The cryptocurrency exchange BitoPro, headquartered in Taiwan, has confirmed a security breach that resulted in the loss of over $11.5 million in digital assets from its hot wallet on May 8.
According to on-chain investigator ZachXBT, these suspicious transactions occurred in the hot wallets of Ethereum, Tron, Solana, and Polygon, with assets flowing out to decentralized exchanges (DEX) and subsequently marked as sold.
Despite the incident, ZachXBT stated in a post on the X platform on June 2 that BitoPro did not disclose this attack on X or Telegram for several weeks.
Blockchain data shows that the assets were deposited into the cryptocurrency mixer Tornado Cash or bridged to Bitcoin via THORChain, patterns typically used by hackers to anonymize and obfuscate funds.
On May 9, BitoPro announced that the exchange was entering a maintenance period, which was resolved on the same day. However, many users reported being unable to withdraw USDT afterward.
Cointelegraph has contacted BitoPro for comment but has not received a response as of the time of publication.
Three weeks after the incident, BitoPro confirmed that it had suffered a wallet attack. In a Telegram post on June 2, the exchange stated that the vulnerability occurred during a wallet system upgrade, with the attacker exploiting the "old hot wallet" during the internal fund redistribution process.
BitoPro stated that the platform has "sufficient virtual asset reserves" and that user withdrawals are "completely unaffected."
The exchange added that deposit, withdrawal, and all trading functions remain operational, and it has engaged a third-party blockchain security company to track the stolen funds.
To enhance transparency, BitoPro stated that it will share a new hot wallet address for external investigation "in the near future."
Hackers continue to target the growing value locked in exchanges and decentralized finance (DeFi) protocols.
On May 22, the decentralized exchange Cetus suffered an attack exceeding $220 million, but validators successfully froze $162 million, which was returned to the protocol after a governance vote on May 30.
On June 2, the modular blockchain network Nervos experienced a $3 million digital asset attack.
All stolen funds were exchanged for Ether (ETH) through Tornado Cash, and the team "has paused all contracts and is actively investigating this incident," Cyvers Alerts stated in a post on the X platform on June 2.
According to analysts from blockchain security company Hacken, the attacker spent over six hours and went through multiple failed attempts to steal the funds.
"Access control failures are now one of the most serious threats in Web3," a Hacken analyst told Cointelegraph, adding that "Extractor" is specifically designed to capture early warning signals for similar attacks in real-time.
Related: Binance co-founder Zhao Changpeng (CZ) proposed launching a dark pool perpetual DEX to address manipulation issues.
Original article: “BitoPro Confirms $11.5 Million Attack Incident, Claims Withdrawals Unaffected”
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
