Inside the $27M BigONE Hack: No Keys Stolen, Yet Wallets Emptied
Hackers used a supply-chain backdoor to empty BigONE’s hot wallets of $27M in BTC, ETH and more; keys safe, users to be repaid.
Hackers used a supply-chain exploit on 16 July 2025 to steal $27 million from BigONE’s hot wallets across Bitcoin, Ethereum, Solana, BSC and TRON, yet never touched the exchange’s private keys. BigONE froze systems within minutes and promised to cover every cent.
Hack Timeline and Impact
The breach began at 02:00 UTC on July 16 when BigONE’s monitoring flagged abnormal outflows across Bitcoin, Ethereum, Solana, Tron and BNB Chain wallets. Within minutes, attackers siphoned 121 BTC, 350 ETH, nine billion SHIB and eight other tokens, totaling about $27 million at spot prices.
Security firm SlowMist joined the investigation, tracing funds split across five chains to mixers and swap pools in an attempt to obfuscate origin. BigONE suspended deposits and trading, then froze withdrawals pending “extra security upgrades,” but promised full reimbursement from internal reserves and short-term loans for illiquid tokens.
Public on-chain trackers like Lookonchain and CertiK Alert identified the exploiter’s wallets holding 120 BTC, 23 million TRX and 1,270 ETH less than three hours after the hack. This single incident ranked third in July’s record-breaking $142 million hack total, which also hit CoinDCX and GMX, driving 2025 exploit losses beyond $2.1 billion by mid-year.
How the Supply-Chain Attack Worked
Investigators say the attackers first social-engineered a senior developer, breaching the production network through a vendor update pipeline. With privileged access, they altered risk-control logic so any withdrawal they signed auto-approved, removing the private-key check that normally protects hot wallets.
Because the change sat deep in the back-end code, standard wallet alarms never tripped; assets flowed out in batches under routine labels before anyone noticed. The case exposes a blind spot: exchanges often harden keys and guard against front-end spoofing, yet leave continuous-integration servers less protected, letting insiders – or hijacked insiders – rewrite safeguards.
SlowMist, Halborn and PeckShield stress that multisig or MPC alone cannot stop such logic tampering; teams need code signing, role separation and real-time policy attestation. Critics like ZachXBT note BigONE had previously processed scam-linked flows, suggesting looser compliance may correlate with weaker internal security.
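The "real-time policy attestation" the firms recommend can be as simple as refusing to run risk-control code that no longer matches a signed release manifest. The following is an added example, not BigONE's code nor anything from SlowMist, Halborn or PeckShield; the policy rule, the request fields and the HMAC key are constructed for illustration, with the HMAC standing in for an asymmetric code-signing key that the build pipeline can verify but never sign with.

```python
import hashlib
import hmac

# Stand-in for a manifest-signing key held outside the CI pipeline (constructed
# for this example; a real deployment would use a KMS-held asymmetric key).
MANIFEST_KEY = b"constructed-demo-manifest-key"


def withdrawal_policy(request, signature_valid):
    """Risk-control rule as released: hot-wallet signature must verify, amount
    must stay under the per-transaction cap, destination must be whitelisted."""
    return (
        signature_valid
        and request["amount"] <= request["limit"]
        and request["to"] in request["whitelist"]
    )


def tampered_policy(request, signature_valid):
    """Shape of the logic tamper described above: the signature check is gone."""
    return True


def fingerprint(policy):
    """Hash the policy's compiled bytecode and constants. A real pipeline hashes
    the deployed build artifact; this keeps the example self-contained."""
    code = policy.__code__
    return hashlib.sha256(code.co_code + repr(code.co_consts).encode()).hexdigest()


def sign_manifest(policy):
    """Release-time code-signing step: bind the fingerprint to the signing key."""
    fp = fingerprint(policy)
    return {"fingerprint": fp, "mac": hmac.new(MANIFEST_KEY, fp.encode(), "sha256").hexdigest()}


def attest(policy, manifest):
    """Runtime attestation: running code must match the manifest and the
    manifest's MAC must verify under the out-of-band key."""
    fp = fingerprint(policy)
    expected = hmac.new(MANIFEST_KEY, fp.encode(), "sha256").hexdigest()
    return fp == manifest["fingerprint"] and hmac.compare_digest(expected, manifest["mac"])


def approve_withdrawal(policy, manifest, request, signature_valid):
    """Gate every withdrawal on attestation first, then on the policy itself.
    A failed attestation is an alert condition, not just a denial."""
    if not attest(policy, manifest):
        return ("blocked", "risk-control code failed attestation; page on-call")
    if policy(request, signature_valid):
        return ("approved", "policy passed")
    return ("denied", "policy rejected request")
```

Note that a swapped-in policy fails attestation even when paired with the genuine manifest, and a forged manifest fails because the attacker cannot produce a valid MAC without the out-of-band key.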
Hack Recovery Efforts and Industry Lessons
BigONE posted an $8 million bounty for information leading to fund recovery, mirroring offers that helped GMX claw back assets earlier in July. Law-enforcement liaisons in Singapore and Hong Kong are monitoring known bridges; Bloomberg analysts give a 25% chance of partial claw-back within 90 days, based on past mixer sweeps.
For exchanges, the hack underscores a shift from key theft to supply-chain and CI/CD compromise, pushing boards to budget more for DevSecOps than cold-storage hardware. Insurance markets notice too: crypto exchange premiums rose 35% YoY in Q1 2025, and Lloyd’s underwriters now insist on third-party build-pipeline audits.
Regulators may follow MiCA’s lead by mandating incident disclosure within 24 hours; BigONE’s swift public acknowledgement sets a benchmark many rivals still ignore. Ultimately, exchanges that treat hot-wallet code as critical infrastructure, subject to the same rigorous change management as banking core systems, will fare best as threat actors evolve.
BigONE Lesson Check
BigONE’s loss shows that crypto security now hinges on disciplined software hygiene, not just private-key storage. Supply-chain openings allowed attackers to rewrite guardrails and walk off with $27 million in minutes.
Full reimbursement softens user pain, yet the incident dents trust at a moment when July’s hacks already rattled investors. Exchanges must adopt signed builds, zero-trust access and continuous audits to stay credible.
For Web3 builders and traders, the lesson is blunt: verify how your platform secures its pipelines, or your coins might bankroll the next headline hack.