Both parties presented verification records to prove their innocence, but no one provided the evidence that the other truly needed.
Written by: Sanqing, Foresight News
On July 8, a user of the Gate exchange named "First Beautiful Girl (@jheioff)" posted on the X platform claiming that their Gate exchange account was hacked, and approximately $1.7 million in assets were emptied. The official Mandarin account of Gate confirmed that this account completed five withdrawals on July 7, totaling 49.96 ETH, 746,475 HSK, and 1,565,982 USDT, amounting to about $1.7 million.

The user stated that the account had phone verification, Google Authenticator, and email verification enabled, but throughout the process, no verification codes were received on the phone, and they had never provided any videos, ID held in hand, or login screen recordings.
Gate's Mandarin official account subsequently released a complete timeline in response, listing every operation of the account from July 4 to July 7, including live facial verification, SMS and email verification codes, and fund password modifications, all shown in the backend records as "verification passed." The incident is initially judged to be an isolated case with no systemic security vulnerabilities. The evidence chains from both parties contradicted each other, leading to extensive discussions in the Chinese crypto community and prompting some users to withdraw from Gate.
Regarding the follow-up developments of the incident and some questions and details, Foresight News has sought verification from both parties involved, with Gate stating that they cannot provide a response until the final investigation is concluded. The other party had not responded by the time of publication.
The more specific the evidence, the sharper the contradictions
Gate's first version of the timeline claimed that on July 4, a "new device" initiated a request to reset the password and security items, which was completed after passing live facial verification (demanding real-time facial motion detection to distinguish between real people and photos, videos, or forged images), SMS verification codes, and email verification codes; on July 5, the account completed mobile unbinding with a recorded video of a payment from a 2019 Alipay C2C order; on July 6, the login password and fund password were modified, and Google verification was reset; on July 7, the account was accessed from the Mac web end of a "historical old device"; on the same day, the account initiated a withdrawal to a new address, which had undergone complete verification through live facial verification, Google verification code, and fund password, after which this new address was added to the whitelist of no verification, and the account completed five withdrawals totaling approximately $1.7 million. @jheioff immediately published a post denying each point, stating that they had never performed the aforementioned facial verification, had not submitted any videos or recordings, and had not requested mobile unbinding or email changes.
The controversy did not stop at this round of each side stating their claims.
On the evening of July 8, Gate provided a second round of response, supplementing previously omitted details quite specifically: the facial recognition at 19:44 (UTC+8) on July 4 corresponded to IP 42.200.39.1XX, the device was an iPhone 14, the live detection result showed "low risk of non-living person," and it was "highly consistent" with the KYC archive facial records; on July 5 at around 3 a.m., the account also submitted a video of themselves holding identification along with handwritten notes for unbinding verification; on the same day at 21:26, the recorded video of the 2019 Alipay C2C order submission was claimed by Gate to have been cross-verified with their own trading records, specifying several received amounts on "October 9, 2019, at 22:28."
@jheioff's second round of response similarly contested each point: she clearly stated that she is currently using an iPhone 16 Pro and the previous old device was an iPhone 13, neither of which matches the iPhone 14 recorded by Gate; she was already asleep at 3 a.m. and could not have submitted the video holding identification; and she had no knowledge of the Alipay recording from 2019.
However, this round of responses also revealed rare overlaps. She acknowledged that the logged-in access from the "historical old device" on July 7 could very likely be from her browser, as she usually keeps the Gate and other exchange websites open in her browser. She added that logging in does not imply that she authorized email changes, mobile unbinding, password resets, and that the final withdrawal was also performed by her, and she requested Gate to explain the internal private IP logged as 10.0.10.9, as well as the unpublished device fingerprint and real public IP.
In response, Gate stated that this operation was processed by customer service after verifying the identity manually, hence the logs show an internal IP, while a considerable amount of the information requested by the victim involves sensitive information from the platform's core risk control and cannot be directly provided externally.

Regarding whether the Alipay records can be traced back to 2019, there were voices in the community questioning Alipay's support for retrieving transaction records from five years ago. However, according to my own tests and verification from Alipay's official help center, billing records can be queried permanently and even deleted records can still be checked by "issuing transaction flow proof."
By July 9, Gate provided the closest point to "solid evidence": that segment of the 2019 Alipay recording was confirmed to be authentic after cross-verification, and theoretically, such records can only be recorded by the account's real name holder when logging into Alipay.
On the same day, Gate also addressed the rumor circulating in the community about another "account email being altered" incident (involving another UID): the email suffix displayed for the involved account @mail.bter.com / @mail.gate.io is an auto-generated placeholder email for users who registered with only a mobile number on the platform, unable to independently log in to send or receive emails, and is used only for backend information filling, not altered by a third party.

Multiple speculations point to the same vulnerability
As the incident escalated, the community offered several conflicting explanations. @hebi555 suggested that the attacker may have used leaked KYC data and AI face-swapping technology to forge a facial video sufficient to pass live detection; @ChzhshchAI and @datiezi began with the unusual internal IP, suspecting that the operation might have been completed with the cooperation of internal personnel from the exchange; @dajingou1’s lengthy analysis suggested that this resembled a long-term trojan implanted on the terminal, with information continuously being stolen.
Another speculation is that the account's real name KYC information did not actually belong to @jheioff but was registered using someone else's identity. To this, @jheioff has not yet directly responded in public materials.
Gate has characterized the incident as an "isolated case," but this is the judgment of one party, and no independent third party has yet intervened for verification; the investigation remains led by Gate.
However, the breach of live detection has precedents in the traditional financial sector. In 2022, Beijing police reported a case where a Traffic Bank account holder's funds were stolen: the attacker, while having control of the victim's mobile verification code, completed multiple large transfers and password resets through the bank’s live facial detection six times without the account holder’s knowledge; at least six similar victims were involved, with a case amount exceeding 2 million yuan; Tsinghua University's RealAI team conducted tests in 2021, showing that using adversarial samples can breach the facial recognition systems of 19 Android phones in 15 minutes, successfully bypassing live detection from several financial apps.
Funds voting with their feet
On the day the incident became public, warning posts from accounts like @xiaomustock and @0xfengxun rapidly spread, prompting some users to choose to withdraw funds from Gate immediately to avoid risks; accounts like @forevergalxy questioned the exchange's organization of positive voices on social media while avoiding core evidence.
According to DefiLlama data, after the incident escalated, Gate experienced a net outflow of about $86.58 million in the past 24 hours, significantly higher than data from other exchanges during the same period.
For Gate, this is not just a case dispute, but a public test of its crisis disclosure capability. The exchange chose to release statements in stages and provide an operational timeline, attempting to hedge trust loss with transparency. The longer it takes, the harder it becomes to break the deadlock.
Setting aside responsibility judgments, this case itself leaves several practical tips for ordinary users: before making large withdrawals, it is advisable to set up delayed payments or manual reviews specifically for the "whitelist of no verification address," rather than default approval; try to disable cloud sync for secondary verification tools and set strong passwords for them; pay close attention to the actual displayed header of official verification SMS/email from exchanges you use regularly to avoid confusing key verification codes with marketing information and ignoring them, and set anti-phishing codes that you can remember; regularly check whether the email linked to your account is the real email you are currently using, especially for older accounts registered quickly with mobile phone numbers, as they can easily conceal real risks with automatically generated placeholder emails.
Additionally, try to avoid exposing specific holding sizes on social platforms or in public settings; high-profile "showing off" can turn oneself into a target for social engineering attacks; further, facial recognition has been proven to have possibilities of being bypassed or forged, so try to minimize the retention and dissemination of clear multi-angle photos and videos of your face on social media and unfamiliar third-party channels; once such materials are collected, they may be used to train or synthesize face-swapping materials capable of deceiving live detection.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。