Binance Co-CEO Yi He Hacked via WeChat as Web2 Risks Intensify for Crypto Executives

In a jolt to the perception of security around crypto leadership, Binance’s newly appointed co-CEO Yi He disclosed that her WeChat account was hijacked after an old mobile number was seized, underscoring how Web2 messaging channels can be weaponized to impersonate top executives in the digital asset space. The incident illuminates a broader trend: high-profile crypto figures face rising risks as attackers exploit telecom and social platforms with increasing sophistication. As Binance navigates leadership transitions and market volatility, the episode serves as a stark reminder that cyber resilience must match the speed of innovation fueling the industry.

Lookonchain, a blockchain analytics firm, flagged that after the breach, attackers promoted a token called Mubarakah and pumped its price, with figures suggesting the scheme netted roughly $55,000. Confirmatory threads and posts from industry watchers point to a pattern: a compromised account can become a launching pad for social engineering, market manipulation, and reputational damage, often within hours of takeover. The timing matters, too—the disclosure followed Binance’s announcement that Yi He had joined as co-CEO, a milestone that also drew attention to security practices at the uppermost tiers of the ecosystem.

To provide context, the crypto sector has seen a string of WeChat-related compromises in recent years, including a notable breach involving Tron founder Justin Sun in November. The risk calculus for executives has grown more complex as attackers leverage trusted channels for rapid, covert incursions. SlowMist founder Yu Xuan has repeatedly warned that the barrier to entry for account takeover can be surprisingly low, exploiting both credential exposure and the social graph of a target’s contacts. This article dissects what happened, why it matters, and how leaders and firms can bolster defenses against similar vectors.

WeChat and Web2: A Growing Threat to Crypto Leaders

The core problem is not just a single platform but the convergence of Web2 identity, telecom infrastructure, and social graphs that trusted insiders rely upon daily. WeChat remains a dominant communications channel in China and a hub for informal exchanges, OTC talk, and operational coordination for some crypto teams. When a phone number is reissued or ported to a new device, control over a user’s account recovery flows can slip into the hands of bad actors. In Yi He’s case, the attackers leveraged an old mobile number to reauthenticate, seize control, and use the platform’s authority to propagate an attack-friendly token—an approach that blurs the line between credential theft and social engineering.

From a strategic perspective, the incident signals that even executives with access to large toolkits—cold wallets, enterprise-grade security, and enterprise risk management—still face exposure if their primary communications channels are not guarded as assets. This is not a one-off glitch; it reflects a broader, systemic vulnerability in how leadership teams interact with Web2 services and how those services handle authentication, recovery, and identity binding.

What Happened to Yi He: A Timeline of Events

According to Yi He’s post on X, the WeChat takeover occurred after the associated phone number had been seized and the account could not be recovered through standard channels. The key point she underscored was the fragility of mobile-based authentication when telecom processes allow number portability or reissuance after cancellation. The direct consequence is not only loss of access but a platform-wide avenue for impersonation and misrepresentation, which can ripple through a project’s token sentiment and liquidity dynamics.

Meanwhile, Lookonchain’s analysis connected the breach to a spike in a small-cap token’s price, illustrating how quickly attacker-driven promotions can inflate a digital asset’s market activity. The $55,000 figure cited by the platform is a reminder that even smaller-scale token pumps can be meaningful when they occur on the heels of an account compromise. For financial and risk officers at crypto firms, this demonstrates the need to monitor not just wallet activity but the downstream social signals that can accompany an account takeover.

Context: A Pattern of Takeovers Among Crypto Figures

The episode with Yi He sits among a cluster of high-profile incidents that expose the fragility of Web2-linked identities in crypto. Earlier this year, Binance’s co-founder Changpeng Zhao (CZ) noted that he no longer uses WeChat, yet warned the community not to trust any memecoin contract addresses associated with outdated accounts. The warning reflects a broader industry practice: leaders publicly distancing themselves from active CTAs that could be misrepresented on compromised channels.

Another incident in the ecosystem involved BNB Chain’s official X account, which, on October 1, 2023, posted phishing links after a breach. Although Binance and BNB Chain subsequently reimbursed affected users, the event underscored how quickly a compromised official account can become a vector for fraud. The recurring theme is clear: even when organizations have strong security protocols, the human factor—how executives communicate, whom they trust, and which platforms they use—can introduce critical risk points.

Understanding the Attack Vectors: Why Are WeChat and SIM-Based Channels Vulnerable?

Two intertwined factors explain why these incidents persist: the social graph and the telecom-based recovery loop. Social networks create a web of trust; if an attacker can access a few “friendly” contacts or a trusted group, they can exploit that network to gain access or to persuade others to share authentication signals. At the same time, SIM-based and phone-number-recovery schemes create a recovery path that is both convenient and exploitable, especially when telecom operators reissue numbers after a short window of cancellation.

From a technical standpoint, credential stuffing—the reuse of leaked usernames and passwords across multiple sites—remains a common entry point. Once an attacker has one credential, if the target uses the same password for WeChat or for an email account tied to the crypto operation, the door opens wide. Add to that the propensity for social engineering in messaging apps and the lure of quick-token promotions, and you have a potent mix that can lead to a full takeover before a standard alert system can respond.

How Credential Stuffing and SIM Swap Enable Takeovers

Credential stuffing relies on data breaches from unrelated services. If a compromised credential is used to log into a messaging platform, attackers can trigger password resets, intercept one-time codes, or leverage trust in known contacts to bypass additional verification steps. SIM swap attacks, on the other hand, involve reassigning a mobile number to a device controlled by the attacker. In practice, this means the account’s ongoing verification through SMS codes can be intercepted, allowing the attacker to authenticate from a new device and stabilize control over the account.

In some scenarios, attackers exploit the inertia of a person’s social circle. By contacting frequent contacts or group members—often those who have a passive relationship with the target—an attacker can request password resets or verification codes under plausible pretenses. SlowMist’s analysis emphasizes that even brief interactions with a few “friendly” faces in a network can be sufficient to pivot into a compromised account, especially if the platform’s identity reassignment and recovery procedures are lax or poorly monitored.

WeChat’s Recovery Practices and Telecom Realities in China

The reality in many markets is that mobile operators may reissue a canceled or inactive number within a window that can be exploited by attackers. In China, carriers historically reallocate numbers within a short period after cancellation, creating an opening for credential stuffing, SIM-based recovery abuse, and targeted social engineering. This systemic gap is not a flaw in a single service but a structural vulnerability in the way identity and device recovery are managed in certain regions and ecosystems.

For executives who rely on messaging channels for fast coordination, the risk is not only losing access but enabling impersonation that can distort governance, trading decisions, and public communications. The incident with Yi He is a reminder that even trusted channels must be secured, monitored, and complemented by redundant authentication pathways that minimize the impact of a loss of control on any one channel.

Lessons and Best Practices for Crypto Executives and OTC Desks

What follows are concrete, practical steps that leaders and their teams can implement today to reduce exposure to similar takeovers. The goal is not to aim for perfection but to raise the bar for security hygiene across the most sensitive channels and workflows.

Immediate Actions for Leaders and Teams

  • Prune and audit contact lists regularly. Limit the number of people who can initiate password resets, and review who has permission to request or confirm account changes. Remove dormant or unknown contacts from critical groups.
  • Rotate passwords and review recovery options. Implement a policy of password rotation every 90 days for essential accounts and ensure recovery options rely on multiple independent channels rather than a single SMS-based path.
  • Adopt hardware security keys and app-based 2FA. Move away from SMS-based 2FA for accounts with executive access or wallet operations; use WebAuthn-compatible keys or authenticator apps with backup codes stored securely offline.
  • Institute dedicated cyber incident playbooks for social engineering. Create runbooks for suspected impersonation attempts, including rapid verification of requests through official channels and a clear escalation path.
  • Establish device hygiene and login alerts. Enable comprehensive login alerts, location-based sign-in notifications, and geofence-based restrictions for sensitive accounts, with automatic lockouts on suspicious activity.
  • Separate personal and professional channels. Maintain professional communication on enterprise-approved platforms; avoid casually using personal numbers or casual messaging apps for governance-related discourse.
  • Use multi-factor, multi-channel verification for sensitive actions. Require independent verification via a secondary channel (e.g., a pre-registered email or in-person verification) before any critical operation is authorized.
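As an added example (not code from the article, Binance, SlowMist or any platform it names), a small Python detector for the login-alert and recovery checks recommended above. It flags the sequence the article describes: an SMS-based recovery from a device the account has never signed in from, followed within hours by a burst of token promotion from that device. The event records, keywords and recovery-method names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events for one account (not real WeChat or Binance
# logs): a normal day, then an SMS recovery from a never-seen device
# followed within the hour by a burst of token promotion.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T08:00:00", "type": "login", "device": "phone-known"},
    {"ts": "2025-01-10T12:30:00", "type": "message", "device": "phone-known",
     "text": "Meeting moved to 3pm"},
    {"ts": "2025-01-10T21:05:00", "type": "recovery", "method": "sms",
     "device": "phone-unknown"},
    {"ts": "2025-01-10T21:07:00", "type": "login", "device": "phone-unknown"},
    {"ts": "2025-01-10T21:20:00", "type": "message", "device": "phone-unknown",
     "text": "New token launching, buy now! CA: 0xEXAMPLE"},
    {"ts": "2025-01-10T21:25:00", "type": "message", "device": "phone-unknown",
     "text": "Huge pump incoming. CA: 0xEXAMPLE"},
    {"ts": "2025-01-10T21:40:00", "type": "message", "device": "phone-unknown",
     "text": "Last chance to ape in. CA: 0xEXAMPLE"},
]
PROMO_WORDS = ("buy now", "pump", "ca:", "launch")  # constructed heuristic list

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def looks_promotional(text):
    """Crude keyword heuristic for token-promotion content."""
    return any(w in text.lower() for w in PROMO_WORDS)

def detect_takeover(events, window=timedelta(hours=6), min_promos=2):
    """One finding per SMS recovery from a device with no prior login that is
    followed within `window` by >= `min_promos` promotional messages."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "recovery" or ev.get("method") != "sms":
            continue
        prior_devices = {e["device"] for e in events[:i] if e["type"] == "login"}
        if ev["device"] in prior_devices:
            continue  # recovery from a device the owner already used
        deadline = _ts(ev) + window
        promos = [e for e in events[i + 1:]
                  if e["type"] == "message" and e["device"] == ev["device"]
                  and _ts(e) <= deadline and looks_promotional(e["text"])]
        if len(promos) >= min_promos:
            findings.append({"recovery_at": ev["ts"], "device": ev["device"],
                             "promo_messages": len(promos)})
    return findings

def recovery_risk(methods):
    """'high' when SMS is the only recovery path (the article's failure
    mode), 'low' when a hardware key or authenticator app is enrolled."""
    if {"webauthn", "totp"} & set(methods):
        return "low"
    return "high" if set(methods) <= {"sms"} else "medium"
```

In production the keyword heuristic would be replaced by the platform's own abuse classifier; the structural signal (unknown device plus SMS recovery plus outbound burst) is what the alerting rule should key on.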

Long-term Security Architecture: From Web2 to Web3 Readiness

  • Redesign identity with decentralized or interoperable frameworks. Explore ID solutions that bind a person to a cryptographic identity across platforms, reducing reliance on single-control, Web2 channels for recovery.
  • Strengthen governance with hierarchies and role-based approvals. Require multi-person approvals for large transfers, with escalation paths for suspected compromise and routine audits of admin privileges.
  • Embed security-by-design in communications tooling. Choose platforms with built-in security features, robust audit logs, and enterprise-grade access controls tailored for crypto operations.
  • Invest in continuous red-teaming and phishing simulations. Regularly test the organization’s resilience to social engineering and account takeover attempts, adjusting defenses based on findings.
  • Coordinate with telecom operators on port-out protection. Seek enhanced authentication for SIM reassignments, such as PINs, biometric checks, or carrier-delivered notifications when critical numbers are ported.

Industry Response and Safeguards

The community’s reaction to Yi He’s disclosure has been to underscore reputational resilience and operational preparedness. SlowMist’s guidance—avoiding casual contact with unfamiliar accounts, rotating credentials, and reacting swiftly to login alerts—aligns with a growing consensus: protect the identity funnel as a top-tier asset. Binance, for its part, has shown a willingness to publish updates and engage in dialogue about security best practices, even as leadership transitions continue. The broader takeaway is that the ecosystem must treat executive communications channels with the same care as private keys or wallet endpoints.

From regulators’ perspective, the incidents add weight to calls for higher accountability in exchange security practices and clearer disclosure obligations when executive accounts are compromised. While there is no one-size-fits-all solution, the industry’s momentum is toward stronger multi-channel authentication, improved recovery workflows, and explicit governance around official communications published through social platforms.

For exchanges and OTC desks, the lessons are acute. Trading floors are only as strong as their messaging lanes, and the ability to authenticate and verify a request in real time becomes a competitive differentiator. The incident also raises questions about whether social platforms should implement more rigorous verification for accounts associated with major crypto projects, and whether exchanges should provide official channels that are immune to impersonation risk during periods of high volatility or leadership change.

What Platforms and Leaders Are Saying

Changpeng Zhao, Binance’s co-founder, has repeatedly stressed caution about using WeChat for high-stakes crypto activity and has publicly distanced himself from memecoin contracts linked to old addresses. His stance illustrates a broader industry pivot toward safer channels for authoritative communications while maintaining openness to community engagement on controlled platforms. The incident also reinforces the importance of public awareness: even the most tech-savvy executives must be cautious about where and how they interact publicly, particularly when their remarks can move markets in real time.

Industry commentators emphasize that leadership must model secure behaviors—from password hygiene to how they authorize critical actions. The risk of “settling for convenience” by reusing credentials or relying on SMS-based verification becomes unacceptable when the consequences include compromised governance and potential financial losses for users and stakeholders.

Conclusion: Turning Lessons into Actions

The WeChat hijack of Yi He is more than a singular incident; it is a diagnostic signal for the crypto sector. The event reveals how intertwined Web2 identity, telecommunications practices, and social networks have become with the operational risk of digital assets. As the industry scales, the risk surface expands, but so do the opportunities for smarter defenses. The path forward is not about eliminating risk entirely—an impossible task in a fast-moving tech landscape—but about applying rigorous controls, diversified authentication, and governance that can endure leadership transitions and the inevitable frictions of a digital economy.

For LegacyWire, reporting on these developments means translating technical risk into practical guidance for executives, investors, and enthusiasts who seek to understand not only what happened but how to prevent it from happening again. The aim is to empower readers with actionable steps, credible sources, and a forward-looking perspective on how the crypto industry can reinforce trust through robust security practices, transparent communication, and smarter technology choices.

FAQ

  1. What exactly happened to Yi He? Yi He reported that her WeChat account was hijacked after an old mobile number was seized, preventing recovery through typical channels and enabling attackers to take control and use the account for impersonation and promotional activity tied to a token pump.
  2. Why is this a broader issue for crypto executives? Because many leaders rely on Web2 messaging and telecom-based recovery for day-to-day coordination, which can become vulnerable if numbers are ported or devices are compromised, enabling social engineering at scale.
  3. What can executives do immediately to mitigate risk? Prune risky contacts, rotate passwords, enable hardware-backed 2FA, separate personal and professional channels, and implement multi-channel verification for critical actions, plus real-time login alerts and device controls.
  4. What long-term changes are recommended? Adopt identity frameworks that transcend single platforms, enforce multi-person approvals for sensitive operations, harden recovery workflows, and push for telecom port-out protections and enterprise-grade security for official accounts.
  5. Are there signs this is common beyond Binance? Yes—instances involving Justin Sun and other executives show a pattern of account takeovers across high-profile crypto figures, indicating systemic vulnerabilities tied to the Web2 layer and telecom infrastructure that require industry-wide attention.
  6. Will exchanges reimburse users affected by account compromises? Incidents to date show mixed results: some platforms have reimbursed users for losses tied to compromised accounts, though coverage depends on the specifics of each case and the platform’s policy, making robust preventive measures even more critical.
  7. What role does education play in preventing these attacks? A vital one. Continuous training on phishing awareness, social engineering defenses, and the importance of safeguarding communications channels helps reduce risk, complementing technical controls.
