27M Vanishes in BigONE Hack but That’s Not the Most Shocking Part of the Attack

Key Takeaways:

• Crypto exchange BigONE suffered a $27 million loss in a targeted supply chain attack on July 16.
• Hacker bypassed private keys by compromising the production environment, modifying risk control servers.
• BigONE has pledged full compensation and activated emergency reserves to restore affected assets.

In one of the most sophisticated exploits of 2025, Singapore-based crypto exchange BigONE has confirmed it was hacked, with attackers siphoning off over $27 million worth of digital assets. The breach, discovered in the early hours of July 16, exploited vulnerabilities deep within the exchange’s infrastructure, without compromising private keys. The fallout exposes critical risks in how centralized platforms manage backend security.

Inside the Breach: How the Hack Unfolded

Blockchain security firm SlowMist, which is investigating the incident alongside BigONE, classified the breach as a supply chain attack. Rather than gaining access through user-facing systems or stolen credentials, the attacker infiltrated BigONE’s production network, specifically targeting servers tied to account logic and risk control.

This allowed unauthorized fund withdrawals from the exchange’s hot wallet, which held a wide variety of crypto assets. The attacker did not need private keys, highlighting how backend infrastructure, often overlooked, can become a single point of failure in high-volume platforms.

“The operating logic of the risk control system was modified, giving the attacker direct access to user funds,” SlowMist stated in its July 16 update on X.

The attack went undetected until unusual asset flows triggered internal alarms. Once flagged, BigONE froze critical operations and isolated the breach path. The platform assures users that private keys were not exposed, and that the attack vector has been sealed.

Stolen Assets: A $27M Mix Across Chains

The stolen funds spanned multiple blockchain networks and included both major and obscure tokens. BigONE disclosed the following as part of its preliminary audit:

The varied mix of tokens on Ethe1reum, Bitcoin, Tron, Solana and Binance Smart Chain suggests the attacker was specifically aiming at BigONE’s hot wallet infrastructure, not particular tokens.

The other is that high volume meme coins like SHIBA INU and speculative tokens such as CELR were moved in large amounts which suggests an attempt to frustrate tracking and offload value via DEXes.

Read More: Cetus Protocol Moves Forward with Recovery After Hack

Tracing the Stolen Funds: On-Chain Clues

Multiple wallet addresses tied to the attacker have been flagged by SlowMist:

• Ethereum & BSC: 0x9Bf7a4dDcA405929dba1FBB136F764F5892A8a7a
• Bitcoin: bc1qwxm53zya6cuflxhcxy84t4c4wrmgrwqzd07jxm
• Tron: TKKGH8bwmEEvyp3QkzDCbK61EwCHXdo17c
• Solana: HSr1FNv266zCnVtUdZhfYrhgWx1a4LNEpMPDymQzPg4R

It is now these addresses that are being monitored. On chain-watchers have seen transfers of tokens through mixing protocols and exchanges with lax KYCs. The hacker could try to launder ETH and USDT through obscure DEXs or bridges, though they’re under watch and major platforms like Binance and OKX are blacklisted for any suspicious deposits.

Blockchain analytic platforms such as CertiK Alert and Chainalysis are said to be aiding in finding more links and freezing assets before they can be laundered to completion.

BigONE’s Response: Compensation and Recovery

Within hours of confirming the breach, BigONE released an emergency update detailing its recovery roadmap:

1. Full User Reimbursement: BigONE has activated its internal security reserves (including BTC, ETH, USDT, SOL, XIN) to restore affected balances.
2. Asset Rebalancing: For other affected tokens, BigONE is sourcing liquidity through third-party borrowing to refill the depleted hot wallets.
3. Gradual System Restoration: Trading and deposits resumed within hours. Withdrawals remain paused pending enhanced security reviews.
4. Security Audit: A comprehensive inspection of backend server configurations and deployment logic is underway.

“Users will not bear any losses from this incident,” BigONE emphasized, adding that a transparency portal will be launched soon to track compensation and wallet restoration progress.

While the exchange’s quick response has been praised, the incident raises larger questions about supply chain vulnerabilities within centralized platforms.

Supply Chain Attacks: The New Frontier of Crypto Risk

Unlike traditional phishing or private key thefts, supply chain attacks exploit internal system trust assumptions, making them extremely hard to detect. In this case, the attacker didn’t need access to user accounts, passwords, or even smart contract vulnerabilities. Instead, by breaching backend deployment logic, they gained direct programmatic access to critical wallet infrastructure.

The incident underscores why infrastructure-focused attacks are now seen as a top threat vector in the Web3 space. Even as exchanges spend heavily on front-facing user authentication, backend and DevOps layers often remain less secure.

This event mirrors earlier exploits such as the Harmony Bridge hack and the attack on Ankr’s validator infrastructure, both of which targeted trusted internal systems.

Read More: CZ Sounds Alarm After Ledger Discord Hack Exposes Users to Phishing Trap

What’s Next for BigONE Users?

As of July 16, BigONE has resumed trading and deposits, with withdrawal functions expected to follow after additional security hardening. All affected user accounts are being credited based on pre-hack balances, and a live incident report is scheduled to be published within 48 hours.

Users are advised to:

• Monitor announcements for wallet reactivations and compensation status.
• Avoid transferring assets to flagged hacker addresses to prevent blacklisting.

Enable 2FA and withdrawal whitelists for future transactions.