Other
Binance Bitcoin Exchange Hack - 7,000 BTC (~$40M)
Incident Details
On May 7, 2019, Binance CEO Changpeng Zhao (CZ) announced that hackers had stolen 7,000 BTC (worth approximately $40 million) from the exchange’s hot wallet in a single large transaction. The attackers had spent months accumulating API keys, 2FA codes, and potentially other account access information from a large number of Binance users through phishing campaigns and malware. They then executed the theft in a single coordinated transaction in the early morning hours, structured in a way that passed Binance’s automated security checks. The withdrawal triggered Binance’s risk management systems only after the transaction was already confirmed on the blockchain. Binance suspended deposits and withdrawals for approximately one week while it conducted a security audit. Binance covered the full $40M loss from its Secure Asset Fund for Users (SAFU), an emergency insurance fund Binance had established in 2018, meaning no customer lost any funds. CZ publicly contemplated a blockchain reorganization (reorg) of the Bitcoin blockchain to reverse the theft but decided against it after community backlash. The exchange resumed withdrawals on May 15, 2019. Binance subsequently enhanced its API security controls, including IP address binding and withdrawal address whitelisting requirements. The incident demonstrated the effectiveness of exchange self-insurance funds and the importance of API key security for exchange users.
Technical Details
- Initial Attack Vector: Coordinated attack combining phishing, viruses, and other techniques to steal API keys, two-factor authentication codes, and potentially other user information. The attackers accumulated API keys and 2FA codes from a large number of Binance users over an extended period, then executed the withdrawal in a single large transaction that bypassed Binance's automated risk management systems by exploiting the user-level API permissions.
- Vendor / Product: Binance (world's largest cryptocurrency exchange by trading volume)
Timeline
- 2019-05-07 Breach occurred
- 2019-05-08 Publicly disclosed
- 2019-05-08 Customers notified