Bitopro exchange hit by $11.5M outflows in potential exploit
Taiwan-based cryptocurrency exchange BitoPro confirmed a security breach that led to the loss of more than $11.5 million in digital assets from its hot wallets on May 8.
The suspicious transactions, which occurred across hot wallets on Ethereum, Tron, Solana and Polygon, saw asset outflows to decentralized exchanges (DEXs) where they were later marked as sold, according to onchain investigator ZachXBT.
Despite the incident, BitoPro did not disclose the exploit on X or Telegram for several weeks, ZachXBT said in a June 2 post on X.
Related: Metaplanet’s Bitcoin ‘premium’ nears $600K per BTC
Blockchain data shows assets were deposited into cryptocurrency mixer Tornado Cash or bridged to Bitcoin via THORChain, patterns often employed by hackers to make funds anonymous and untraceable.
On May 9, BitoPro announced a maintenance period for the exchange, which was resolved on the same day. However, many users have since reported being unable to withdraw USDt (USDT).
Cointelegraph reached out to BitoPro for comment but had not received a response by the time of publication.
Related: Hoskinson promises audit, is ‘deeply hurt’ by $600M Cardano treasury claims
Exchange confirms breach weeks later
Three weeks after the incident, BitoPro confirmed that it had suffered a wallet exploit. In a June 2 Telegram post, the exchange said the breach occurred during a wallet system upgrade, when an attacker exploited an “old hot wallet” during internal fund reallocation.
The platform has “sufficient virtual asset reserves,” and user withdrawals are “completely unaffected,” BitoPro stated.
Deposits, withdrawals and all trading functions remained operational, while a third-party blockchain security firm was commissioned to trace the stolen funds, it added.
In a push for more transparency, BitoPro said it would share the new hot wallet address for external investigation in the “near future.”
DeFi protocols remain top hacker targets
Hackers continue targeting the growing value locked into exchanges and decentralized finance (DeFi) protocols.
On May 22, decentralized exchange Cetus was exploited for over $220 million, but validators managed to freeze $162 million, which was subsequently returned to the protocol after a governance vote on May 30.
On June 2, modular blockchain network Nervos was exploited for $3 million in digital assets.
The stolen funds were all swapped to Ether (ETH) via Tornado Cash, while the team “has paused all contracts and is actively investigating the incident,” Cyvers Alerts said in a June 2 X post.
Magazine: Coinbase hack shows the law probably won’t protect you: Here’s why
