Taiwan-based cryptocurrency exchange BitoPro confirmed a security breach that led to the loss of more than $11.5 million in digital assets from its hot wallets on May 8.
The suspicious transactions, which occurred across hot wallets on Ethereum, Tron, Solana and Polygon, saw asset outflows to decentralized exchanges (DEXs) where they were later marked as sold, according to onchain investigator ZachXBT.
Despite the incident, BitoPro did not disclose the exploit on X or Telegram for several weeks, ZachXBT said in a June 2 post on X.
Blockchain data shows assets were deposited into cryptocurrency mixer Tornado Cash or bridged to Bitcoin via THORChain, patterns often employed by hackers to make funds anonymous and untraceable.
On May 9, BitoPro announced a maintenance period for the exchange, which was resolved on the same day. However, many users have since reported being unable to withdraw USDt (USDT).
Exchange confirms breach weeks later
Three weeks after the incident, BitoPro confirmed that it had suffered a wallet exploit. In a June 2 Telegram post, the exchange said the breach occurred during a wallet system upgrade, when an attacker exploited an “old hot wallet” during internal fund reallocation.
The platform has “sufficient virtual asset reserves,” and user withdrawals are “completely unaffected,” BitoPro stated.
Deposits, withdrawals and all trading functions remained operational, while a third-party blockchain security firm was commissioned to trace the stolen funds, it added.
In a push for more transparency, BitoPro said it would share the new hot wallet address for external investigation in the “near future.”
DeFi protocols remain top hacker targets
Hackers continue targeting the growing value locked into exchanges and decentralized finance (DeFi) protocols.
On May 22, decentralized exchange Cetus was exploited for over $220 million, but validators managed to freeze $162 million, which was subsequently returned to the protocol after a governance vote on May 30.
On June 2, modular blockchain network Nervos was exploited for $3 million in digital assets.
The stolen funds were all swapped to Ether (ETH) via Tornado Cash, while the team “has paused all contracts and is actively investigating the incident,” Cyvers Alerts said in a June 2 X post.
It took the attackers over six hours and multiple failed attempts to steal the funds, according to analysts from blockchain security firm Hacken.
“Access control failures are now one of the most critical threats in Web3,” a Hacken analyst told Cointelegraph, adding that “Extractor” was purpose-built to catch warning signs for similar exploits in real-time.
Quick Summary of the News
- BitoPro, a Taiwan-based crypto exchange, confirms an $11.5 million exploit from its hot wallets.
- The breach occurred on May 8, affecting Ethereum, Tron, Solana, and Polygon wallets.
- Stolen funds were moved to DEXs and later to Tornado Cash and THORChain, obscuring their origin.
- BitoPro claims user withdrawals are unaffected and that they have sufficient reserves.
- A third-party security firm is investigating, and BitoPro plans to share the new hot wallet address.
Why It Matters
This incident highlights the ever-present security risks within the cryptocurrency space, particularly for centralized exchanges. Despite advancements in security measures, exchanges remain attractive targets for hackers due to the large volumes of assets they hold. The delayed disclosure by BitoPro raises questions about transparency and user trust. This event could further fuel the ongoing debate about self-custody versus exchange-based storage.
Market Impact
While BitoPro claims withdrawals are unaffected, such incidents can erode investor confidence, especially in smaller, less-known exchanges. The price of the exchange’s native token (if any) might experience a short-term dip due to negative sentiment. More broadly, recurring exchange hacks could contribute to downward pressure on the overall crypto market, as investors become wary of systemic risks.
Expert Take & Personal Insight
The increasing sophistication of these attacks suggests a need for exchanges to invest heavily in proactive security measures, including penetration testing, multi-signature wallets, and robust monitoring systems. The reliance on Tornado Cash by the hackers also underscores the ongoing challenge of balancing privacy with regulatory compliance in the crypto space. It’s concerning that the exchange delayed the announcement, as timely disclosure is crucial for maintaining user trust.
Actionable Insight
- Traders: Be cautious about holding large amounts of assets on smaller exchanges. Consider diversifying your holdings across multiple platforms or opting for cold storage solutions for long-term investments.
- Investors: Research the security practices of any exchange you use. Look for exchanges with transparent security policies, regular audits, and insurance coverage.
- Watch: Monitor the progress of the investigation into the BitoPro hack. Any further developments, such as the recovery of funds or identification of the perpetrators, could impact market sentiment.
Conclusion
The BitoPro hack serves as a stark reminder of the vulnerabilities that still plague the crypto industry. As the space matures, a greater emphasis on security and transparency will be essential for fostering long-term growth and investor confidence. Expect to see increased regulatory scrutiny and pressure on exchanges to improve their security protocols in the months ahead.