Taiwan Crypto Exchange BitoPro Confirms $11.5M Hack Weeks After Silence

Blockchain investigator ZachXBT, who first flagged the suspicious transactions, revealed on June 2 that the stolen funds were quietly moved across Ethereum, Tron, Solana, and Polygon networks. The assets were later funneled into decentralized exchanges and swapped, with portions routed through crypto mixer Tornado Cash and bridged to Bitcoin using THORChain—tactics often used to obfuscate stolen funds.

Do you want to explain to the community why multiple of your hot wallets saw suspicious outflows of ~$11.5M on May 8, 2025 where you still have not disclosed the security incident on X or Telegram several weeks later? pic.twitter.com/HlD0c93Or4

— ZachXBT (@zachxbt) June 2, 2025

Despite the magnitude of the exploit, BitoPro kept quiet on public channels like X (formerly Twitter) and Telegram, failing to acknowledge the breach until three weeks later. On May 9, just a day after the attack, the exchange only announced a brief maintenance period. Users have since complained of persistent withdrawal issues, particularly with USDT.

In a June 2 Telegram statement , BitoPro finally confirmed the hack, explaining that the attacker gained access during a wallet system upgrade and exploited an outdated hot wallet amid internal fund transfers. The platform assured users that it maintains sufficient asset reserves and that all deposits, withdrawals, and trading operations continue to function normally.

To recover the stolen assets, BitoPro stated that it has enlisted the services of a third-party blockchain security firm. It also pledged to release the address of the new hot wallet soon, enabling external tracking efforts.

This incident adds to a growing list of crypto exploits targeting both centralized and decentralized platforms. On May 22, DeFi protocol Cetus lost over $220 million to an attacker, although validators were able to freeze and return $162 million after a community vote on May 30.

More recently, on June 2, modular blockchain Nervos was hit by a $3 million exploit . The stolen assets were swiftly swapped to ETH via Tornado Cash, prompting the project team to pause all contracts and launch an investigation. According to security firm Hacken, the attack took over six hours and involved multiple failed attempts before it was successful.

If you want to read more news articles like this, visit DeFi Planet and follow us on Twitter , LinkedIn , Facebook , Instagram , and CoinMarketCap Community.

“Take control of your crypto portfolio with MARKETS PRO, DeFi Planet’s suite of analytics tools.”