Binance is successfully courting institutional trading activities, but a growing wave of data security alarms on its retail front threatens to complicate the firm’s ambitions.
The world’s largest cryptocurrency exchange by market capitalization has started 2026 with explosive momentum in its over-the-counter trading division. In January and February alone, Binance’s OTC platform recorded 25% of its total volume for all of 2025.
Captcha Bypass Exposes 1.5 Million Binance Users in Scraping Attack
This sharp rise reflects a broader market maturation, as large-cap investors and institutional players increasingly seek private execution channels for massive trades.
Binance CEO Richard Teng explained that these entities prioritize deep liquidity to avoid slippage and market disruption. The exchange’s OTC desk allows buyers and sellers to execute block trades directly, shielding their strategies from public order books.
However, beneath this institutional polish, operational red flags are mounting.
On March 28, cybersecurity platform VECERT reported that a threat actor operating under the alias PexRat offered a private database containing the personal information of 1.5 million Binance users for sale.
The leaked data purportedly includes full names, email addresses, phone numbers, and Know Your Customer verification statuses.
More alarmingly, the threat actor claims to possess victims’ last-login IP addresses, device user agents, and two-factor authentication statuses. This includes whether users rely on SMS, email, or dedicated authenticator apps.
Meanwhile, the potential exposure of 2FA logs and KYC data presents a severe operational risk. It leaves compromised users highly vulnerable to targeted SIM-swap attacks and sophisticated phishing campaigns.
Crucially, VECERT’s analysis of the authentication logs and sample data revealed that Binance’s internal servers were not directly breached. Instead, the firm outlined a sophisticated credential stuffing and scraping operation.
“The evidence suggests that the attacker managed to bypass or abuse security mechanisms (such as Captcha) in the login interface or some platform API, allowing a constant flow of unblocked requests,” VECERT explained.
This incident follows a January report by cybersecurity researcher Jeremiah Fowler, who uncovered roughly 420,000 Binance-linked credentials exposed via similar infostealer malware.
Ultimately, these events present a critical stress test for Binance’s cybersecurity practices, as the exchange cannot afford the continued automated scraping of its users’ data.
