A new cybersecurity alert has raised concerns around Binance user security after VECERT reported on March 28, 2026 that a threat actor using the alias PexRat was offering a database of roughly 1.5 million Binance account login records for sale. The alleged dataset appears broad enough to support targeted fraud campaigns rather than simple opportunistic spam.
According to the report, the records allegedly include names, email addresses, phone numbers, KYC status, last-login IP addresses, device user agents and information on whether users had two-factor authentication enabled. That combination of identity, device and security data significantly increases the risk of account-takeover attempts through phishing, SIM-swap attacks and other forms of social engineering.
🚨 FINANCIAL INTELLIGENCE ALERT: Binance Database Leak (1.5M Users) 🌐💰
Our Analyzer platform has detected one of the most critical threats to the cryptocurrency sector so far this year. Threat actor PexRat has put up for sale a private database affecting approximately 1.5… pic.twitter.com/IjgHL3DwMR
— VECERT Analyzer (@VECERTRadar) March 28, 2026
Binance says the issue points to compromised user devices, not a platform breach
Binance pushed back quickly on the implication of an internal systems failure. Chief Security Officer Jimmy Su said the company found no indication that Binance’s core systems had been compromised, and instead linked the exposed credentials to InfoStealer-style malware operating on infected user devices. The exchange also said it had started notifying affected users, forcing password resets and revoking active sessions as part of its immediate containment response.
Fake news. 4.
The sample data only have email addresses and plaintext passwords. No PII data as claimed in the above post.
This is a scam and the sample data likely came from end-point malware such as Infostealer that does credential harvesting.
The other clue is the…
— CZ 🔶 BNB (@cz_binance) March 29, 2026
The broader reporting describes two possible collection patterns behind the leaked data. One line of analysis suggests the sale listing may be tied to scraping or credential-stuffing activity that exploited an alleged captcha bypass in a login interface or API; Binance's own explanation points instead to malware harvesting credentials directly from end-user devices. Taken together, the reports suggest the event may reflect a layered threat environment rather than a single, easily defined source.
The leaked fields could make attacks more precise and more dangerous
The details reportedly included in the dataset would give attackers a much clearer playbook for deciding whom to target and how. Phone numbers and KYC status can help prioritize higher-value accounts, while last-login IP addresses and device user agents can be used to create more convincing fake security alerts or mimic familiar-device behavior. The inclusion of two-factor authentication flags is especially sensitive because it tells an attacker whether to focus on SMS interception, email compromise or other bypass methods.
This is not the first time Binance-linked credentials have appeared in a larger cybercrime context. In January 2026, around 420,000 Binance-related credentials were identified within a much larger dataset of roughly 149 million records tied to InfoStealer malware. That earlier disclosure, combined with the latest sale listing, reinforces a pattern in which user-side infections appear to be a recurring source of sensitive account exposure.
The immediate risk is targeted fraud, not just data leakage
What makes this event particularly serious is the operational value of the alleged records. Attackers with access to real names, login metadata and security-method information can run more credible phishing campaigns, target SMS-protected users for SIM swaps and test reused passwords across other services. They can also use KYC indicators to manipulate support teams or design more tailored identity-fraud attempts.
This kind of user-side credential exposure can still create platform-wide fraud pressure even without any breach of the exchange’s internal systems. Binance’s forced resets and session revocations are logical first steps, but the repeated appearance of Binance-linked records in malware-related leaks suggests that stronger endpoint hygiene, tighter session-anomaly controls and heavier nudges toward non-SMS two-factor authentication will remain necessary.
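As an added illustration of the containment pattern described above (notify, revoke sessions, force a reset, steer users off SMS-based 2FA), here is example code that is not Binance's own; the account records, the PBKDF2 storage scheme and the leaked email/password rows are all constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    pw_hash: bytes          # salted PBKDF2 hash (assumed storage scheme)
    salt: bytes
    tfa_method: str         # "none", "sms", "totp" or "hardware"
    sessions: set = field(default_factory=set)

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(email: str, password: str, tfa: str, sessions) -> Account:
    salt = os.urandom(16)
    return Account(email, hash_pw(password, salt), salt, tfa, set(sessions))

def contain_leak(accounts, leaked):
    """Apply containment steps to accounts that appear in a credential dump.

    `leaked` is an iterable of (email, plaintext_password) pairs, the shape
    the sample data was said to have. Returns {email: [steps taken]}.
    """
    by_email = {a.email.lower(): a for a in accounts}
    actions = {}
    for email, pw in leaked:
        acct = by_email.get(email.strip().lower())
        if acct is None:
            continue                      # not one of our users
        # Infostealers also harvest browser session cookies, so revoke all
        # sessions even when the leaked password is stale.
        acct.sessions.clear()
        steps = ["notify_user", "revoke_sessions"]
        # Constant-time check: is the leaked password still the current one?
        if hmac.compare_digest(hash_pw(pw, acct.salt), acct.pw_hash):
            steps.append("force_password_reset")
        # Leaked records flagged 2FA status; SMS and no-2FA users are the
        # ones exposed to SIM-swap and simple credential replay.
        if acct.tfa_method in ("none", "sms"):
            steps.append("nudge_app_or_hardware_2fa")
        actions[acct.email] = steps
    return actions
```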
