Security Upgrade or Breach? BitoPro Responds to Alleged $11.5M Hack

Beginner | 6/27/2025, 8:17:29 AM
ZachXBT observed unusual fund movements in BitoPro's on-chain hot wallet: the funds were exchanged through a centralized exchange and then directed to anonymizing tools like Tornado Cash, or moved cross-chain through Thorchain to the Bitcoin mainnet and stored in Wasabi, a pattern suggestive of money laundering.

On-chain security investigation resurfaces, BitoPro hot wallet operations raise external concerns.

Blockchain investigator ZachXBT recently disclosed a suspected major security incident to the community, pointing out that the Taiwanese cryptocurrency exchange BitoPro may have suffered capital outflows on May 8, 2025, involving an amount as high as $11.5 million. He observed abnormal fund movements in BitoPro’s hot wallets across the Ethereum, Tron, Solana, and Polygon chains. These funds were exchanged via decentralized exchanges before being directed to anonymizing tools such as Tornado Cash, or transferred across chains to the Bitcoin mainnet via Thorchain and stored in Wasabi, suggesting potential money laundering.

The platform token BITO has dropped sharply, and the user community is worried about asset security.

Following the exposure of the news, the BitoPro platform token $BITO fell by more than 8% in a single day. The user community has raised questions about the authenticity of the event and the platform’s response, especially since ZachXBT pointed out that BitoPro only referred to it as “system maintenance” at the time and did not promptly disclose the specific situation of the suspected hacking through official channels, which further deepened market concerns.


A cybersecurity company has joined the investigation, and the platform has activated its response mechanism.

In response to external doubts, BitoPro has issued an official statement acknowledging that it suffered a hacker attack during the upgrade of its hot wallet and the transfer of assets. The platform stated that it immediately activated emergency response measures at the time of the incident, swiftly transferring the remaining assets to a new hot wallet, while also blocking suspicious activities and commissioning a third-party cybersecurity company to assist in a comprehensive investigation and tracking of the hacker’s whereabouts. BitoPro emphasized that its overall asset reserves are sufficient, and most digital assets are stored in offline cold wallets, which were not affected by this incident.

Suspected to be related to an international hacker organization

According to a joint analysis by its internal cybersecurity team and third-party organizations, the attack method bears a high similarity to several previous global cybersecurity incidents, and is suspected to be the work of the notorious North Korean hacker group Lazarus Group, which has been involved in multiple illegal SWIFT transfers from multinational financial institutions, as well as large-scale asset theft incidents on cryptocurrency platforms, demonstrating a high level of technical skill and operational stealth.

Social engineering infiltrates cloud permissions, targeting operational nodes to launch attacks.

The hacker used social engineering as an entry point to target an engineer responsible for maintaining cloud infrastructure, successfully implanting a trojan and bypassing multiple protective mechanisms, including endpoint detection, antivirus, and cloud security alert systems. They then lurked for an extended period to observe the engineer’s operational behavior. During this process, the attacker hijacked the engineer’s AWS Session Token, successfully bypassing Multi-Factor Authentication (MFA), and pushed malicious scripts to the cloud environment via a C2 control endpoint, ultimately directing the attack towards the hot wallet host.
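
As an added illustration (not part of the original article and not BitoPro's tooling): a stolen session token carries the MFA state of the login that issued it, so one defensive check is to flag temporary credentials that start appearing from a second client. The sample records are constructed, and treating the first-seen client as the baseline is an assumption.

```python
from collections import defaultdict

def _ev(time, name, ip, agent, key, mfa="true"):
    """Build a record using CloudTrail's field names (all values constructed)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userAgent": agent,
            "userIdentity": {"accessKeyId": key, "sessionContext": {
                "attributes": {"mfaAuthenticated": mfa}}}}

# Constructed sample log, not data from the incident.
K1, K2 = "ASIAEXAMPLEKEY00001", "ASIAEXAMPLEKEY00002"
SAMPLE_EVENTS = [
    _ev("2025-01-01T01:00:00Z", "DescribeInstances", "198.51.100.10", "aws-cli/2.15", K1),
    _ev("2025-01-01T01:05:00Z", "ListBuckets", "198.51.100.10", "aws-cli/2.15", K1),
    _ev("2025-01-01T03:10:00Z", "GetCallerIdentity", "203.0.113.77", "Boto3/1.34", K1),
    _ev("2025-01-01T03:11:00Z", "DescribeInstances", "203.0.113.77", "Boto3/1.34", K1),
    _ev("2025-01-01T02:00:00Z", "ListBuckets", "198.51.100.20", "aws-cli/2.15", K2),
    _ev("2025-01-01T02:30:00Z", "ListBuckets", "198.51.100.20", "aws-cli/2.15", K2),
]

def _mfa(ev):
    attrs = ev["userIdentity"].get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def find_reused_sessions(events):
    """Return {accessKeyId: finding} for temporary keys seen from more than one client."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith("ASIA"):  # ASIA prefix marks temporary (STS) credentials
            by_key[key].append(ev)
    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])  # ISO-8601 UTC sorts as text
        baseline = (evs[0]["sourceIPAddress"], evs[0]["userAgent"])
        odd = [e for e in evs
               if (e["sourceIPAddress"], e["userAgent"]) != baseline]
        if odd:
            findings[key] = {
                "baseline": baseline,
                "first_deviation": odd[0]["eventTime"],
                "deviating_calls": [e["eventName"] for e in odd],
                # True here shows why the MFA flag alone cannot expose replay.
                "mfa_still_true": all(_mfa(e) for e in odd),
            }
    return findings

if __name__ == "__main__":
    for key, finding in find_reused_sessions(SAMPLE_EVENTS).items():
        print(key, finding)
```

Legitimate network changes (VPN, NAT egress rotation) will also trip this check, and it cannot see a token replayed from the victim's own machine, so it is a triage signal rather than a verdict.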

Attack timed to the scheduling of platform assets; multi-chain assets stolen and transferred.

During the attack, the platform was undergoing a wallet upgrade and fund allocation. The hacker took the opportunity to trigger a pre-deployed script that simulated the daily legitimate operation process and quickly transferred assets illegally from chains such as Ethereum, Tron, Solana, and Polygon, totaling approximately $11.5 million. The assets were converted and obfuscated through decentralized tools like Tornado Cash and Thorchain, then moved cross-chain to the Bitcoin network, ultimately flowing into mixing services like Wasabi Wallet, further concealing the source of the funds.

The incident is now under judicial investigation; the wallet has been rebuilt and made publicly transparent.

The incident has now been fully handed over to the judicial authorities for criminal investigation and tracing. The platform has also initiated a comprehensive security check and is rebuilding the wallet infrastructure. Users can now view the latest hot wallet deployment status of BitoPro through the Arkham platform. The platform promises to continuously enhance its security level and to strengthen monitoring of operational permissions and prevention of abnormal behavior so that similar incidents do not occur again.

The latest deployment status of BitoPro’s hot wallets: https://intel.arkm.com/explorer/entity/bitopro

Summary

In the cryptocurrency market, asset security is always the most fundamental commitment of trading platforms. The BitoPro incident reminds all practitioners and users that layered management of hot and cold wallets and transparency of information will be crucial for the security of digital assets in the future. This incident will undoubtedly prompt a comprehensive review of the security protection of exchanges within the community once again.

Author: Allen
* The information is not intended to be and does not constitute financial advice or any other recommendation of any sort offered or endorsed by Gate.
* This article may not be reproduced, transmitted or copied without referencing Gate. Contravention is an infringement of Copyright Act and may be subject to legal action.
