Taiwan-based cryptocurrency exchange BitoPro has confirmed it suffered a security breach that resulted in the loss of over $11.5 million in digital assets weeks after the incident occurred. Despite the exploit, the platform maintains that user withdrawals and funds remain unaffected.
The breach took place on May 8 and involved unauthorized transactions from BitoPro’s hot wallets across multiple blockchain networks, including Ethereum, Tron, Solana, and Polygon. Onchain investigator ZachXBT flagged the suspicious activity, noting that the stolen assets were funneled through decentralized exchanges (DEXs) and ultimately sold.
In a June 2 post on X (formerly Twitter), ZachXBT criticized BitoPro for its delayed disclosure, stating that the exchange had not informed users via X or Telegram for several weeks after the incident.
Blockchain data indicates that the stolen funds were later transferred to the crypto mixer Tornado Cash and bridged to Bitcoin via THORChain techniques commonly used by attackers to obscure the origin of funds and evade tracking.
Although BitoPro announced a maintenance update on May 9, claiming the issue had been resolved the same day, several users have since reported issues withdrawing USDt (Tether).
Breach confirmed following weeks of silence
In a June 2 Telegram post, BitoPro officially acknowledged the breach, stating the exploit occurred during a wallet system upgrade when an attacker gained access to an “old hot wallet” during internal fund transfers.
The exchange assured users that it holds “sufficient virtual asset reserves” and emphasized that withdrawals and trading activities have remained fully operational throughout. A third-party blockchain security firm has been enlisted to investigate and trace the stolen funds.
BitoPro also stated its intention to increase transparency, pledging to publicly share the new hot wallet address to aid external investigations “in the near future.”
DeFi protocols continue to be hacker targets
The BitoPro incident adds to a string of recent high-profile exploits targeting cryptocurrency platforms and DeFi protocols. On May 22, decentralized exchange Cetus was drained of over $220 million. However, validators managed to freeze $162 million, which was later returned following a governance vote on May 30.
On June 2, modular blockchain network Nervos suffered a $3 million exploit, with all stolen assets converted to Ether (ETH) via Tornado Cash. The team has paused all contracts and is actively investigating the incident, blockchain security firm Cyvers Alerts reported on X.
These events underscore the persistent threat facing crypto exchanges and DeFi platforms, even as the sector matures and security practices improve.
