BitoPro loses $11.5 million due to wallet hacking

Taiwanese cryptocurrency exchange BitoPro has officially confirmed a security incident that resulted in the loss of over $11.5 million in digital assets from hot wallets on Ethereum, Tron, Solana, and Polygon. The attack occurred on May 8, but was not publicly disclosed for three weeks, according to an X post by on-chain researcher ZachXBT on June 2.

How were the funds stolen?

Blockchain data shows that the attackers transferred the stolen assets to decentralized exchanges (DEXs), where they were quickly sold. Part of the funds was sent to the crypto mixer Tornado Cash, while another portion was converted to Bitcoin via THORchain — a typical method used to complicate the tracking of stolen funds.

Exchange’s silence

The day after the attack, on May 9, BitoPro announced "technical maintenance," which ended the same day. However, users soon began reporting issues with withdrawing USDT, raising concerns within the community.

Only on June 2, three weeks after the incident, did BitoPro officially acknowledge the breach.

Cause — “old hot wallet”

In a Telegram statement, the exchange explained that the breach occurred during a wallet system upgrade, when the attacker gained access to an old hot wallet that was still used for internal fund redistribution.

The company emphasized that it holds sufficient reserves of virtual assets, so the incident did not affect users’ ability to withdraw funds. All deposit, withdrawal, and trading functions are operating normally.

BitoPro also stated that it has engaged an external cybersecurity firm to help track the stolen funds. As part of its transparency efforts, the exchange pledged to soon provide the address of the new hot wallet for external auditing.