Taiwan-based cryptocurrency exchange BitoPro has now confirmed a security breach resulting in over $11.5 million in digital asset losses. This significant theft occurred on May 8th from its hot wallets on the Ethereum, Tron, Solana, and also Polygon networks. Onchain investigator ZachXBT reported suspicious transactions showed asset outflows to decentralized exchanges where they were subsequently marked as sold. Despite this major incident, BitoPro did not publicly disclose the exploit on its X or Telegram channels for several weeks. Blockchain data indicates the stolen assets were quickly moved into cryptocurrency mixer Tornado Cash or bridged to Bitcoin using THORChain.
Three weeks after the May 8th security incident, BitoPro officially confirmed that it had indeed suffered a serious wallet exploit.
In a June 2nd Telegram post, the exchange stated the breach occurred during a planned wallet system upgrade by their team. An attacker reportedly exploited an “old hot wallet” during a complex process of internal company fund reallocation at that specific time. BitoPro further asserted that the platform currently has “sufficient virtual asset reserves” to cover any potential shortfalls resulting from this theft.
They also claimed that user withdrawals are “completely unaffected” and all trading functions remained operational throughout this entire challenging period for them.
Hackers persistently continue targeting the growing value that is locked within cryptocurrency exchanges and various decentralized finance (DeFi) protocols globally. For example, on May 22nd, the decentralized exchange Cetus was exploited for over $220 million in a very large-scale attack. However, Sui network validators commendably managed to quickly freeze approximately $162 million of those particular funds, which were later returned. More recently, on June 2nd, the modular blockchain network Nervos was also unfortunately exploited for about $3 million in digital assets. The stolen funds from the Nervos exploit were all swapped by the attackers to Ether via the Tornado Cash mixing service.
According to security analysts from the blockchain security firm Hacken, the attackers who were targeting Nervos took over six hours. They also made multiple failed attempts before finally succeeding in their illicit operation against the network’s existing defenses. A Hacken analyst told Cointelegraph that “Access control failures are now one of the most critical threats in Web3 environments today.” The firm also mentioned that their “Extractor” tool was purpose-built to catch early warning signs for similar exploits in real-time. These expert insights clearly underscore the persistent challenges and the critical ongoing need for robust security measures across all active Web3 platforms. The BitoPro incident serves as another example of these prevailing security concerns.
Reference:
