Main Takeaways
As Jimmy Su, Binance’s Chief Security Officer, explains in this article, recent reports of Binance user credentials appearing on the dark web stem from malware-infected devices, not a breach of Binance systems.
InfoStealer malware is an increasingly widespread threat that targets browser-stored credentials across all industries, including crypto.
Binance actively monitors for such incidents, notifies affected users, and supports them in securing their accounts – but user-side vigilance remains essential.
In recent days, claims have surfaced linking Binance to a potential data breach, based on the appearance of user credentials on dark web forums. We want to clarify that our internal investigations show no indication of any compromise in Binance’s systems.
The credentials in question appear to have originated from malware infections on individual user devices. Specifically, they were collected by a known actor who operates in dark web markets and uses a category of malware known as InfoStealers to harvest data from compromised browsers.
This is not an isolated case. Our security team continuously monitors dark web sources and malware campaigns to identify potential threats to our users. When we detect credentials linked to Binance accounts, we take swift action: initiating password resets, revoking active sessions, and guiding affected users through account recovery.
A Growing Cybersecurity Challenge
While crypto platforms are a popular target, the threat of InfoStealer malware is much broader. According to Kaspersky, more than 2 million bank card details were leaked last year as a result of these malware campaigns. And that number is only growing.
Binance’s internal data echoes this trend. In the past few months, we’ve identified a significant uptick in the number of users whose credentials or session data appear to have been compromised by InfoStealer infections. These infections don’t originate from Binance. Instead, they typically affect personal devices where credentials are saved in browsers or auto-filled into websites.
What Are InfoStealers?
InfoStealers are a category of malware designed to extract sensitive data from infected devices without the victim’s knowledge. This includes passwords, session cookies, crypto wallet details, and other valuable personal information.
These tools are widely available via the malware-as-a-service model. For a subscription fee, cybercriminals can access advanced malware platforms that offer dashboards, technical support, and automatic data exfiltration to command-and-control servers. Once stolen, data is sold on dark web forums, Telegram channels, or private marketplaces.
The damage from an InfoStealer infection can go far beyond a single compromised account. Leaked credentials can lead to identity theft, financial fraud, and unauthorized access to other services, especially when credentials are reused across platforms.
InfoStealer malware is often distributed via phishing campaigns, malicious ads, trojan software, or fake browser extensions. Once on a device, it scans for stored credentials and transmits them to the attacker.
Here are the most common distribution vectors:
Phishing emails with malicious attachments or links
Fake downloads or software from unofficial app stores
Game mods and cracked applications shared via Discord or Telegram
Malicious browser extensions or add-ons
Compromised websites that silently install malware (drive-by downloads)
Once active, InfoStealers can extract browser-stored passwords, autofill entries, clipboard data (including crypto wallet addresses), and even session tokens that allow attackers to impersonate users without knowing their login credentials.
Here are some signs that might suggest an InfoStealer infection on your device:
Unusual notifications or extensions appearing in your browser
Unauthorized login alerts or unusual account activity
Unexpected changes to security settings or passwords
Sudden slowdowns in system performance
Most Wanted: Prominent InfoStealers for Windows and macOS Targets
Over the past 90 days, our observations have highlighted several prominent variants of InfoStealer malware targeting both Windows and macOS users. For Windows users, RedLine, LummaC2, Vidar, and AsyncRAT have been particularly prevalent.
RedLine Stealer is known for gathering login credentials and crypto-related information from browsers.
LummaC2 is a rapidly evolving threat that has integrated techniques to bypass modern browser protections such as app-bound encryption, and it can now steal cookies and crypto wallet details in real time.
Vidar Stealer focuses on exfiltrating data from browsers and local applications, with a notable ability to capture crypto wallet credentials.
AsyncRAT enables attackers to monitor victims remotely by logging keystrokes, capturing screenshots, and deploying additional payloads. Recently, cybercriminals have repurposed AsyncRAT for crypto-related attacks, harvesting credentials and system data from compromised Windows machines.
For macOS users, Atomic Stealer has emerged as a significant threat. This stealer is capable of extracting credentials, browser data, and cryptocurrency wallet information from infected devices. Distributed via stealer-as-a-service channels, Atomic Stealer exploits native AppleScript for data collection, posing a substantial risk to both individual users and organizations using macOS. Other notable variants targeting macOS include Poseidon and Banshee.
How Binance Responds
As part of our security protocols, we:
Monitor dark web marketplaces and forums for leaked user data
Alert affected users and initiate password resets
Revoke compromised sessions
Offer clear guidance on device security and malware removal
Our infrastructure remains secure, but credential theft from infected personal devices is an external risk we all face. This makes user education and cyber hygiene more important than ever.
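The response steps above, together with the session-token point made earlier (a stolen cookie lets an attacker in without the password), can be expressed as a triage routine. This is an added illustration, not Binance's own tooling: the user store, the platform domain, and the stealer-log lines are all constructed, and a leaked password is only treated as "current" when it matches the stored hash.

```python
import hashlib
import hmac

# Constructed credential store: salted PBKDF2 hashes only, never plaintext.
SALT = b"constructed-salt"
def _pbkdf2(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {
    "alice@example.com": _pbkdf2("Spring2024!"),     # still uses the leaked password
    "bob@example.com":   _pbkdf2("a-new-password"),  # already rotated
}
PLATFORM_DOMAIN = "platform.example"  # hypothetical service domain

# Constructed stealer-log lines in a "url|login|secret" shape. The first two are
# browser-saved passwords, the third is a stolen session cookie, the last belongs
# to an unrelated site and should be ignored.
LEAK = """\
https://accounts.platform.example/login|alice@example.com|Spring2024!
https://accounts.platform.example/login|BOB@example.com|old-password
cookie:platform.example|alice@example.com|sess-constructed-token
https://shop.example/login|alice@example.com|Spring2024!
"""

def triage(leak: str, users: dict) -> dict:
    """Map each affected user to the remediation actions the leak calls for."""
    actions = {}
    for line in leak.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue                      # malformed line; skip rather than guess
        url, login, secret = parts
        if PLATFORM_DOMAIN not in url:
            continue                      # leak concerns another service
        email = login.strip().lower()     # stealer logs are not case-normalised
        if email not in users:
            continue
        acts = actions.setdefault(email, {"notify"})
        if url.startswith("cookie:"):
            acts.add("revoke_sessions")   # cookie replay bypasses the password and 2FA
        elif hmac.compare_digest(_pbkdf2(secret), users[email]):
            # Leaked password is still valid: reset it and kill live sessions.
            acts.update({"force_password_reset", "revoke_sessions"})
    return {email: sorted(acts) for email, acts in actions.items()}
```

A user whose leaked password no longer matches (bob) is only notified, while a user whose leaked password is still current or whose cookie appears (alice) gets a forced reset and session revocation.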
How to Protect Yourself
First of all, use antivirus and anti-malware tools and run regular scans. Some reputable free tools include Malwarebytes, Bitdefender, Kaspersky, McAfee, Norton, Avast, and Windows Defender. For macOS users, consider using the Objective-See suite of anti-malware tools, which includes LuLu, KnockKnock, ReiKey, BlockBlock, RansomWhere?, and OverSight.
Remember that quick scans typically don't work well, since most malware deletes its first-stage files after the initial infection. Always run a full disk scan to ensure thorough coverage.
Here are some practical steps you can take to reduce your exposure to this and many other cybersecurity threats:
Enable two-factor authentication (2FA) using an authenticator app or hardware key.
Avoid saving passwords in your browser. Consider using a dedicated password manager.
Download software and apps only from official sources.
Keep your operating system, browser, and all applications up to date.
Periodically review authorized devices in your Binance account and remove unfamiliar entries.
Use withdrawal address whitelisting to limit where funds can be sent.
Avoid using public or unsecured WiFi networks when accessing sensitive accounts.
Use unique credentials for each account and update them regularly.
Follow security updates and best practices from Binance and other trusted sources.
If you suspect a malware infection, immediately change your passwords, lock your accounts, and report it through official Binance support channels.
You can explore our full 14-point security guide for additional tips on how to secure your account.
Staying Safe in an Evolving Threat Landscape
The growing prominence of the InfoStealer threat is a reminder of how advanced and widespread cyber attacks have become. While Binance continues to invest heavily in platform security and dark web monitoring, protecting your funds and personal data requires action on both sides.
By staying informed, adopting security habits, and maintaining clean devices, users can significantly reduce their exposure to threats like InfoStealer malware.
If you believe your account may have been affected, or if you notice any suspicious activity, please reach out to us through official support channels. Staying secure is a shared responsibility – and we're here to help.
Further Reading
14 Tips to Secure Your Binance Account: How to Protect Your Crypto
Binance Is SAFU: Here’s How We Secure Your Assets 24/7
Web3 Wallet Security: Halting Trojan Horses at the Gates of Your Crypto Fortress