Skip to main content
Looking for your next role?
December 10, 2025
October 11, 2025

When Legacy Systems Fail The Web2 Weakness Behind Yi He’s WeChat Compromise

Binance co-CEO Yi He’s compromised WeChat account has ignited renewed concern about social engineering on legacy Web2 platforms—offering a stark reminder that even industry leaders are not immune to digital impersonation attacks.

High-profile WeChat breach sends shockwaves through crypto circles

Yi He, co-founder and newly appointed co-CEO of Binance, revealed through an X post that her WeChat account had been hijacked after hackers seized her former mobile number. “WeChat was abandoned long ago, and the phone number was seized for use. It cannot be recovered at present,” she stated in the translated message.

The breach underscores how outdated social platforms can become gateways for cyber exploitation in the modern cryptocurrency ecosystem. Unlike decentralised Web3 tools, Web2 systems such as WeChat still link identity to mobile numbers, creating vulnerabilities long after accounts are inactive.

Blockchain analytics firm Lookonchain uncovered that following the compromise, the attackers exploited Yi He’s identity to promote a token dubbed Mubarakah. The scam reportedly generated an illicit profit of around $55,000 by manipulating the token’s price—an example of how social credibility can be weaponised in crypto frauds.

The incident came just days after Binance CEO Richard Teng announced Yi He’s appointment as co-CEO during Binance Blockchain Week in Dubai, describing the promotion as a “natural progression” for the exchange.

Recurring compromises: the pattern of hijacks on Web2 messaging apps

This is not the first attack targeting high-profile figures in the blockchain space through WeChat. In late November, Tron founder Justin Sun reported a similar account takeover. He had to contact platform administrators to recover access, mirroring the latest sequence of events now troubling Yi He.

While the motives vary, such compromises often serve as precursors to phishing campaigns and fraudulent token promotions that spread rapidly across crypto communities. As Web3 ecosystems increasingly intersect with older communication networks, the disconnect between decentralised identity systems and centralised apps has become a prime target for cybercriminals.

SlowMist’s security expert details the attack vector

Following the attack, Yu Xuan, the founder of Singapore-based blockchain security firm SlowMist, revisited his previous research to break down how WeChat account takeovers occur. He warned that obtaining control over an account can be alarmingly simple under the right conditions.

According to Yu’s tests, if an attacker already possesses leaked login credentials, they can gain full access merely by reaching out to two “frequent contacts”—a vulnerability made possible by WeChat’s account recovery systems. The contacts might not even be individuals who were directly messaged; being connected once via a mutual group or friend list may suffice to validate the attacker’s claim.

In China, telecommunications providers recycle unused mobile numbers within a three-month period after deactivation. This system inadvertently enables “SIM-linked recovery abuse”, where hackers exploit reassigned numbers to hijack digital identities for social engineering or credential stuffing campaigns.

Yu emphasised that this recovery pipeline is severely outdated and inherently unsafe, especially for individuals involved in blockchain, decentralised finance (DeFi), or crypto recruitment circles who routinely handle wallet data and transaction communication. He urged high-profile users and OTC traders to minimise risk exposure by:

  • Deleting or limiting old and unknown contacts on their messaging apps;
  • Rotating passwords and leveraging decentralised authentication systems;
  • Reacting immediately to unknown login or recovery alerts.

Social engineering meets executive impersonation

WeChat’s closed infrastructure and reliance on SIM-linked verification make it particularly appealing to hackers pursuing social trust exploits. Once access is gained, impersonating a prominent crypto executive can have instant financial consequences—both for investors and for platform credibility.

In Yi He’s case, the use of her dormant profile to promote a low-cap token demonstrates the speed with which malicious actors can weaponise brand recognition in crypto circles. This blend of Web2 identity hijacking and on-chain exploitation highlights an ever-growing threat: social engineering within hybrid digital spaces.

For blockchain recruiters, exchanges, and companies managing blockchain talent, the attack reinforces the criticality of continuous security awareness training. In Web3 recruitment operations, online communication channels—whether Telegram, LinkedIn, or WeChat—are integral to professional networking. Any breach along this chain jeopardises trust and exposes sensitive data to phishing or wallet-related scams.

Reactions from Binance leadership and heightened caution

Binance co-founder Changpeng “CZ” Zhao, who stepped down from his CEO post in late 2023, echoed Yi He’s statement in a separate X post. He clarified he had not used WeChat “for a long time”, but reiterated that he would never promote any memecoin contract addresses via that account. His message served as a direct warning to users to treat all unverified posts on compromised accounts with suspicion.

This advisory follows a string of compromises affecting high-profile exchange-owned social platforms. In October, BNB Chain’s official X account was hijacked by unknown attackers who published ten phishing links before being contained. Around $8,000 in user funds were siphoned before Binance reimbursed all account holders in full—a relatively mild fallout compared to similar multimillion-dollar breaches.

These repeated incidents—spanning both communication apps and verified company profiles—signal a broader need for multi-layered authentication beyond Web2 security norms. As leadership transitions take place within exchanges such as Binance and others, social account security is now part of broader executive threat management.

SlowMist’s ongoing role in Web3 defence and talent implications

SlowMist has long operated on the frontlines of blockchain security, conducting forensics and incident response for major centralised and decentralised entities. Its latest advisory builds on the rising need for web3 recruitment of cybersecurity professionals adept at bridging both traditional infrastructure and blockchain-native systems.

Industry-wide, the demand for expert DeFi recruiters and crypto recruitment agencies specialising in compliance, authentication, and digital identity management continues to surge. The growing sophistication of social engineering attacks—combined with high executive visibility—means security must now be factored into organisational hiring strategies, not just technology protocols.

SlowMist founder Yu Xuan’s advice resonates deeply across this professional spectrum: vigilance is no longer optional. Whether for traders, Web3 developers, or blockchain executives, the new era of “credential warfare” demands disciplined operational hygiene. From rotating compromised credentials to reassessing digital footprints, his recommendations point to a decisive truth—the human layer remains the most critical vulnerability in the decentralised age.

As Web3 expands and cross-platform communication remains a necessity, the crypto community finds itself at an inflection point between convenience and control. The message from SlowMist and Binance leadership alike is clear: decentralisation may empower the future, but human missteps can still compromise it in seconds.