Cryptocurrency exchange BigONE was the victim of a massive cyberattack on July 16, 2025, which resulted in the theft of digital assets worth approximately $27 million. The incident caused serious concern in the crypto community and once again highlighted the importance of strengthening security measures on centralized platforms.
The essence of the incident is that hackers managed to gain access to the infrastructure of the exchange’s hot wallet – a system designed to store cryptocurrencies that are necessary for the rapid processing of user transactions. The first alarm signal was the triggering of the anomaly monitoring system, which recorded suspicious activity with the platform’s assets. Soon after, it became known that large sums were being withdrawn.
As a result of the attack, the attackers managed to steal significant amounts of various crypto assets listed on the exchange. Among them:
- 120 Bitcoins (BTC),
- 350 Ether (ETH), which is equivalent to approximately $1.1 million,
- millions of Tether (USDT) stablecoins across multiple blockchains,
- as well as large volumes of CELR, SNT and SHIB tokens.
Security analysts from Cyvers, the company involved in the investigation, found that the attack began with a compromise of the exchange’s production network. Among the likely entry points were vulnerabilities in continuous integration and delivery (CI/CD) systems or in server management channels. The hackers introduced malicious code that disabled important security checks and allowed unauthorized withdrawals [2][3][5].
In an official statement, BigONE representatives emphasized that all private keys, the secret data used to access digital assets, remained safe and were not compromised. The point of attack was quickly identified and localized, which eliminated the possibility of further losses. To track the stolen funds and find the intruders, the exchange is cooperating with SlowMist, a well-known expert in the field of blockchain security. SlowMist helps monitor the addresses to which the stolen cryptocurrencies were withdrawn in order to track their movement [1][4][6].
In response to the incident, BigONE management promised to fully compensate the affected users for their losses. For this, the platform’s internal reserve funds will be used, including reserves in BTC, ETH, USDT, SOL and XIN. For some assets, the exchange plans to borrow external funds to restore liquidity. In addition, the exchange has already begun work on restoring the infrastructure: deposits and trading are planned to be restored within a few hours, and withdrawals will be possible a little later, after the implementation of additional security measures to prevent repeated attacks [2][3][7].
Security experts like Hacken’s Yegor Ruditsa recommend that cryptocurrency platforms in general improve their security by:
- strengthening the security of CI/CD pipelines,
- strict control of dependencies at all stages of development,
- implementation of integrated infrastructure monitoring systems,
- creation of automated incident response systems [2].
Traces of the attackers’ activity show that the stolen digital assets are being converted into Wrapped Ethereum (WETH/ETH), which suggests that they are preparing to launder them further through decentralized exchanges or specialized transaction mixing services. This is a typical strategy for cybercriminals to hide the origin of stolen funds [2].
It is worth noting that the attack on BigONE occurred just a day after a large-scale hack of the Arcadia Finance DeFi platform on the Base blockchain, where criminals stole about $3.5 million. Overall, an analysis of statistics for the first half of 2025 shows a steady increase in crypto crime: the total damage from hacks, fraud, and exploitation of vulnerabilities exceeded $2.47 billion, which is 3% more than in the same period of 2024 [2].
Thus, the incident with BigONE is one of the significant examples of modern risks in the cryptocurrency industry, indicating the need for further development of security and control technologies to protect users’ digital assets.
Sources:
The main information is based on news and statements from the BigONE platform, as well as expert reports from SlowMist, Cyvers and Hacken, published in July 2025 [1][2][3][4][5][6][7].
How did the attackers manage to hack BigONE’s infrastructure?
Attackers hacked the infrastructure of the BigONE cryptocurrency exchange by compromising its production network. According to security analysts from Cyvers, the probable entry points were vulnerabilities in continuous integration and delivery (CI/CD) systems or in the exchange’s server control channels. The hackers were able to inject malicious code that disabled key security check mechanisms, allowing them to withdraw digital assets from the platform’s hot wallet without authorization [1].
Additionally, experts from SlowMist point to the possibility of interference through elements of the supply chain, which could also be one of the reasons for the successful attack [3].
Thus, the main technical scheme of the attack consisted of penetration through vulnerabilities in the development and server management infrastructure, injection of malicious code, deactivation of security systems, and unauthorized withdrawal of funds.
Why the leak was not initially detected and how quickly BigONE responded
The BigONE cryptocurrency exchange leak was initially not immediately detected because the attack was carried out through the compromise of internal servers and supply chain infrastructure, allowing the attackers to manipulate the logic of user accounting and risk control within the system. This scheme bypassed traditional security mechanisms, as it did not involve the theft of private keys, but directly affected the authorization and withdrawal processes without activating standard security mechanisms. This type of hack is more difficult to detect in the early stages, as it uses trusted infrastructure elements and disguises its actions [1].
As for BigONE’s reaction, the incident was detected quite quickly: the monitoring system was triggered and suspicious transactions were identified as early as the morning of July 16, 2025. After detecting the anomalies, the exchange immediately localized the leak, stopping further losses, and immediately sought help from blockchain security specialists from SlowMist to track the stolen funds and monitor suspicious activity. This speaks to the high speed and decisiveness of the platform’s response to the crisis situation [1].
Thus, the delay in detecting the leak is due to the specifics of the technical implementation of the attack aimed at the internal infrastructure, and BigONE’s fairly quick response allowed the problem to be quickly localized and damage minimized after the incident was identified.
Why did it take so long to detect the leak at BigONE?
The BigONE cryptocurrency exchange breach took a considerable amount of time to detect due to the nature of the attack itself. The attackers carried out the breach by compromising the production network and supply chain infrastructure, exploiting vulnerabilities in continuous integration and delivery (CI/CD) systems or server management channels. This allowed them to inject malicious code that disabled key security checks and carried out unauthorized withdrawals.
The peculiarity of this attack is that it bypassed traditional detection methods, since the attackers did not steal private keys directly, but affected the internal processes of the system. In addition, the hackers carefully carried out transactions so that they did not look suspicious, avoiding the immediate activation of protection. As a result, the monitoring system detected anomalies only after the theft of assets had already begun.
Thus, the delay in detecting the leak is due to the use of complex technical attack methods, masking of malicious operations and bypassing standard security control procedures, which made it difficult to quickly respond to the incident [1].
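The two sections above explain that the injected code switched off checks inside the withdrawal path itself, so detection had to come from a monitor the application could not disable. As an added example (not BigONE’s code and not taken from any of the cited reports), the Python below reconciles on-chain hot-wallet outflows against a ledger of approved withdrawals on a separate system; the record formats, sample transactions and limits are constructed assumptions.

```python
"""Out-of-band reconciliation of hot-wallet outflows against approved withdrawals.

Assumptions (constructed for this example): the exchange's ledger records every
withdrawal that passed its authorization and risk checks, and an independent chain
indexer reports what actually left the hot wallet. The monitor must run on
infrastructure that the withdrawal service and its CI/CD pipeline cannot modify,
otherwise code injected into the service can silence this check as well.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Outflow:          # one on-chain transfer out of the hot wallet
    txid: str
    asset: str
    amount: int         # integer base units (satoshi, wei, ...)
    ts: int             # unix seconds


@dataclass(frozen=True)
class Approved:         # one ledger record that passed the exchange's checks
    withdrawal_id: str
    txid: str
    asset: str
    amount: int


def reconcile(outflows, approved, limits, window_s):
    """Return (txid, reason) alerts for unmatched outflows and velocity breaches."""
    by_txid = {a.txid: a for a in approved}
    recent = {}                       # asset -> deque of (ts, amount) inside the window
    alerts = []
    for o in sorted(outflows, key=lambda x: x.ts):
        rec = by_txid.get(o.txid)
        if rec is None:
            alerts.append((o.txid, "no approved withdrawal record"))
        elif rec.asset != o.asset or rec.amount != o.amount:
            alerts.append((o.txid, "on-chain asset/amount differs from ledger"))
        # Sliding-window velocity check: fires even if every record "looks approved",
        # because it depends only on chain data and a limit held outside the app.
        q = recent.setdefault(o.asset, deque())
        q.append((o.ts, o.amount))
        while q and q[0][0] < o.ts - window_s:
            q.popleft()
        total = sum(amt for _, amt in q)
        limit = limits.get(o.asset)
        if limit is not None and total > limit:
            alerts.append((o.txid, f"{o.asset} outflow {total} in {window_s}s exceeds limit {limit}"))
    return alerts


# Constructed sample data, not taken from the incident.
APPROVED = [
    Approved("W-1001", "tx-a1", "BTC", 50_000_000),   # 0.5 BTC, checks passed
    Approved("W-1002", "tx-a2", "ETH", 2 * 10**18),   # 2 ETH, checks passed
]
OUTFLOWS = [
    Outflow("tx-a1", "BTC", 50_000_000, 1_000),
    Outflow("tx-a2", "ETH", 2 * 10**18, 1_060),
    Outflow("tx-x9", "BTC", 40 * 10**8, 1_120),       # 40 BTC, no ledger record
    Outflow("tx-x10", "BTC", 40 * 10**8, 1_180),      # 40 BTC, no ledger record
]
LIMITS = {"BTC": 50 * 10**8}                           # 50 BTC per window


def run_sample():
    return reconcile(OUTFLOWS, APPROVED, LIMITS, window_s=3600)
```

Running `run_sample()` yields two "no approved withdrawal record" alerts for the unrecorded transfers and a velocity alert once the hour's BTC outflow passes the limit, which is the kind of signal an in-app check that has been disabled can no longer produce.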
How will this attack experience impact BigONE’s security protocol changes?
The experience of the attack on the BigONE cryptocurrency exchange will significantly change and strengthen the platform’s security protocols. In particular, the exchange’s management announced the implementation of comprehensive measures to protect and restore the infrastructure after the incident.
The main areas of security changes and improvements indicated by the attack experience are as follows:
- Strengthening the security of CI/CD (continuous integration and delivery) systems: since vulnerabilities in these systems were a likely entry point for the attackers, stricter controls and protections will now be implemented at the software development and deployment stages.
- Implementation of comprehensive infrastructure monitoring and automated response will allow for timely detection of anomalies and prevention of malicious actions at early stages.
- Strict control of dependencies and components used in the infrastructure – to eliminate the possibility of introducing malicious code through the supply chain.
- Increasing the level of protection for hot wallets and server management systems, given that the attack was aimed specifically at these elements.
The exchange’s official statements emphasize its readiness to use internal reserve funds to compensate for the damage and, in parallel, restore liquidity, while introducing additional security measures until the resumption of withdrawals.
Industry experts like Hacken have noted the need for a comprehensive approach to security in crypto platforms, including enhanced CI/CD, monitoring, and rapid incident response, which BigONE plans to implement in response to the attack.
Thus, the attack that occurred became an incentive for BigONE to rethink and improve security standards in order to minimize the risks of repeated hacks and increase user confidence in the platform [1][2][5].
What measures are planned to be introduced to prevent similar attacks in the future?
To prevent similar attacks in the future, the BigONE cryptocurrency exchange plans to implement comprehensive security measures based on the lessons learned from the incident and expert recommendations. The main measures include:
- Strengthening the security of CI/CD (continuous integration and delivery) systems, as vulnerabilities in these processes were a likely entry point for the attackers. This involves stricter control and protection at the software development, testing and deployment stages.
- Implementation of comprehensive infrastructure monitoring and automated incident response. This will allow timely detection of anomalies and prevention of hacker actions at early stages.
- Strict control of dependencies and components used in the infrastructure to eliminate the possibility of introducing malicious code through the supply chain.
- Increased protection of hot wallets and server management systems that were targeted by the attack.
- Restricting administrator and user access to critical systems using the principle of least privilege, which will reduce the risk of unauthorized interference.
- Updating software and security systems to patch vulnerabilities and protect against known hacking methods.
- Using multi-factor authentication (MFA) and other identity verification technologies to protect accounts and critical operations.
- Educating employees and raising their awareness of cybersecurity issues, an important element of protection against social engineering and other attack methods.
- Using specialized security tools such as antivirus software, firewalls, and intrusion detection and prevention systems (IDS/IPS) to reduce the likelihood of successful penetration.
This comprehensive strategy is intended to significantly increase the platform’s resilience to modern cyber threats and minimize the likelihood of recurring incidents [2][3][4][5].
How Future Measures Will Reduce the Likelihood of Internal Intrusion by Attackers
Future security measures planned to be implemented by the BigONE cryptocurrency exchange will significantly reduce the likelihood of internal intrusion by attackers through a comprehensive approach that includes technical, organizational and procedural means of protection.
The main mechanisms for reducing the risk of internal penetration will be as follows:
- Least privilege policy and access restrictions: users and administrators will have access only to those resources that are necessary to perform their tasks. This will significantly limit an attacker’s capabilities within the organization and reduce the damage if one account is compromised. Role-based access control (RBAC) will help to separate duties and prevent the concentration of rights in the hands of one person [1][4].
- Control and monitoring of user activity: the implementation of operational control systems, logging of actions and anomaly monitoring will allow suspicious activity within the network to be identified rapidly and responded to promptly, which prevents intruders from remaining unnoticed for long periods [2][3][5].
- Employee cybersecurity training and awareness: regular employee training helps minimize the risk of accidental or intentional internal incidents caused by employee errors or abuse [4][5].
- Technical measures to protect the infrastructure: strengthening the security of CI/CD systems, using multi-factor authentication (MFA), regular software updates and patch management, data leak prevention systems (DLP), antivirus solutions, firewalls, and incident detection and response systems (SIEM, EDR). All of this reduces the likelihood of successful penetration and allows attacks to be detected in time [2][4].
- Supply chain control: close control of dependencies and components used in the infrastructure will eliminate the possibility of malicious code injection through external services and suppliers [1][6].
- Restricting and controlling the use of removable media and data transmission channels: prohibiting the use of USB drives and encrypting data will prevent information leakage and the introduction of malware through physical devices [1][4].
- Regular security testing (pentesting): conducting penetration tests helps identify vulnerabilities before they can be exploited by attackers, allowing deficiencies to be remediated in time [9][10].
Thus, the integration of all these measures will reduce the likelihood of internal intrusion by attackers and increase the overall resilience of BigONE’s infrastructure to cyber threats, especially those coming from insiders or compromised accounts within the organization.
Sources:
- https://www.open-vision.ru/about/news/5-sposobov-kak-snizit-risk-vozniknoveniya-vnutrennix-ugroz-kiberbezopasnosti/
- https://ptsecurity.com/ru-ru/research/knowledge-base/kak-zashchititsya-ot-cyberatak/
- https://asher.ru/security/book/its/06
- https://rt-solar.ru/products/solar_inrights/blog/3203/
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%98%D0%BD%D1%84%D0%BE%D1%80%D0%BC%D0%B0%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D0%B0%D1%8F_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%B2_%D0%BA%D0%BE%D0%BC%D0%BF%D0%B0%D0%BD%D0%B8%D0%B8
- https://cloudnetworks.ru/protection-it-infrastructure/
- https://www.sberbank.ru/ru/person/kibrary/articles/mery_zashchity_ot_vredonosnogo_po
- https://yandex.cloud/ru/docs/security/standarts
- https://tquality.ru/blog/testirovanie-na-proniknovenie/
- https://masksafe.ru/directions/penetration-test/
- https://www.garant.ru/article/1508725/
- https://www.kaspersky.ru/resource-center/preemptive-safety/how-to-prevent-cyberattacks
- https://wiki.merionet.ru/articles/tekhniki-i-instrumenty-predotvrashcheniya-atak-na-povyshenie-privilegij
- https://tatcenter.ru/rubrics/razbor/10-pravil-kak-zashhitit-biznes-ot-kiberatak/
- https://blog.ishosting.com/ru/social-engineering-attacks
- https://roscongress.org/materials/tsifrovaya-bezopasnost-kak-strategicheskiy-prioritet-novye-vyzovy-i-resheniya/
- https://ddos-guard.ru/blog/rasprostranennye-kiberugrozy-i-kak-s-nimi-borotsya
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%97%D0%B0%D1%89%D0%B8%D1%82%D0%B0_%D0%BE%D1%82_DDoS-%D0%B0%D1%82%D0%B0%D0%BA
- https://zscomp.ru/news/kak_zaschititsya_ot_hakerskih_atak_i_obezopasit_svoi_dannie_text_/
- https://ibs.ru/media/chto-takoe-ddos-ataka-vidy-posledstviya-i-kak-zashchititsya/
- https://incrypted.com/bigone-bank-lost-27-mln-yz-due-to-hacker-attacks/
- https://itc.ua/news/hakery-ukraly-u-kryptobyrzhy-bigone-27-mln/
- https://www.binance.com/ru/square/hashtag/Hacker
- https://forklog.com/exclusive/kak-stejblkoiny-vytesnyayut-traditsionnye-banki-rasskazyvaet-gem-wallet
- https://www.block-chain24.com/news/novosti-bezopasnosti/kriptovalyutnaya-birzha-bigone-poteryala-27-mln-v-rezultate-ataki-tretey
- https://forklog.com/glavnoe-za-mesyats-vyzovy-dlya-bitkoina-aktualnaya-kiberbezopasnost-i-militarizatsiya-ii
- https://cbr.ru/Content/Document/File/162005/analytical_report_10072024.pdf
- https://www.fedsfm.ru/content/fb_38.pdf
- https://masi.ru/upload/iblock/a56/xb2rl1kh2ke9gm0qmgkh1h2nv0xlj00k.pdf
- https://cyberleninka.ru/article/n/povliyal-li-vooruzhennyy-konflikt-v-afganistane-na-normy-vedeniya-voennyh-deystviy
- https://t.me/s/RBCCrypto?before=19021
- https://ingc.ru/upload/iblock/8c1/e0phh2p8aaiu773gwndflf7e1bdo37vn.pdf
- https://m.fastbull.com/ru/news-detail/%D0%BE%D0%BF%D0%B5%D1%80%D0%B0%D1%82%D0%B8%D0%B2%D0%BD%D1%8B%D0%B5-%D0%BE%D0%B1%D0%BD%D0%BE%D0%B2%D0%BB%D0%B5%D0%BD%D0%B8%D1%8F-%D0%BE-%D1%82%D0%B0%D1%80%D0%B8%D1%84%D0%B0%D1%85-%D1%82%D1%80%D0%B0%D0%BC%D0%BF%D0%B0-%D1%82%D1%80%D0%B0%D0%BC%D0%BF-%D0%B4%D0%B0%D0%BB-%D0%BF%D0%BE%D0%BD%D1%8F%D1%82%D1%8C-4335636_3
- https://www.gov.kz/memleket/entities/minfin/press/article/1?undefined=5
- https://ivran.ru/f/Vostochnaia-analitika-2024-Vypusk-1.pdf
- http://www.sov-europe.ru/images/pdf/2021/03-2021.pdf
- https://www.lihachev.ru/pic/site/files/fulltext/aljfredo_peres_bravo.pdf
- https://yandex.ru/maps/org/energiya_servis/6492755243/
- https://raapa.ru/upload/iblock/cc5/cc5bef7c976ee81073a349e138d05b7a.pdf
- https://coinedition.com/ru/%D1%85%D0%B0%D0%BA%D0%B5%D1%80%D1%8B-%D1%83%D0%BA%D1%80%D0%B0%D0%BB%D0%B8-27-%D0%BC%D0%B8%D0%BB%D0%BB%D0%B8%D0%BE%D0%BD%D0%BE%D0%B2-%D0%B4%D0%BE%D0%BB%D0%BB%D0%B0%D1%80%D0%BE%D0%B2-%D1%83-%D0%B1%D0%B8/
- https://veorus.ru/%D0%B1%D0%B8%D0%B1%D0%BB%D0%B8%D0%BE%D1%82%D0%B5%D0%BA%D0%B0-%D0%B2%D1%8D%D0%BE/%D0%B1%D0%B5%D1%81%D0%B5%D0%B4%D1%8B-%D0%BE%D0%B1-%D1%8D%D0%BA%D0%BE%D0%BD%D0%BE%D0%BC%D0%B8%D0%BA%D0%B5/%D0%91%D0%B5%D1%81%D0%B5%D0%B4%D1%8B%20%D0%BE%D0%B1%20%D1%8D%D0%BA%D0%BE%D0%BD%D0%BE%D0%BC%D0%B8%D0%BA%D0%B5_%D1%82%D0%BE%D0%BC%20III.pdf
- https://dissovet2.urfu.ru/pluginfile.php/132/mod_data/content/100945/2_%D0%9A%D0%B0%D0%BB%D0%B8%D0%BD%D0%B8%D1%87%D0%B5%D0%BD%D0%BA%D0%BE_%D0%B4%D0%B8%D1%81%D1%81%D0%B5%D1%80%D1%82%D0%B0%D1%86%D0%B8%D1%8F.pdf
- https://ru.beincrypto.com/rynki/feed/
- https://religio.amursu.ru/images/Volumes/2024/1/1_2024.pdf
- http://www.philsoc.psu.ru/images/journal/SOCIAL_AND_HUMANITIES_THEORY_AND_PRACTICE/_2022.pdf
- https://t.me/s/Pravda_Gerashchenko/87620
- https://dramafond.ru/wp-content/uploads/2014/12/Nora_Gal_Slovo_zhivoe_i_mertvoe.pdf
- https://www.securityvision.ru/blog/vzlomy-v-informatsionnoy-bezopasnosti-chto-eto-kak-oni-proiskhodyat-i-kak-ot-nikh-zashchititsya/
- https://cisoclub.ru/hakery-vyveli-kriptovaljutu-na-27-mln-dollarov-posle-ataki-na-birzhu-bigone/
- https://forklog.com/news/bigone-vzlomali-na-27-mln
- https://ru.cointelegraph.com/news/bigone-exchange-27m-hot-wallet-hack
- https://ru.investing.com/news/cryptocurrency-news/article-2830287
- https://cryptocurrency.tech/u-birzhi-bigone-ukrali-bolee-27-mln/
- https://minfin.com.ua/2025/07/16/154801042/
- https://ru.beincrypto.com/vzlom-birzhi-bigone-ukradeno-27-mln-dollarov/
- https://www.coindesk.com/ru/markets/2025/07/16/crypto-exchange-bigone-confirms-27m-hack-vows-full-user-compensation
- https://cryptorank.io/news/feed/8a595-slowmist-kriptobirzha-bigone-poteryala-svyshe-27-mln-iz-za-vzloma
