On July 16, cryptocurrency exchange BigONE detected a significant security breach affecting its hot wallet infrastructure, leading to an estimated loss of approximately $27 million in digital assets. The incident was identified as a “third-party attack,” with BigONE swiftly confirming that abnormal asset movements triggered real-time monitoring alerts. Despite the substantial loss, the exchange has assured its users that all private keys remain secure, and the specific attack path has been identified and contained to prevent any further compromise of funds. This proactive response, including immediate collaboration with blockchain security firm SlowMist, aimed to trace the attacker’s wallet addresses and diligently monitor the flow of the stolen funds.
BigONE has publicly committed to covering all losses incurred by its users from this breach, emphasizing its dedication to keeping user assets intact.
To fulfill this pledge, the company has already activated its internal security reserves, which comprise a mix of popular cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), USDt, Solana (SOL), and Mixin (XIN). These reserves are being utilized to replenish the affected user funds. For other mainstream and non-mainstream tokens that were impacted, BigONE stated it is actively seeking external liquidity through borrowing mechanisms to restore the platform’s wallet balances as quickly as possible, demonstrating a robust effort to mitigate the financial impact on its user base.
Blockchain security firm Cyvers suggested the attacker exploited the platform’s production network, likely through compromised CI/CD (Continuous Integration/Continuous Deployment) or server management channels. This infiltration allowed the attacker to modify business logic and disable crucial risk-control checks, effectively bypassing BigONE’s security protocols. The attack reportedly commenced with the deployment of malicious binaries to account-operation servers, followed by the unauthorized draining of 350 ETH ($1.1 million).
The attacker then rapidly expanded withdrawals across Bitcoin, Solana, and Tron networks, consolidating the stolen assets into a single external address, likely in preparation for laundering.
Industry experts have weighed in on the implications of such an attack. Yehor Rudytsia, an on-chain security researcher at Hacken, emphasized the critical need for strengthened security in CI/CD pipelines, stringent control over dependencies, and continuous on-chain and off-chain monitoring of the entire infrastructure for exchanges. Rudytsia also highlighted that Automated Incident Response is an indispensable security measure for all exchanges, designed to halt exploitation swiftly and secure as much of the funds as possible. This incident serves as a stark reminder that even with sophisticated security measures, vulnerabilities in the supply chain and backend operations can be exploited.
Further analysis by Cyvers revealed several critical security gaps that contributed to the incident. These included a single-point failure in hot-wallet management, insufficient code integrity controls, a lack of pre-transaction validation, and limited network segmentation between build and wallet-management servers. The stolen funds were quickly converted to Wrapped Ethereum (WETH)/ETH and routed through fresh intermediary addresses, indicating preparations for mixing or decentralized exchange activity to obscure the money trail. This BigONE hack follows closely on the heels of another significant exploit, with Arcadia Finance, a decentralized finance (DeFi) platform on the Base blockchain, suffering a $3.5 million theft just a day prior, underscoring the ongoing and evolving security challenges within the broader cryptocurrency ecosystem.
Reference:
