BitoPro confirms $11.5M crypto exploit weeks after breach but says user funds remain safe and withdrawals continue without disruption.
BitoPro, a cryptocurrency exchange based in Taiwan, confirmed a security compromise on May 8 that resulted in the loss of over $11.5 million in digital assets from its hot wallets.
According to on-chain investigator ZachXBT, the suspicious transactions, which took place across hot wallets on Ethereum, Tron, Solana, and Polygon, resulted in asset outflows to decentralized exchanges (DEXs), where they were subsequently designated as sold.
Despite the incident, BitoPro refrained from disclosing the exploit on X or Telegram for several weeks, according to ZachXBT in a post on X on June 2.
As evidenced by blockchain data, assets were deposited into cryptocurrency aggregator Tornado Cash or bridged to Bitcoin via THORChain.
Hackers frequently employ these patterns to conceal and hide funds.
On May 9, BitoPro announced a maintenance period for the exchange, which was resolved on the same day.
Nevertheless, numerous users have since reported being unable to withdraw USDt.
By publication, Cointelegraph had not received a response from BitoPro regarding its request for comment.
Exchange Admits Breach After Weeks
BitoPro acknowledged that it had been the victim of a wallet exploit three weeks following the incident.
In a June 2 Telegram post, the exchange disclosed that the intrusion occurred during an internal fund reallocation when an attacker exploited an “old hot wallet” during a wallet system upgrade.
BitoPro asserted that the platform maintains “ample virtual asset reserves” and that user withdrawals are “unaffected.”
The statement added that the third-party blockchain security firm was commissioned to trace the stolen funds while all trading functions, deposits, and withdrawals remained operative.
The new hot wallet address will be shared with external investigators in the “near future” as part of BitoPro’s efforts to increase transparency.
DeFi Protocols Continue To Be Hackers’ Primary Targets
The increasing value that is sealed into exchanges and decentralized finance (DeFi) protocols is still being targeted by hackers.
On May 22, the decentralized exchange Cetus was exploited for more than $220 million.
However, validators could block $162 million, which was returned to the protocol after a governance vote on May 30.
On June 2, the modular blockchain network Nervos was exploited to the tune of $3 million in digital assets.
In a June 2 X post, Cyvers Alerts stated that the team has “paused all contracts and is actively investigating the incident” and that the stolen funds were all transferred to Ether via Tornado Cash.