The Discovery: VECERT Detects Crypto's Biggest Leak of the Year
On March 28, 2026, VECERT Analyzer — a cyber threat intelligence platform specialized in tracking criminal actors on the dark web, deep web and illegal forums — published an alert that shook the sector: a threat actor operating under the alias PexRat had put up for sale in a closed forum a database containing information from approximately 1.5 million Binance users, the world's largest cryptocurrency exchange.
The case deserves attention not just for its size, but for the sophistication of the method. What PexRat was selling was not a classic database exfiltrated via a compromised server — it was something more dangerous and harder to detect: the result of a credential stuffing operation combined with API scraping that ran for months, taking advantage of flaws in the login endpoint protection design.
What Was Exposed
According to VECERT's technical analysis, the offered database contains:
Registration Data
- Full names
- Registration email addresses
- Registered phone numbers
- KYC verification status (basic, intermediate, advanced)
Technical and Session Data
- Last login IP for each account
- Device user agents (browser, operating system)
- 2FA status and type (SMS, email or authenticator app)
This combination is especially dangerous. It's not just a list of emails — it's a complete operational profile per user. An attacker with this database knows exactly how to attack each victim: if they have weak 2FA (SMS → SIM swap), if they use specific devices (device-specific malware targeting), if they're geographically concentrated in vulnerable jurisdictions.
The Method: It Wasn't a Breach, It Was Abuse
VECERT was categorical in its analysis: Binance's internal servers were NOT breached. What happened was more embarrassing — from a security perspective, harder to accept:
"The evidence suggests that the attacker was able to circumvent or abuse security mechanisms (such as Captcha) in the login interface or in some platform API, allowing a constant flow of requests without blocking." — VECERT Analyzer
Credential Stuffing: The Mechanics
Credential stuffing is an attack where the criminal:
- Obtains massive lists of email+password combinations from other breaches (LinkedIn 2021, Yahoo, Adobe, thousands of smaller sites)
- Uses automated tools to test these combinations on another platform (in this case, Binance)
- When a combination works, it means the user recycled the password — and now that account is compromised
- Extracts profile data that the API returns during successful login
The Captcha Bypass
Here's the critical detail. The standard protection against credential stuffing is captcha or rate limiting. PexRat found ways to:
- Bypass captcha using automated solvers (services like 2Captcha, AntiCaptcha)
- Exploit less protected API endpoints than the main login flow
- Rotate proxy pools to avoid IP-based blocking
- Modulate timing and fingerprint to appear as organic traffic
The combination of techniques allowed a constant flow of unblocked requests — effectively turning Binance's public API into a controlled data source.
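As an added illustration (not VECERT's or Binance's code), the detector below runs over constructed login log lines and flags the two traffic shapes the sections above describe: one IP spraying many accounts, and one account hit from a rotating proxy pool, then marks successful logins inside those patterns as likely password reuse. The log format, thresholds and sample addresses are assumptions.

```python
"""Credential-stuffing detector over constructed login logs (added example,
not VECERT's or Binance's code). Thresholds are illustrative assumptions."""
from collections import defaultdict

# Constructed sample log: timestamp, client IP, account, result
SAMPLE_LOG = """\
2026-03-20T10:00:01Z 203.0.113.5 alice@example.com FAIL
2026-03-20T10:00:02Z 203.0.113.5 bob@example.com FAIL
2026-03-20T10:00:02Z 203.0.113.5 carol@example.com OK
2026-03-20T10:00:03Z 203.0.113.5 dave@example.com FAIL
2026-03-20T10:00:03Z 203.0.113.5 erin@example.com FAIL
2026-03-20T10:00:04Z 203.0.113.5 frank@example.com FAIL
2026-03-20T10:00:10Z 198.51.100.1 grace@example.com FAIL
2026-03-20T10:00:11Z 198.51.100.2 grace@example.com FAIL
2026-03-20T10:00:12Z 198.51.100.3 grace@example.com FAIL
2026-03-20T10:00:13Z 198.51.100.4 grace@example.com OK
2026-03-20T10:05:00Z 192.0.2.9 heidi@example.com OK
"""

def parse(log):
    """Return (timestamp, ip, account, success) tuples in log order."""
    rows = []
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        rows.append((ts, ip, account, result == "OK"))
    return rows

def detect(rows, max_accounts_per_ip=4, max_ips_per_account=3):
    """Flag spraying IPs, proxy-rotated accounts, and successes inside either."""
    accounts_by_ip = defaultdict(set)
    ips_by_account = defaultdict(set)
    results_by_ip = defaultdict(list)
    for _, ip, account, ok in rows:
        accounts_by_ip[ip].add(account)
        ips_by_account[account].add(ip)
        results_by_ip[ip].append(ok)
    alerts = {"spray_ips": [], "rotated_accounts": [], "compromised": []}
    # Pattern 1: one IP touching many accounts with a mostly-failing ratio
    for ip, accts in accounts_by_ip.items():
        fail_ratio = results_by_ip[ip].count(False) / len(results_by_ip[ip])
        if len(accts) > max_accounts_per_ip and fail_ratio > 0.5:
            alerts["spray_ips"].append(ip)
    # Pattern 2: one account tried from many IPs (rotating proxy pool)
    for account, ips in ips_by_account.items():
        if len(ips) > max_ips_per_account:
            alerts["rotated_accounts"].append(account)
    # A success from a flagged IP or on a flagged account = likely reused password
    for _, ip, account, ok in rows:
        if ok and (ip in alerts["spray_ips"] or account in alerts["rotated_accounts"]):
            alerts["compromised"].append(account)
    return alerts
```

In production the same counters would be kept per sliding time window and joined with device fingerprint and geolocation, but the two ratios above already separate a stuffing run from organic logins.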
Who Is PexRat
The alias PexRat has appeared on criminal sales forums since approximately 2024. Cross-analysis by VECERT, TRM Labs and other firms suggests:
- Operation probably based in Eastern Europe or Russia, with some indicators of activity during Brazilian time zone hours
- Track record of selling databases from fintechs, smaller exchanges and betting platforms
- Strong presence on BreachForums and LeakBase, with established reputation among buyers
- Variable pricing based on scale — for the Binance database, reports indicate prices in the range of US$ 10,000 to US$ 50,000 for the complete database, with partial access offered at lower prices
The modus operandi suggests professional operation, not opportunistic. It's not a teenager in a basement — it's a commercial operator that treats data as a commodity, selling across multiple channels and extracting value for years on end.
The History That Cannot Be Ignored
PexRat's leak is not an isolated event. In January 2026, security researcher Jeremiah Fowler published a report about approximately 420,000 credentials linked to Binance exposed through infostealer malware, software that runs on the victim's computer and extracts passwords saved in browsers and wallets.
Combining the two episodes, we have a bigger picture:
- Tens of thousands of Binance users compromised via endpoint malware
- Millions of users exposed via API enumeration and credential stuffing
- The real attack surface is dynamic and persistent, not a one-time incident
What Binance Said (And What It Didn't)
The exchange's official response followed the typical pattern of large platforms:
- Acknowledgment of suspicious activity on authentication endpoints
- Statement that core systems were not compromised — a technically correct point, but misleading in perception
- Implementation of new layers of protection (additional invisible captcha, bot pattern detection, known proxy pool blocking)
- No individual communication to the 1.5 million affected users
- No compensation offer, since formally there was no "breach"
The stance is legally sustainable but morally fragile. The distinction between "your data leaked because someone broke into our server" and "your data leaked because our API didn't have enough protection" may not make sense to a user who now receives targeted phishing daily.
How to Know If You Were Affected
There is no official channel through which Binance confirms exposure individually. But some indicators:
- Abrupt increase in targeted phishing (emails and SMS mentioning your name, last 4 phone digits, or references to real deposits)
- Unrecognized login attempts in your account history (check Security Settings > Account Activity)
- SIM swap attempt with your carrier — attacker contact requesting number transfer
- Appearance of your email in HaveIBeenPwned (haveibeenpwned.com) linked to a recent dump
Immediate Protection Guide
Critical Actions (Do Today)
- Change your Binance password to a unique one of 20+ characters, generated by a password manager (1Password, Bitwarden)
- Migrate 2FA from SMS to an authenticator app (Google Authenticator, Authy) or, ideally, a physical FIDO2 key (YubiKey, Feitian)
- Enable Anti-Phishing Code in Binance settings — legitimate emails will now include this unique code
- Set Up Withdrawal Whitelist — only allow withdrawals to pre-approved addresses with 24-hour timelock
- Check active API keys — revoke anything you don't actively use
Ongoing Hygiene
- Use dedicated email for exchanges — never the personal email that's on dozens of sites
- Set a PIN or port-out lock on your SIM with your carrier, to protect against SIM swap
- Unique passwords on each service — never reuse
- Password manager mandatory — keeping "easy to remember passwords" is letting PexRat win
- Consider self-custody for most of your holdings — keep on exchange only what you need for active trading
Industry Perspective
For Exchanges
The Binance case exposes a structural flaw: exchanges operate login APIs like public SaaS, but protect them like blogs. Standards that should be baseline:
- Device fingerprinting + behavioral analytics on each login attempt
- Adaptive rate limiting by account, IP, device, geolocation
- Invisible proof-of-work (hashcash-style) to raise attacker costs
- Continuous monitoring of BreachForums, LeakBase, Telegram channels
- Threat intel partnerships (VECERT, Intel471, Recorded Future)
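As an added example of two of the baseline controls listed above (not Binance's or VECERT's code), the gate below combines hashcash-style proof-of-work with adaptive rate limiting: the server issues a challenge whose required leading-zero bits grow with recent failures for that account and that IP, verifies a submitted nonce with a single SHA-256, and treats each challenge as single-use with a short expiry. Difficulty parameters, the 60-second challenge lifetime and the challenge encoding are assumptions.

```python
"""Hashcash-style proof-of-work login gate (added example, not Binance's or
VECERT's code). Cost escalates per failure, so one honest login stays cheap
while a credential-stuffing bot pays growing CPU per attempt."""
import hashlib, os, time
from collections import defaultdict

def has_leading_zero_bits(digest: bytes, bits: int) -> bool:
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits) == 0

class LoginGate:
    def __init__(self, base_bits=8, step_bits=2, max_bits=22, window=300):
        self.base_bits, self.step_bits, self.max_bits = base_bits, step_bits, max_bits
        self.window = window                 # seconds of failure history considered
        self.failures = defaultdict(list)    # account or ip -> failure timestamps
        self.issued = {}                     # challenge -> (bits, expiry)

    def _recent_failures(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return len(self.failures[key])

    def difficulty(self, account, ip, now=None):
        now = now or time.time()
        n = max(self._recent_failures(account, now), self._recent_failures(ip, now))
        return min(self.base_bits + self.step_bits * n, self.max_bits)

    def issue(self, account, ip, now=None):
        # Server: hand the client a fresh challenge and the bits it must hit
        now = now or time.time()
        bits = self.difficulty(account, ip, now)
        challenge = os.urandom(16).hex()
        self.issued[challenge] = (bits, now + 60)
        return challenge, bits

    def verify(self, challenge, nonce, now=None):
        # Server: one hash to check; challenge is single-use and expires
        now = now or time.time()
        bits, expiry = self.issued.pop(challenge, (None, 0))
        if bits is None or now > expiry:
            return False
        digest = hashlib.sha256(f"{challenge}:{nonce}".encode()).digest()
        return has_leading_zero_bits(digest, bits)

    def record_failure(self, account, ip, now=None):
        now = now or time.time()
        self.failures[account].append(now); self.failures[ip].append(now)

def solve(challenge, bits):
    # Client: brute-force a nonce (about 2**bits hashes on average)
    nonce = 0
    while not has_leading_zero_bits(hashlib.sha256(f"{challenge}:{nonce}".encode()).digest(), bits):
        nonce += 1
    return nonce
```

With these parameters a client that has failed three times in five minutes must compute roughly 2**14 hashes for its next attempt, and the cap of 22 bits keeps a legitimate user on a slow device from being locked out outright.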
For Regulators
Breach notification laws (GDPR in the EU, SEC Cybersecurity Rules in the US, LGPD in Brazil) formally apply to intrusions, but not to mass credential stuffing. This is a gap that needs to close: affected users are affected users, regardless of technical vector.
Conclusion: The New Frontier of Exchange Security
The PexRat leak teaches three uncomfortable lessons:
- "We were not breached" is a statement losing value. If your data got out, it got out — the technical vector matters little
- Captcha and SMS 2FA are defenses of the past. In 2026, we need more sophisticated architectures
- Threat intelligence is infrastructure. Platforms that ignore VECERT, Intel471, Elliptic and others operate with tunnel vision
For the average user, the lesson is even simpler: your digital hygiene is half your financial security in crypto. Unique password, strong 2FA, dedicated email, withdrawal whitelist, self-custody for the long term. None of this is sexy, but it's what separates those who sleep soundly from those who discover one morning that their name is in a package being sold on BreachForums for US$ 50,000.
PexRat will move on to the next target. And if that target relies only on its captcha, they will succeed.
Primary source: technical analysis published by VECERT Analyzer on March 28, 2026. Data cross-referenced with coverage from BeInCrypto, CoinDesk and other sources.
Disclaimer: This content is informative and for educational purposes. It does not constitute investment recommendation. Follow good security practices and, if you suspect compromise, immediately contact your exchange's support.
