
Threat Actor Claims Sale of 1.5 Million Binance US Phone Records with KYC Data

Last updated: May 13, 2026
  • A threat actor claims to have 1.5 million Binance US-related phone records with KYC and verification data.

  • No one has confirmed a direct breach of Binance’s internal systems yet.

  • Even unverified crypto datasets can fuel SIM swaps, phishing, and account takeovers.


Here is a fresh warning for crypto users. Another alleged Binance data leak just surfaced online.

This time, the focus is on Binance US. The threat actor claims to possess over a million user phone records for sale.

Details of the Dark Web Listing

On May 12, a cybersecurity account posted an alert on X. A threat actor on an underground forum is now advertising a dataset. They say it contains roughly 1.5 million Binance US-related phone records.

The sample data reportedly includes phone numbers. It also shows verification status indicators and KYC-related attributes. There are country and location fields too.

Account status metadata and potential account validation markers also appear. Terms like “verified,” “KYC,” “USA,” and account-state indicators show up in the sample. Right now, no one knows where this data actually came from. It might not originate from Binance US internal systems at all.

Maybe it’s from a third-party vendor. Or maybe scraped data. Could even be credential stuffing, or SIM/KYC brokerage ecosystems. Your guess is as good as mine right now.

Attackers Love Crypto Phone Records 

Even unverified or fake-looking crypto leaks have real value for hackers. If this data is legit, it's an automatic ticket for SIM swapping campaigns and phishing attacks. Even crypto account takeover attempts become much easier to pull off.

The data also helps with identity correlation. MFA interception attacks become more plausible. Social engineering against high-value crypto holders gets a major boost. Think about this: an attacker pairing phone numbers with KYC plus a little verified checkmark? That's a deadly weapon in crypto.

Why? Because attackers frequently target SMS-based authentication. They also go after recovery workflows. Exchange support impersonation is another favorite trick.

From a threat intelligence standpoint, even partial datasets tied to crypto platforms get monetized fast. Attackers use them to identify likely exchange users. They build victim targeting lists. They conduct credential stuffing. Fake KYC emails become more convincing. So do fake support calls.

Binance Keeps Appearing in Leaks

Binance has appeared in dark web listings more than once lately. Last month, a different threat actor posted on a dark web forum. They claimed to have Binance 2026 leads for sale.

The persistence of Binance-related leaks stands in contrast to broader dark web trends. Recent data shows dark web illicit crypto trade is crumbling, but crypto platforms remain prime targets for data thieves.

That "leads" dataset allegedly contained 1.5 million records too. The sample fields included email, password, full name, phone, and country, as well as last login, KYC status, 2FA status, and account balance in USD. Experts call these kinds of listings “leads”. They often mean scraped or aggregated marketing datasets. The sources mix breaches, infostealer logs, and phishing data.

The presence of fields such as 2FA status and balance suggests potential enrichment, or even fabricated data. No one has confirmed a direct Binance breach there either.

Then in March, cybersecurity platform VECERT reported something similar. A threat actor named PexRat offered a private database for sale. It contained personal info of 1.5 million Binance users. That leak allegedly included full names, emails, phone numbers, and KYC status. Even last login IP addresses, device user agents, and 2FA statuses showed up.

VECERT found that Binance’s internal servers were not directly breached. Instead, the attacker used credential stuffing and scraping. They likely bypassed or abused Captcha security mechanisms.

This followed a January report by researcher Jeremiah Fowler. He found roughly 420,000 Binance-linked credentials exposed by infostealer malware.

What’s Next?

These claims have not been confirmed yet. No official confirmation has come from Binance US or any authority. The origin and freshness of the alleged data are still unknown. Underground forums often recycle older leaks. Some datasets come from scraping or prior breaches.

Actors also falsely label unrelated data as “Binance” to boost value. So take a deep breath, but stay alert. If this leak turns out to be real, act fast. Ditch SMS MFA. It’s too easy to break. Instead, go for a hardware key or authenticator app.

Review your account recovery settings right now. Monitor for SIM swap indicators like sudden phone service loss. Stay cautious of fake Binance support communications.

Verify every exchange-related email and SMS carefully. Crypto platform users should watch for urgent KYC update requests. Fake withdrawal alerts are common too. Be alert for spoofed customer support calls. Watch out for QR-code phishing attempts. MFA reset scams are on the rise as well.

Here’s the bottom line. Unverified doesn’t mean it’s harmless. In crypto, even scraps of data might make you lose money. So don’t wait for confirmation. Lock down your accounts now.


About the Author

Memchick E

Digital Privacy Journalist

Memchick is a digital privacy journalist who investigates how technology and policy impact personal freedom. Her work explores surveillance capitalism, encryption laws, and the real-world consequences of data leaks. She is driven by a mission to demystify digital rights and empower readers with the knowledge to protect their anonymity online.
