Taiwanese Crypto Exchange BitoPro Targeted by North Korean Hackers

On June 2, 2025, a brief post by blockchain researcher ZachXBT on Telegram caused a stir in the Crypto Assets industry: multiple hot wallets on the Taiwanese Crypto Assets exchange BitoPro experienced suspicious outflows of funds, totaling as much as 11.5 million USD.

At this point, nearly 3 weeks have passed since the actual attack occurred, and the exchange has only suspended services citing “system maintenance”, without mentioning a word about the Hacker attack.

Timeline of Events, from Covert Attack to Public Disclosure

The attack occurred between May 8 and 9, 2025. At that time, the Hacker took advantage of the window period for wallet system upgrades and asset migrations at the exchange to launch a raid on its old hot wallet.

Multiple public chains have been affected: Tron, Ethereum, Solana and Polygon The hot wallet assets on the exchange were gradually transferred out. After the Hacker succeeded, they acted quickly, liquidating the funds at market price through decentralized exchanges (DEX) and transferring them to the Tornado Cash mixer, or through Thorchain Deposit to the Bitcoin network via cross-chain into the Wasabi wallet, attempting to cut off the tracking path of the funds.

Despite users reporting withdrawal issues, BitoPro’s official statement confirming the attack came on June 2, after ZachXBT publicly exposed it, claiming that “user assets are intact, and the platform has sufficient reserves.”

The handling method, which was hidden for three weeks, has sparked strong doubts within the community about its transparency and crisis management capabilities.

Analysis of Attack Techniques: A Classic Social Engineering Intrusion

On June 19, BitoPro released a report from a third-party security company confirming that the attacker was the notorious North Korean Hacker organization Lazarus Group.

The attack path clearly demonstrates its highly specialized modus operandi:

• Social engineering phishing attack: Hackers disguise communication to target BitoPro employees, luring them to click on malicious links or files.
• Malware infiltration: The successfully implanted malware evaded the exchange’s antivirus systems, endpoint protection, and cloud security detection.
• Infiltration Observation: Hackers lurk in the victim’s employees’ computers for a long time, observing the operation processes, especially targeting cloud business personnel who control Amazon AWS resource management.
• Token hijacking and bypassing MFA: stealing AWS session tokens and directly bypassing multi-factor authentication (MFA) mechanisms.
• Control the hot wallet host: Connect to the attacker’s C2 server, inject malicious instructions into the host responsible for hot wallet transactions, and ultimately simulate legitimate transactions to implement the transfer at 1 AM on May 9.

This method is highly consistent with Lazarus’s past attacks on the global banking SWIFT system and several exchanges, highlighting the maturity of its attack template.

The Hidden Hand: The Shadow of the Lazarus Group

The Lazarus Group is not a first-time offender. The organization is widely regarded as a network crime group supported by the North Korean regime, which has long aimed at stealing Crypto Assets to fund its weapons programs.

His criminal record is shocking:

• In 2016, attempted to steal 1 billion dollars from the Bangladesh central bank using a vulnerability in the SWIFT system (ultimately successfully transferred 81 million dollars)
• In February 2025, the exchange ByBit was attacked, resulting in a record theft of 1.5 billion dollars in Crypto Assets.
• Continuously targeting global Crypto Assets exchange supply chain attacks, vulnerability exploits, and complex social engineering fraud.

Security experts point out that the organization excels at combining technical vulnerabilities with human weaknesses, and the BitoPro incident once again confirms this.

The exchange’s response, measures to mend the fold after the sheep are lost

After the incident was exposed, BitoPro took a series of crisis response measures:

• Immediately shut down the hot wallet system to cut off the attack path.
• Replace all relevant encryption keys
• Isolate infected systems and conduct environmental reconstruction
• Entrust a third-party blockchain security company to trace the stolen funds

To regain trust, BitoPro proactively submitted a new hot wallet address to the on-chain data analysis platform Arkham on May 19, updating liquidity data for public oversight.

The company’s founder, Zheng Guangtai, emphasized that “customer assets will not be lost; any losses will be borne by the platform,” and pledged to enhance wallet management processes and monitoring levels. The Financial Supervisory Commission of Taiwan has also intervened, requiring the company to strengthen cybersecurity and submit an incident explanation.

Security Insight: The Most Vulnerable Link Remains “Human”

The BitoPro incident, although the amount lost is far less than ByBit’s $1.5 billion massive theft case, reveals vulnerabilities in the industry that are universal:

• Maintenance periods become high-risk windows: during system upgrades or asset migrations, risk control mechanisms may have temporary blind spots.
• Technical defenses are hard to withstand social engineering breaches: even the most sophisticated firewalls and MFA mechanisms can be completely compromised by an employee clicking a malicious link.
• The crisis of transparency exacerbates the collapse of trust: delayed disclosure and vague communication often harm user confidence more than the events themselves.

“The weakest link in any security system is always the human factor,” a conclusion that has been repeatedly validated in security reports.

Conclusion: The Evolution of Defense and the Never-Ending Offensive and Defensive Battle

The attack by the Lazarus Group is a systemic threat that the global Crypto Assets ecosystem continues to face. From the Central Bank of Bangladesh, ByBit to BitoPro, their attack methods are constantly evolving, yet the core remains unchanged: exploiting human weaknesses to breach technical barriers.

BitoPro incurred a loss of 11.5 million USD and upgraded its system, but the bigger challenge is: how the exchange can establish an internal control culture that is “anti-social engineering” and achieve a rapid and transparent response when faced with an intrusion.

In the world of blockchain, trust is the underlying currency, and each hacking incident tests whether its true reserves are sufficient.