Binance is attracting institutional trading activity, but a growing wave of data-leak alarms on the privacy side threatens to complicate the company's ambitions.
The world's largest cryptocurrency exchange by market value has started 2026 at explosive speed in its over-the-counter (OTC) trading department. In January and February alone, Binance's OTC platform handled volume equal to 25% of the total volume for all of 2025.
Captcha-bypass reveals 1.5 million Binance users in scraping attack
This significant increase reflects a broader maturation of the market, as large investors and institutional players increasingly seek their own channels to execute large trades.
Binance CEO Richard Teng explained that these actors prioritize deep liquidity to avoid slippage and market turmoil. The exchange's OTC desk allows buyers and sellers to execute block trades directly, shielding their strategies from public order books.
Still, concerns are growing behind this institutional facade. Operational warning lights are flashing more and more frequently.
On March 28, the cybersecurity platform VECERT reported that a threat actor with the alias PexRat was offering a private database containing personal information about 1.5 million Binance users for sale.
According to the leak, the data includes full names, email addresses, phone numbers, and Know Your Customer verification status.
Even more concerning, the attacker claims to have access to the victims' last login IP addresses, device user agents, and two-factor authentication status. This includes whether users rely on SMS, email, or dedicated authentication apps.
At the same time, a potential data leak scenario where both 2FA logs and KYC data are exposed presents a serious operational risk. This makes compromised users highly vulnerable to targeted SIM swap attacks and advanced phishing campaigns.
VECERT's analysis of authentication logs and selected examples showed that Binance's internal servers were not attacked directly. Instead, the findings point to a sophisticated operation involving credential stuffing and automated scraping.
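A defender-side sketch of how credential stuffing of this kind, one source working through many accounts at a steady pace, can be surfaced from authentication logs. This is an added example, not code from VECERT or Binance; the log format, thresholds, function names and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines: 'ISO-timestamp source-ip account result'."""
    base, lines = datetime(2026, 1, 1, 12, 0, 0), []
    def add(sec, ip, account, result):
        lines.append(f"{(base + timedelta(seconds=sec)).isoformat()} {ip} {account} {result}")
    for i in range(12):   # automated source: a new account every 20 s, one hit
        add(20 * i, "203.0.113.7", f"user{i:02d}", "OK" if i == 7 else "FAIL")
    for i in range(6):    # shared office NAT: many accounts, all succeed
        add(30 * i, "192.0.2.50", f"staff{i}", "OK")
    for i, res in enumerate(["FAIL", "FAIL", "OK"]):  # one person mistyping
        add(15 * i, "198.51.100.20", "alice", res)
    return lines

def parse(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result

def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_accounts=5, min_fail_ratio=0.8):
    """Flag sources that, inside one sliding window, try many distinct
    accounts and mostly fail. Returns {ip: (distinct accounts, fail ratio)}
    for the widest spread of accounts observed per source."""
    recent = defaultdict(deque)   # ip -> attempts still inside the window
    flagged = {}
    for ts, ip, account, result in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, account, result))
        while ts - q[0][0] > window:      # drop attempts older than the window
            q.popleft()
        accounts = {a for _, a, _ in q}
        ratio = sum(r == "FAIL" for _, _, r in q) / len(q)
        # Both conditions are needed: a NAT has many accounts but few failures,
        # a forgetful user has failures but only one account.
        if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
            if ip not in flagged or len(accounts) > flagged[ip][0]:
                flagged[ip] = (len(accounts), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for ip, (n, ratio) in detect_stuffing(build_sample()).items():
        print(f"{ip}: {n} distinct accounts in window, {ratio:.0%} failed")
```

The window has to be wide enough for a paced stream: with a one-minute window the same constructed source never shows more than four accounts at once and goes unflagged.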
"Evidence suggests that the attacker managed to bypass or exploit security mechanisms (such as Captcha) in the login interface or some of the platform's APIs, which allowed a steady stream of requests that were not blocked," explained VECERT.
The incident comes in the wake of a January report in which security researcher Jeremiah Fowler uncovered around 420,000 Binance-related login credentials that were leaked via similar info-stealer malware.
Ultimately, these incidents represent a significant stress test for Binance's cybersecurity practices, as the exchange cannot allow continued automated scraping of users' data.
