Binance Uncovers $6.1M in KiloEx Exploit
Main Takeaways
Binance traced, blocked, and helped recover $6.1M worth of crypto in hours after the recent KiloEx exploit.
Exploits cross chains, so do our defenses — we coordinated with industry partners and law enforcement to cut off the hacker’s exit routes.
In the end, ecosystem teamwork and law enforcement pressure helped recover 90 percent of the stolen assets.
Exploits don’t wait — and neither did we. When decentralized exchange platform KiloEx was hit by a sophisticated price manipulation attack, Binance’s security teams stepped in fast to join the ecosystem-wide collaborative effort to counter the attack.
Our shared goal was clear: trace the attacker, contain the damage, and support recovery efforts. Because when bad actors strike, what’s at stake isn’t just money — it’s the trust users place in the ecosystem, and that’s something we won’t let bad actors undermine. Read on to find out how we pieced together the exploit, moved fast to contain it, and helped turn the tables on the attacker.
Oracle Under Siege
A hacker exploited KiloEx’s price oracle – a critical mechanism that brings off-chain asset price data on-chain – using a wallet funded through Tornado Cash, a tool that obscures the origin of crypto funds. They abused access controls to manipulate the oracle, tricking the system into believing a token was worth far less than its actual market value.
Then, they opened leveraged positions based on these distorted prices. This let them withdraw artificially inflated profits, draining KiloEx of approximately $8.44M worth of crypto. Exploiting KiloEx’s cross-chain setup, the hacker repeated this across networks such as Base, BNB Chain, and Taiko before KiloEx could act.
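The failure described above comes down to two checks on the price feed: who may write to it, and how far a single update may move it. The sketch below is an added example, not KiloEx or Binance code; the class and function names, the keeper identifiers, the 5% deviation bound and all prices are constructed assumptions, as is the simplification that a position opened at the distorted price settles at the real market price.

```python
from dataclasses import dataclass, field


class OracleError(Exception):
    """Raised when a price update is refused."""


@dataclass
class GuardedOracle:
    price: float                                 # last accepted price
    keepers: set = field(default_factory=set)    # callers allowed to write
    max_deviation: float = 0.05                  # assumed bound: 5% per update

    def set_price(self, caller: str, new_price: float) -> None:
        # Check 1: access control on the write path.
        if caller not in self.keepers:
            raise OracleError("caller is not an authorized keeper")
        # Check 2: sanity bound against the last accepted price.
        if new_price <= 0:
            raise OracleError("price must be positive")
        if abs(new_price - self.price) / self.price > self.max_deviation:
            raise OracleError("update exceeds deviation bound")
        self.price = new_price


def attempt_update(oracle, caller, new_price):
    """Return 'accepted' or 'rejected: <reason>' instead of raising."""
    try:
        oracle.set_price(caller, new_price)
        return "accepted"
    except OracleError as exc:
        return f"rejected: {exc}"


def long_pnl(margin, leverage, entry, exit_price):
    """Payout of a leveraged long: notional times relative price change."""
    return margin * leverage * (exit_price - entry) / entry


if __name__ == "__main__":
    oracle = GuardedOracle(price=3000.0, keepers={"keeper-1"})  # constructed
    print(attempt_update(oracle, "unknown-wallet", 100.0))
    print(attempt_update(oracle, "keeper-1", 100.0))
    print(attempt_update(oracle, "keeper-1", 3030.0))
    # Exposure if the distorted entry price had been accepted:
    print(long_pnl(1000, 10, entry=100.0, exit_price=3000.0))
    print(long_pnl(1000, 10, entry=3000.0, exit_price=3030.0))
```

With these constructed numbers, a 1,000-unit margin at 10x leverage pays out 290,000 when the entry price is distorted, against 100 for the same position at an honest entry, which is why the write path of the oracle needs both checks.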
Tracing the Trail, Blocking the Path
On April 15, 2025, at around 19:00 UTC, the KiloEx community flagged the exploit. Within 30 minutes, the Binance and BNB Chain security teams activated an emergency response. We first aligned with the KiloEx team and began analyzing the exploit in detail to confirm the tactic used and assess the scale of the losses.
It quickly became clear that the vulnerability stemmed from KiloEx’s price oracle system. To trace the attacker’s activity, we launched on-chain forensics and quickly identified wallet addresses involved in the exploit.
These addresses were added to Binance’s internal blacklist to prevent any stolen funds from passing through the exchange. At the same time, the BNB Chain security team contacted key cross-chain bridge providers to block the same addresses to prevent further movement of funds.
We also reached out to other bridges used by hackers to gather transaction data and other digital traces. Using a mix of open-source and internal tools, we mapped out the attacker’s activity and began building a profile based on on-chain patterns and behaviors. This early intelligence helped shape the recovery strategy that followed.
The Comeback
Once we had more information about the attacker, we advised the KiloEx team to begin targeted communication. Using carefully crafted on-chain messages, they reached out directly to the attacker, opening doors for negotiation.
At the same time, we advised KiloEx to file a report with law enforcement. Once the report was submitted, we worked closely with the authorities by sharing relevant technical data to support the investigation. The growing possibility of prosecution put additional pressure on the attacker during the negotiation process.
While this communication was ongoing, we maintained containment efforts by continuing to monitor and block suspicious addresses, cooperating with cross-chain bridges and centralized platforms. We also reviewed KiloEx’s public communications to ensure the messaging was accurate and aligned with security best practices.
Roughly 24 hours after the last on-chain message was sent, the attacker responded. They agreed to return 90% of the stolen funds in exchange for a 10% white-hat bounty and a halt to further investigations. This resolution was made possible through rapid collaboration, thorough on-chain analysis, and a coordinated ecosystem response.
Final Thoughts
This case is a reminder that while exploits can happen fast, the industry’s response can and should be just as fast. At Binance, we’re committed to protecting the ecosystem and standing by our partners and users. We’ll keep improving defenses, pushing for accountability, and working with others in the space to stop threats before they spread. The fight against malicious actors isn’t over, but with every case like this, we’re making it harder for them to succeed.