Key Takeaways: BitoPro’s breach reveals outdated wallet practices during upgrades. Cross-chain bridges are high-risk targets. BitoPro’s delayed disclosure undermines trust, proving that timely communication is essential even with sufficient reserves. $11.5 million vanished in minutes—Taiwan’s BitoPro bled dry after hackers exploited an exposed wallet during a May 8 upgrade. They drained the exchange’s funds, pilfering Ethereum , Tron, and Solana before disappearing through Tornado Cash’s swirling depths. Do you want to explain to the community why multiple of your hot wallets saw suspicious outflows of ~$11.5M on May 8, 2025 where you still have not disclosed the security incident on X or Telegram several weeks later? pic.twitter.com/HlD0c93Or4 — ZachXBT (@zachxbt) June 2, 2025 This wasn’t just another hack. It was a lesson in how not to handle one. The breach showcases the large gap between crypto exchanges’ promises and their patchy security, particularly during routine upgrades. While BitoPro scrambles to reassure users, the stolen millions continue their whirl through privacy pools, proving once again how money moves faster than the truth in crypto. Upgrade Failures: Why Crypto Exchanges Keep Repeating the Same Mistakes BitoPro’s mishandling of the recent security breach exposes serious flaws in how crypto exchanges manage crises. When the hack occurred on May 8, the exchange initially dismissed the resulting service disruptions as routine “maintenance” the following day. This vague explanation left users confused, especially when USDT withdrawals suddenly froze without warning. BitoPro confirmed that its old hot wallet was compromised during a recent wallet system upgrade and asset migration. The platform responded by immediately transferring assets to a new wallet and halting the attack, with support from a third-party cybersecurity firm. A new wallet… — Wu Blockchain (@WuBlockchain) June 2, 2025 The three-week delay in publicly acknowledging the breach only deepened suspicions, showing how poor communication can amplify security failures. Though BitoPro eventually assured users it had “sufficient reserves” to cover losses and brought in external security teams to track the stolen funds, the damage to its reputation was irreversible. By the time the exchange pledged to publish new wallet addresses for verification, rumors about its financial stability had already begun to circulate. The incident fits a pattern of systemic crypto vulnerabilities. For example, weeks earlier, the decentralized exchange Cetus lost $220 million but froze $162 million within days, returning the funds via a community vote. In contrast, BitoPro’s sluggish response showed the bureaucratic paralysis of centralized exchanges. Alert Announcement There was an incident detected on our protocol and our smart contract has been paused temporarily for safety. The team is investigating the incident at the moment. A further investigation statement will be made soon. We are grateful for your patience. — Cetus (@CetusProtocol) May 22, 2025 The same day BitoPro went public, hackers stole over $3 million from Nervos Network’s Force Bridge, laundering the proceeds through Tornado Cash, which was also used in BitoPro’s breach. Security Alert Nervos Network's ForceBridge was exploited due to Access Control vulnerability for $3.9m worth of assets ($3.1m on ETH and $800k on BNB Chain)! There was failed attempt to execute an attack 6 hours prior to successful one. Most of funds were already… pic.twitter.com/bxKKuauO5F — Extractor | Web3 Threat Detection & Compliance (@extractor_web3) June 2, 2025 Nervos acted swiftly, pausing contracts and launching a forensic investigation. The divide is becoming clearer. While centralized exchanges falter due to slow disclosures, DeFi faces agile cross-chain attacks. Without transparency and adaptability, crypto risks losing user trust entirely. Are Declining Hack Numbers a Mirage? The Hidden Spike in Small Breaches PeckShield reports $244 million stolen across 20 attacks, down 39% from April, and the improvement came from fewer big heists, not better security. #PeckShieldAlert In May 2025, ~20 major crypto hacks were recorded, resulting in total losses of $244.1M—a 39.29% decrease from April. Notably, @CetusProtocol & #SUI have frozen a combined $157M of stolen funds (representing 71% recovery from the $220M theft). #Top 5 Hacks in… pic.twitter.com/ZJmGZvbthS — PeckShieldAlert (@PeckShieldAlert) June 1, 2025 The $220 million Cetus attack alone made up nearly all of May’s losses. Smaller thefts still added up: $12 million from the Cork Protocol, $5.2 million from North Korean hackers, $2.2 million from MBU tokens, and $1.2 million from MapleStory Universe. The crypto industry’s response to mounting security threats reveals both genuine progress and concerning gaps. Exchanges have stepped up their defenses. Coinbase, Kraken, and BitMEX now enforce two-factor authentication for all users, while Binance and OKX keep more than 90% of funds in offline cold storage. Bitstamp also requires multiple approvals for withdrawals. Regular security testing and bug bounty programs help uncover weaknesses before hackers can exploit them, yet breaches keep happening. BitoPro’s recent hack was the result of lax security during a system upgrade. No amount of advanced technology can prevent such human errors. This inconsistency hurts crypto’s credibility. Research shows that current safeguards could dramatically reduce attacks if properly implemented. However, with $2.2 billion stolen in 2024, public trust remains low. Many potential investors still see crypto as too risky, and the BitoPro case made things worse. Even after the hack, delayed warnings and confusing statements undermined confidence. Frequently Asked Questions(FAQs) Why was BitoPro’s hack disclosure delayed for weeks? BitoPro’s three-week delay likely reflected internal assessments of the damage and adequacy of its reserves. However, this delay violates industry best practices and may breach Taiwan’s transparency expectations for crypto exchanges, potentially triggering regulatory scrutiny. How can user funds remain safe when USDT withdrawals were frozen? The contradiction between BitoPro’s safety claims and frozen USDT withdrawals suggests either liquidity constraints or internal mismanagement. While the exchange blamed security protocols, the discrepancy undermines confidence in their reserve adequacy claims. Can the stolen funds be recovered after using Tornado Cash and THORChain? Recovery is unlikely, and privacy tools like Tornado Cash obscure trails. BitoPro’s reliance on external tracking suggests a weak cross-chain monitoring system, a common flaw in centralized exchanges. The post Taiwan-Based Exchange BitoPro Suffers $11.5 Million Hack, User Funds Unaffected appeared first on Cryptonews .
