Login
Sign Up
Woofun AI reports that a severe security dispute has erupted between Gate exchange and user 'The First Beauty (@jheioff)', involving the unauthorized withdrawal of approximately $1.7 million in assets. The incident, which came to light on July 8 via a post on X by the user, has triggered a complex investigation into potential vulnerabilities in biometric authentication systems. Written by Sanqing for Foresight News, the report highlights a stark contradiction between the user’s claim of zero involvement and the exchange’s backend logs showing successful verification steps. This conflict has not only raised questions about the integrity of Gate’s security protocols but also sparked widespread anxiety within the crypto community regarding the reliability of facial recognition technology against sophisticated attacks.
The core of the financial loss involves five distinct withdrawals executed on July 7, totaling 49.96 ETH, 746,475 HSK, and 1,565,982 USDT, which collectively amount to roughly $1.7 million. The user asserts that her account was fortified with multiple layers of security, including mobile verification, Google Authenticator, and email verification. Despite these safeguards, she states she never received any verification codes on her phone during the unauthorized access period.
Furthermore, she denies providing any biometric data, such as videos, ID photos, or screen recordings required for high-risk operations. This denial stands in direct opposition to the exchange’s records, which indicate that all necessary security checks were completed successfully, suggesting either a breach of the user’s devices or a failure in the platform’s verification logic.
Gate’s official timeline reveals a sequence of account modifications beginning on July 4, when a 'new device' initiated a request to reset password and security settings. According to the exchange, this request was approved only after passing liveness face verification—a process designed to detect real-time facial movements to distinguish live persons from static images or videos—alongside SMS and email verification codes. The following day, July 5, the account proceeded to unbind its associated phone number. This action was authenticated using a screenshot of a 2019 Alipay C2C transaction payment, a method intended to prove historical ownership of the account. These steps indicate a systematic dismantling of the account’s existing security framework by the unauthorized actor.
The escalation continued on July 6, when the login password and fund password were changed, and the Google verification was reset, effectively locking out the original owner from standard recovery methods. On July 7, the account was accessed via the web version of a 'legacy old device' identified as a Mac. From this session, the attacker submitted withdrawal requests to new addresses. Each withdrawal underwent a full verification process, including liveness face verification, Google verification codes, and fund password checks, before being approved. Subsequently, the new withdrawal addresses were added to the exemption whitelist, allowing for future transactions without repeated high-level verification. This sequence demonstrates a thorough compromise of the account’s administrative controls.
Specific technical evidence provided by Gate intensifies the dispute. The face recognition event recorded at 7:44 PM on July 4 (UTC+8) is linked to IP address 42.200.39.1XX and an iPhone 14 device. The system logged a 'low risk of non-live person' and 'high consistency' with the face in the KYC archive, suggesting the biometric check was passed. Around 3 AM on July 5, the account owner submitted a video holding an ID document along with handwritten notes for unbinding verification.
Additionally, the screenshot of the 2019 Alipay C2C transaction submitted at 9:26 PM on the same day was cross-verified by Gate against their own records, matching specific payment amounts from '10:28 PM on October 9, 2019.' These details form the backbone of Gate’s defense that the legitimate owner performed the actions.
Woofun AI data shows, The user’s rebuttal directly challenges these technical assertions. She clarifies that her current device is an iPhone 16 Pro, and her previous device was an iPhone 13, neither of which matches the iPhone 14 recorded by Gate. She also states she was asleep at 3 AM and could not have submitted the ID video or the Alipay screenshot.
However, she admits that the login via the Mac web version on July 7 might have occurred through her browser, as she typically keeps exchange websites open. She argues that mere login does not equate to responsibility for subsequent security changes or withdrawals. She demands an explanation for the internal private IP address 10.0.10.9 shown in the logs, as well as the undisclosed device fingerprint and actual public IP address, suggesting that the logs may reflect internal platform actions rather than user-initiated events.
Gate responded that operations involving internal IP addresses are handled manually by customer service after identity verification, which explains the presence of 10.0.10.9 in the logs. The platform considers many of the requested details, such as device fingerprints, as confidential core risk control information that cannot be disclosed publicly. Regarding the Alipay records, community doubts existed about the ability to retrieve transactions from five years ago.
However, tests by the author against Alipay’s official help center confirmed that bill records can be queried permanently, and even deleted records can be retrieved through 'issuing a transaction statement.' By July 9, Gate confirmed the 2019 Alipay screenshot was authentic, theoretically implying the account holder logged into Alipay to create it. Gate also addressed rumors about altered account emails, clarifying that @mail.bter.com and @mail.gate.io addresses were placeholder emails automatically generated for phone-only registrations, used only for backend information and not for independent login or third-party binding.
Community theories regarding the breach point to various vulnerabilities. @hebi555 suggested attackers may have used leaked KYC data and AI face-swapping technology to create videos capable of passing liveness checks. @ChzhshchAI and @datiezi suspected insider involvement based on the abnormal internal IP address. @dajingou1 proposed a Trojan virus implanted in the device for long-term data theft. Another theory posits that the KYC information did not belong to @jheioff but was obtained using someone else’s identity. Precedents in traditional finance support the feasibility of biometric bypasses. In 2022, Beijing police reported a case where a Bank of Communications customer’s funds were stolen after an attacker bypassed liveness face verification six times, involving over 2 million RMB. A 2021 test by Tsinghua University’s RealAI team showed that adversarial examples could bypass liveness recognition on 19 Android phones within 15 minutes, highlighting the persistent risk of such technologies.
The market reaction to the incident was swift and significant. Warning posts from accounts like @xiaomustock and @0xfengxun spread rapidly, prompting immediate precautionary withdrawals. @forevergalxy and others criticized Gate for promoting positive narratives while avoiding key evidence. Consequently, Gate experienced a net outflow of approximately $86.58 million in the 24 hours following the incident, significantly higher than other exchanges during the same period. This financial movement underscores the erosion of trust, as users vote with their feet in response to perceived security failures. The exchange’s staged release of statements and timelines has been viewed as an attempt to use transparency to counter trust losses, but the delay in resolution has only deepened the confusion.
This incident serves as a critical case study for security best practices. Users are advised to implement delayed payouts and manual reviews for 'exemption whitelist addresses' to prevent automatic approvals of large withdrawals. It is recommended to turn off cloud synchronization for two-factor authentication tools and set strong, unique passwords for them. Users should verify the actual sender display names of official verification SMS/email messages to avoid phishing attempts and set up memorable anti-phishing codes. Regular checks of linked email addresses are essential, especially for older accounts with placeholder emails.
Furthermore, minimizing the retention and sharing of clear, multi-angle facial photos and videos on social media is crucial, as these materials can be used to train AI models for face-swapping attacks. Avoiding public disclosure of holding sizes also reduces the risk of targeted social engineering attacks, ensuring that personal data does not become a liability in the event of a breach..