TL;DR
- A 94 GB database with about 149M stolen logins included at least 420,000 Binance credentials, plus major consumer accounts like Gmail, Facebook, and Netflix.
- The exposure stems from infostealer malware on user devices, not an exchange breach; Binance monitors dark-web markets, resets passwords, revokes sessions, and urges MFA.
- Kaspersky flagged a game-mod infostealer targeting wallets and 100+ browsers; it can hijack accounts, steal crypto, and install miners across popular exchanges.
January's cyber headlines just hit home for crypto users: a publicly accessible database held about 149 million stolen usernames and passwords, including crypto exchange logins. The uncomfortable reality is that end-user devices are now the front line of crypto security. Researcher Jeremiah Fowler said the 94-gigabyte dataset appeared to be harvested from malware-infected phones and computers and was described in a blog post published by ExpressVPN. The records included at least 420,000 Binance-related credentials, plus logins for Gmail, Yahoo, Facebook, Instagram, Netflix, and TikTok, among others across multiple platforms.
Why this infostealer matters to crypto users
Fowler's snapshot suggests the scale is not theoretical: the dump reportedly contained 48 million Gmail accounts, four million Yahoo accounts, 17 million Facebook accounts, 6.5 million Instagram accounts, 3.4 million Netflix accounts, and 780,000 TikTok accounts, alongside trading and wallet logins. When government domain credentials show up in the same pool, phishing risk moves from nuisance to national security concern. Fowler flagged .gov-linked entries that could enable impersonation of agencies. For crypto teams, this is a credential stuffing scenario, not a single-platform failure. It underscores why saved passwords are a liability.
Binance and outside security specialists moved quickly to frame the incident correctly. This is credential theft via infostealer malware, not a compromise of an exchange's internal infrastructure. A Binance spokesperson said the logins were stolen after users' devices were compromised, while Cyvers CEO Deddy Lavid described it as an end-user leak, not a core system breach. Binance said it monitors dark web markets, notifies affected users, forces password resets, and revokes sessions, and it pushes antivirus, anti-malware scans, and hardware-based MFA. The shift is toward prevention-first controls and password hygiene.
Kaspersky's December 2025 research shows why the attack surface keeps widening. Infostealers are being packaged as game cheats and mods, then used to drain wallets and hijack browser extensions at scale. The variant, discovered in November, can steal crypto and install miners while masquerading as video game cracks, especially for Roblox. Built to work across Chromium and Gecko, it threatens more than 100 browsers, including Chrome, Firefox, Opera, Yandex, Edge, and Brave, and it targeted users of at least 80 exchanges and wallets, from Coinbase to Phantom. Fowler's advice: keep systems updated routinely.



