ZachXBT flags suspicious $11.5M outflows from BitoPro exchange’s hot wallets, says it was ‘likely exploited’

Another day, another crypto mystery unraveled by ZachXBT. On June 2, the on-chain investigator shook up the community once again, this time pointing to suspicious outflows from Taiwan-based cryptocurrency exchange BitoPro. His verdict: the platform was “likely exploited” to the tune of $11.5 million, with funds shuffled through mixers and privacy tools across multiple blockchains.

It’s a serious accusation, and more importantly, it raises fresh questions about transparency, accountability, and how platforms handle security breaches in an era of constant cyber risk.

A Silent Breach

The exploit didn’t come to light via an official statement from BitoPro. Instead, ZachXBT flagged it through his Telegram channel, known for exposing rug pulls and tracking stolen funds in real time.

The breach itself occurred on May 8, 2025, during what BitoPro later described as a wallet system upgrade. Funds were quietly drained from a hot wallet and moved across Ethereum, Tron, Solana, and Polygon networks.

More than $11.5 million in assets were then obfuscated through Tornado Cash, Thorchain, and Wasabi Wallet. These are privacy tools often used by hackers to cover their tracks. It had all the hallmarks of a sophisticated laundering operation.

The Community Finds Out

ZachXBT message was direct. “The stolen funds were then deposited to Tornado or bridged to Bitcoin via Thorchain and deposited to Wasabi.”

But that wasn’t all. The community soon realised BitoPro had said nothing publicly. No announcement, no warning to users, and no transparency.

So users took it upon themselves to sound the alarm. They posted ZachXBT’s findings to BitoPro’s official Telegram. The response was brief, vague message from a BitoPro admin, “Just received numerous inquiries, and we will respond uniformly to all of you later.”

It took more than two hours before the company released a formal statement. Even then, the message was written in Chinese and posted without fanfare. It seemed more like damage control than a full confession.

What BitoPro Said (and Didn't Say)

At 5:12 p.m. local time on May 8, BitoPro finally acknowledged what had happened. There had been a breach that occurred during a wallet system upgrade. The exchange activated an emergency response, moved assets to new wallets, and hired a cybersecurity firm, but the key details were missing.

Who exactly was behind the attack? How did the exploit happen? When did they discover it? And perhaps most importantly, why wasn’t this disclosed earlier?

The statement emphasised that no user funds were affected. That’s good news, if true. But the lack of upfront communication has left many users feeling uneasy. After all, if ZachXBT hadn’t spoken up, would the public have ever found out?

A Pattern of Obfuscation?

This isn't the first time a major crypto exchange has opted for quiet containment instead of upfront communication. Earlier this year, Bybit was linked to a $1.4 billion exploit, later traced to North Korea’s Lazarus Group. The stolen funds in that case were also laundered through Tornado, Thorchain, and Wasabi.

Whether BitoPro’s breach is linked to Lazarus remains unknown. But the overlap in laundering methods and delayed reporting points to a disturbing trend: security incidents being buried until forced into the open.

Hot Wallets: A Constant Weak Spot

At the heart of most exchange exploits is a weak point: hot wallets. These wallets are connected to the internet to facilitate fast deposits and withdrawals. They’re convenient but risky. Once compromised, they provide direct access to liquid funds.

In this case, ZachXBT tracked the stolen assets across at least four networks. This wasn’t a one-time breach. It was a coordinated siphoning of funds from multiple vectors, all timed to coincide with a scheduled wallet upgrade.

If attackers gained access during the upgrade process, they may have exploited internal vulnerabilities or social engineering. It’s the kind of thing you expect to see in an attack simulation, not real life. Yet, here we are.

A Bigger Conversation: Trust and Timing

Let’s be clear, the exploit itself is bad. But the delayed disclosure is worse. Crypto moves fast, news spreads faster, and in this environment, silence can look a lot like negligence.

BitoPro's failure to notify its users in real time erodes trust. Even if no customer assets were lost, the optics matter. People expect transparency, especially when it comes to their money.

Compare this to traditional finance. If a bank suffers a breach, customers are often notified within hours. In some cases, regulators mandate it. In crypto? Too often, it's up to blockchain sleuths to uncover the truth.

The Role of Independent Investigators

That brings us back to ZachXBT. He’s not a journalist, not a regulator, and not a developer on BitoPro’s team. But over the past two years, he has become one of the most respected (and feared) figures in crypto.

His work has helped recover millions in stolen funds. He’s exposed NFT rug pulls, tracked down scammers, and embarrassed big-name projects that failed to own up to their mistakes.

Once again, he’s shown that independent oversight,  the kind that doesn’t rely on press releases or PR filters, is vital for keeping the industry honest.

What Happens Next?

Right now, BitoPro says it has secured its systems and blocked further hacker activity. It also says it’s working with a third-party cybersecurity firm to investigate what happened.

There’s no public timeline for when more information will be shared, no mention of police or regulatory involvement, and no updates on whether they’ve recovered any funds.

This can be frustrating for users. In the days following the breach, there has been no clear message from leadership. No dedicated webpage tracking the incident. Just a translated statement buried in a Telegram thread and on-chain movement followed by one determined investigator.

Crypto’s Growing Pains Continue

BitoPro isn’t a household name like Coinbase or Binance, but this event echoes issues we’ve seen across exchanges big and small:

• Hot wallet vulnerabilities
   
• Poor incident response
   
• Delayed communication
   
• Misuse of privacy tools like Tornado and Wasabi

As regulators around the world move to tighten controls on crypto trading platforms, incidents like this offer ammunition. The UK’s Financial Conduct Authority (FCA), for example, recently proposed new rules requiring exchanges to report every customer transaction. The goal is to Increase transparency and reduce the use of privacy-focused mixers in criminal activity.

The U.S., meanwhile, has pushed to sanction platforms like Tornado Cash and label them as national security threats. So, whether exchanges like it or not, the days of operating in silence are numbered.

Final Thoughts

The BitoPro hack, and more importantly, the exchange’s initial silence, is a cautionary tale. Security is only part of the equation. Trust matters, and in crypto, trust is earned not by avoiding breaches, but by how openly and swiftly they’re handled. ZachXBT did what BitoPro should’ve done on day one: alert the community, track the funds, and ask tough questions.

As this story develops, it is clear that the crypto industry can no longer afford to treat hacks like private embarrassments. They’re public failures, and they demand public accountability. So if your funds are on an exchange, it’s worth asking who’s watching the watchers?