BitoPro confirms $11.5 million exploit

Grafa, 2025/06/03 07:40
By: Mahathir Bayena

Taiwan-based cryptocurrency exchange BitoPro confirmed a security breach that resulted in the loss of over $11.5 million in digital assets from its hot wallets on May 8.

The stolen assets were moved across Ethereum (CRYPTO:ETH), Tron (CRYPTO:TRX), Solana (CRYPTO:SOL), and Polygon (CRYPTO:MATIC) wallets before being sent to decentralised exchanges (DEXs) where they were sold, according to onchain investigator ZachXBT.

Blockchain data shows the funds were then routed through the cryptocurrency mixer Tornado Cash (CRYPTO:TORN) or bridged to Bitcoin (CRYPTO:BTC) via THORChain, methods commonly used by hackers to anonymise stolen assets.

Despite the breach, BitoPro did not publicly disclose the incident on social media platforms like X or Telegram for several weeks, as noted by ZachXBT in a June 2 post.

On May 9, the exchange announced a maintenance period, which ended the same day; however, some users reported difficulties withdrawing USDT afterwards.

Three weeks after the breach, BitoPro acknowledged the exploit in a June 2 Telegram statement, explaining that the attacker exploited an “old hot wallet” during a wallet system upgrade and internal fund reallocation.

The exchange asserted it holds sufficient virtual asset reserves and that user withdrawals remain “completely unaffected.”

BitoPro confirmed that deposits, withdrawals, and trading functions continued to operate normally throughout the incident.

A third-party blockchain security firm has been engaged to trace the stolen funds, and BitoPro plans to share the new hot wallet address for external investigation soon.

Security analysts from Hacken noted that the attack involved multiple failed attempts over six hours, highlighting ongoing vulnerabilities in access control within Web3 systems.

“Access control failures are now one of the most critical threats in Web3,” a Hacken representative said, adding that the firm's tool “Extractor” is designed to detect similar exploits in real time.

This incident follows a pattern of high-profile attacks targeting exchanges and decentralised finance (DeFi) protocols, including the recent $220 million exploit of Cetus DEX and a $3 million breach of the Nervos Network (CRYPTO:CKB).
