BigONE Under Scrutiny: An In-Depth Analysis of the July 2025 Hack and Its Aftermath
I. Executive Summary
On July 16, 2025, the Seychelles-based cryptocurrency exchange BigONE experienced a significant security breach, resulting in estimated losses of approximately $27 million.[1, 2] The incident was not a private key compromise, the direct theft of signing keys that lies behind a large share of recent exchange losses, but a supply chain attack: the attacker altered the operating logic of BigONE's account-related servers so that unauthorized withdrawals were processed as legitimate ones.[1, 2, 3, 4] The stolen assets spanned Bitcoin (BTC), Ethereum (ETH), Tether (USDT), Solana (SOL), TRON (TRX), Mixin (XIN), Dogecoin (DOGE), Shiba Inu (SHIB), and CELR, drained across multiple blockchain networks.[1, 2, 3, 4]
BigONE's response to the breach was swift and decisive. The exchange promptly suspended deposits and withdrawals to contain the breach and initiated an immediate investigation.[2, 4, 5] Crucially, BigONE publicly committed to fully covering all user losses from its internal security reserves, which include BTC, ETH, USDT, SOL, and XIN, and stated plans to secure external funding for other affected tokens.[1, 2, 4, 5, 6] Collaboration with leading blockchain security firm SlowMist was established to trace the stolen funds and analyze the intricate attack vector.[1, 2, 5, 6] This proactive stance on user compensation and external collaboration aims to mitigate the immediate financial impact on users and bolster confidence.
The incident provides critical perspectives on the exchange's current standing and its future trajectory. While trading and deposit services were quickly restored within hours of the breach, withdrawals remained suspended as BigONE worked on implementing additional security upgrades.[2, 4, 5] This phased restoration reflects a strategic approach to balancing operational continuity with enhanced security, prioritizing the integrity of fund outflows. This event also underscores the inherent vulnerabilities centralized exchanges face, particularly concerning internal security measures and supply chain dependencies, which could potentially drive users towards decentralized finance (DeFi) solutions.[1] Adding complexity to BigONE's recovery are controversial allegations by blockchain investigator ZachXBT, who claims the exchange had processed significant volumes of funds from illicit activities like romance and pig butchering scams prior to the hack.[2, 3, 7, 8] These claims pose a substantial reputational challenge that BigONE must address transparently to rebuild trust and ensure long-term viability.
II. The July 2025 BigONE Security Incident: A Detailed Account
A. Anatomy of the Attack
The breach was officially confirmed on July 16, 2025, with total estimated losses of $27 million.[1, 2, 3, 6] Reported line items include 120 BTC (about $14.15 million), 23.3 million TRX (about $7.01 million), 1,272 ETH (about $4 million), 2,625 SOL (about $428,000), 8.54 million USDT, and smaller amounts of DOGE, SHIB, CELR, and UNI, drained across the Bitcoin, Ethereum, Solana, and TRON networks.[2, 3, 4, 8, 9, 10, 11, 12, 13, 14] Taken at face value these items sum to roughly $34 million, above the $27 million headline, so the per-asset figures and the total as reported across sources are not fully reconciled and should be read as approximate.
The incident was characterized as a supply chain attack: the attackers did not steal or directly use private keys, normally the most tightly guarded assets of an exchange.[1, 2, 3] Instead, they altered the operating logic of BigONE's account-related servers, so that the exchange's own systems authorized the fraudulent withdrawals as legitimate transactions and the controls built around key custody were never engaged.[2, 3, 4, 5, 8, 9, 10, 11, 12, 13, 14, 15, 16]
Specifically, the attackers compromised BigONE's production network and modified the operating logic of the servers responsible for account management and risk controls. This was reportedly achieved by deploying malicious binaries through compromised Continuous Integration/Continuous Deployment (CI/CD) pipelines or server management channels, which let them disable key security checks.[2, 11, 17] Targeting the build and deployment path rather than wallet access marks a shift in the attacks aimed at exchanges: the weakest point was not key storage but the process that decides which code runs in production and what that code is allowed to approve. Exchanges therefore have to treat the whole pipeline as security-critical, including third-party integrations, deployment tooling and the internal business logic that enforces withdrawal policy. Such attacks are harder to detect than a wallet breach because the malicious behaviour is carried out by the exchange's own services, which makes it look like ordinary internal operation.
The attack went undetected until unusual asset flows triggered internal alarms, which suggests that monitoring of fund outflows was not tight enough to stop the drain at the first anomalous withdrawal.[4, 7, 8, 9, 10, 11, 18]
BigONE July 2025 Hack Summary (table not reproduced)
B. BigONE's Immediate Crisis Response
Immediately upon detection of the breach, BigONE implemented a rapid crisis response. The exchange temporarily suspended deposits and withdrawals to contain the damage and prevent further losses.[2, 4, 5, 7, 8, 12, 19, 20] This swift action was critical in limiting the overall financial impact. The exchange quickly identified and contained the attack path, assuring users that private keys were not compromised and that the attack vector had been sealed.[4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 18, 19, 20, 21]
To aid the forensic investigation and asset tracing, BigONE engaged blockchain security firms, notably SlowMist.[1, 2, 4, 5, 6] The collaboration aimed to track the stolen funds and analyse the precise methods used by the attackers. The attackers, following a common pattern, rapidly swapped and moved the stolen assets across several chains to obscure the trail and complicate recovery.[2, 6, 7, 8, 9, 10, 11, 12, 14, 21] The speed and multi-chain nature of this laundering directly limit what recovery can achieve: blockchain ledgers are public, but once assets are mixed or swapped across protocols, tracing and freezing them becomes far harder.[5] That points to the need for real-time outflow monitoring and automated response that can halt withdrawals or flag suspicious activity before a drain completes.[1, 17, 20] It also underscores the ongoing difficulty for law enforcement and analytics firms in identifying perpetrators and recovering funds.
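The detection gap described in Section II.A and the call for automated response above both come down to the same control: an outflow monitor that sits on the withdrawal path and trips a halt on its own. The following is an added example, not code from BigONE or SlowMist. It replays a constructed feed of withdrawal events through a per-asset sliding-window velocity check and a global circuit breaker; the window length, per-asset limits and breaker threshold are assumed values that a real exchange would derive from its own baseline.

```python
"""Outflow anomaly monitor with circuit breaker (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample feed: (timestamp_s, asset, amount, destination).
# The first rows are routine traffic; the last rows mimic a multi-asset drain.
SAMPLE_EVENTS = [
    (0,   "BTC",  0.5,         "bc1q-user-a"),
    (60,  "ETH",  3.0,         "0xuser-b"),
    (120, "USDT", 2500.0,      "TUser-c"),
    (180, "BTC",  0.2,         "bc1q-user-d"),
    (900, "BTC",  40.0,        "bc1q-attacker"),  # drain begins
    (905, "BTC",  40.0,        "bc1q-attacker"),
    (910, "BTC",  40.0,        "bc1q-attacker"),
    (915, "TRX",  8_000_000.0, "Tattacker"),
    (920, "ETH",  1272.0,      "0xattacker"),
]

# Assumed policy: per-asset maximum released within a rolling window, and the
# number of alerts inside one window after which all withdrawals are halted.
WINDOW_S = 600
ASSET_LIMITS = {"BTC": 5.0, "ETH": 50.0, "USDT": 100_000.0,
                "TRX": 500_000.0, "SOL": 1_000.0}
BREAKER_ALERTS = 3


@dataclass
class Alert:
    ts: int
    asset: str
    window_total: float
    dest: str
    reason: str


class WithdrawalMonitor:
    def __init__(self):
        self.windows = defaultdict(deque)  # asset -> deque of (ts, amount)
        self.alerts = []
        self.halted = False

    def _window_total(self, asset, now):
        q = self.windows[asset]
        while q and now - q[0][0] > WINDOW_S:   # drop events outside the window
            q.popleft()
        return sum(amount for _, amount in q)

    def observe(self, ts, asset, amount, dest):
        """Return 'halted', 'alert' or 'ok' for one withdrawal event."""
        if self.halted:
            return "halted"
        self.windows[asset].append((ts, amount))
        total = self._window_total(asset, ts)
        limit = ASSET_LIMITS.get(asset, 0.0)    # unknown asset: zero tolerance
        if total > limit:
            self.alerts.append(Alert(ts, asset, total, dest,
                                     f"{asset} window total {total} exceeds {limit}"))
            recent = [a for a in self.alerts if ts - a.ts <= WINDOW_S]
            if len(recent) >= BREAKER_ALERTS:
                self.halted = True               # global halt, any asset
                return "halted"
            return "alert"
        return "ok"


def replay(events=SAMPLE_EVENTS):
    """Run the monitor over a feed; returns (verdict per event, monitor)."""
    mon = WithdrawalMonitor()
    verdicts = [mon.observe(*e) for e in events]
    return verdicts, mon


if __name__ == "__main__":
    verdicts, mon = replay()
    for e, v in zip(SAMPLE_EVENTS, verdicts):
        print(f"t={e[0]:>4} {e[1]:<4} {e[2]:>14,.2f} -> {v}")
    print("halted:", mon.halted, "alerts:", len(mon.alerts))
```

On the sample feed the first oversized BTC withdrawal raises an alert at t=900 and the third trips the breaker at t=910, so the TRX and ETH legs of the drain are refused. Because the attacker in this incident altered the risk-control server itself, a monitor of this kind only helps if it runs in a separate trust domain from the services it watches and can block signing independently of them.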
III. BigONE's Recovery and Enhanced Security Measures
A. Operational Restoration
Following the breach, BigONE moved quickly to restore core services. Trading and deposits were fully restored within hours of the disclosure.[2, 4, 5, 6, 7, 8, 10, 12, 13, 15, 19, 20, 21] Restoring these first limited market panic and kept users on the platform. Withdrawals, the direct outflow of funds, were treated differently: they remained suspended, with BigONE stating they would resume only "after additional security reinforcement" and "once the system stabilizes".[2, 4, 5, 7, 8, 12, 15, 19, 20] This phased restoration is a deliberate risk trade-off. Rushing the withdrawal path back into service could reintroduce the weakness the attacker used, while a prolonged suspension erodes trust; BigONE's choice implies that reinforcing the withdrawal path is substantial work it was not willing to shortcut, and that getting it right matters more for long-term trust than a fast reopening. The BigONE Convert service, which facilitates zero-fee asset exchanges, was specifically noted as restored on July 17, 2025.[22]
BigONE Service Status Post-Hack
Deposits: Fully Restored (Within hours of hack)
Trading: Fully Restored (Within hours of hack)
Withdrawals: Suspended (Pending additional security reinforcement)
OTC (Over-the-Counter): Suspended (Will resume once system stabilizes)
Convert Service: Restored (July 17, 2025)
B. User Compensation and Liquidity Management
A cornerstone of BigONE's post-hack strategy is its public pledge to fully cover all losses incurred by users, emphasizing that "user assets will not be affected in any material way".[1, 2, 4, 5, 6] This commitment is crucial for maintaining user confidence in the wake of a significant security incident. To fulfill this pledge, BigONE activated its internal security reserves, which comprise Bitcoin (BTC), Ethereum (ETH), Tether (USDT), Solana (SOL), and Mixin (XIN) tokens.[2, 4, 5, 9] For other affected mainstream and non-mainstream tokens, the exchange stated it would actively secure external liquidity through borrowing mechanisms to restore user balances as quickly as possible.[2, 4, 5, 9] Reports indicate that BigONE holds over $91 million in crypto assets.[3, 5] This suggests that the exchange possesses sufficient liquidity to absorb the $27 million loss without external distress, assuming these reported figures are accurate and the assets are readily liquidatable.
C. Post-Hack Security Upgrades
In response to the sophisticated nature of the attack, BigONE is implementing a series of enhanced security measures. These include tightening approval workflows, increasing withdrawal delays, and boosting multi-signature and cold wallet holdings.[20] These measures are designed to fortify the security of asset movements and reduce the exposure of "warm wallets," which were identified as a weakness during the breach.[20]
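The measures listed above (tighter approval workflows, withdrawal delays, multi-signature quorums and less value held in warm wallets) are policy, and policy is easiest to audit when it is data. The following is an added example, not BigONE's code: a tiered withdrawal gate that enforces quorum, delay and a warm-wallet float cap, and that deliberately ignores any "approved" flag set by a backend service, which is exactly what a reprogrammed risk-control server can produce. Tiers, signer names, the float cap and the request values are assumed.

```python
"""Tiered withdrawal gate (added example; policy values are assumed)."""
from dataclasses import dataclass, field

# Assumed policy in USD-equivalent value, ascending:
# (max_value, independent_approvals_required, delay_seconds, source_wallet)
POLICY_TIERS = [
    (1_000.0,      0, 0,      "warm"),
    (50_000.0,     1, 600,    "warm"),
    (200_000.0,    2, 3_600,  "warm"),
    (float("inf"), 3, 86_400, "cold"),
]
# Independent approvers: people or hardware-backed signers, never services.
HUMAN_APPROVERS = {"ops-alice", "ops-bob", "sec-carol", "cfo-dan"}
# Total value the warm wallet may release before it must be refilled from
# cold storage through a separate, manually approved process.
WARM_FLOAT_CAP = 250_000.0


@dataclass
class Withdrawal:
    id: str
    usd_value: float
    requested_at: int
    approvals: set = field(default_factory=set)  # signer ids attached so far
    service_approved: bool = False               # flag a backend service may set


def tier_for(usd_value):
    for max_value, quorum, delay, wallet in POLICY_TIERS:
        if usd_value <= max_value:
            return quorum, delay, wallet
    raise ValueError("unreachable: last tier is unbounded")


class WithdrawalGate:
    """Stateful gate; one instance per warm wallet."""

    def __init__(self):
        self.warm_released = 0.0

    def evaluate(self, w, now):
        """Return (decision, reason); decision is 'release' or 'hold'."""
        quorum, delay, wallet = tier_for(w.usd_value)
        # Only independent signers count. w.service_approved is ignored on
        # purpose, so a compromised risk-control server gains nothing by setting it.
        signers = {s for s in w.approvals if s in HUMAN_APPROVERS}
        if len(signers) < quorum:
            return "hold", f"{len(signers)}/{quorum} independent approvals"
        if now - w.requested_at < delay:
            return "hold", f"delay of {delay}s not elapsed"
        if wallet == "warm" and self.warm_released + w.usd_value > WARM_FLOAT_CAP:
            return "hold", "warm-wallet float exhausted; refill from cold storage"
        if wallet == "warm":
            self.warm_released += w.usd_value
        return "release", f"{wallet} wallet, {len(signers)}/{quorum} approvals"


def demo():
    """Replay constructed requests in order; returns [(name, decision, reason)]."""
    two = {"ops-alice", "sec-carol"}
    three = {"ops-alice", "sec-carol", "cfo-dan"}
    cases = [
        ("small_auto",             Withdrawal("w1", 500.0, 0), 0),
        ("service_flag_only",      Withdrawal("w2", 40_000.0, 0, service_approved=True), 10_000),
        ("service_as_signer",      Withdrawal("w3", 40_000.0, 0, {"risk-control-svc"}), 10_000),
        ("one_human_too_early",    Withdrawal("w4", 40_000.0, 0, {"ops-alice"}), 100),
        ("one_human_after_delay",  Withdrawal("w5", 40_000.0, 0, {"ops-alice"}), 700),
        ("two_humans_warm",        Withdrawal("w6", 150_000.0, 0, two), 4_000),
        ("warm_float_exhausted",   Withdrawal("w7", 150_000.0, 0, two), 4_000),
        ("cold_tier_three_humans", Withdrawal("w8", 1_000_000.0, 0, three), 90_000),
    ]
    gate = WithdrawalGate()
    out = []
    for name, w, now in cases:
        decision, reason = gate.evaluate(w, now)
        out.append((name, decision, reason))
    return out


if __name__ == "__main__":
    for name, decision, reason in demo():
        print(f"{name:<24} {decision:<8} {reason}")
```

The two requests that carry only a service-side approval are held regardless of timing, the warm wallet stops releasing once its float is spent, and anything above the top warm tier is routed to cold storage with a three-signer quorum and a day's delay. The gate only has value if the component running it and the signers it trusts are outside the blast radius of the account and risk-control servers.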
A key lesson is the need for stronger supply chain security. BigONE is expected to vet its partners more thoroughly and apply strict security requirements to third-party integrations to prevent a repeat.[1] The broader point is that an exchange with a solid custody posture, cold storage and external audits can still be compromised through its software delivery pipeline, its third-party integrations or its internal system logic. "Supply chain" here means the tools, scripts, vendors and deployment channels inside the exchange's backend; a compromise anywhere along that chain can let an attacker effectively "reprogram" the exchange to approve fraudulent transactions.[2, 11, 13, 17, 21] Security audits therefore have to cover the entire operational and development stack, not just isolated components such as smart contracts or hot wallets.
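The reported entry point in Section II.A, malicious binaries pushed through a compromised CI/CD pipeline or server management channel, and the supply chain lesson above both point at one missing control: production hosts should refuse to run a binary whose hash is not in a manifest authenticated by a key the pipeline cannot use. The following is an added example, not BigONE's deployment tooling. It uses an HMAC key as a stand-in for a hardware-backed release signing key; the key, artifact bytes and artifact names are constructed for the example.

```python
"""Deploy-time integrity gate for CI/CD artifacts (added example, constructed data)."""
import hashlib
import hmac
import json

# Assumed release key, held by the signing system and the verifying hosts only.
# A production setup would use an asymmetric key in an HSM so that nothing on
# the CI side can produce a valid tag for a modified manifest.
RELEASE_KEY = b"example-release-key-do-not-use"

# Constructed build outputs: artifact name -> bytes standing in for binaries.
BUILD_ARTIFACTS = {
    "account-service": b"\x7fELF...account-service v1.4.2",
    "risk-control":    b"\x7fELF...risk-control v1.4.2 checks=on",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(digests):
    # Stable encoding so signer and verifier MAC exactly the same bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts, key):
    """Build stage: hash every artifact and tag the canonical digest list."""
    digests = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "tag": tag}


def verify_manifest(manifest, key):
    """True only if the tag matches; an edited or re-tagged manifest fails."""
    expected = hmac.new(key, _canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def verify_deployment(manifest, deployed, key):
    """Deploy stage: per-artifact verdicts; anything other than 'ok' blocks start-up."""
    if not verify_manifest(manifest, key):
        return {name: "manifest-untrusted" for name in deployed}
    verdicts = {}
    for name, blob in deployed.items():
        want = manifest["digests"].get(name)
        if want is None:
            verdicts[name] = "unlisted"        # binary the build never produced
        elif hmac.compare_digest(want, sha256_hex(blob)):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "tampered"        # content differs from the build
    for name in manifest["digests"]:
        verdicts.setdefault(name, "missing")   # expected binary not deployed
    return verdicts


def demo():
    """Three deployments: clean, binary swapped, binary swapped plus manifest edited."""
    manifest = build_manifest(BUILD_ARTIFACTS, RELEASE_KEY)
    clean = verify_deployment(manifest, BUILD_ARTIFACTS, RELEASE_KEY)

    # Supply-chain compromise: risk-control replaced between CI and production
    # with a build whose checks are disabled; the manifest is left untouched.
    swapped = dict(BUILD_ARTIFACTS)
    swapped["risk-control"] = b"\x7fELF...risk-control v1.4.2 checks=off"
    binary_swapped = verify_deployment(manifest, swapped, RELEASE_KEY)

    # Attacker also rewrites the digest to match but cannot recompute the tag.
    forged_digests = dict(manifest["digests"])
    forged_digests["risk-control"] = sha256_hex(swapped["risk-control"])
    forged = {"digests": forged_digests, "tag": manifest["tag"]}
    manifest_forged = verify_deployment(forged, swapped, RELEASE_KEY)
    return clean, binary_swapped, manifest_forged


if __name__ == "__main__":
    for label, result in zip(("clean", "binary swapped", "manifest forged"), demo()):
        print(f"{label:<16} {result}")
```

The check is only as strong as the separation between the build runner and the release key: if the same pipeline that can be tricked into building a malicious binary can also tag the manifest, the gate proves nothing. Artifact-signing and attestation tooling provides the same gate with a detached asymmetric signature and a record of which build produced each artifact.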
The exchange is also adopting multi-layered measures, which typically include data encryption, multi-factor authentication (MFA) and role-based access control. MFA in particular has a track record of reducing account compromise on fintech platforms.[1] There is also an emphasis on continuous surveillance and AI-driven threat detection tooling intended to flag unusual activity quickly and shorten response time, addressing the detection delay observed in the incident.[1] BigONE's continued partnership with security firms such as SlowMist for tracking the stolen assets underscores the value of outside expertise in post-incident recovery and prevention.[1] Before the hack, BigONE held a "BBB" security rating from CertiK, reflecting regular penetration tests and cold wallet usage, and it ran a bug bounty program and third-party audits through platforms such as HackenProof and CertiK.[20, 23] The hack nonetheless exposed specific weaknesses: "warm wallets" without full multi-signature protection and a delay in incident detection, both of which are now targets for improvement.[20] A rating or audit attests only to the controls that were in scope at the time it was performed.
Key Security Enhancements by BigONE (Post-July 2025 Hack)
IV. Broader Industry Context and Implications
A. Impact on Centralized Exchange Trust and User Behavior
The BigONE incident has clear ramifications for the trust users place in centralized exchanges (CEXs), adding to a growing awareness of the risks of centralized platforms.[1] Given that the attack sidestepped the exchange's established security controls, users may reasonably question the safety of funds held on centralized exchanges, and some will consider decentralized finance (DeFi) as an alternative.[1] The causal chain is direct: CEX hacks reduce trust, and reduced trust pushes adoption of decentralized alternatives. DeFi platforms let users keep assets under their own private keys, removing dependence on a custodian and exposure to custodian hacks.[1] Self-custody moves key management risk onto the user, however, and DeFi protocols carry their own attack surface, as the July 2025 GMX and Arcadia Finance incidents discussed below show; the shift changes who bears the risk rather than removing it. The BigONE hack, being a supply chain attack rather than a simple wallet compromise, further emphasises that any centralized system, regardless of past security ratings, carries inherent risk. This puts pressure on CEXs not only to improve technical security but also to adopt more transparent, "DeFi-like" practices such as verifiable proof of reserves and multi-signature requirements on all hot wallets. If CEXs fail to adapt, the shift of capital and users towards DeFi could accelerate.
B. The Evolving Landscape of Crypto Cybercrime
The BigONE incident is part of a concerning broader trend in cryptocurrency security breaches, indicating a rapidly evolving threat landscape. The first half of 2025 alone saw nearly $2.1 billion stolen across 75 incidents, according to TRM Labs, or over $2.47 billion across 344 incidents, as reported by CertiK. These figures already exceed the total losses recorded for all of 2024.[2, 7, 24, 25] This escalation underscores the persistent and growing challenge of securing digital assets.
While private key compromises were a major attack vector in 2024, accounting for 43.8% of stolen cryptocurrency, the BigONE attack signifies a notable shift towards more sophisticated backend infrastructure attacks that bypass traditional wallet security measures.[2] This indicates that threat actors are increasingly targeting the operational core of exchanges rather than just their external interfaces or direct wallet access points. Major crypto hacks in 2025 further illustrate the scale of ongoing threats, including the Bybit hack, which resulted in $1.4-$1.5 billion in ETH stolen and is potentially the largest cryptocurrency heist in history.[20, 26, 27] Other notable incidents include DMM Bitcoin ($308 million in 2024), Coincheck ($534 million in 2018), FTX ($477 million in 2022 post-collapse), Mt. Gox ($460 million in 2014), GMX ($42 million in July 2025), and Arcadia Finance ($3.6 million in July 2025).[3, 4, 7, 11, 14, 16, 19, 24, 25, 27, 28, 29, 30, 31] Some reports suggest that many of these sophisticated attacks originate from infrastructure linked to state-sponsored groups, such as the North Korean Lazarus group, adding a geopolitical dimension to the cybersecurity challenges faced by crypto platforms.[32]
C. Reputational Challenges: Allegations of Illicit Fund Processing
Adding a significant layer of controversy and complexity to BigONE's post-hack recovery, blockchain investigator ZachXBT publicly accused the exchange of processing substantial volumes of funds from illicit activities, specifically romance scams and "pig butchering" operations, prior to the hack.[2, 3, 7, 8, 13, 14, 15, 19] ZachXBT alleged that BigONE processed at least $60 million in scam-related funds through a single deposit address over a period of seven months, with an additional $4.5 million in similar scam proceeds being received in the week leading up to the hack.[2, 14]
ZachXBT's public statements, expressing a lack of sympathy for the BigONE team due to the exchange's alleged role in processing illicit funds, suggest that a segment of the crypto community views such hacks as a "natural cleanse" for the industry.[7, 8, 13, 14, 19] This highlights a critical dual challenge for any crypto platform: simultaneously battling a complex technical challenge (recovering from a sophisticated supply chain hack and implementing robust new defenses) and a severe reputational crisis stemming from allegations of facilitating illicit funds. The latter suggests a potential failure in robust Anti-Money Laundering (AML) and Know Your Customer (KYC) enforcement or a willingness to onboard high-risk clients. Even if BigONE successfully recovers the stolen funds and technically fortifies its systems, the accusations of enabling large-scale scams could severely damage its long-term reputation, hindering its ability to attract legitimate users, institutional investors, and strategic partners. In the highly trust-dependent crypto industry, perceived integrity is as crucial as technical security. This situation could also draw increased scrutiny from global financial regulators, potentially leading to future enforcement actions, even if none are explicitly reported yet. The "natural cleanse" sentiment from ZachXBT underscores a community desire for a more ethical and compliant ecosystem, indicating that platforms failing on the integrity front may face increasing pressure. BigONE acknowledged scam-linked deposits in a reply on X, claiming to have frozen a portion of stolen funds and cooperating with law enforcement, but did not provide specific evidence, citing limitations on sharing screenshots.[14]
V. BigONE's Current Standing and Future Trajectory
A. Current Services and Market Position
BigONE, founded in 2017, has navigated several bull and bear markets in the cryptocurrency space. Originally established in mainland China, the exchange later relocated to Seychelles due to evolving regulatory restrictions on crypto trading.[2, 3, 8, 12] It maintains a global operational presence, serving users in multiple countries, including Singapore, Hong Kong, Brazil, Vietnam, Japan, and Indonesia.[2]
The exchange supports a wide array of digital assets, offering 265 cryptocurrencies and 328 trading pairs. Its primary trading pairs involve major cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), and Solana (SOL), alongside older meme tokens like BONK and Dogecoin (DOGE).[2, 3] BigONE ranks 25th globally by trading volume, having processed approximately $16.6 billion in trades in the 30 days prior to recent reports, with daily volumes ranging from $684 million to $728 million.[2, 3, 8, 12]
BigONE's current service offerings are comprehensive, positioning it as a one-stop digital asset service provider. These include a global digital currency market information hub, an advanced financial visualization platform with live quotes and crypto price charts, and a variety of technical analysis tools to help users analyze market trends in real-time.[1, 33, 34] The platform also provides 24/7 multilingual customer service and robust cryptocurrency tracking capabilities for a wide range of assets.[1, 33] User reviews from 2020-2021 indicate an expansion of services over time, including spot trading, mining pools, margin trading, futures trading, and crypto financing products.[33] BigONE states it operates with 100% reserves, a claim intended to reassure users about asset backing.[3] Despite its operational scale and diverse offerings, BigONE holds a trust score of 6/10 on CoinGecko, ranking it at position #91 among exchanges.[3, 13, 15] This relatively lower trust score predates the recent hack, suggesting pre-existing concerns within the broader crypto community regarding its reliability or practices.
B. Regulatory Environment and Compliance Efforts
The BigONE incident reinforces the broader cryptocurrency industry's urgent need for robust regulatory compliance. Adherence to clear regulatory frameworks is essential not only to bolster user faith but also to ensure overall market stability and prevent illicit activities.[1] In response to the allegations by ZachXBT regarding scam-linked deposits, BigONE has stated it is cooperating with law enforcement.[14] However, specific details about the agencies involved or the actions taken remain limited, which can hinder public and regulatory confidence.
The year 2025 has been marked by significant global regulatory developments affecting the crypto sector. In the United States, legislative initiatives such as the proposed CLARITY Act aim to clarify the respective jurisdictions of the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) over digital assets.[3, 35] Such clarity is expected to encourage institutional investment and growth in the digital asset market. Other regulations introduced in 2025 cover beneficial ownership information, children's online privacy, and enhanced Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) measures.[3, 36] These shifts reflect a global trend towards greater oversight and accountability in the crypto space.
Recent enforcement actions in the crypto sector highlight this tightening regulatory environment. For instance, California issued its first fine under its new crypto law in June 2025, imposing a $300,000 penalty against Coinme for violations related to cryptocurrency kiosks.[37] Similarly, Meta has appealed an EU fine related to its compliance with digital market rules.[38] While these examples demonstrate active regulatory enforcement, no specific regulatory fines or lawsuits directly against BigONE related to the July 2025 hack have been reported in the available information.[8, 13, 14, 30, 31, 37, 38, 39, 40, 41, 42, 43, 44, 45]
C. Rebuilding Trust and Strategic Outlook
BigONE's commitment to full transparency and restitution is a crucial step in rebuilding trust following the recent security breach.[20] In a post-FTX and Mt. Gox era, user trust in centralized crypto exchanges is exceptionally fragile.[27] BigONE's rapid and consistent communication, combined with a clear promise of full compensation, is a vital strategy to mitigate immediate panic, retain its user base, and prevent a complete erosion of confidence. This approach, learned from past industry catastrophes where a lack of transparency exacerbated distrust, demonstrates a growing maturity in crisis management within the crypto space. However, the long-term impact will depend on the actual delivery of these promises and the thoroughness of their security enhancements.
The incident's impact on user trust, coupled with the sophisticated nature of the attack, may lead some users to permanently shift towards decentralized finance (DeFi) solutions, where they retain direct control over their private keys.[1] This trend poses a significant challenge for BigONE and other centralized exchanges in the competitive crypto landscape. While pre-hack user reviews were generally positive regarding the platform's interface, coin selection, and customer service [33], direct post-hack user sentiment in crypto forums or review sites is not explicitly detailed in the provided information.[46, 47] The absence of explicit information regarding leadership changes or new strategic partnerships announced by BigONE directly after the July 2025 hack suggests a focus on internal recovery and security hardening rather than immediate external strategic shifts. The restoration of the "Convert service" is an operational update, not a new partnership. The dual challenge of technical security and reputational integrity, particularly given the allegations of illicit fund processing, will be a defining factor in BigONE's ability to rebuild its standing and attract legitimate users and partners in the future.
Conclusion
The July 2025 security breach at BigONE, a $27 million loss stemming from a sophisticated supply chain attack, underscores the evolving and increasingly complex nature of cyber threats in the cryptocurrency sector. This incident highlights a critical shift from traditional private key compromises to more insidious attacks that target the core operational logic and backend infrastructure of centralized exchanges. The rapid laundering of stolen funds across multiple blockchains further complicates recovery efforts, emphasizing the need for advanced, real-time monitoring and automated response systems across the industry.
BigONE's immediate and transparent response, including the commitment to full user compensation and collaboration with security firms like SlowMist, represents a crucial step in mitigating immediate financial fallout and rebuilding user confidence. However, the phased restoration of services, particularly the delayed resumption of withdrawals, illustrates the inherent tension between operational continuity and the imperative for robust security hardening. The exchange's focus on enhancing supply chain security, implementing multi-layered defenses, and improving threat detection mechanisms is essential for its long-term resilience.
Beyond the technical challenges, BigONE faces a significant reputational hurdle due to allegations of processing illicit funds prior to the hack. This dual challenge of technical security and ethical integrity is paramount in the trust-dependent crypto industry. The incident contributes to a broader erosion of trust in centralized exchanges, potentially accelerating a user migration towards decentralized finance solutions where individuals retain greater control over their assets. For BigONE, successfully navigating these challenges will require not only the diligent implementation of security upgrades and full user restitution but also a clear and verifiable commitment to stringent compliance and ethical operations to regain the trust of the wider crypto community and regulatory bodies. The future trajectory of BigONE, and indeed the broader centralized exchange landscape, will depend on how effectively these complex security, operational, and reputational issues are addressed.