Binance's Institutional Glow-Up Gets Shadowed by a 1.5M User Data Scraping

Binance is absolutely crushing it on the institutional front—but the retail side is currently giving the exchange a migraine worthy of a CTAs thread. The world's largest crypto exchange by market cap kicked off 2026 with explosive momentum in its over-the-counter trading division. In January and February alone, Binance's OTC platform recorded 25% of its total volume for all of 2025. That's not growth; that's a vertical line on the chart.

This sharp rise reflects broader market maturation, as large-cap investors and institutional players increasingly seek private execution channels for massive trades. CEO Richard Teng explained that these entities prioritize deep liquidity to avoid slippage and market disruption—because nothing says "I'm a serious fund" like trying to move $50 million without making the price jump. The exchange's OTC desk allows buyers and sellers to execute block trades directly, shielding their strategies from public order books. It's basically the crypto equivalent of doing your taxes in a soundproof room.

But beneath this institutional polish, red flags are stacking up faster than Layer 2 scaling solutions. On March 28, cybersecurity platform VECERT reported that a threat actor operating under the alias PexRat offered a private database containing the personal information of 1.5 million Binance users for sale. For context, that's more users than most countries have citizens.

The leaked data purportedly includes full names, email addresses, phone numbers, and Know Your Customer verification statuses. More alarmingly, the threat actor claims to possess victims' last-login IP addresses, device user agents, and two-factor authentication statuses. This reveals whether users rely on SMS, email, or dedicated authenticator apps. In short: everything except their seed phrase, and honestly, give it time.

The potential exposure of 2FA logs and KYC data presents a severe operational risk. Compromised users become highly vulnerable to targeted SIM-swap attacks and sophisticated phishing campaigns. Imagine getting a text from "Binance support" asking you to confirm your password while they're literally staring at your login history. It's not paranoia if they're actually coming for you.

VECERT's analysis revealed that Binance's internal servers were not directly breached. Instead, the firm outlined a sophisticated credential stuffing and scraping operation. The evidence suggests the attacker managed to bypass or abuse security mechanisms, such as Captcha, in the login interface or some platform API, allowing a constant flow of unblocked requests. Captcha: the only thing standing between your