A Chinese trader lost $1 million to a hacking scam using a promotional Google Chrome plugin called Aggr. The promotional plugin steals cookies from users, which hackers use to bypass password and two-factor authentication verification and log into the victim's Binance account. 

A trader took to X to recount the ordeal of losing their life savings to an unexpected scam. The trader with X username CryptoNakamao said that on May 24, his Binance account started trading randomly, and he only realized after he opened the Binance app to check the Bitcoin (BTC) price.

By the time he sought assistance from Binance, the hacker had already withdrawn all the funds.

Hacker stole cookie data to cross-trade on Binance

The trader claimed that the hackers had gained access to his web browser cookie data, which they had stolen via a Chrome plugin called Aggr. The trader installed the plugin to access prominent trader data only to realize malicious software was created to steal users’ web browsing data and cookies.

The hacker then used the collected cookies to hijack active user sessions without a password or authentication and carried out multiple leveraged trades to spike the price of low liquidity pairs and profit from them.

Related: Ethereum due for new all-time high as countdown to Ether ETF nears end

The trader explained that even though the hacker couldn’t withdraw funds directly due to two-factor authentication (2FA), they used the cookies and active login sessions to make profits through cross-trading.

The trader claimed that the hacker bought several tokens in the Tether (USDT) trading pair with abundant liquidity and placed limit sell orders exceeding the market price in the Bitcoin, USD Coin (USDC) and other trading pairs with scarce liquidity.

Finally, the hacker opened leveraged positions, bought a large amount in excess, and completed the cross-trading. A cross trade is a practice where buy and sell orders for the same asset are offset without recording the trade on the exchange.

Trader blames Binance

The trader claims that Binance did not implement essential security measures despite unusually high trading activity. Furthermore, even after receiving timely complaints, the exchange failed to take action to stop it, they added.

In his investigation, the trader discovered that Binance had been aware of the fraudulent plugin for quite some time and was already conducting an internal investigation. Despite knowing the hacker’s address and the nature of the plugin scam, the trader claimed Binance failed to inform the traders or take any actions to prevent the fraud. The trader wrote:

“Binance did nothing even though it knew of the theft and frequent cross-trading. Hackers manipulated accounts for over an hour, causing extremely abnormal transactions in multiple currency pairs without any risk control; Binance failed to freeze the funds of the obvious hacker’s single account in the platform on time.”

Cointelegraph reached out to Binance for comments but did not receive a response by publication time.

Magazine: Ether ETFs expected in June, CZ leaves Binance France, and other news: Hodler’s Digest, May 26 – June 1