now begun reversing suspicious trading in order to restore some customer funds.
Binance's CEO Changpeng Zhao later posted on Twitter:
"All funds are safe," the executive added. "There were irregularities in trading activity, automatic alarms triggered. Some accounts may have been compromised by phishing from before. We are still investigating. All funds are safe."
The news that accounts will be restored to their status before the event will be a relief to users, and in an update on Thursday, Binance said the trading activity was due to a "large-scale phishing and stealing attempt."
The cyberattackers behind the scheme operated a fraudulent website on a lookalike of the binance.com domain, which contained two dots at the bottom of two characters -- a small tweak that few would have recognized as fake in relation to the true binance.com domain.
If victims logged into the domain, these credentials were stored, and then a trading API key was created for each account. This API key lay dormant until a two-minute period of frantic trading cleared out compromised user accounts.
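As an added example (not code from Binance or from the original article), here is a defender-side check for the lookalike-domain trick described above: decode any punycode labels, strip combining marks, and compare the result with the real domain. The sample hostnames are constructed, since the attackers' exact characters are not given here, and `PROTECTED`, `to_unicode`, `skeleton` and `classify` are hypothetical names.

```python
import unicodedata

# Assumption: the domains to protect. Only binance.com comes from the article.
PROTECTED = {"binance.com"}

def to_unicode(host):
    """Lower-case the host and decode punycode (xn--) labels to their visible form."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # undecodable label: compare it as written
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Visible form with diacritics removed: NFKD splits a letter from its marks."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(host))
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify(host):
    visible = to_unicode(host)
    if visible in PROTECTED:
        return "legitimate"
    if skeleton(host) in PROTECTED:
        return "lookalike"   # differs from a protected domain only by marks such as dots below
    if not visible.isascii():
        return "non-ascii"   # e.g. cross-script homoglyphs, which NFKD does not fold; review manually
    return "other"

if __name__ == "__main__":
    # Constructed sample: dots below two letters, not the attackers' actual domain.
    fake = "b\u1ecbn\u1ea1nce.com"
    puny = "xn--" + "b\u1ecbn\u1ea1nce".encode("punycode").decode("ascii") + ".com"
    for host in ("binance.com", fake, puny, "b\u0456nance.com", "example.org"):
        print(f"{host!r:40} {classify(host)}")
```

Stripping combining marks only catches diacritic variants; letters borrowed from other scripts fall into the `non-ascii` bucket and need a confusables table or manual review.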
The price of Viacoin (VIA), a cryptocurrency with small liquidity, was driven up by using these accounts.
In some cases, the coin was purchased after the conversion to BTC of user alt coins, while 31 accounts controlled by the fraudsters sold VIA in order to make a tidy profit.
"This was an attempt to move the BTC from the phished accounts to the 31 accounts," Binance said. "Withdrawal requests were then attempted from these accounts immediately afterward."
However, the cyberattackers did not count on Binance's protection systems, which disabled these suspicious transactions. In addition, the company froze the VIA coins deposited by the hackers.
"Not only did the hacker not steal any coins, their own coins have also been withheld," Binance says. "They were patient enough to not take any immediate action, and waited for the most opportune moment to act."
Many of the trades have now been reversed; however, it is not all good news for those that fell for the phishing scam.
When BTC was used to buy VIA or other coins in compromised accounts, these trades "did not execute against any of the hackers' accounts as counterpart" -- and so, cannot be reversed.
However, many users are simply relieved that any of their funds have been restored, as Binance is under no obligation to recompense those who fall for phishing campaigns, and most companies would not.
"We again advise all traders to take special precaution to secure their account credentials," Binance added. "Protecting our traders is and has always been our highest priority."