On-chain sleuth ZachXBT has flagged a potential security breach that rocked the Taiwanese cryptocurrency exchange BitoPro. According to a Telegram post, the exchange witnessed a suspicious outflow of approximately $11.5 million from its hot wallets on May 8.
The alleged exploit involved the attacker making multiple transactions and suspiciously moving funds from various blockchain networks, including Tron, Ethereum, Solana, and Polygon, from BitoPro’s hot wallets.
The attackers transferred the stolen funds to decentralized exchanges (DEXs), where they were likely used to swap or trade for other cryptocurrencies. Following a common laundering pattern used by hackers to evade detection, the attackers funneled some of the funds into the crypto mixer Tornado Cash. They bridged some to the Bitcoin network via THORChain.
BitoPro Keeps Hack Under Wraps for Weeks
Despite the amount siphoned off from BitoPro’s hot wallets, the exchange did not make any official public announcement on either X or Telegram concerning the hack incident. Instead, BitoPro informed its users that the platform was undergoing routine system maintenance, which was purportedly resolved on the same day.
However, numerous users reported having experienced difficulties with withdrawing USDt, suggesting that the underlying problem was more complex and possibly related to the exploit.
BitoPro Finally Responds
About three weeks after the attack, following ZachXBT’s post, BitoPro made an official report of the hack through a Telegram post. The platform stated that the exploit occurred during a wallet system upgrade, when an attacker exploited a vulnerability in an old hot wallet while funds were being reallocated internally.
According to a translated version of BitoPro’s post, the exchange mentioned that at the time of the attack, it swiftly responded to the incident by securing assets, blocking hacker activity, and engaging a third-party cybersecurity firm to investigate.
BitoPro further assured its users that their assets are secure and operations, including deposit, withdrawal, and trading functions, are normal. The platform also stated that it is taking steps to enhance security and transparency by publicly disclosing new hot wallet addresses.
BitoPro’s case isn’t the first instance of a platform delaying the reporting of a hack. In February, Korean game publisher Wemade Co. suffered a significant security breach that affected its native token WEMIX.
According to the platform, the attacker exploited the Play Bridge Vault, resulting in the theft of approximately 8.65 million WEMIX tokens. However, users weren’t notified until four days later, with the Wemade team citing concerns over public panic as the reason for the delay.
Following Wemade Co.’s actions, the Digital Asset eXchange Association (DAXA) took disciplinary action, delisting the token from its platforms.
