BigONE's $27M Loss Highlights the Growing Threat of Supply Chain Attacks

Key Points

- BigONE, a cryptocurrency exchange, was hacked on July 16, 2025, with losses estimated at $27 million due to a supply chain attack.

- Research suggests the attackers compromised the exchange's production network, likely through its Continuous Integration/Continuous Delivery (CI/CD) pipelines or server management, enabling unauthorized withdrawals.

- The stolen assets, including Bitcoin, Ethereum and other tokens, have reportedly been traced to specific wallet addresses, and BigONE has committed to covering all losses.

- There is some controversy around BigONE's past associations with scam activities, which may influence public perception of the incident.

Incident Overview

On July 16, 2025, BigONE, a Singapore-based cryptocurrency exchange, confirmed a security breach resulting in the theft of approximately $27 million in digital assets. The attack targeted the exchange's hot wallet infrastructure through a sophisticated supply chain compromise, allowing hackers to bypass security without accessing private keys. BigONE has pledged to cover all losses, using internal reserves and external borrowing to ensure user funds remain safe.

Technical Details

The attack likely involved exploiting vulnerabilities in BigONE's CI/CD pipelines or server management channels, deploying malicious binaries to account-operation servers. This enabled the attackers to modify business logic and disable risk-control checks, facilitating unauthorized withdrawals across multiple blockchains like Bitcoin, Ethereum, Solana, and Tron.

Impact and Response

The immediate financial impact is significant, with stolen assets including 120 BTC, 350 ETH, and millions of USDT. BigONE is working with security firms like SlowMist and Cyvers to trace the funds and has temporarily suspended withdrawals while enhancing security measures. This incident highlights ongoing risks in the crypto industry, potentially affecting trust in centralized exchanges.

Comprehensive Analysis of the BigONE Exchange Hack - July 16, 2025

Introduction

On July 16, 2025, at 09:48 AM BST, BigONE, a prominent cryptocurrency exchange based in Singapore, confirmed a major security breach, marking another significant incident in the crypto industry's ongoing battle with cyber threats. This report provides a detailed examination of the hack, leveraging insights from various sources to offer a comprehensive understanding of the event, its technical underpinnings, and its broader implications. The analysis aims to inform security professionals, industry stakeholders, and the public, emphasizing the need for robust security practices in the rapidly evolving digital asset ecosystem.

Incident Background

The hack, first detected by BigONE's real-time monitoring system on the morning of July 16, 2025, resulted in the unauthorized draining of approximately $27 million in digital assets. Initial reports from blockchain security firms like SlowMist and Cyvers, as well as on-chain trackers like Lookonchain, confirmed the scale of the breach, with stolen assets spanning multiple blockchains, including Bitcoin (BTC), Ethereum (ETH), Tron (TRX), Solana (SOL), and various stablecoins and altcoins.

BigONE's official statement, cited in multiple news outlets, assured users that all private keys remained secure and that the exchange would fully bear all losses. The company activated its internal security reserves, comprising BTC, ETH, USDT and SOL, and secured external liquidity through borrowing mechanisms to restore affected user funds. Deposits and trading were expected to resume shortly, with withdrawals delayed until further security upgrades were implemented.

Technical Analysis

The attack vector was identified as a supply chain compromise, a hard-to-detect and increasingly common tactic seen in breaches across most industries.

The attack sequence, as detailed by Cyvers, began with the unauthorized draining of 350 ETH, valued at approximately $1.1 million, followed by expanded withdrawals across multiple blockchains. The stolen funds were consolidated into a single external address and subsequently converted to WETH/ETH, routed through fresh intermediaries for mixing or decentralized exchange activity to obscure their trail.

Technical indicators of compromise (IOCs) include the following wallet addresses, identified by security firms and on-chain trackers:

Wallet Addresses

| Chain | Address |
|---|---|
| Ethereum & BSC | 0x9Bf7a4dDcA405929dba1FBB136F764F5892A8a7a |
| Solana | HSr1FNv266zCnVtUdZhfYrhgWx1a4LNEpMPDymQzPg4R |
| Bitcoin | bc1qwxm53zya6cuflxhcxy84t4c4wrmgrwqzd07jxm |

Threat Actor Analysis

The attack currently has no apparent attribution. The sophistication, involving supply chain compromise and server manipulation, suggests a well-resourced and technically adept group.

The threat actor's capabilities include:

- Compromising supply chain elements, such as CI/CD pipelines or third-party server management services.

- Deploying malicious binaries to production servers, indicating access to advanced malware development tools.

- Modifying business logic to bypass security controls, demonstrating deep understanding of exchange infrastructure.

- Executing large-scale withdrawals and laundering stolen funds through mixing services and decentralized exchanges, showcasing expertise in cryptocurrency operations.

The intent analysis points to financial gain as the primary objective, with no indications of ideological or nation-state motivations. The Diamond Model analysis further contextualizes the incident:

- Adversary: Cyber criminal group with advanced technical capabilities.

- Capability: Supply chain compromise, malware deployment, server manipulation, cryptocurrency laundering.

- Infrastructure: Compromised CI/CD pipelines, production servers, blockchain networks (Ethereum, Bitcoin, Solana, Tron, etc.).

- Victim: BigONE Exchange, its users, and the broader cryptocurrency ecosystem.

Impact Assessment

The immediate financial impact is the loss of $27 million in digital assets, affecting a wide range of tokens and potentially impacting market sentiment. BigONE's commitment to covering all losses mitigates direct user financial impact, but the incident erodes trust in centralized exchanges, potentially driving users towards decentralized alternatives or increasing regulatory scrutiny.

The ecosystem impact is significant, with the crypto industry already facing $2.47 billion in losses due to hacks, scams, and exploits in the first half of 2025, a 3% increase from $2.4 billion in 2024.

Recommendations

To address the immediate threat, BigONE and similar exchanges should:

1. Strengthen CI/CD Pipelines: Implement strict access controls, continuous monitoring, and automated validation of code and dependencies to prevent supply chain attacks.

2. Enhance Network Segmentation: Isolate build and wallet-management servers to limit lateral movement in case of a breach.

3. Implement Continuous Monitoring: Deploy on-chain and off-chain monitoring tools, such as those offered by SlowMist and Cyvers, to detect unusual transaction patterns and server behavior.

4. Automated Incident Response: Utilize automated systems to quickly respond to and contain security incidents, reducing the window of opportunity for attackers.
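One concrete form of the automated validation in recommendation 1, as an added example (not BigONE's code or any named firm's tooling): the release pipeline signs a manifest of artifact hashes, and the account-operation server compares its deployed tree against it, so a swapped risk-control binary or a dropped-in file that never went through the pipeline shows up as drift. The manifest key, file names and contents are constructed for the demo; a production deployment would use an asymmetric signature with a key the server cannot forge.

```python
import hashlib
import hmac
import json
import os
import tempfile
# Hypothetical key: held by the release pipeline, never stored on the production server.
MANIFEST_KEY = b"constructed-manifest-key-for-demo"

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def list_files(root):
    return [os.path.relpath(os.path.join(d, n), root) for d, _, names in os.walk(root) for n in names]

def build_manifest(root, key):
    """Release side: hash every artifact and sign the whole manifest."""
    files = {p: sha256_file(os.path.join(root, p)) for p in list_files(root)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "sig": hmac.new(key, body, "sha256").hexdigest()}

def verify_deployment(root, manifest, key):
    """Server side: reject a forged manifest, then report drift from the signed release."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["sig"]):
        return {"manifest_tampered": True}
    present, expected = set(list_files(root)), manifest["files"]
    return {
        "modified": sorted(p for p in present & set(expected)
                           if sha256_file(os.path.join(root, p)) != expected[p]),
        "unexpected": sorted(present - set(expected)),  # never went through the pipeline
        "missing": sorted(set(expected) - present),
    }

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    # Constructed scenario: a release is signed, then binaries change on the server
    root = tempfile.mkdtemp()
    write(root, "bin/withdrawal-svc", b"release build 1.4.2")
    write(root, "bin/risk-check", b"release build 1.4.2")
    manifest = build_manifest(root, MANIFEST_KEY)
    write(root, "bin/risk-check", b"swapped build: approves every withdrawal")
    write(root, "bin/helper", b"binary that never went through the pipeline")
    return verify_deployment(root, manifest, MANIFEST_KEY)
```

Running the check on a schedule and on every service start, and alerting on any non-empty finding, turns an unannounced binary change on a wallet or risk-control host into a detectable event rather than a silent one.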

Strategically, exchanges should:

1. Adopt Multi-Signature Wallets: Require multiple approvals for hot wallet transactions to enhance security.

2. Regular Security Audits: Conduct frequent audits and penetration testing to identify and remediate vulnerabilities.

3. Employee Training: Educate staff on security best practices, particularly regarding supply chain security and social engineering risks.

4. Incident Response Plan: Develop and regularly update a comprehensive incident response plan to ensure swift and effective action during breaches.

Industry-wide, stakeholders should:

1. Standardize Security Practices: Develop and adopt industry standards for securing cryptocurrency exchanges, focusing on supply chain security and hot wallet management.

2. Regulatory Oversight: Advocate for regulatory guidelines to enforce minimum security standards, enhancing overall industry resilience.

3. Information Sharing: Promote collaboration among exchanges and security firms to disseminate threat intelligence and best practices, fostering a collective defense against cyber threats.

Controversies and Public Perception

The incident has stirred controversy, with blockchain investigator ZachXBT claiming BigONE previously processed significant volumes tied to "pig butchering," romance, and investment scams. This has led to mixed public reactions, with some expressing sympathy for affected users and others criticizing BigONE's past associations. Such controversies may influence regulatory attention and user trust, highlighting the need for transparency and accountability in the crypto industry.

Conclusion

The BigONE Exchange hack on July 16, 2025, is a stark reminder of the vulnerabilities inherent in centralized cryptocurrency exchanges, particularly in their supply chain and hot wallet management. While BigONE's commitment to covering losses mitigates immediate user impact, the incident underscores the urgent need for enhanced security measures, industry collaboration, and regulatory oversight to safeguard the growing digital asset ecosystem. This report, informed by insights from Cointelegraph, Cryptonews, Coindesk, BeInCrypto, and security firms like SlowMist and Cyvers, aims to provide a thorough resource for understanding and addressing such threats.
