
Binance co-CEO Yi He said her WeChat account was hijacked on December 10 after a mobile number linked to the profile was reclaimed and could not be recovered initially.
The account was later restored after Binance worked with WeChat’s security team, a spokesperson said the same day.
Posts that appeared after the takeover promoted a token called ‘Mubarakah’, and on-chain data shared by Lookonchain indicated a pump-and-dump that raised around $55,000 before the content was removed.
Why Yi He’s WeChat Hack Is More Important Than Binance
The episode arrived days after Yi He’s appointment as co-CEO was announced during Binance Blockchain Week, with an executive’s identity at the center of a web platform incident rather than a crypto infrastructure breach.
Web accounts tied to phone numbers remain exposed to recovery flows that attackers can intercept without touching wallets, custodial systems, or exchange backends, a pattern that has shaped several market incidents over the past two years.
According to the SEC’s postmortem on the January 2024 compromise, the SEC and FBI later detailed rulings related to that hack.
According to the SEC document, this case has become a reference point for how a single spoofed message can reshape price action and trigger liquidations without any on-chain exploit.
The SlowMist founder reissued guidance last week describing how WeChat account captures can continue with leaked credentials and verification of “frequent contacts.” This method can aid recovery by messaging two contacts to pass identity checks, creating a low-friction path for attackers.
According to City News Service in Shanghai, Chinese carriers typically reissue canceled numbers after about 90 days, a secondary issuance practice that intersects with legacy SMS recovery and exposes dormant accounts when numbers are recycled.
If an old number remains associated with an abandoned profile, a new holder may receive SMS prompts or pass recovery checks that bypass or weaken the dependency on passwords, which ties in with Yi He’s account that the number associated with her profile has been “confiscated for use.”
WeChat’s role in cryptocurrencies increases conversion risk when accounts of executives or key opinion leaders are hijacked. Many OTC USDT transactions and discussions in the retail community run through the app, and a trusted handle can convey enough implicit trust to steer flows into contracts with limited liquidity.
That dynamic is different from a random spam link on X, where user overlap and transaction intent may be lower.
Binance’s own ecosystem has suffered from social account risks this year, with BNB Chain’s official
The immediate impact on the market surrounding Yi He’s WeChat case seemed limited. As of December 10, during London trading hours, BNB was roughly flat on the day near $890, with intraday highs and lows ranging between $927.32 and $884.67.
| Ticker | Price (USD) | Δ versus previous close | Intraday high | Intraday low |
|---|---|---|---|---|
| BNB | 890.17 | -9.02 (-0.01%) | 927.32 | 884.67 |
The economic payout cited in this incident, approximately $55,000, fits into a lower range for single-push memecoin shills. Coordinated hijacks on multiple
A simple illustration of the range of sales helps identify incentives
If a hijacked executive account reaches 1 to 5 million contacts, if 0.05% to 0.20% click through, and if 10% of those clickers put $100 each into a shallow pool, the gross inflow would be about $5,000 – $100,000 per post, consistent with the $55,000 estimate.
While this is a model and not a factual statement, it is consistent with observed results when an identity inspires public trust and the token’s liquidity is scarce.
Rising loss totals in 2024 provide the macroeconomic backdrop. Chainalysis and TRM Labs estimate around $2.2 billion in stolen cryptocurrencies this year, with a mid-year shift toward attacks on centralized services, even as the share of illicit activity on-chain remains below 1%.
According to Chainalysis and TRM Labs, sanctioned entities are leaning more on stablecoins, keeping policy attention focused on operational and identity risks that can be exploited without cracking the cryptography. The policy response is also changing.
South Korea moved to no-fault “bank-level” liability for exchanges on Nov. 27 after the Upbit incident, creating a potential blueprint for how regulators can assign responsibility for platform-adjacent losses related to social engineering or third-party platform weaknesses.
The security mechanisms in Yi He’s case highlight where controls can fail
SIM recycling plus social recovery enables takeovers when a platform accepts text messages or contact-based proofs in place of hardware-bound factors. Verification of “frequent contacts” accelerates capture by co-opting social ties, especially when contacts are accustomed to approving routine actions.
If an executive account is inactive, the device fingerprints and session recency may be out of date, making it easier for a recycled number to pass through the recovery gates.
According to Binance security alerts published earlier this year, attackers have repeatedly tested WeChat-targeted flows that combine leaked credentials, contact verification, and number reuse.
For boards and compliance teams, executive identities now function as market infrastructure. A single unvetted post can mobilize nine-figure volume, lead to user churn, and force public remediation. That governance perimeter lies outside exchange custody and traditional cybersecurity budgets.
It includes personal devices, legacy accounts, provider policies, and third-party platform settings, complicating control audits and disclosure protocols.
The SEC
Given the facts so far, the forward paths fall into three bands
A contained reputation issue would involve no further messages from impostors, a brief platform note from Binance, no user losses beyond the attacker, and limited BNB or broader market impact from Binance.
A policy wave with limited market stress would see APAC or European authorities issue guidance on the governance of executive social accounts, possibly leaning on South Korea’s leadership, with hardware key mandates and standards for no-fault compensation for verified, socially engineered incidents.
An escalation into a market-moving spoof would target a listing or airdrop claim, coordinate across channels, and drive nine-figure volume before delisting, following SEC precedent and previous multi-account hijacks.
Signposts include new phishing domains or wallet clusters associated with known scam infrastructure, corporate attestations of web account audits, and WeChat statements on recycled number recovery.
Risk-reducing measures are well identified. A kill-switch policy for executive accounts not used for business, phone and SMS recovery disabled, hardware keys enforced, and organizational SSO for any channel that could be construed as corporate communications would reduce exposure.
On the platform side, WeChat could require recent successful device-based logins before widely posting messages from public accounts linked to recycled numbers, and expand enterprise-level verification for handles with wide reach.
These measures would not eliminate spoofing, but they would reduce the likelihood and shorten the period in which a hijacking can generate revenue for an audience.
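The controls listed above, expressed as an audit over an inventory of executive social accounts. This is an added example, not code from Binance, WeChat or the article; the `Account` fields, the 30-day staleness threshold and the sample records are assumptions, and the 90-day window follows the carrier reissue interval cited earlier.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: 90 days mirrors the carrier reissue interval cited in the article.
RECYCLE_WINDOW = timedelta(days=90)
# Assumption: a device login older than this counts as stale for the audit.
STALE_LOGIN = timedelta(days=30)

@dataclass
class Account:  # hypothetical inventory record, one per social account
    handle: str
    business_use: bool
    enabled: bool
    sms_recovery: bool
    hardware_key: bool
    org_sso: bool
    number_confirmed: date    # last date the owner proved control of the SIM
    last_device_login: date

def audit(acct: Account, today: date) -> list[str]:
    """Return control gaps that expose an account to number-reuse takeover."""
    if not acct.enabled:
        return []  # kill switch applied: modelled as no posting or recovery surface
    findings = []
    if not acct.business_use:
        findings.append("kill-switch: not used for business but still enabled")
    if acct.sms_recovery:
        findings.append("phone/SMS recovery enabled")
        if today - acct.number_confirmed > RECYCLE_WINDOW:
            findings.append("recovery number unconfirmed beyond recycle window")
    if not acct.hardware_key:
        findings.append("no hardware key enforced")
    if acct.business_use and not acct.org_sso:
        findings.append("corporate channel outside organizational SSO")
    if today - acct.last_device_login > STALE_LOGIN:
        findings.append("stale device session")
    return findings

# Constructed sample inventory (not real accounts or dates).
TODAY = date(2025, 12, 10)
INVENTORY = [
    Account("exec-dormant", False, True, True, False, False, date(2025, 6, 1), date(2025, 5, 20)),
    Account("exec-official", True, True, False, True, True, date(2025, 12, 1), date(2025, 12, 9)),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(a.handle, audit(a, TODAY) or "ok")
```

The dormant record trips every check except the SSO one, which applies only to accounts used for business; the official record passes clean.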
Open questions remain. It is not yet clear whether Binance users have suffered direct losses from links posted on WeChat and whether refunds will be offered for off-platform damages.
It is also unknown whether secondary channels amplified the “Mubarakah” messages or whether WeChat’s internal network effects limited the impact.
Confirmation of the token’s chain and contracts, and any coordination between centralized venues and DEX front ends to flag or block trading, would clarify its operational footprint.
Yi He’s account has been restored, according to Binance, and attention now shifts to whether carriers and WeChat are adjusting security measures around recycled numbers and contact-based recovery.

