In a major blow to crypto security in 2025, Taiwan-based cryptocurrency exchange BitoPro has confirmed a $11.5 million hack, weeks after on-chain sleuth ZachXBT raised concerns about suspicious wallet outflows. The breach, which reportedly occurred during a wallet system upgrade, went unreported to the public for over three weeks, prompting criticism from users and raising questions about transparency within the exchange.

The attack, identified by ZachXBT on June 2, involved unauthorized outflows from BitoPro’s hot wallets across multiple blockchains. In a statement issued hours later, the exchange admitted its old hot wallet was compromised during a routine upgrade and asset reallocation.

Wallet Upgrade Turns into Attack Vector

According to BitoPro, the security breach occurred during a recent upgrade of its wallet infrastructure. Hackers took advantage of a vulnerability during the transition of funds from the old hot wallet, managing to siphon off a substantial amount of assets.

“During the recent wallet system upgrade and asset transfer operation of BitoPro, the old hot wallet… was attacked by hackers,” the exchange said in a translated statement.

The company insisted that its emergency response protocols were activated immediately, and the remaining assets were moved securely to a new wallet. BitoPro also reassured its users that customer assets are safe and that the platform holds enough reserves to cover the loss. However, the company declined to specify the exact time of the incident or provide a full breakdown of the stolen assets.

ZachXBT Traces the Funds and Timeline

Blockchain investigator ZachXBT was the first to publicly raise the alarm, suggesting that the exploit occurred around May 8, nearly a month before BitoPro’s admission. In a detailed post, he highlighted suspicious movements across Tron, Ethereum, and Solana wallets, with the stolen assets ultimately funneled through Tornado Cash, Thorchain, and Wasabi Wallet, common destinations for laundering illicit crypto funds.

At the time, BitoPro had informed users that the exchange was undergoing “maintenance,” with no mention of a possible breach. The lack of immediate disclosure led to growing frustration in the exchange’s Telegram group, where users criticised the platform for failing to notify them sooner.

“The statement did not mention the important information that users want to know,” one user wrote. “It did not mention when the incident happened or how much the amount was.”

2025 Sees Rise in Crypto Exploits

The BitoPro breach adds to a growing list of crypto hacks in 2025, with cybercriminals increasingly targeting infrastructure upgrades and cross-chain vulnerabilities. The year began with the Bybit hack in February, which remains the most damaging to date, accounting for over 92% of Q1’s losses.

That attack involved a complex exploit in Safe{Wallet}, where attackers injected malicious JavaScript code to manipulate transaction data in real-time.

Security firm PeckShield reported that Q1 2025 witnessed $1.63 billion in crypto losses, a staggering 131% increase from Q1 2024. However, there has been a slight reprieve: in May 2025, total crypto thefts dipped by 39% compared to April, with around $244.1 million lost in 20 major incidents.

Transparency and Security in Question

BitoPro’s delayed response has sparked wider debate in the crypto community about exchange accountability, particularly in the face of rising threats. While the platform has pledged that user assets remain unaffected, the delayed disclosure and absence of detailed reporting may undermine user trust.

As attackers evolve with more sophisticated tactics, industry experts are calling for stronger security frameworks, proactive disclosure policies, and greater transparency from exchanges to restore confidence in the ecosystem.

The BitoPro hack serves as a stark reminder that even routine operations—such as wallet migrations can become entry points for devastating exploits if not meticulously secured.