Topic: Binance API Cracking - Low Liquidity Elevation of Privilege (LLEP)

hero member
Activity: 1204
Merit: 531
Metaverse 👾 Cyberweapons
We heard your clarification requests.
So, we added an explanation figure.
Further exploits in the updated thread!

"Quid pro quo"

What is the goal?
Empyria is a red-hat-style BTC ethical hacking team.
We find pleasure in using aggressive state-of-the-art cracking techniques.
To purify our toolkit, we systematically publish our legacy methods.
Over time, this purification will immunize cryptocurrency communities, and promote the underlying forum in search engines.

Basic terms:
The exploit is the code that contains your will.
The API (Application Programming Interface) is the door your exploit enters a financial application.

Cracking exchanges involves one or more of these exploits and sends them to APIs.
Exploits have two major categories per API: CeFi and DeFi.

CeFi (Centralized Finances) Exploits
Centralized Finances are financial applications where the owners are definite companies or individuals.
We consider these apps centralized.
We can steal all money from the system if we compromise the owner (=center).
One of Bitcoin's main goals is to absorb this weakness.
Below you find our public CeFi exploits:
- Low Liquidity Elevation of Privilege (LLEP) - API Cracking on Binance
https://bitcointalksearch.org/topic/binance-api-cracking-low-liquidity-elevation-of-privilege-llep-5383676


DeFi (Decentralized Finances) Exploits
Bitcoin distributed the ownership of finances.
Anyone can become a BTC owner, and every BTC owner is equal.
There is no central owner we can hack.
So, we consider these applications decentralized.
DeFi exploits usually target "hubs and Joes."
Hubs are platforms (exchanges, games, wallets, marketplaces, chat rooms, and so on) where DeFi users meet.
"Joes" are your average "DeFi" users who bought crypto and skipped their security classes.
Needless to say, "hubs" are often developed by "Joes."
Below you find our public DeFi exploits.
- Liquidity Pool Block Exploit
https://bitcointalksearch.org/topic/m.59011949
- Transfer Block Exploit
https://bitcointalksearch.org/topic/m.58947334


"Loyalty is value."



Low Liquidity Elevation of Privilege (LLEP) - API Cracking on Binance

LLEP can withdraw BTC from your Binance account. (Without your permission.)
Any trader might directly suffer this exploit.
And any exchange, too, because of the indirect reputation loss.


I) Environmental factors show that major exchanges often list minor tokens.
And minor exchanges too often have a small volume. (Even on popular tokens.)
The lower the liquidity is, the more dangerous the exploit becomes.
So, the exploit endangers exchanges of all sizes and colors.
Binance is only one example.
You cannot sit back if you own or trade on a small exchange.

II) Two main phases

1 Moving the value from your account to theirs.
2 They withdraw your coins from their exchange accounts to their off-exchange accounts, cutting you off from all hope of ever seeing your coins.

The first phase consists of two components:
1.1 A social engineering component.
1.2 A pump-and-dump component.

In social engineering (1.1), you will give your exchange API to the hacker's trading bot.
You will feel secure because you uncheck all withdrawal permissions when you generate the API.
API trading is a common & safe practice between trading bots.
The hacker has not even done anything malicious yet.

To execute the pump-and-dump technique (1.2), the hacker has to find a token that has minimal to no supply on the exchange. (Yet tradeable.)
They buy a large amount of this token at a fair market price.
They distribute these amounts to their accounts on the exchange.
These are the accounts of the hackers. No scam so far.

Writing the payload usually begins at this point (1.2.1).
The hacker groups the obtained APIs by access level, volume, exchange, etc.
The more, the better.
They can execute the exploit using a botnet of any size, though.
The hacker's accounts put overpriced sell orders at extremely high prices (1.2.2).
Then command all accounts to buy the low-liquidity token concurrently (1.2.3).
The result is an economic anomaly dildo that penetrates the order book, fills all lucky open orders, and transfers the base market value to the hacker's accounts.

For example:
X token market price is BTC 0.0001.
We buy 1000 X tokens. Now we hold BTC 0.1 value.
We deposit this value to the exchange.
We also put a sell order at BTC 10.
We also collected 1000 APIs from investors.
Each has BTC 0.1 in their account on average.
We command all APIs to buy X at the same moment.
Since X is such an unknown token and we have such a large botnet, odds are no one can fill the hole until the accounts buy into our BTC 10 order.
At that exchange, at that moment, for us, the price of X is BTC 10.
And we have a large amount of X.
And a large amount of "customers."
Who do as we say.



Phase 2 only involves the hacker withdrawing this value from their (the hacker's) legit accounts and thus usually goes without any issues.

Our team first used this exploit in 2009 in the marketplace of an online computer game, and after so many years, it is still viable even in cryptocurrencies.

III) How to counter it?
You expect us to advise against trading bots. We do not.
Trading bots are essential for financial freedom.
Instead, choose such trading bots where
1 The API management is encrypted & local.
2 You can restrict the markets to high liquidity exchanges/pairs.

Do not fall for these "cloud-based API bots!"
If you uploaded your API to anywhere, you are already serving someone's botnet. Hopefully, ours.
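The worked X-token example above (a thin book at BTC 0.0001 with an overpriced ask at BTC 10) and the second counter-measure (restrict the bot to high-liquidity pairs) can be turned into a concrete pre-trade check. The following is an added example written for this page; it is not Empyria's code and not Binance's API. It walks an order-book snapshot the way a market buy would and refuses to send the order when the book cannot absorb it within a slippage band around the reference price. The `Level` class, the function names, the two order books and the thresholds are all constructed for illustration; a real bot would fetch the snapshot from the exchange and tune the band per pair.

```python
"""Pre-trade liquidity guard for a trading bot.

Added example, not code from the original post. It simulates the sweep a
market buy would perform against an ask-side snapshot and rejects orders
that would be filled far above the reference price, i.e. exactly the
situation the post's X-token example relies on.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Level:
    """One resting ask: price in quote per base unit, qty in base units."""
    price: float  # hypothetical: BTC per X token
    qty: float    # hypothetical: X tokens offered at this price


@dataclass(frozen=True)
class Fill:
    filled_qty: float    # base units the sweep would acquire
    spent_quote: float   # quote actually spent
    avg_price: float     # spent_quote / filled_qty
    worst_price: float   # highest ask level the sweep touches


def simulate_market_buy(asks: List[Level], quote_amount: float) -> Fill:
    """Walk the asks best-first, spending quote_amount, and report the sweep."""
    remaining = quote_amount
    filled = 0.0
    worst = 0.0
    for lvl in sorted(asks, key=lambda l: l.price):
        if remaining <= 0:
            break
        take_quote = min(remaining, lvl.price * lvl.qty)
        filled += take_quote / lvl.price
        remaining -= take_quote
        worst = lvl.price
    spent = quote_amount - remaining
    avg = spent / filled if filled else 0.0
    return Fill(filled, spent, avg, worst)


def depth_within_band(asks: List[Level], reference_price: float,
                      max_slippage: float) -> float:
    """Quote value resting at prices no higher than reference*(1+max_slippage)."""
    cap = reference_price * (1 + max_slippage)
    return sum(l.price * l.qty for l in asks if l.price <= cap)


def liquidity_guard(asks: List[Level], quote_amount: float,
                    reference_price: float,
                    max_slippage: float = 0.02) -> Tuple[bool, str]:
    """Allow the buy only if enough depth sits inside the slippage band."""
    depth = depth_within_band(asks, reference_price, max_slippage)
    if depth < quote_amount:
        fill = simulate_market_buy(asks, quote_amount)
        return False, (f"only {depth:.6f} quote within {max_slippage:.0%} of "
                       f"{reference_price}; a {quote_amount} buy would sweep "
                       f"up to {fill.worst_price}")
    return True, "book can absorb the order within the slippage band"


# Constructed thin book modelled on the post's example: a little supply near
# the BTC 0.0001 market price, then an overpriced ask at BTC 10.
THIN_BOOK = [Level(0.0001, 200), Level(0.00011, 100), Level(10.0, 1000)]
# Constructed healthy book: ample supply within a tick of the reference price.
DEEP_BOOK = [Level(0.0001, 100_000), Level(0.000101, 100_000)]
REFERENCE = 0.0001   # BTC, the post's fair market price for X
ORDER_QUOTE = 0.1    # BTC, the post's average per-account balance

if __name__ == "__main__":
    for name, book in (("thin", THIN_BOOK), ("deep", DEEP_BOOK)):
        ok, why = liquidity_guard(book, ORDER_QUOTE, REFERENCE)
        fill = simulate_market_buy(book, ORDER_QUOTE)
        print(f"{name}: allowed={ok} worst_price={fill.worst_price} "
              f"avg={fill.avg_price:.6g} ({why})")
```

Against the thin book a 0.1 BTC buy exhausts the 0.02 BTC of supply near the reference price and then fills at the 10 BTC ask, so the guard refuses it; against the deep book the whole order fills at 0.0001 and passes. The check only protects the account whose bot runs it, which is the point of the post's advice: a key held by a third party's bot is not subject to any guard you control.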