The Taiwanese cryptocurrency exchange BitoPro today (the 19th) announced the results of its investigation into the early-May theft from its hot wallets, attributing the attack to the North Korean hacking group 'Lazarus Group' and ruling out the involvement of internal personnel. The attack techniques closely resemble those used in several past international cases, including illegal transfers through the SWIFT system and thefts from large exchanges.
BitoPro hacked for 11.5 million USD; internal involvement ruled out.
In early June, blockchain detective ZachXBT warned on his personal channel: 'On May 8, 2025, the Taiwanese cryptocurrency exchange BitoPro may have been robbed of approximately 11.5 million USD. Suspicious outflows from hot wallets on Tron, Ethereum, Solana, and Polygon have been observed, with the assets sold through DEXs. The stolen funds were subsequently deposited into Tornado or bridged cross-chain to Bitcoin via Thorchain and stored in Wasabi.' He questioned why BitoPro had not disclosed the incident on its official social media channels, instead telling users it was merely maintenance.
(Taiwanese exchange BitoPro suspected of being hacked! Blockchain detective ZachXBT questions why the theft of 11.5 million was not announced.)
BitoPro stated that, according to its internal security team and third-party investigators, the techniques used in this incident resemble those of several major past international cases, including illegal transfers through the SWIFT system at multiple global banks and asset thefts from large international cryptocurrency exchanges, all of which have been attributed to the North Korean hacking group 'Lazarus Group'.
The North Korean group targeted BitoPro with a social engineering attack.
Lazarus Group first ran a social engineering attack against a cloud operations engineer and succeeded in implanting a Trojan that evaded endpoint protection, antivirus, and cloud security monitoring, then lurked on the engineer's computer to observe day-to-day operations. From there the attackers hijacked the engineer's AWS session token; because such a token is issued only after MFA has already been completed, reusing it lets the attacker act as the engineer without ever facing an MFA prompt. Commands were relayed through a C2 server in the AWS environment, and malicious scripts were quietly staged on the hot wallet host while the attackers waited for the right moment to strike.
The attackers kept watching daily operations until around 1 AM on May 9, when they took advantage of the platform's wallet upgrade and asset reallocation: the staged scripts were launched to 'simulate legitimate operations' and illegally transfer multi-chain assets out of the hot wallets. Within a few minutes, approximately 11.5 million USD in assets on Ethereum, Tron, Solana, and Polygon had been moved out, converted through DEXs, and routed into decentralized services such as Tornado Cash and Thorchain, before being bridged to Bitcoin and deposited into Wasabi Wallet for mixing.
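The detection a practitioner would want after reading the attack path above is one that catches a stolen AWS session token being replayed from a second origin. The following is an added example written for this article, not BitoPro's or any vendor's tooling: it groups CloudTrail records by temporary access key (STS keys carry the "ASIA" prefix), takes the first origin seen as the session's baseline, and flags any later call with the same key from a different source IP and user agent inside a plausible token lifetime. The CloudTrail field names are real; the sample events, IP addresses, key IDs, and the list of "sensitive" API names are constructed for illustration.

```python
"""
Flag reuse of an AWS STS session token from a second origin.

Constructed example (not BitoPro's own logs or tooling). CloudTrail
field names (eventTime, eventName, userIdentity.accessKeyId,
sourceIPAddress, userAgent) are the real ones; the records below are
made up. The same temporary key is first used from the engineer's
workstation and later from an unfamiliar IP with a different client.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TEMP_KEY_PREFIX = "ASIA"   # STS temporary credentials; long-lived IAM user keys start with "AKIA"

# Assumed list of API calls worth escalating on; tune to your environment.
SENSITIVE_EVENTS = {"SendCommand", "StartSession", "RunInstances",
                    "CreateAccessKey", "PutObject", "GetSecretValue"}

# Constructed sample CloudTrail events (abridged fields).
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-08T14:02:11Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.4.0"},
    {"eventTime": "2025-05-08T14:05:40Z", "eventName": "DescribeInstances",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Darwin/23.4.0"},
    # Same session token, new origin: different IP and a different client string.
    {"eventTime": "2025-05-08T15:31:02Z", "eventName": "SendCommand",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"},
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 os/linux#5.15"},
    {"eventTime": "2025-05-08T15:33:19Z", "eventName": "DescribeInstanceInformation",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00001"},
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0 md/Botocore#1.34.0 os/linux#5.15"},
    # A second session used from a single origin only: no finding expected.
    {"eventTime": "2025-05-08T14:10:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLEKEY00002"},
     "sourceIPAddress": "203.0.113.22", "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0"},
    # Long-lived IAM user key (AKIA prefix): outside the scope of this check.
    {"eventTime": "2025-05-08T14:12:00Z", "eventName": "ListBuckets",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00003"},
     "sourceIPAddress": "192.0.2.5", "userAgent": "aws-sdk-go/1.50.0"},
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_session_hijacks(events, window=timedelta(hours=12)):
    """Return one finding per (temporary key, unexpected origin) pair.

    The first origin seen for a key is taken as the session baseline; any
    later call from a different (IP, user agent) within `window` of the first
    event is reported. `window` should match the role's MaxSessionDuration.
    """
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key.startswith(TEMP_KEY_PREFIX):
            by_key[key].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
        first = evs[0]
        baseline = (first["sourceIPAddress"], first["userAgent"])
        for ev in evs[1:]:
            origin = (ev["sourceIPAddress"], ev["userAgent"])
            if origin == baseline:
                continue
            if _parse_time(ev["eventTime"]) - _parse_time(first["eventTime"]) > window:
                continue  # beyond any plausible token lifetime; treat as unrelated
            f = findings.setdefault((key, origin), {
                "accessKeyId": key, "baseline_origin": baseline, "new_origin": origin,
                "first_seen": ev["eventTime"], "event_count": 0, "sensitive_calls": set()})
            f["event_count"] += 1
            if ev["eventName"] in SENSITIVE_EVENTS:
                f["sensitive_calls"].add(ev["eventName"])

    out = list(findings.values())
    for f in out:
        f["sensitive_calls"] = sorted(f["sensitive_calls"])
    return out


if __name__ == "__main__":
    for f in find_session_hijacks(SAMPLE_EVENTS):
        print(f"{f['accessKeyId']}: baseline {f['baseline_origin'][0]} -> "
              f"new origin {f['new_origin'][0]} at {f['first_seen']}, "
              f"{f['event_count']} calls, sensitive={f['sensitive_calls']}")
```

The baseline heuristic assumes the legitimate user touches the token before the attacker does; pairing it with an allowlist of corporate egress IPs or VPC endpoints removes that assumption. On the preventive side, the same stolen-token scenario is contained by `aws:SourceIp` or `aws:SourceVpce` conditions on the role's trust and permission policies and by a short MaxSessionDuration, so that a token lifted from a workstation is useless from the attacker's infrastructure or expires before it can be used.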
The case has since been handed over to criminal investigation and forensic units. The platform promptly re-audited and rebuilt its wallet system; BitoPro's new wallet can now be observed on Arkham.
North Korean and Israeli hacking groups target centralized exchanges.
In February, Bybit was hacked for 1.5 billion USD, with Lazarus Group likewise identified as the mastermind.
(Truth about Bybit hacking incident revealed: Multi-signature wallet Safe frontend was compromised and modified, supply chain attacks become a new concern.)
More recently, the Iranian exchange Nobitex was hacked for 80 million USD, an attack attributed to Gonjeshke Darande and reportedly carried out for political purposes rather than profit.
(Iranian banking system and cryptocurrency exchanges completely paralyzed! If a cyberwar occurs in the Taiwan Strait, can holding Bitcoin hedge against risks?)
This article, 'North Korean hackers targeted a Taiwanese exchange! BitoPro hacked for 11.5 million USD, linked to the same group behind the 1.5 billion Bybit theft', first appeared in Chain News ABMedia.