
Nearly a month after the incident, Taiwanese centralized exchange Bitopro has finally confirmed that its hot wallets were indeed exploited.
The funds were siphoned from wallets across multiple chains — including Ethereum, TRON, Solana, and Polygon — before being bridged to Bitcoin via THORChain and routed through privacy-centric services like Tornado Cash and Wasabi Wallet.
These tools, often employed for privacy or obfuscation, have become common in large-scale crypto heists. The use of multiple layers of obfuscation significantly complicates efforts to trace and recover stolen funds, a difficulty Bitopro acknowledged when it admitted to hiring a third-party blockchain security firm to investigate.
Independent onchain investigator ZachXBT was one of the first to identify suspicious flows from Bitopro’s addresses, highlighting how the funds rapidly moved across chains and into mixing protocols.
When the hack first occurred in May, Bitopro made no public announcements. Instead, it posted messages suggesting ongoing maintenance and claimed full operations would resume the day after. Some users, however, reported that withdrawals, particularly in USDT, were being blocked.
A Delayed Disclosure Sparks User Outrage
Bitopro only publicly acknowledged the exploit on June 2nd, nearly a full month after the incident. In the interim, the exchange posted vague maintenance notices and promised resumption of services within 24 hours. Users were left in the dark, and some began reporting issues with USDT withdrawals that contradicted the platform’s assurances.
In its June statement, Bitopro described the breach as involving an “old hot wallet” that was compromised during a routine fund reallocation process. The company assured users that its reserves remain intact and claimed that withdrawals are not affected. However, these statements have been met with skepticism given the early withdrawal blocks experienced by some customers.
Security Measures and User Concerns
In its June update, Bitopro promised to enhance transparency by sharing a new hot wallet address and working closely with a forensic security provider to track the flow of stolen assets. Still, user trust has taken a hit. The delayed disclosure and conflicting reports about withdrawal functionality have led to a flood of criticism on social media platforms and community forums.
The exchange has yet to announce any formal compensation plan or further details on the attacker’s identity or the scope of losses per token.
What This Means for the Future of CEX Transparency
For crypto users, the Bitopro saga serves as another reminder of the risks inherent in centralized custody and the need for improved exchange accountability. While cold wallets are typically considered safer, many centralized exchanges still rely on hot wallets for operational liquidity, leaving them exposed to potential exploits.
In May, Brave New Coin covered the US$200 million+ hack of the Decentralized Finance (DeFi) protocol, Cetus.
“The crypto industry has seen numerous high-profile hacks followed by similar promises of improved security measures. From bridge protocols to exchanges to DeFi platforms, the cycle of breach, response, and pledged improvements has become disappointingly routine.”
The Bitopro incident, like the Cetus one, and the Coinbase customer data loss before it, is significant not because it is unique but because it is part of a broader pattern of poor security and user support in the crypto infrastructure space.
According to crypto security firm PeckShield, ~US$244 million was lost across 20 major crypto hacks in May 2025. In the first quarter of 2025, over US$2 billion was lost in crypto hacks. A major contributor to this total was a US$1 billion hack of another centralized exchange, Bybit. CertiK has reported that of the billions of dollars in crypto lost to hackers in Q1 2025, only 0.38% has been recovered.