Investigating the ‘Dark Phantom’: Short Currency Prices to Rob All Leading Exchanges, Except for Binance

July 24th, 2018 at 2:08 pm UTC · 7 min read

The FCoin security team uncovered that a number of bot accounts had been activated for “even trading”, executing buy and sell orders every 5 seconds to attempt to suppress the price.

Luo Zhiquan, a senior quantitative team leader, had been watching these accounts. He found that they came from a highly coordinated team, with IP addresses traced to Japan, Taiwan and Hong Kong. Some of the IP addresses even came from the Tokyo Stock Exchange. This highly coordinated team is known in the industry as “Dark Phantom”.

An interesting point is that Dark Phantom has been spotted on Huobi, OKEx, ZB, and now FCoin, but has so far spared Binance. A bloody war among exchanges is about to break out, and will only become more real and impactful over time.

Bots Come to Life

As part of the external security team for FCoin, Luo Zhiquan was alerted by data anomalies during the afternoon of July 21.

Many accounts with very few transactions after their registration were suddenly activated for “even trading”.

They sold FT at a low price every 5 seconds. “This is the spearheading of sell orders.” Meanwhile, a large volume of USDT was shown in some accounts, which started to execute buy orders in a regular pattern. The interval between buying and selling was only 1 second. A battle of life and death ensued.

FCoin took immediate action and froze the abnormal accounts. However, they soon found out more bots were quickly activated. The opponent was fierce. If accounts with the USDT trading pair were frozen, they would immediately activate those with the ETH trading pair, a cunning tactic.

Jeff, quantitative trader speaking against the bot accounts, said:

“They have been planning this for a long time… there are numerous bot accounts hidden just for the battle.”

After the market had been suppressed, many users succumbed to fear and started underselling FT, leading to price drops of up to 14%.

“As a matter of fact, you don’t need too much funding to influence the market sentiment. To speculate in currency is to utilize sentiment.”

Jeff claimed that they had taken advantage of people’s fear in a bear market.

Obviously, FCoin noticed these negative influencers. On the morning of July 22, FCoin made an emergency announcement, saying that FT prices were being deliberately suppressed by a serial program trading with the intent of diverting the market direction. FCoin took a series of actions against the “malicious short selling”. They closed market orders of 3 FT-related trading pairs and set the upper limit of daily selling of each pair to 100. The limit for daily FT withdrawal is 10.

These actions were designed to stop their programmed bots from functioning. After the actions were taken, FCoin prices started to climb steadily to its former level that same afternoon.

Another Encounter

Luo Zhiquan has provided security services for many exchanges. When he monitored the data anomalies of FCoin on July 21, he knew he had met an “old friend”.

“This is a professional attack.”

Luo Zhiquan has engaged them many times and knows their ferocious and cruel nature well. They have attacked other exchanges as well. Luo Zhiquan said:

“Huobi, OKEx, and ZB have experienced their attacks.”

He also helped fend off similar attacks for these exchanges. Through his experience, Luo Zhiquan observed two major tactics.

The most common one is “short selling”, which is also their major purpose.

He can recall clearly that after Elastos was listed on Huobi Exchange, it was “ambushed” by an unknown force. On the evening of March 4, the price of Elastos started to fluctuate violently. It dropped by 20% but rocketed again soon after. The price went up and down in minutes. The red and green candles took turns, indicating dramatic fluctuations.

Luo Zhiquan who soon after joined the battle, said:

“Someone was launching a malicious attack by registering a large number of accounts and inputting transactions amounting to millions and even billions…”

He mobilized huge funds to defend against the attack, which resulted in the dramatic fluctuations. This was his first encounter with the enemy. Luo Zhiquan was able to fight the opponent back, but it came at the cost of huge capital losses.

Luo Zhiquan said:

“Dark Phantom fights at all costs. They tend to eliminate enemies at the cost of their own benefits.”

He thought to himself, who is so desperate to take others down that they do so without consideration of the cost?

A few months earlier, Dark Phantom was spotted on a global top 5 exchange.

The founder of an exchange claimed:

“IP addresses and wallet addresses were exactly the same as those appeared in the Elastos incident.”

The difference was that this time they were not shorting selling; they came for “robbery”.

Many currencies use bots to maintain the currency value, such as keeping the value between 5 and 6. The team will suddenly suppress the price to 4.8 and buy in to sell them at the price of 5.5.

The founder of the above exchange platform said:

“They have taken advantage of the rules of bot operations.”

This is just like implanting their own program in the quantitative bots of others for stealth benefits. In quantitative terminology, this is known as “extracting”.

By the time the exchange platform discovered this practice and tried to stop it, Dark Phantom had successfully robbed 80 million. Dark Phantom is a notorious name among exchanges for robbing and short selling…

The Mysterious Team

Who is behind this mysterious team?

Luo Zhiquan has never ceased seeking the answer to this question. Clues show that Dark Phantom has close association with a certain exchange.

Dark Phantom has once opened a dozen wallets on one computer. This proves that it is a team of individuals. Luo also monitored their IP addresses and found that they could be traced back to Taiwan, Hong Kong, and Japan.

Luo Zhiquan further found that, as shown by the IP, some of the accounts in this attack came from the Tokyo Stock Exchange. This was the same as those accounts discovered in the Elastos incident in March. This brings attention to a report which stated Binance’s founder Zhao Changpeng once developed a system for matching trading orders on the Tokyo Stock Exchange.

Of course, this is not proof of any wrongdoing and perhaps a coincidence.

However, Luo Zhiquan revealed an even more surprising detail.

“This IP address once showed up in a building in Japan, while the office venue of a world-class exchange happens to be in the same building.”

It does not prove that the exchange is behind the attacks, but there is something strange in such a coincidence.

Dark Phantom is ruthless; it has launched quantitative attacks against almost all major exchanges. Interesting enough, it seems that Dark Phantom is not concerned about making money and instead focuses on crushing competitors, such as suppressing FT prices and manipulating Elastos. Any profits are just ammo for their next battle.

Luo Zhiquan suspects that Dark Phantom is the “weapon” of an exchange to suppress competitors. He points out an important detail: Dark Phantom has ravaged almost all major exchanges, except for Binance. Of course, Binance has experienced security issues and technical attacks, such as the hijacking of their API. Luo Zhiquan said:

“This is a circle of tangling grudges and revenge.”

The world of exchanges is full of blood and fire. There is war everywhere with attacks, secret sabotage, and lies running rampant in the industry. There are tens of thousands of exchanges, with exchanges now outnumbering cryptocurrency projects some insiders say.

The war is only just beginning, and the battles between exchanges will only become more intense…

(Characters in this article use an alias as requested by the interviewees)