How the BigONE hack happened

What was the BigONE $27 million hack?

The Seychelles-based cryptocurrency exchange BigONE confirmed that on July 16, 2025, it suffered a crypto supply chain attack that allowed cybercriminals to drain $27 million from the exchange’s hot wallets.

With a sophisticated attack, the hackers compromised the exchange’s production network and gained access to the funds without ever accessing private keys.

Interestingly, BigONE has reported that no private keys were leaked during the exploit. Instead, internal systems were manipulated to grant unauthorized fund withdrawals across various assets. As confirmed by onchain data, the attackers took:

  • 121 Bitcoin (BTC).
  • 350 Ether (ETH).
  • 9.69 billion Shiba Inu (SHIB).
  • 538,000 Dogecoin (DOGE).
  • Digital assets like Tether USDt (USDT) and more.

These unauthorized fund withdrawals were officially confirmed by BigONE, saying: “In the early hours of July 16, BigONE detected abnormal movements involving a portion of platform assets. Upon investigation, it was confirmed as the result of a third-party attack targeting our hot wallet.”

BigONE also continued to assure users that the threat was contained and that all customer private keys were secure. It concluded that the attack vulnerability had been identified and closed, removing the risk of further losses.

The incident joined the list of high-profile crypto exchange hacks in 2025. BigONE was quick to restore its services, including deposits and trading, while working with blockchain security firm SlowMist to begin tracing stolen funds.

Did you know? Crypto attacks now target multiple vectors, often combining social engineering, malicious contract deployment, UI spoofing and deepfake deception. These have become standard practices for top cybercriminals, representing a significant evolution from simple phishing scams. 

How the BigONE crypto exchange hot wallet exploit happened

The BigONE exchange hack was different from many of the attacks seen in recent months. Instead of using compromised private keys or smart contract vulnerabilities, this attack vector targeted weaknesses in the exchange’s back-end infrastructure. 

It added another threat that centralized exchanges (CEX) need to be aware of, with the potential to circumvent many of the industry-standard security practices. Plus, it left a difficult-to-trace digital footprint.

According to HackenProof, a bug bounty platform that connects companies with cybersecurity experts, the exploit started with social engineering tactics. Criminals targeted a key BigONE developer to compromise the developer’s device. This enabled them to gain unauthorized access and permissions to the exchange.

The hackers then orchestrated a sophisticated supply chain attack. With unauthorized access, malicious code was deployed, which enabled the temporary alteration of accounting and risk management service logic within the exchange. This allowed hackers to transfer $27 million worth of crypto from hot wallets.

Once the internal logic had been bypassed, fund extraction occurred with precision. Attackers moved assets rapidly and millions vanished almost instantly, followed by cleanup transactions totaling 102,000 USDC and 79,000 USDT, which points to extensive pre-planning and a deep understanding of internal systems.

HackenProof noted that the system has been reinforced and that private keys and user data remained secure. BigONE is covering all user losses from its insurance reserve fund.

In an attempt to recover funds, a bounty program has been launched to encourage identification of the attackers and tracing of the stolen funds. Useful intelligence and successful recoveries could earn rewards of up to $8 million.

Did you know? The crypto insurance market has grown from $1.3 billion in 2023 to $4.2 billion in 2025. It shows the escalation in the industry, with exchange premiums rising 35% year-over-year for Q1 of 2025. 

Tracing the BigONE July 2025 crypto hack funds

Blockchain security firm SlowMist has joined the investigation. The firm is renowned for providing security audits, consultancy and attack investigations. SlowMist’s X account confirmed the process hackers used to steal funds before listing the addresses used in the heist on Ethereum and BNB Chain networks.

Following the heist, the attackers began laundering stolen assets through other cryptocurrencies. Analysis from Lookonchain, a blockchain observatory company, showed that funds had been laundered through other blockchains including Tron, Solana, Ethereum and Bitcoin.

Beyond this update on the BigONE hack investigation, determining the final destination of the funds has been difficult for the crypto community. Investigators are working through blockchain transaction proofs, exchange intelligence, technical analysis and chain-of-custody proofs to provide additional forensic blockchain intelligence.

Ironically, famous pseudonymous blockchain investigator ZachXBT responded not by offering help but by commenting on X: “Do not feel bad for the team as this CEX processed a good bit of volume from pig butchering romance and investment scams,” intimating that the hack may have been karma for BigONE’s involvement in processing funds from investment scams.

Did you know? Criminals are getting increasingly creative in washing the proceeds of crypto heists. This includes methods like leveraged trading on decentralized exchanges (DEX) to open large bets and hedge them with clean capital.

Why understanding supply chain attack vulnerabilities is more important than ever

This incident is another dent in the trust that crypto users place in centralized exchanges. In the past, the threat of exchange hacks was often cited in support of self-custody as a best practice.

Attacks are now becoming more sophisticated and making headlines every week. BigONE joins a scary list in 2025. Web3IsGoingGreat.com, which keeps track of scams and frauds in the industry, shows that the list is growing quickly.

The BigONE attack shows an important difference between cryptographic security, meaning the protection of private keys, and infrastructure security, meaning system integrity. Many exchange organizations rely heavily on continuous integration (CI) systems to rapidly update software. This automation is essential for efficient operation, but it can itself be compromised.

A single point of failure, such as a key developer, can lead to malicious code injection that bypasses security safeguards. Effectively, systems can be reprogrammed to allow fund extraction, which goes undetected by monitoring systems that look for external threats instead of internal server compromises.
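
As an added illustration (not code from BigONE, HackenProof or SlowMist), here is one out-of-band control for the failure mode described above: a monitor that runs outside the risk service's deployment pipeline and checks observed hot-wallet outflows against approved withdrawals and against independently held caps. The record layout, cap values and sample data are constructed assumptions.

```python
from collections import defaultdict, deque
from decimal import Decimal

# Assumed, constructed values. Caps are held outside the risk service so that
# altered risk or accounting logic cannot raise them.
HOURLY_CAP = {"BTC": Decimal("20"), "ETH": Decimal("100")}
WINDOW_SECONDS = 3600

def reconcile(outflows, approved_ids, caps=HOURLY_CAP, window=WINDOW_SECONDS):
    """Return alerts for hot-wallet outflows observed on-chain.

    outflows: dicts {ts, asset, amount, withdrawal_id}, sorted by ts.
    approved_ids: set of withdrawal ids exported from the ledger.
    """
    alerts = []
    recent = defaultdict(deque)    # asset -> (ts, amount) pairs inside the window
    totals = defaultdict(Decimal)  # asset -> sum of amounts inside the window
    for tx in outflows:
        asset, ts, amount = tx["asset"], tx["ts"], Decimal(tx["amount"])
        # Check 1: every outflow must map to an approved withdrawal.
        if tx.get("withdrawal_id") not in approved_ids:
            alerts.append(("UNAPPROVED", asset, ts))
        # Check 2: rolling cap that still fires if the ledger itself was altered.
        q = recent[asset]
        q.append((ts, amount))
        totals[asset] += amount
        while q and q[0][0] <= ts - window:
            totals[asset] -= q.popleft()[1]
        cap = caps.get(asset)
        if cap is None:
            alerts.append(("NO_CAP_CONFIGURED", asset, ts))  # fail loud, not open
        elif totals[asset] > cap:
            alerts.append(("CAP_EXCEEDED", asset, ts))
    return alerts

# Constructed sample events, not data from the incident.
SAMPLE_OUTFLOWS = [
    {"ts": 0,    "asset": "BTC", "amount": "1.5", "withdrawal_id": "w-1"},
    {"ts": 600,  "asset": "BTC", "amount": "15",  "withdrawal_id": "w-2"},
    {"ts": 900,  "asset": "BTC", "amount": "12",  "withdrawal_id": None},
    {"ts": 5000, "asset": "BTC", "amount": "2",   "withdrawal_id": "w-3"},
    {"ts": 5100, "asset": "ETH", "amount": "40",  "withdrawal_id": "w-4"},
]
SAMPLE_APPROVED = {"w-1", "w-2", "w-3", "w-4"}

if __name__ == "__main__":
    for alert in reconcile(SAMPLE_OUTFLOWS, SAMPLE_APPROVED):
        print(alert)
```

The second check is the one that matters when accounting logic has been altered: it does not trust the approval ledger at all, only the outflows seen on-chain and a cap stored elsewhere.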

Fortunately, top exchanges do use tiered systems to protect funds. This includes segregation in different funding areas and insurance reserve funds so that when losses do occur, customers can be reimbursed.

You can’t help but think that blockchain security firms are having a bumper year in 2025, with $2.5 billion already stolen in the first half. That already exceeds total annual losses in 2024.
