The BitoPro exchange, part of the BitoPro Group, was reported to have been hacked in May, resulting in the theft of over ten million dollars in assets. An investigation report on the attack has been released.

The domestic cryptocurrency exchange BitoPro experienced a hacking incident in May, in which a total of 11.5 million dollars in cryptocurrency assets was stolen from the company's hot wallet. Today (19th), BitoPro announced the investigation results, stating that the attack was carried out by the North Korean hacker group 'Lazarus Group' and that law enforcement is continuing to investigate.

BitoPro announced that, after nearly a month of investigation following the hack, a forensic report jointly issued on June 11 by BitoPro's cybersecurity team and a third-party professional agency has preliminarily ruled out the involvement of internal personnel. The method of attack was similar to several past major international cases, including illegal transfers through the SWIFT system at multiple global banks and asset thefts from major international cryptocurrency exchanges, all attributed to the North Korean hacker group 'Lazarus Group'.

In its announcement, BitoPro detailed the hacker's methods and the course of the attack, which began with a 'social engineering attack' targeting a single employee:

The hacker conducted a social engineering attack on an employee responsible for cloud operations, successfully implanting a Trojan program that bypassed endpoint protection, antivirus, and cloud security detection systems. The Trojan remained hidden on the employee's computer, observing their daily operational behavior so as to evade routine monitoring by cybersecurity personnel.
The hacker hijacked the AWS Session Token to bypass multi-factor authentication (MFA) and sent commands through a C2 server in the AWS environment, quietly transferring malicious scripts to the hot wallet host and waiting for the opportunity to launch an attack.

After a long period of observation, the hacker chose the period when the platform was carrying out a wallet system upgrade and asset transfer operations, simulating normal operational behavior to launch the attack. Around 1 a.m. on May 9, the hacker activated the malicious script, simulating a legitimate transaction, and illegally transferred cryptocurrency from the hot wallet.

It was not until the wallet monitoring system detected anomalies and issued a warning that the cybersecurity team immediately activated an emergency response, which included urgently shutting down the hot wallet system, changing all related keys, isolating and rebuilding affected systems and endpoints, expanding monitoring, and continuously tracking abnormal behavior to further block the hacker's actions.

BitoPro stated that the incident has now been handed over to criminal investigation units for investigation and forensic analysis. The platform has re-checked and rebuilt the wallet system, and on May 19 it proactively provided the hot wallet address to the on-chain data tracking platform Arkham to update relevant data such as platform levels. As of June 19, the page has updated some wallet addresses (https://intel.arkm.com/explorer/entity/bitopro), and BitoPro users can go check it out.

BitoPro calls on the industry to remain vigilant and will continue to strengthen cybersecurity technology and management processes, as well as actively share experiences.

"BitoPro's investigation into the hack is attributed to North Korea's Lazarus! A social engineering attack stole 11.5 million dollars" was first published by BlockTempo (the most influential blockchain news media).
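An added example, not part of BitoPro's report or tooling: a hijacked session token still carries the MFA flag of the login that minted it, so one defensive check is to flag temporary credentials that show up from a second origin mid-session. The events below are constructed, the field names follow the CloudTrail record format, and the single-origin assumption needs tuning where VPN or NAT changes are normal.

```python
from collections import defaultdict

def ev(time, key, ip, agent, name, mfa="true"):
    """Build a minimal CloudTrail-style record (constructed sample data)."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"accessKeyId": key,
                             "sessionContext": {"attributes": {"mfaAuthenticated": mfa}}}}

# Constructed events: one MFA-backed session whose token later appears from a second origin.
SAMPLE_EVENTS = [
    ev("2025-01-01T01:00:00Z", "ASIAEXAMPLEKEY000001", "198.51.100.10", "aws-cli/2.15", "DescribeInstances"),
    ev("2025-01-01T01:05:00Z", "ASIAEXAMPLEKEY000001", "kms.amazonaws.com", "kms.amazonaws.com", "Decrypt"),
    ev("2025-01-01T01:20:00Z", "ASIAEXAMPLEKEY000001", "203.0.113.77", "Boto3/1.34", "GetCallerIdentity"),
    ev("2025-01-01T02:00:00Z", "ASIAEXAMPLEKEY000002", "198.51.100.10", "aws-cli/2.15", "ListBuckets"),
    ev("2025-01-01T02:10:00Z", "AKIAEXAMPLEKEY000003", "203.0.113.77", "Boto3/1.34", "ListBuckets", "false"),
]

def find_token_reuse(events):
    """Flag temporary credentials (ASIA...) used from more than one origin in a single session."""
    sessions = defaultdict(list)
    for e in events:
        key = e["userIdentity"].get("accessKeyId", "")
        # Long-term keys (AKIA...) are out of scope. Calls made by AWS services on the
        # caller's behalf log a service DNS name instead of an IP; they are not an origin change.
        if key.startswith("ASIA") and not e["sourceIPAddress"].endswith(".amazonaws.com"):
            sessions[key].append(e)
    findings = {}
    for key, evs in sessions.items():
        evs.sort(key=lambda e: e["eventTime"])  # ISO-8601 UTC strings sort chronologically
        first = (evs[0]["sourceIPAddress"], evs[0]["userAgent"])
        moved = [e for e in evs[1:] if (e["sourceIPAddress"], e["userAgent"]) != first]
        if moved:
            attrs = evs[0]["userIdentity"].get("sessionContext", {}).get("attributes", {})
            findings[key] = {
                # True means MFA-conditioned policies would still have allowed the later calls.
                "mfa_session": attrs.get("mfaAuthenticated") == "true",
                "first_origin": first,
                "later_origins": sorted({(e["sourceIPAddress"], e["userAgent"]) for e in moved}),
                "first_anomalous_event": moved[0]["eventTime"],
            }
    return findings

if __name__ == "__main__":
    for key, finding in find_token_reuse(SAMPLE_EVENTS).items():
        print(key, finding)
```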