Taiwan-based cryptocurrency exchange BitoPro has confirmed a significant security breach, resulting in the loss of approximately $11.5 million worth of digital assets. The confirmation comes after prominent on-chain investigator ZachXBT flagged suspicious outflows from BitoPro wallets, prompting widespread scrutiny and frustration among users over the exchange’s delayed disclosure.
Hack Exposed After On-Chain Sleuth Raises Alarm
The breach was brought to light on Monday, June 2, when ZachXBT alerted the crypto community to unusual activity involving BitoPro’s hot wallets. He identified that the suspicious transactions, traced across Ethereum, Tron, and Solana, likely pointed to a major security compromise.

ZachXBT Telegram Update on June 2 | Credit: Telegram
ZachXBT estimated the hack occurred on May 8, over three weeks before BitoPro’s public acknowledgement. He reported that stolen funds had been laundered through Tornado Cash, bridged to Bitcoin via THORChain, and eventually deposited into Wasabi wallets, a typical pattern for obfuscating crypto theft trails.
Just three hours after ZachXBT’s findings were shared, BitoPro confirmed the breach through an official statement. However, the lack of prior communication and vague details in the announcement sparked criticism.
Breach Occurred During Wallet System Upgrade
According to BitoPro’s translated statement, the attack took place during a wallet system upgrade and asset transfer operation. The old hot wallet used for fund allocation was reportedly targeted and compromised by hackers.
“During the recent wallet system upgrade and asset transfer operation of BitoPro, the old hot wallet of BitoPro exchange was attacked by hackers during the fund allocation process,” the statement read.
BitoPro claimed that emergency measures were swiftly deployed, transferring user assets to a new, secure wallet. The exchange assured customers that it maintains sufficient virtual asset reserves and that no user funds or rights have been affected.
Users Frustrated by Delay and Lack of Clarity
Despite BitoPro’s reassurances, its failure to promptly disclose the incident triggered backlash within its user community. On Telegram, many users voiced concerns over the platform’s transparency, questioning why it took more than three weeks to confirm the breach and why the amount lost wasn’t initially disclosed.
One user commented, “The statement did not mention the important information that users want to know. It did not mention when the incident happened or how much the amount was.”
The delayed response and absence of specific figures in the initial disclosure were widely criticised as being inadequate and damaging to user trust.
Surge in Crypto Exploits in 2025
The BitoPro breach adds to a growing list of high-profile crypto hacks in 2025. Most notably, the Bybit hack in February resulted in losses that accounted for over 92% of Q1’s total stolen assets. In that case, attackers manipulated transaction data in real time by injecting malicious JavaScript into Safe{Wallet}.
Cybersecurity firm PeckShield reported that Q1 2025 saw $1.63 billion in losses due to hacks, marking a 131% year-on-year increase from Q1 2024. However, May showed signs of recovery, with a 39% drop in losses compared to April — totalling $244.1 million across roughly 20 major incidents.
These increasingly sophisticated attacks underscore the urgent need for improved wallet infrastructure, faster incident response, and greater transparency from crypto platforms.
The BitoPro hack highlights the persistent vulnerabilities within the crypto ecosystem, particularly during system upgrades and wallet transitions. While BitoPro claims user funds remain secure, the delayed communication has cast doubt over its transparency and incident handling.