Several Binance users have reported falling victim to an SMS spoofing attack.

The phishing text appeared within Binance’s official message thread, making it nearly indistinguishable from legitimate communications.

User Reports Binance Phishing Incident

One user, Joe Zhou, shared his experience in a LinkedIn post, stating, “I want to report a recent scam related to the Bybit incident and Binance.”

Zhou described receiving an SMS from the same Binance number where he typically received verification codes. The message claimed that his account was being accessed from North Korea. Already dealing with the aftermath of the recent Bybit incident, he panicked and called the number provided.

The call was answered by someone who instructed him to set up a SafePal wallet, saying it was a Binance partner and referencing an article to support the claim. The individual repeatedly asked about the assets in his account and insisted that he transfer all of them for an investigation.

Following the instructions, Zhou set up the wallet and began withdrawing funds from Binance. However, he soon became suspicious and contacted an acquaintance from the exchange, who confirmed it was a scam.

The user then attempted to recover his funds by transferring them out of the wallet, but the scammer began competing with him to move the assets. Eventually, Zhou ran out of gas fees. As he attempted to swap ETH for fees, his balance was cleared.

The attack occurred just days after Bybit suffered an exploit that resulted in the loss of nearly $1.5 billion worth of ETH from its cold wallet. Blockchain analysts and the FBI have identified the North Korean hacking syndicate Lazarus Group as the likely perpetrator.

Sophisticated Spoofing Attack

SlowMist’s Chief Information Security Officer (CISO) analyzed the breach, stating that it involved a sophisticated method. He disclosed that his friend had also received identical phishing text and shared a screenshot that showed the precise forgery used.

According to him, one possibility was that fraudsters faked official text sources through spoofing, using technical methods to manipulate the sender’s number and embed text messages into official conversations.

Alternatively, they may have exploited SMS gateway vulnerabilities or conducted supply chain attacks by breaching the gateway, targeting operators or third-party providers, or collaborating with SMS providers to fake official replies, making detection difficult.

Phishing remains a major threat to crypto users. Blockchain security firm Scam Sniffer reported that such scams drained $10.25 million from 9,220 victims in January. Although this marked a 56% decline from December’s $23.58 million losses, the report noted that scammers are evolving and implementing more intricate methods.