On July 16, cryptocurrency exchange BigONE confirmed a significant security breach resulting in the loss of around $27 million. The exchange disclosed that the hack stemmed from a third-party attack targeting its hot wallet infrastructure. Real-time monitoring tools first detected suspicious asset movements, triggering immediate investigation.
According to BigONE, the breach has been contained, and the attacker’s access route has been identified. Blockchain security firm SlowMist was brought in to help track the stolen assets and monitor the suspicious wallet addresses. Fortunately, BigONE confirmed that private keys remained secure and were not compromised during the incident.
The stolen assets include 120 Bitcoin (BTC), 350 Ether (ETH), millions of USDT (Tether) spread across different blockchains, and large amounts of CELR, SNT, SHIB, and other tokens.
Exchange Pledges to Cover All Losses
In a move to reassure customers, BigONE stated it would cover all losses from the incident to ensure user funds remain intact. The exchange activated its internal emergency reserves, which include BTC, ETH, USDT, Solana (SOL), and Mixin (XIN), to compensate users immediately.
For tokens not already available in their reserves, BigONE is actively securing external liquidity using borrowing mechanisms. This is aimed at quickly restoring all affected assets on the platform and maintaining normal operations.
Attack Originated from Server-Level Breach
A separate report from blockchain security firm Cyvers revealed deeper insights into how the hack was carried out. It appears that the attackers exploited vulnerabilities in BigONE’s production network, possibly through compromised CI/CD (Continuous Integration and Continuous Deployment) systems or other server management tools.

The breach began with the deployment of malicious software on BigONE’s account-operation servers. The hackers initially drained 350 ETH (valued at $1.1 million) and quickly expanded the operation, withdrawing funds from other blockchains such as Bitcoin, Solana, and Tron. The stolen assets were then consolidated into a single external wallet for laundering.
Cyvers pointed out that weak internal controls allowed the attackers to bypass key risk checks. Specifically, there was a lack of code integrity checks, no proper pre-transaction validation, poor segmentation between server environments, and a single point of failure in hot-wallet management.
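As an added illustration (not code from BigONE, Cyvers or this article), the sketch below shows what the missing pre-transaction validation could look like on the signing side: a per-transaction cap, a rolling velocity limit per asset, and an allowlist of vetted destinations, run over a constructed request sequence that mirrors the drain pattern described above. All limits, addresses and timestamps are assumed values.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed policy values for illustration; they are not BigONE's real limits.
# Assets with no entry fail closed (limit 0.0), so a new chain needs an explicit policy.
PER_TX_LIMIT = {"ETH": 50.0, "BTC": 5.0}      # max units in a single withdrawal
WINDOW_SECONDS = 3600                          # rolling window for the velocity rule
WINDOW_LIMIT = {"ETH": 150.0, "BTC": 15.0}     # max units per asset inside the window


@dataclass
class HotWalletGuard:
    """Policy checks a hot-wallet signer consults before it signs a withdrawal."""
    allowlist: set                                # destinations vetted out of band
    history: dict = field(default_factory=dict)   # asset -> deque of (ts, amount)

    def check(self, ts, asset, amount, dest):
        """Return the sorted list of violated rules; an empty list means 'sign'."""
        hits = []
        if amount > PER_TX_LIMIT.get(asset, 0.0):
            hits.append("per_tx_limit")
        window = self.history.setdefault(asset, deque())
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()                      # drop entries outside the window
        if sum(a for _, a in window) + amount > WINDOW_LIMIT.get(asset, 0.0):
            hits.append("velocity_limit")
        if dest not in self.allowlist:
            hits.append("unlisted_destination")   # e.g. a fresh consolidation address
        # Every request counts, signed or not: a burst of rejected requests is itself
        # a signal, and the rule fails closed rather than letting the burst through.
        window.append((ts, amount))
        return sorted(hits)


def replay(guard, requests):
    """Run constructed withdrawal requests through the guard and collect verdicts."""
    return [(req, guard.check(*req)) for req in requests]


# Constructed sequence: one routine payout, then a large transfer to an unlisted
# address followed by smaller transfers to the same address.
REQUESTS = [
    (0, "ETH", 5.0, "0xEXCHANGE_PAYOUT"),        # routine, listed destination
    (60, "ETH", 350.0, "0xATTACKER_NEW"),        # oversized, unlisted destination
] + [(70 + i * 10, "ETH", 40.0, "0xATTACKER_NEW") for i in range(5)]

if __name__ == "__main__":
    for req, verdict in replay(HotWalletGuard({"0xEXCHANGE_PAYOUT"}), REQUESTS):
        print(req, "SIGN" if not verdict else "HOLD: " + ", ".join(verdict))
```

Because the malware ran on the account-operation servers, a check like this only helps if it executes in a separately controlled signing environment that those servers cannot modify; otherwise the same compromise bypasses it.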
Stolen Funds Converted and Moved for Laundering
The attacker didn’t stop at stealing the funds; they also began laundering them. According to Cyvers, the stolen assets were converted into WETH (Wrapped Ethereum) or ETH and routed through newly created intermediary addresses. This indicates likely preparation for using decentralised exchanges or mixers to further obscure the origins of the funds.
Experts warn that such attacks highlight the urgent need for tighter security protocols in the crypto industry. Yehor Rudytsia, an on-chain security researcher at Hacken, stressed the importance of reinforcing CI/CD pipelines, maintaining strict dependency controls, and implementing both on-chain and off-chain monitoring systems.
He also underlined that automated incident response systems are now essential for any crypto exchange, enabling faster reaction times and limiting the scope of damage during cyberattacks.
Industry Impact and Lessons Learned
The BigONE incident came just one day after another DeFi platform, Arcadia Finance, was exploited on the Base blockchain, losing $3.5 million. This string of attacks highlights a broader trend of cyber threats facing both centralised and decentralised crypto platforms.
While BigONE’s swift response and full compensation promise are commendable, the incident exposes the risks associated with hot wallet systems and weak internal infrastructure. Going forward, exchanges must treat cybersecurity as a top priority, not just for compliance, but to ensure long-term trust and user safety.
In conclusion, this breach serves as yet another wake-up call for the entire crypto industry to invest in more robust security frameworks, conduct regular audits, and adopt real-time monitoring tools to defend against increasingly sophisticated threats.