A major Taiwanese cryptocurrency exchange waited weeks to reveal a massive security breach. BitoPro finally confirmed an $11.5 million digital asset theft this week. The hack actually occurred back on May 8th. Shockingly, the platform kept silent publicly for nearly a month. This was followed by users reporting frustrating withdrawal problems. Despite the significant loss, BitoPro insists customer funds remain secure. Furthermore, the exchange claims normal operations continue unaffected. This assurance clashes directly with mounting user complaints. Many customers specifically struggled to withdraw the stablecoin USDT.

Exploit Hits During Wallet Upgrade

The attack exploited a critical moment. Hackers struck during an internal wallet system upgrade. They targeted an “old hot wallet” while funds were being moved internally. This vulnerability allowed the massive theft. Onchain investigator ZachXBT first flagged suspicious transactions weeks ago.

He tracked the stolen assets moving across multiple networks. These included Ethereum, Tron, Solana, and Polygon. The funds flowed rapidly into decentralised exchanges (DEXs). Subsequently, the assets were quickly marked as sold on these platforms. Blockchain data reveals clear laundering attempts. For instance, some funds entered cryptocurrency mixer Tornado Cash. Others were bridged to Bitcoin using ThorChain. Hackers routinely use these methods to obscure stolen funds.

Delayed Disclosure

BitoPro’s silence amplified user frustration. The exchange announced routine maintenance on May 9th. This resolved the same day officially. However, numerous users immediately reported being unable to withdraw USDT. 

Three weeks passed after the actual hack. Finally, on June 2, BitoPro admitted the exploit via Telegram. The exchange blamed the breach on the upgrade vulnerability. Simultaneously, BitoPro tried to reassure customers. It stated the platform holds “sufficient virtual asset reserves.” Moreover, it claimed user withdrawals are “completely unaffected.” Deposits, withdrawals, and trading stayed operational, it added.

Tracking Stolen Funds

BitoPro has commissioned a third-party security firm. This firm will actively trace the stolen $11.5 million. The exchange also pledged greater openness moving forward. Specifically, it promised to share its new hot wallet address soon. This allows external investigators to examine it. Therefore, the community can potentially verify BitoPro’s security claims.

Security analysts noted the attack required persistence. Hacken reported the thieves needed over six hours. They also made multiple failed attempts before succeeding. “Access control failures are now critical Web3 threats,” a Hacken analyst said. The firm developed “Extractor” specifically to detect such real-time exploits.

DeFi Hacks Remain a Persistent Threat

The BitoPro incident highlights a relentless trend. Indeed, exchanges and DeFi protocols remain prime hacker targets. Recently, decentralised exchange Cetus suffered a $220 million exploit. Fortunately, validators froze $162 million of it. Consequently, that amount was returned after a governance vote. Similarly, the modular blockchain Nervos was hacked on June 2nd. Thieves stole $3 million in digital assets. Cyvers Alerts confirmed the stolen funds were swapped for Ether. Moreover, they were sent through Tornado Cash. The Nervos team paused all contracts immediately. Presently, they are actively investigating the breach.

BitoPro maintains its core user assets are safe offline. Yet, the delayed disclosure and unresolved withdrawal issues undermine trust. Consequently, the crypto community watches closely. They await proof of recovered funds and genuine transparency. The exchange’s next moves are crucial for restoring its damaged reputation.

Written By Fazal Ul Vahab C H

×