
Crypto exchange BigONE has suffered a third-party attack targeting its hot wallet infrastructure, resulting in an estimated loss of approximately $27 million.
On July 16, BigONE said it detected the security incident after abnormal asset movements triggered real-time monitoring alerts. “Upon investigation, it was confirmed to be the result of a third-party attack targeting our hot wallet,” it said.
BigONE said all private keys remain secure, and the attack path has been identified and contained to prevent further losses. The exchange collaborated with blockchain security firm SlowMist to trace the attacker’s wallet addresses and monitor the flow of stolen funds.
Affected tokens include 120 Bitcoin (BTC), 350 Ether (ETH), millions of USDt (USDT) across various chains, along with significant amounts of CELR, SNT, SHIB and others.
BigONE pledges to cover all losses
BigONE pledged to cover all losses from the breach to keep users’ assets intact. The company has already activated its internal security reserves, comprising BTC, ETH, USDt, Solana (SOL), and Mixin (XIN), to replenish affected user funds.
“For other affected mainstream and non-mainstream tokens, we are actively securing external liquidity through borrowing mechanisms to restore the platform wallet as soon as possible,” the exchange wrote.
In a report shared with Cointelegraph, blockchain security firm Cyvers said the attacker exploited the platform’s production network, likely through compromised CI/CD (Continuous Integration and Continuous Deployment) or server management channels, modifying business logic and disabling key risk-control checks.
The attack began with malicious binaries deployed to account-operation servers, followed by the unauthorized draining of 350 ETH ($1.1 million). The attacker quickly expanded withdrawals across Bitcoin, Solana, and Tron, consolidating the stolen assets into a single external address for laundering.
“To mitigate such attacks, you have to strengthen the security of CI/CD pipelines, to enforce strict control of your dependencies and implement continuous on-chain and off-chain monitoring of the whole infrastructure,” Yehor Rudytsia, onchain security researcher at Hacken, told Cointelegraph.
Rudytsia added that Automated Incident Response is a “must-have” security measure for all exchanges in order to halt the exploitation and to secure as much of the funds as possible.
Stolen funds are converted to WETH
The stolen funds were converted to WETH/ETH and routed through fresh intermediaries, indicating preparations for mixing or decentralized exchange activity, according to Cyvers.
Cyvers identified several security gaps contributing to the incident, including a single-point failure in hot-wallet management, insufficient code integrity controls, a lack of pre-transaction validation and limited network segmentation between build and wallet-management servers.
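To illustrate the pre-transaction validation and automated halt discussed above, here is an added example (not from BigONE, Cyvers or Hacken) of a policy gate enforced next to the signing key, so that tampered application binaries cannot switch it off. The class name, limits and request data are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SignerPolicy:
    """Hypothetical gate that runs beside the signing key, not on app servers."""
    per_tx_limit: dict          # asset -> max amount per withdrawal (assumed values)
    window_limit: dict          # asset -> max total outflow per sliding window
    window_seconds: int = 3600
    halted: bool = False
    history: list = field(default_factory=list)  # (time, asset, amount, dest)

    def outflow(self, asset, now):
        """Total signed outflow of one asset inside the sliding window."""
        cutoff = now - self.window_seconds
        return sum(amt for t, a, amt, _ in self.history if a == asset and t > cutoff)

    def authorize(self, asset, amount, dest, now):
        """Return a decision string; a velocity breach halts all further signing."""
        if self.halted:
            return "halted"                      # stays down until a human resets it
        if asset not in self.per_tx_limit or asset not in self.window_limit:
            return "unknown-asset"               # fail closed on unconfigured assets
        if amount <= 0 or amount > self.per_tx_limit[asset]:
            return "per-tx-limit"
        if self.outflow(asset, now) + amount > self.window_limit[asset]:
            self.halted = True                   # automated response: stop signing
            return "velocity-halt"
        self.history.append((now, asset, amount, dest))
        return "ok"

def demo():
    policy = SignerPolicy(per_tx_limit={"ETH": 50.0}, window_limit={"ETH": 120.0})
    # Constructed requests: (seconds, asset, amount, destination label)
    requests = [
        (0, "ETH", 2.0, "user-a"),
        (60, "ETH", 5.0, "user-b"),
        (120, "ETH", 350.0, "new-addr"),  # one large withdrawal
        (130, "ETH", 50.0, "new-addr"),   # same drain split into chunks
        (140, "ETH", 50.0, "new-addr"),
        (150, "ETH", 50.0, "new-addr"),   # 107 + 50 exceeds the 120 window cap
        (160, "ETH", 1.0, "user-a"),      # refused: signer is halted
    ]
    return [policy.authorize(a, amt, d, t) for t, a, amt, d in requests]

if __name__ == "__main__":
    print(demo())
```

Because the limits live with the signer rather than in the business logic, disabling risk checks on an account-operation server does not raise what the signer will approve.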
The BigONE hack comes a day after Arcadia Finance, a decentralized finance (DeFi) platform operating on the Base blockchain, suffered an exploit resulting in the theft of about $3.5 million in cryptocurrency.
The first half of 2025 has seen more than $2.47 billion in losses due to hacks, scams and exploits, representing a nearly 3% increase over the $2.4 billion stolen in 2024.