Cybercriminals Launch New Phishing SMS Scam on Binance Users
Phishing scammers have launched a new SMS campaign targeting Binance users, using deceptive tactics that mimic official communications.
Users report receiving messages warning of suspicious account activity—such as new two-factor authentication devices or unauthorised API pairings with apps like Ledger Live.
These messages follow a consistent pattern and often prompt recipients to call a phone number to resolve a fabricated issue.
What makes this campaign especially concerning is that the messages appear in the same text thread as legitimate Binance alerts, using the same sender ID.
This blurs the line between real and fake notifications, creating confusion and increasing the likelihood of user engagement.
Unlike traditional phishing attempts that rely on malicious links, these messages direct users to phone calls, effectively sidestepping anti-phishing filters.
Although there are no confirmed victims yet, users on X (formerly known as Twitter) have raised the alarm, reminding others that Binance never asks users to call a number.
One user claimed he did call the number.
Some speculate that the scammers may be leveraging previously leaked Binance user data found on dark web forums to craft these targeted attacks.
The use of urgent prompts—like “Not you?”—adds psychological pressure, further increasing the risk of user compliance.
Binance Denies Data Leak from Its Systems
Speculation is mounting over how scammers obtained user data for the recent phishing campaign.
Many suspect the information was sourced from the dark web, pointing to a targeted operation.
One user claimed that a threat actor recently offered a database containing details of Gemini and Binance users, allegedly linked to Binance’s 2019 KYC data leak.
Binance, however, refuted this, stating that it had reviewed the hacker’s data and found no connection to its systems.
Despite the denial, Binance.US has issued warnings about phishing websites designed to impersonate its platform.
In a recent post on X, the exchange cautioned users to verify QR codes and website links carefully, emphasizing that Binance will never request multi-factor authentication (MFA) codes outside of its official channels.
Binance CSO Raises Red Flag Over InfoStealer Malware Activity
Binance Chief Security Officer Jimmy Su has offered a compelling explanation for the recent wave of phishing scams, attributing the issue to malware on users’ devices rather than a breach of Binance’s systems.
He explained:
“We are aware of smishing scams on the rise where phishing scammers are impersonating us and other legitimate senders via SMS. These scams appear to be more authentic, tricking users into revealing sensitive information, clicking into phishing links, or making a transfer that results in loss of assets.”
In a recent post, Su pointed to InfoStealers—a type of malware that harvests sensitive data from web browsers, including login credentials, passwords, and clipboard contents.
He warned that users often unknowingly install such malware through phishing links on social media, unofficial software downloads, or malicious browser extensions.
To reduce risk, Su advised users to avoid saving passwords in browsers and to download software exclusively from trusted, official sources.
Su said:
“This is not an isolated case. Our security team continuously monitors dark web sources and malware campaigns to identify potential threats to our users.”
In response to the growing threat, Binance has expanded its Anti-Phishing Code feature to include SMS communications.
This user-defined code, originally introduced for emails, is now embedded in all official text messages sent by the exchange in licensed jurisdictions.
It helps users easily verify the authenticity of Binance communications and spot fraudulent messages.
He added:
“By incorporating a unique Anti-Phishing code into Binance SMS messages, we are making it significantly harder for scammers to deceive our users.”
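An added example, not Binance's code: a triage of incoming texts that combines the user-defined Anti-Phishing Code with the lures this article describes (call-back number, link, "Not you?" prompt). The message texts, the code value `kestrel-42`, the function name and the assumption that the code appears verbatim in the message body are constructed for illustration.

```python
import re

# Heuristics taken from the lures the article describes. All message
# texts and the code value below are constructed for this example.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")        # call-back number
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)  # link lure
URGENCY_RE = re.compile(r"not you\?", re.I)            # prompt quoted in the article


def triage_sms(body, anti_phishing_code):
    """Return (verdict, reasons) for a text that claims to be from the exchange.

    The sender ID is deliberately not an input: spoofed messages land in
    the same thread as genuine alerts, so it proves nothing.
    """
    reasons = []
    # Assumption: the code appears verbatim somewhere in the body.
    has_code = bool(anti_phishing_code) and anti_phishing_code in body
    if not has_code:
        reasons.append("anti-phishing code missing")
    if PHONE_RE.search(body):
        reasons.append("call-back number")
    if URL_RE.search(body):
        reasons.append("link")
    if URGENCY_RE.search(body):
        reasons.append("urgency prompt")

    if not has_code:
        verdict = "reject"
    elif reasons:
        # Design choice of this example: the code is necessary, not
        # sufficient, so a lure alongside it still gets flagged.
        verdict = "suspicious"
    else:
        verdict = "consistent"
    return verdict, reasons


CODE = "kestrel-42"  # constructed user-defined code
SAMPLES = [
    "[Binance] New 2FA device paired with your account. Not you? Call +1 (555) 010-0199",
    "[Binance] Verification code: 482913. Anti-phishing code: kestrel-42",
    "[Binance] kestrel-42 API paired with Ledger Live. Not you? Call 555 010 0142",
    "[Binance] Withdrawal pending, confirm at https://example.invalid/verify",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms, CODE), "<-", sms)
```

The phone pattern is a heuristic and will also match other long digit runs such as timestamps, so a hit is a reason to look closer, not proof of fraud.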
Interestingly, both registered and unregistered users have reported receiving suspicious texts, suggesting that scammers may be working from broader databases that include phone numbers beyond Binance’s user base.
This highlights the increasing sophistication of phishing operations and the urgent need for greater digital hygiene among users.