Crypto exchange BigONE was hit by a serious hack on July 16, 2025. The attacker stole about $27 million from its hot wallet. BigONE confirmed the loss and promised to cover it using its own reserves.
What happened?
On July 16, the crypto exchange’s monitoring systems flagged large withdrawals from its hot wallet. The company quickly confirmed it was under attack. It called it a third‑party attack—not a leak of private keys—but a breach in its hot wallet system.
The attacker altered backend server logic. That let them bypass normal withdrawal checks. They moved funds freely out of the wallet.
BigONE says no private keys were stolen. It also says the breach has been contained .
How much was stolen?
Blockchain detectives at Lookonchain tracked the stolen assets. The haul included:
- 120 BTC (~$14 million)
- 1,272 ETH (~$4 million)
- 23.3 million TRX (~$7 million)
- 2,625 SOL (~$428,000)
Additional tokens also vanished: USDT, SHIB, DOGE, CELR, SNT, UNI, LEO, WBTC, XIN, and more (CoinDesk). Altogether, total losses came to about $27 million.
Hacker Wallets:
bc1qwxm53zya6cuflxhcxy84t4c4wrmgrwqzd07jxm
TCAfB8jHbJ56xwmfwKwWEs8HLRjbC2GfHG
0x0A360bD648EB86613961a2AA41dC1610c5305F4F
7RWHQ7ujSFwokAPkAhHTdiPxRF2LmqrvgYEqDiAjLxdHHow the stolen assets have moved
After the hack, the funds were quickly converted. The hacker swapped much of the loot into Wrapped Ethereum (WETH) and other tokens. This likely makes laundering easier by using mixers and DEXes.
CertiK Alerts spotted around $4 million in ETH moved to an attacker address (0x0a360b…) .
SlowMist and BigONE shared addresses linked to the hack. These include a Bitcoin address (bc1qwx…), a Solana address, and others.
BigONE’s response
BigONE sent a press release titled BigONE Security Incident Disclosure and Progress Update – July 16. They said:
- They found abnormal asset movement early that morning.
- They confirmed a hot wallet breach.
- All private keys are safe.
- They quickly contained the breach and stopped further loss.
- The estimated damage is ~USD 27 million.
- They’re working with SlowMist to trace stolen funds.
They also outlined their recovery plan:
- Resuming deposits and trading soon.
- Restoring withdrawals later, after extra checks.
- Covering all losses from internal reserves (BTC, ETH, USDT, SOL, XIN) and borrowed liquidity for other tokens.
- Regular public updates until the situation is resolved.
- A formal apology to users.
Was it a supply‑chain attack?
Yes. SlowMist described the breach as a supply‑chain attack on BigONE’s production environment or CI/CD systems. That let the attacker run malicious code and override logic, bypassing risk systems.
Cyvers, another security outfit, said the attacker tampered with account and risk‑control servers. That allowed funds to flow freely.
Experts warned exchanges to tighten CI/CD pipelines and use real‑time monitoring in both chain and off‑chain systems .
Broader context: crypto hacks in 2025
This isn’t the first big hack in 2025. Bybit lost about $1.5 billion to a hack tied to North Korean hackers. Coinbase had a suspected insider leak that cost $400 million.
GMX lost $42 million in a DeFi exploit, but most funds were returned later.
The total crypto loss in H1 2025 reached $2.4–2.5 billion, already more than H1 2024 .
Community backlash
Blockchain tracker ZachXBT criticized BigONE, saying the hack isn’t their only issue. He points to alleged scam‑linked deposits totaling $60 million tied to romance‑ and investment‑scam addresses over months.
He wrote on X (formerly Twitter):
“I do not feel bad for the team […] They used the same account for 7 months uninterrupted.
BigONE replied that they froze some scam‑linked funds and are working with law enforcement. But they didn’t offer proof.
Why it matters
- Hot wallets remain risky.
This attack didn’t need stolen private keys—it hit internal systems. That’s a big warning to all exchanges. - Supply‑chain threats are real.
Bad code in CI/CD pipelines can let hackers slip in deep. - Need stronger security tools.
Combine multi‑factor checks, code audits, monitoring, and auto‑shutdown systems . - User trust is fragile.
Users might move their money toward decentralized platforms or more trusted exchanges after these repeated breaches. - Regulation may follow.
More oversight and security audits could come into play after so many big losses.
What’s next?
- BigONE aims to resume deposits and trading soon, likely within hours of the hack.
- Withdrawals will come back later, after enhanced security checks .
- They’ll pay for losses using their own funds, so users shouldn’t lose any money .
- BigONE and SlowMist are tracking the funds. They hope to recover some of it.
- The community wants evidence of scam‑linked accounts. BigONE may face more pressure .
Lessons for readers
- Store bulk assets offline: Use cold wallets, not exchange hot wallets.
- Use exchanges with proven backups: Check their reserves and audit history.
- Diversify storage: Don’t keep everything at one exchange.
- Watch big transfers: You can track these via public blockchains.
- Prefer exchanges with strong security protocols: Look for CI/CD audits, bug‑bug bounty programs, transparent practices.
Final take
BigONE’s $27 million hack shows how weak some internal systems can be. The breach came from changing server logic—not stealing keys. That makes it a stealthy and dangerous type of attack.
BigONE is doing its best to fix things. They’re covering users’ losses. They’re rebuilding trust. But they still need better defenses. And users need to stay alert.
This incident is another reminder: crypto isn’t a “set‑and‑forget” world. You need to watch your money. Know where it’s stored and how it’s protected. Don’t rely on one place or solution. Be smart, be careful, and treat security as ongoing.
