BNB Chain’s official X account was compromised on October 1, with attackers posting phishing links that imitated WalletConnect prompts.
Binance founder Changpeng “CZ” Zhao confirmed the breach and urged users not to click or connect wallets.
SlowMist’s CISO “23pds” linked the phishing domains to the Inferno Drainer group.
Account takeover confirmed by CZ
Zhao said the BNB Chain account was hacked and used to push multiple malicious links.
He warned users to avoid any “Wallet Connect” prompts shared from the compromised handle.
His post noted that security teams had notified X and filed takedown requests for the phishing sites.
BNB Chain X Hack Alert. Source: CZ Binance on X Additionally, coverage across crypto media repeated the warning and highlighted the fraudulent “rewards” and “airdrop” narratives used in the posts. Reports added that, at the time, losses were not confirmed.
By mid-day, the obvious phishing posts were no longer visible on the BNB Chain timeline.
However, confirmation on whether any users connected wallets or lost funds was still pending.
Phishing links mimicked WalletConnect
The campaign relied on links that prompted users to connect wallets, a common tactic to authorize malicious transactions.
Attackers framed the prompts as part of airdrops or reward programs to increase click-through rates.
Reports described the posts as urging quick participation and early payouts, which are typical social-engineering hooks in crypto phishing. Users who clicked risked exposing signing permissions or seed phrases.
Zhao reiterated basic hygiene: treat even “official” links with caution and verify domains before interacting.
He used his personal account to amplify the alert while the compromised handle remained restricted.
SlowMist: domains tied to Inferno Drainer
SlowMist’s chief security officer “23pds” said the phishing domains used a letter-swap trick, replacing the character “i” with “l” to mimic legitimate addresses. He attributed the infrastructure to the Inferno Drainer group.
Inferno Drainer, active since at least 2022, offers phishing-as-a-service kits and turnkey wallet-draining sites to affiliates.
Security outlets and aggregators relayed SlowMist’s warning shortly after the hack surfaced.
A separate SlowMist note suggested the number of impacted users might be limited, based on an observed wallet address tied to the campaign. That assessment remained preliminary.
Response and next steps
According to Zhao, Binance security contacted X to suspend the compromised account and pursued takedowns for the phishing domains. Those actions aim to reduce secondary exposure as cached posts and cross-shares persist.
Newsrooms continued to monitor the account while BNB Chain’s team investigated internally.
A spokesperson cited by one outlet said more information would follow as the inquiry progressed.
Users who engaged with any links were advised by multiple outlets to revoke suspicious approvals and rotate credentials as needed, pending official guidance from the project’s security teams.
Community vigilance urged
Zhao stressed that verified handles can be compromised, so domain checks and manual verification remain essential. He repeated his standard “Stay SAFU” caution in the context of the incident.
Security researchers pointed out that attackers often reuse domain patterns, shorteners, and copy decks across campaigns, so community reports help platforms and registrars move faster.
Until BNB Chain issues a post-incident summary, the safest course is to treat any recent links from the account as untrusted and confirm updates via secondary official channels.
Editor at Kriptoworld
Tatevik Avetisyan is an editor at Kriptoworld who covers emerging crypto trends, blockchain innovation, and altcoin developments. She is passionate about breaking down complex stories for a global audience and making digital finance more accessible.
📅 Published: August 4, 2025 • 🔄 Last updated: August 4, 2025
