Dark Web News Analysis
A threat actor on a known cybercrime forum is advertising the sale of an alleged database containing 125,000 Binance user records. The seller claims the data was “just scraped” and is “100% valid & verified.”
Brinztech Analysis:
- The Data: The dataset reportedly includes Full Names, Emails, Phone Numbers, Binance UIDs, and KYC Status. The victims are specifically located in high-value regions: Germany, France, Italy, Spain, USA, and UAE.
- The Source (Scraping vs. Breach): The claim “just scraped” is significant. It strongly suggests the data was not taken by a direct compromise of Binance’s core infrastructure or wallet systems. Instead, it aligns with recent reports (November 10, 2025) of a “Binance Checker Tool” circulating on dark web forums. Such tools abuse account-enumeration weaknesses in API endpoints or login/reset forms: they submit a list of emails or phone numbers (likely harvested from other breaches) and use differences in the responses to confirm which ones are registered on Binance, effectively producing a verified list of crypto users.
- Context: This incident mirrors an earlier claim in January 2025 involving ~139,000 users. The re-emergence, or a new generation, of such a list in late 2025 suggests that account-enumeration weaknesses in public-facing APIs and forms continue to be exploited at scale.
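As an added illustration (this is not part of the Brinztech post and not Binance’s code), the example below shows the mechanism a “checker tool” relies on: a password-reset endpoint that answers differently for registered and unregistered identifiers, a hardened version that answers identically, a checker that harvests confirmed accounts from a candidate list, and a simple detection over constructed auth log lines that flags a source probing many distinct identifiers. The user store, endpoint path, log format and IP addresses are all constructed for the example.

```python
"""Added example: account-enumeration oracle, hardened endpoint, checker and detector.
Not Brinztech's or Binance's code; every name, path and log line is constructed."""
import hashlib
import hmac
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed user store (identifier -> placeholder record). No real data.
USERS = {"alice@example.com": {}, "+49151000000": {}, "carol@example.com": {}}


# --- The oracle: a password-reset endpoint before and after hardening ---------

def reset_leaky(identifier: str) -> dict:
    """Vulnerable: status and message differ depending on whether the account
    exists. That difference is the only thing a checker tool needs."""
    if identifier in USERS:
        return {"status": 200, "body": "Reset email sent"}
    return {"status": 404, "body": "No account with that email or phone"}


def reset_hardened(identifier: str) -> dict:
    """Hardened: same status, same body and the same amount of work whether or
    not the account exists, so neither the content nor the timing leaks."""
    digest = hashlib.sha256(identifier.encode()).digest()
    hmac.compare_digest(digest, digest)  # stand-in for uniform lookup work
    return {"status": 200, "body": "If the account exists, a reset email has been sent"}


# --- The checker: what an attacker runs against a combolist -------------------

def run_checker(candidates: List[str], endpoint: Callable[[str], dict]) -> List[str]:
    """Return the identifiers the endpoint confirms as registered.

    The checker first probes an address it knows is unregistered and then marks
    any candidate whose response differs from that control as 'valid'. Against
    the hardened endpoint every response is identical, so nothing is learned."""
    control = endpoint("no-such-user-7f3a@example.invalid")  # known-unregistered probe

    def key(r: dict):
        return (r["status"], r["body"])

    return [c for c in candidates if key(endpoint(c)) != key(control)]


# --- Detection: many distinct identifiers from one source in a short window ---
# Constructed log lines in the form "<epoch> <src_ip> <path> <identifier> <status>".
SAMPLE_LOG = """\
1731240000 203.0.113.7 /api/reset a1@example.com 404
1731240001 203.0.113.7 /api/reset a2@example.com 404
1731240001 203.0.113.7 /api/reset alice@example.com 200
1731240002 203.0.113.7 /api/reset a3@example.com 404
1731240003 203.0.113.7 /api/reset a4@example.com 404
1731240004 203.0.113.7 /api/reset a5@example.com 404
1731240050 198.51.100.9 /api/reset carol@example.com 200
1731240055 198.51.100.9 /api/reset carol@example.com 200
"""


def flag_enumeration(log: str, window_s: int = 60, max_distinct: int = 5) -> Dict[str, int]:
    """Return {src_ip: distinct identifiers seen} for every source that probed
    more than max_distinct different identifiers within any window_s seconds.
    A legitimate user retrying their own reset stays well under the threshold."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, ip, path, ident, _status = line.split()
        if path == "/api/reset":
            events[ip].append((int(ts), ident))
    flagged: Dict[str, int] = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide a window over this source's events
            seen = {ident for t, ident in evs[i:] if t - t0 <= window_s}
            if len(seen) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged


if __name__ == "__main__":
    combolist = ["alice@example.com", "bob@example.com", "+49151000000"]
    print("leaky endpoint confirms:   ", run_checker(combolist, reset_leaky))
    print("hardened endpoint confirms:", run_checker(combolist, reset_hardened))
    print("flagged sources:           ", flag_enumeration(SAMPLE_LOG))
```

The control-probe trick is why “same message for everyone” has to include status code, body, headers and response time; a hardened endpoint that still differs in any one of those remains an oracle. The detector keys on distinct identifiers per source rather than raw request count, which is what separates a checker from a user who retries a reset.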
Key Cybersecurity Insights
This alleged data sale presents a critical and immediate threat to crypto investors:
- Targeted “Whale” Phishing: The most severe risk is spear-phishing. With confirmed names, numbers, and KYC status, attackers can pose as Binance Compliance Officers (e.g., “Your KYC verification for Germany has failed”). This specific context makes scams highly convincing.
- SIM Swapping Risk: Exposed phone numbers tied to high-value financial accounts are the starting point for SIM swapping. Attackers social-engineer or bribe the carrier into porting these specific numbers to a SIM they control, then intercept SMS 2FA codes and drain the accounts.
- Regional Targeting: The focus on specific jurisdictions (like the UAE and EU) suggests the attackers may tailor their campaigns to local regulations (e.g., MiCA compliance in Europe) to create urgency.
- Binance UID Exposure: The UID is not secret (it is shown in the account profile and used in referral links and P2P trades), but its presence confirms the account exists. Note that the UID is an internal Binance identifier, not an on-chain address, so it does not by itself reveal balances; its value to an attacker is in confirming the target and lending credibility to impersonation (e.g. quoting the victim’s own UID in a fake compliance notice), and in linking the record to other leaked data about the same person.
Mitigation Strategies
In response to this claim, Binance users in the affected regions must take immediate action:
- Kill the SMS 2FA: Immediately disable SMS-based Multi-Factor Authentication. Switch to an Authenticator App (Google/Microsoft) or, ideally, a FIDO2 hardware security key (e.g. YubiKey) or a passkey. A phone number that appears in a list like this can no longer be treated as a secure factor.
- Anti-Phishing Vigilance: Be extremely skeptical of any communication claiming to be from Binance, especially regarding KYC updates or account blocks. Binance will never ask for passwords or 2FA codes via email/SMS.
- Email Aliasing: Consider changing the email address associated with your Binance account to a unique alias that is not used anywhere else. This breaks the link between your public identity and your crypto assets.
- Proactive Monitoring: Check if your email/phone has appeared in recent “combolist” leaks using services like Have I Been Pwned. The scrapers likely started with data from other breaches to find your Binance account.
Secure Your Business with Brinztech — Global Cybersecurity Solutions Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com