BitoPro Reveals $11.5M Crypto Breach but Says Withdrawals Are Safe
Crypto exchange silent for weeks before confirming breach during system upgrade

Taiwan-based crypto exchange BitoPro has confirmed a major security breach that resulted in over $11.5 million in losses from its hot wallets. The exploit took place on May 8 across Ethereum, Tron, Solana, and Polygon wallets, with stolen assets quickly routed through DEXs and mixed via Tornado Cash and THORChain to obscure their origin. Despite the severity of the breach, BitoPro did not publicly acknowledge the incident until June 2—nearly three weeks later—prompting criticism from blockchain investigator ZachXBT.
According to BitoPro, the hack occurred during an internal wallet upgrade. The attacker exploited an outdated hot wallet during fund reallocation. While the company admitted the breach, it assured users that the platform’s reserves are intact and that user withdrawals, deposits, and trading operations remain unaffected. However, some users had previously reported problems withdrawing USDt shortly after the attack.
BitoPro has brought in an external blockchain security firm to trace the stolen assets and promised to share its new wallet address publicly for transparency. The firm insists that the platform is still safe for trading and withdrawals.
This incident highlights a broader trend of rising DeFi exploits. On May 22, DEX Cetus was hit for over $220 million, although $162 million was recovered. On June 2, Nervos Network suffered a $3 million breach, with attackers funneling the funds through Tornado Cash. Blockchain security firm Hacken reported that access control failures are among the most urgent risks facing the Web3 space, and that these hacks often take hours and several attempts to execute.
As cyberattacks on decentralized platforms surge, experts are urging crypto companies to prioritize access control and transparent incident reporting.