On October 1, 2025, the official X account of BNB Chain was compromised by hackers who used it to post phishing links, leading to user losses of approximately $8,000. Binance founder Changpeng “CZ” Zhao confirmed the breach, swiftly alerting the community not to interact with the malicious posts.
The BNB Chain security team acted quickly, working with X to suspend the account and submit takedown requests for the phishing sites. All affected users were fully reimbursed from the Secure Asset Fund for Users (SAFU), an emergency insurance reserve funded by a portion of Binance’s trading fees. The team successfully regained control of the account, and the phishing posts were removed.
Risks and Next Steps
This incident highlights the persistent threat of social media breaches, which can erode trust in official communication channels. This makes it more difficult for projects to broadcast critical updates, such as network upgrades or treasury moves.
The attack vector—a single compromised password granting attackers a loudspeaker—shows how cheap and effective these methods can be for bad actors. Users, especially those trading with leverage, risk following fake instructions that could lead to sudden liquidations.
While fast payouts from funds like SAFU treat the symptom, they do not address the root cause. The event underscores the need for stricter internal security protocols, including robust two-factor authentication and regular staff training to identify and reject social engineering attempts.
Key Points of the incident:
-
The breach occurred on 1 October 2025.
-
Losses totaled roughly $8,000 across all chains.
-
All users were fully reimbursed from the SAFU reserve.
-
The attack vector was a phishing link posted from the verified account.
-
The account has been restored to the team’s control.
The next step involves an internal audit of security practices. For now, the key takeaway for the community and other projects is the critical need to verify all announcements through multiple separate channels and to strengthen authentication measures to prevent similar attacks.
