Binance successfully attracts institutional trading players, but the growing number of security alerts on the consumer side threatens to complicate the company's objectives.
The world's largest cryptocurrency exchange by market capitalization has started the year 2026 with an explosive atmosphere in its OTC trading department. Only during January and February, trading on Binance's OTC platform accounted for 25% of its total volume for the entire year of 2025.
As a result of the captcha bypass, the details of 1.5 million Binance users were exposed in a scraping attack
This sharp increase reflects a broader maturation of the markets as large capital investors and institutional players increasingly seek private market channels for their massive trades.
Binance's CEO Richard Teng explained that these players value deep liquidity to minimize price discrepancies and avoid market disruptions. The exchange's OTC desk allows buyers and sellers to execute block trades directly, keeping their strategies hidden from public order books.
Behind the scenes, however, operational warning signs are increasing.
The cybersecurity platform VECERT reported on March 28 that a malicious actor named PexRat offered for sale a database containing the personal information of 1.5 million Binance users.
The leaked data allegedly includes full names, email addresses, phone numbers, and Know Your Customer identification status.
Even more concerning is that the actor claims to possess the latest login IP addresses of the victims, device user agents, and the status of two-factor authentication. This includes information on whether users are using SMS, email, or a separate authentication app.
At the same time, the potential exposure of 2FA logs and KYC data poses a significant operational risk. These compromised users are particularly vulnerable to targeted SIM swap-based attacks and advanced phishing campaigns.
Crucially, VECERT's analysis of authentication logs and sample data revealed that Binance's internal servers had not been directly breached. Instead, the firm experienced a complex attack based on credential stuffing and data scraping.
"Evidence suggests that the attacker was able to bypass or exploit security mechanisms (such as Captcha) in the login window or somewhere in the platform's API, enabling a continuous stream of unimpeded requests," VECERT stated.
This case follows a report released in January, in which cybersecurity researcher Jeremiah Fowler discovered approximately 420,000 identifiers linked to Binance that were leaked via a similar malware designed for data theft.
Ultimately, these events constitute a significant stress test for Binance's cybersecurity practices, as the exchange cannot allow the continued automatic collection of user data.