Binance co-CEO Yi He said her WeChat account was hijacked on Dec. 10 after a cell number tied to the profile was reclaimed and could not be recovered at first.
The account was later restored after Binance worked with WeChat’s security team, according to a spokesperson cited the same day.
Posts that appeared after the takeover promoted a token called “Mubarakah,” and on-chain data shared by Lookonchain pointed to a pump-and-dump that netted about $55,000 before the content was removed.
Why Yi He’s WeChat hack matters beyond Binance
The episode arrived days after Yi He’s elevation to co-CEO was announced at Binance Blockchain Week, placing an executive’s identity at the center of a web platform incident rather than a crypto infrastructure breach.
Web accounts tied to phone numbers remain exposed to recovery flows that attackers can capture without touching wallets, custody systems, or exchange backends, a pattern that has shaped several market-moving incidents over the past two years.
According to the SEC’s postmortem on its January 2024 X compromise, a phone number on the agency’s account lacked two-factor protection, and a fake ETF-approval post briefly moved Bitcoin by roughly $1,000 before corrections followed. The SEC and FBI later detailed arrests linked to that hack.
According to the SEC document, that case has become a reference point for how a single spoofed message can reshape price action and trigger liquidations without any on-chain exploit.
SlowMist’s founder resurfaced guidance last week describing how WeChat account captures can proceed with leaked credentials and “frequent contacts” verification. That method can advance recovery by messaging two contacts to satisfy identity checks, creating a low-friction path for attackers.
According to City News Service in Shanghai, Chinese carriers typically reissue canceled numbers after around 90 days, a secondary issuance practice that intersects with legacy SMS recovery and leaves dormant accounts exposed when numbers are recycled.
If an old number remains tied to an abandoned profile, a new holder can receive SMS prompts or meet recovery checks that either bypass or weaken password reliance, which aligns with Yi He’s account that the number linked to her profile “was seized for use.”
WeChat’s role in crypto circles raises conversion risk when executive or key opinion leader accounts are hijacked. Many OTC USDT trades and retail community discussions run through the app, and a familiar handle can convey enough implied trust to draw flows into thin-liquidity contracts.
That dynamic differs from a random spam link on X, where user overlap and transaction intent may be lower.
Binance’s own ecosystem has encountered social-account risk this year, with BNB Chain’s official X account compromised on Oct. 1, ten phishing links posted, and about $8,000 in user losses later reimbursed.
The immediate market impact around Yi He’s WeChat case appeared contained. As of Dec. 10 in London trading hours, BNB was roughly flat on the day near $890, with intraday highs and lows ranging between $927.32 and $884.67.
| Ticker | Price (USD) | Δ vs prior close | Intraday high | Intraday low |
|---|---|---|---|---|
| BNB | 890.17 | -9.02 (-0.01%) | 927.32 | 884.67 |
The economic payoff cited in this incident, approximately $55,000, fits a lower band for single-push memecoin shills. Coordinated hijacks across multiple X accounts have cleared around $500,000 in a month by repeatedly directing retail into new tokens.
A simple reach-to-revenue illustration helps frame incentives
As a model, if a hijacked executive account reaches 1 to 5 million contacts, if 0.05% to 0.20% click through, and if 10% of those clickers deploy $100 each into a shallow pool, gross inflows would span about $5,000–$100,000 per post, consistent with the $55,000 estimate.
While this is a model, not a statement of fact, it aligns with observed outcomes when an identity carries audience trust and the token’s liquidity is thin.
Rising loss totals across 2024 provide the macro backdrop. Chainalysis and TRM Labs estimate roughly $2.2 billion in stolen crypto this year, with a midyear pivot toward attacks on centralized services, even as the share of illicit activity on-chain remains under 1%.
Sanctioned entities are leaning more on stablecoins, according to Chainalysis and TRM Labs, which keeps policy attention on operational and identity risks that can be exploited without cracking cryptography. The policy response is shifting, too.
South Korea moved on Nov. 27 toward “bank-level” no-fault liability for exchanges after the Upbit incident, creating a possible blueprint for how regulators may assign responsibility for platform-adjacent losses that involve social engineering or third-party platform weaknesses.
The security mechanics in Yi He’s case highlight where controls can fail
SIM recycling plus social recovery allows takeovers when a platform accepts SMS or contact-based proofs over hardware-bound factors. “Frequent contacts” verification accelerates capture by co-opting social ties, especially when contacts are accustomed to authorizing routine actions.
If an executive account is dormant, device fingerprints and session recency may be stale, making it easier for a recycled number to pass recovery gates.
According to Binance security alerts published earlier this year, attackers have repeatedly tested WeChat-centric flows that combine leaked credentials, contact verification, and number reuse.
For boards and compliance teams, executive identities now function like market infrastructure. A single unvetted post can mobilize nine-figure volume, lead to user losses, and force public remediation. That governance perimeter sits outside exchange custody and traditional cybersecurity budgets.
It spans personal devices, legacy accounts, carrier policies, and third-party platform settings, which complicates control audits and disclosure protocols.
The SEC X incident, the BNB Chain account compromise, and ongoing celebrity memecoin hijacks reported by media like WIRED show that social-account security is a repeatable route to market impact.
Given the facts to date, forward paths fall into three bands
A contained reputational blip would involve no further impostor posts, a short platform note from Binance, no user losses beyond the attacker’s take, and limited BNB or broader Binance market impact.
A policy ripple with limited market stress would see APAC or European authorities issue guidance on executive social-account governance, possibly leaning on South Korea’s direction, with hardware-key mandates and no-fault compensation standards for verified social-engineered incidents.
An escalation to a market-moving spoof would target a listing or airdrop claim, coordinate across channels, and push nine-figure volume before takedown, echoing the SEC precedent and prior cross-account hijacks.
Signposts include new phishing domains or wallet clusters tied to known scam infrastructure, enterprise attestations of web account controls, and WeChat statements on recycled-number remediation.
Risk-reducing measures are well mapped. A kill-switch policy for executive accounts not used for business, phone, or SMS recovery, disabled; hardware keys enforced; and organization SSO for any channel that could be construed as corporate communication would cut exposure.
Platform-side, WeChat could require recent successful device-bound logins before allowing broadcast-scale posting from public-figure accounts linked to recycled numbers, and expand enterprise-grade verification for high-reach handles.
Those measures would not eliminate spoofing, but they would reduce the likelihood and shorten the window during which a hijack can monetize an audience.
Open items remain. It is not yet clear whether Binance users suffered direct losses from links posted on WeChat and whether any restitution will be offered for off-platform harm.
It is also unknown whether secondary channels amplified the “Mubarakah” posts or whether WeChat’s internal network effects contained the impact.
Confirmation of the token’s chain and contracts, and any coordination between centralized venues and DEX front ends to flag or block trading, would clarify the operational footprint.
Yi He’s account has been restored, according to Binance, and attention now shifts to whether carriers and WeChat adjust safeguards around recycled numbers and contact-based recovery.
