Cyber Incident Victim: BigONE
Date: Jul 2025
Location: Seychelles
Summary
BigONE reported a $27 million loss after a third‑party attack compromised its hot wallet infrastructure, detected through abnormal asset movements that triggered real‑time monitoring alerts. The exchange worked with blockchain security firm SlowMist to trace the attacker’s wallet addresses and monitor the stolen funds, which included 120 BTC, 350 ETH, large amounts of USDT, CELR, SNT, SHIB and other tokens. It pledged to cover all losses using its internal security reserves and external liquidity for non‑mainstream tokens. Investigators found the attacker likely gained access to the production network via compromised CI/CD or server‑management channels, deploying malicious binaries to account‑operation servers before draining 350 ETH worth about $1.1 million; the stolen assets were converted to WETH/ETH and routed through intermediaries for laundering. Security gaps identified were single‑point hot‑wallet failures, weak code‑integrity controls, missing pre‑transaction validation and poor network segmentation. The incident followed a separate $3.5 million exploit at Arcadia Finance, contributing to a broader surge in crypto‑sector losses.
Description
On July 16, 2025, BigONE exchange detected a security incident after its real‑time monitoring system flagged abnormal asset movements originating from its hot wallet infrastructure. The exchange immediately initiated an investigation and enlisted the blockchain security firm SlowMist to trace the attacker’s wallet addresses and monitor the flow of stolen funds. According to the exchange’s statement, the attacker gained access to the production network, likely through compromised CI/CD or server‑management channels, and deployed malicious binaries onto account‑operation servers. Using this foothold, the attacker drained approximately 350 ETH, valued at about $1.1 million, before converting the stolen assets into WETH/ETH and routing them through a series of intermediary addresses for laundering. In addition to ETH, the hot wallet held 120 BTC, millions of USDT, and various tokens including CELR, SNT, and SHIB, all of which were reported as affected in the breach.

In response to the loss, BigONE pledged to compensate all impacted users entirely from its internal security reserves, which consist of BTC, ETH, USDT, Solana, and Mixin holdings, supplemented by external liquidity for non‑mainstream tokens that were not covered by those reserves. The exchange emphasized that the compensation would be drawn from its own funds rather than relying on user contributions or external insurance. Throughout the incident, BigONE maintained communication with SlowMist to continue monitoring the movement of the stolen assets and to provide updates on any further developments. The company also confirmed that it had halted the compromised hot‑wallet operations and was conducting a forensic review of the affected servers and deployment pipelines.
Security analysts reviewing the incident identified several gaps that contributed to the breach, including a single‑point failure in the hot‑wallet design, weak code‑integrity controls, the absence of pre‑transaction validation checks, and insufficient network segmentation between production and development environments. Experts noted that the event underscored the need for stronger CI/CD pipeline protections and more automated incident‑response mechanisms. The hack occurred just one day after Arcadia Finance suffered a $3.5 million exploit, adding to a broader trend that saw Q2 2025 accumulate roughly $2.47 billion in losses across the cryptocurrency sector.
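A pre‑transaction validation gate of the kind the analysts say was missing, sitting between the account‑operation servers and the signing key so that a compromised server alone cannot release an outflow. This is an added example written for this entry, not BigONE's or SlowMist's code; the ETH caps, the one‑hour window, the addresses and the request stream are constructed assumptions.

```python
"""Pre-transaction validation gate for hot-wallet outflows (added example).
Constructed assumptions: caps, window, addresses and the request stream are invented."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class OutflowPolicy:
    allowlist: set[str]          # destinations cleared for automated signing
    per_tx_cap_eth: float        # largest single transfer released without a human
    window_cap_eth: float        # rolling total before further transfers need review
    window_s: int = 3600
    history: deque = field(default_factory=deque)  # (timestamp, amount) of signed transfers

    def _window_total(self, now: float) -> float:
        # Drop signed transfers that have aged out of the rolling window.
        while self.history and now - self.history[0][0] > self.window_s:
            self.history.popleft()
        return sum(amount for _, amount in self.history)

    def evaluate(self, to: str, amount_eth: float, now: float) -> tuple[str, list[str]]:
        """Return ("SIGN", []) or ("HOLD", reasons). Only SIGN reaches the signing key."""
        reasons = []
        if to.lower() not in {a.lower() for a in self.allowlist}:
            reasons.append("destination not on allowlist")
        if amount_eth > self.per_tx_cap_eth:
            reasons.append(f"{amount_eth} ETH exceeds per-tx cap of {self.per_tx_cap_eth}")
        if self._window_total(now) + amount_eth > self.window_cap_eth:
            reasons.append("rolling-window outflow cap exceeded")
        if reasons:
            return "HOLD", reasons      # park for manual review and raise an alert
        self.history.append((now, amount_eth))
        return "SIGN", reasons


# Constructed placeholder addresses: one known customer payout, one never seen before.
KNOWN_CUSTOMER = "0xCUSTOMER_PLACEHOLDER"
UNKNOWN_ADDR = "0xUNKNOWN_PLACEHOLDER"


def run_demo() -> list[tuple[str, list[str]]]:
    """Feed a constructed request stream through the gate and return each decision."""
    policy = OutflowPolicy(allowlist={KNOWN_CUSTOMER}, per_tx_cap_eth=10.0, window_cap_eth=20.0)
    requests = [
        (KNOWN_CUSTOMER, 2.0, 100.0),   # routine payout
        (KNOWN_CUSTOMER, 5.0, 160.0),   # routine payout, window total now 7
        (UNKNOWN_ADDR, 350.0, 200.0),   # shape of the drain on this page: fails every rule
        (KNOWN_CUSTOMER, 9.0, 300.0),   # under per-tx cap, window total now 16
        (KNOWN_CUSTOMER, 8.0, 360.0),   # under per-tx cap but would push the window to 24
        (KNOWN_CUSTOMER, 8.0, 5000.0),  # earlier transfers aged out, window resets
    ]
    return [policy.evaluate(to, amt, t) for to, amt, t in requests]
```

A HOLD decision is the point where the monitoring alert the exchange described would fire before funds move, rather than after.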
