July 2025 will be remembered as one of the most punishing months for cryptocurrency security, with approximately $285 million lost to various crypto-related crimes and over $139 million attributed to hacking incidents alone. While phishing and insider threats dominated headlines, a quieter attack vector is arguably the most dangerous one facing exchanges: supply chain compromise. The $27 million BigONE exchange hack demonstrated that attackers do not need private keys when they can rewrite the code that decides how those keys are used.
The Threat Landscape
The BigONE breach, disclosed on July 16, 2025, is a case study in why exchange security cannot stop at key custody. The attackers did not steal private keys or exploit smart contract logic. Instead, they compromised the exchange’s Continuous Integration and Continuous Deployment (CI/CD) pipeline and injected code that altered the operating logic of the account and risk control servers. Because the checks now ran in code the attackers controlled, hot wallet withdrawals that the account and risk controls should have blocked were approved as if they were legitimate.
The stolen assets painted a picture of a carefully planned operation: 120 Bitcoin, 350 Ethereum, 1,800 Solana, 7.1 million USDT across multiple chains, and various altcoins including XIN, CELR, UNI, and SHIB. With Bitcoin trading near $117,600 at the time of the attack, the Bitcoin component alone was worth over $14 million. The sophistication of the operation suggests a well-resourced threat actor with deep understanding of both DevOps infrastructure and exchange operations.
This attack came during a month that also saw CoinDCX lose $44.2 million to an insider threat, GMX suffer a $42 million re-entrancy exploit, WOO X lose $14 million through a phishing attack, and Future Protocol lose $4.6 million to a smart contract flaw. The diversity of attack vectors underscores that crypto platforms face threats at every layer of the technology stack, and that a clean smart contract audit says nothing about the infrastructure that builds, deploys and operates the platform.
Core Principles
Supply chain security rests on three foundational principles that every crypto platform must internalize. First, build integrity: every piece of code running in production must be verifiable from source to deployment. In practice this means signed commits, reproducible builds, and signed artifact attestations that together form a verifiable chain of custody from a reviewed commit to the binary that is deployed; a deploy step that cannot prove where its binary came from should refuse to run it.
Second, least privilege: even within trusted CI/CD pipelines, no single step should have unrestricted access to production systems. The BigONE attackers exploited excessive permissions within the deployment pipeline to modify the account and risk control servers simultaneously. A deploy credential that can write to both services is exactly the blast radius least privilege exists to remove; per-service deploy identities and multi-party approval for production deployments could have kept the attack from achieving its full scope.
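As an added example (not BigONE's code, nor any vendor's), the following Python deploy gate turns the first two principles into a concrete check. The attestation uses the in-toto Statement layout with a SLSA-style provenance predicate naming the builder, and an HMAC-SHA256 signature as an offline stand-in for a Sigstore/cosign signature; the builder ID, approver names and the byte-string "artifact" are constructed for illustration. In a real pipeline the signature is asymmetric (or Sigstore keyless), so the deploy gate can verify without being able to forge.

```python
"""Deploy-time gate enforcing build integrity and multi-party approval.

Added example, not BigONE's code or any vendor's. The attestation follows the
in-toto Statement layout with a SLSA-style provenance predicate; the HMAC
signature is an offline stand-in for a Sigstore/cosign signature (assumption).
Builder IDs, approver names and the sample artifact bytes are constructed.
"""
import hashlib
import hmac
import json

# Constructed: key shared by the build service and the deploy gate. A real
# setup uses an asymmetric key or Sigstore keyless signing so the gate
# can verify but cannot forge.
BUILDER_KEY = b"example-builder-signing-key"

# Assumption: only artifacts from this hosted builder may reach production.
TRUSTED_BUILDERS = {"https://ci.example.internal/builders/hosted-runner/v1"}

# Production deploys require this many distinct human approvers.
REQUIRED_APPROVALS = 2


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(obj):
    """Deterministic JSON so signer and verifier sign identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_attestation(artifact_name, artifact, builder_id):
    """Build side: bind a provenance statement to the artifact digest and sign it."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }
    sig = hmac.new(BUILDER_KEY, canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "signature": sig}


def verify_deploy(artifact_name, artifact, attestation, approvals):
    """Deploy side: return (allowed, reason); every check must pass."""
    statement = attestation["statement"]
    expected = hmac.new(BUILDER_KEY, canonical(statement), hashlib.sha256).hexdigest()
    # 1. Signature: the statement was produced by the build service, unmodified.
    if not hmac.compare_digest(expected, attestation.get("signature", "")):
        return False, "attestation signature invalid"
    # 2. Digest: the bytes about to run are the bytes that were attested.
    subjects = {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}
    if subjects.get(artifact_name) != sha256_hex(artifact):
        return False, "artifact digest does not match attested subject"
    # 3. Builder: provenance names a builder we trust, not a developer laptop.
    builder = statement["predicate"]["runDetails"]["builder"]["id"]
    if builder not in TRUSTED_BUILDERS:
        return False, "untrusted builder " + builder
    # 4. Approvals: N distinct humans approved *this digest*, not a tag name.
    digest = subjects[artifact_name]
    approvers = {a["approver"] for a in approvals if a["artifact"] == digest}
    if len(approvers) < REQUIRED_APPROVALS:
        return False, "need %d distinct approvers, have %d" % (REQUIRED_APPROVALS, len(approvers))
    return True, "ok"


# Constructed sample: the risk-control service "binary" is just bytes here.
ARTIFACT = b"risk-control-service build 2025.07"
BUILDER = "https://ci.example.internal/builders/hosted-runner/v1"
ATTESTATION = make_attestation("risk-control-service", ARTIFACT, BUILDER)
APPROVALS = [
    {"approver": "alice", "artifact": sha256_hex(ARTIFACT)},
    {"approver": "bob", "artifact": sha256_hex(ARTIFACT)},
]


def demo():
    """Good deploy passes; a binary modified after the build is refused."""
    good = verify_deploy("risk-control-service", ARTIFACT, ATTESTATION, APPROVALS)
    tampered = ARTIFACT + b"\n# withdrawal limit check removed"
    bad = verify_deploy("risk-control-service", tampered, ATTESTATION, APPROVALS)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The gate refuses in four independent ways: a forged or altered statement, a digest that does not match the attested subject (the post-build tampering pattern the BigONE incident illustrates), a builder outside the allowlist, and fewer than two distinct approvers. Approvals are bound to the artifact digest rather than to a tag or branch name, so an approval cannot be replayed onto a different binary.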
Third, the principle of continuous verification: security cannot be a one-time gate but must be continuously validated at every stage. Runtime integrity monitoring, file system change detection, and behavioral analysis of production systems provide the ongoing assurance needed to catch supply chain compromises before they cause catastrophic damage.
Tooling and Setup
Crypto exchanges looking to harden their supply chain defenses should implement a layered security architecture. Start with a secure software development lifecycle that includes mandatory code review by at least two senior engineers, automated static analysis, and dependency vulnerability monitoring. Deploy Sigstore or a similar cryptographic signing framework, and enforce signature verification at deployment time: a signature that nothing checks proves nothing, so the deploy step itself must refuse unsigned or unverifiable artifacts.
For CI/CD pipeline protection, implement pipeline-as-code with version-controlled configurations, secret scanning for credentials embedded in build scripts, and ephemeral build environments that are destroyed after each deployment. Adopt the SLSA (Supply-chain Levels for Software Artifacts) framework, which is a specification rather than a tool, and have the build platform emit signed provenance for every artifact so the deploy step can check who built it, from which source revision, and on which builder.
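As an added example (not from the page or any scanning product), here is a small Python secret scanner of the kind the secret-scanning step above runs over pipeline-as-code before the pipeline executes. It combines fixed-prefix token patterns with an entropy heuristic for secret-looking assignments and ignores references into a secret store; the workflow text is constructed, and the AWS access key in it is the placeholder key used in AWS documentation.

```python
"""Pre-flight secret scan for pipeline-as-code.

Added example, not from the page or any scanning product. It combines a few
well-known token formats with a Shannon-entropy check on values assigned to
secret-looking keys, and skips references into a secret store. The sample
workflow is constructed; the AWS key in it is the AWS documentation example.
"""
import math
import re

# Token formats with fixed, well-known prefixes.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# key = value / key: value where the key name suggests a credential.
ASSIGNMENT = re.compile(
    r"(?i)\b(?P<key>[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|API_KEY)[A-Z0-9_]*)"
    r"\s*[:=]\s*['\"]?(?P<val>[^'\"\s#]+)"
)

# Values that are references to a secret store or env var, not literals.
PLACEHOLDER = re.compile(r"^\$\{\{|^\$[A-Z_][A-Z0-9_]*$|^<[^>]+>$")

ENTROPY_THRESHOLD = 3.5   # bits per character; random base64 is ~6, prose ~4
MIN_LEN = 16              # shorter values are too noisy for an entropy rule


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text):
    """Return [(line_no, rule, evidence)] for every suspected credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append((no, rule, m.group(0)))
        m = ASSIGNMENT.search(line)
        if not m or PLACEHOLDER.match(m.group("val")):
            continue
        val = m.group("val")
        if len(val) >= MIN_LEN and shannon_entropy(val) >= ENTROPY_THRESHOLD:
            # Report the key name, not the value, so the alert itself
            # does not copy the secret into logs.
            findings.append((no, "high_entropy_secret", m.group("key")))
    return findings


# Constructed sample workflow (GitHub Actions style). Lines 3 and 7 carry
# literal tokens, line 4 a literal secret, line 5 a safe secret-store reference.
SAMPLE_WORKFLOW = """\
name: deploy
env:
  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
steps:
  - run: curl -H "Authorization: token ghp_abcdefghijklmnopqrstuvwxyz0123456789" https://api.example
"""

if __name__ == "__main__":
    for no, rule, evidence in scan(SAMPLE_WORKFLOW):
        print("line %d: %s (%s)" % (no, rule, evidence))
```

The entropy rule deliberately requires a minimum length, so a short literal such as PASSWORD=hunter2 is not caught by it; pair the scanner with a wordlist of weak literals, and run it as a pre-receive or pre-merge hook so a credential never reaches repository history in the first place.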
On the runtime side, deploy file integrity monitoring that alerts on unauthorized changes to production binaries and configuration, kernel-level process monitoring that detects unexpected code execution, and network segmentation that prevents deployment systems from directly reaching hot wallet infrastructure. The goal is to ensure that even a fully compromised CI/CD pipeline cannot single-handedly authorize fund movements: the keys or approvals that sign a withdrawal should live somewhere the pipeline cannot write to.
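As an added example serving both the continuous verification principle above and the file integrity monitoring recommended here (not BigONE's tooling or any vendor's product), this Python script baselines a release directory and flags the kinds of change a pipeline-delivered modification of risk control logic would produce. The temporary release tree, its paths and file contents are constructed for the demo.

```python
"""Runtime file integrity check for a deployed service directory.

Added example, not BigONE's tooling or any vendor's FIM product. It records the
SHA-256 digest and permission bits of every regular file under a release root
and reports anything modified, added or removed since that baseline. The demo
builds a throwaway release tree in a temporary directory; its paths and file
contents are constructed.
"""
import hashlib
import os
import stat
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> (sha256, mode bits) for every regular file under root."""
    entries = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. need their own rules; skipped here
            entries[os.path.relpath(full, root)] = (_digest(full), stat.S_IMODE(st.st_mode))
    return entries


def diff(baseline, current):
    """Return sorted [(path, reason)] for every entry that differs from the baseline."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            changes.append((path, "removed"))
        elif path not in baseline:
            changes.append((path, "added"))
        elif baseline[path][0] != current[path][0]:
            changes.append((path, "content changed"))
        elif baseline[path][1] != current[path][1]:
            changes.append((path, "mode changed"))
    return changes


def _write(path, data, mode=0o644):
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)  # explicit mode so the demo does not depend on umask


def demo():
    """Baseline a release, simulate a post-deploy edit of the risk logic, report it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "risk"))
        _write(os.path.join(root, "risk", "limits.py"), b"MAX_HOT_WALLET_WITHDRAWAL = 50_000\n")
        _write(os.path.join(root, "server.bin"), b"\x7fELF constructed placeholder")
        baseline = snapshot(root)  # taken at deploy time; store it off-host, signed
        # Attacker-style changes: relax the limit, drop a new module, flip a mode bit.
        _write(os.path.join(root, "risk", "limits.py"), b"MAX_HOT_WALLET_WITHDRAWAL = 10**12\n")
        _write(os.path.join(root, "risk", "bypass.py"), b"# unexpected file\n")
        os.chmod(os.path.join(root, "server.bin"), 0o755)
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for path, reason in demo():
        print("ALERT %s: %s" % (reason, path))
```

Two points matter more than the hashing itself: the baseline must be stored and signed somewhere the deployment pipeline cannot write to, otherwise the attacker who modifies the binary also updates the baseline; and a legitimate deploy must regenerate the baseline from the verified artifact, not from whatever is on disk afterwards.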
Ongoing Vigilance
Supply chain security is not a destination but a continuous process. Establish a regular cadence of security audits that specifically target infrastructure and deployment workflows, not just application code. Conduct tabletop exercises simulating supply chain compromise scenarios and validate that incident response procedures can detect and contain such attacks within minutes rather than hours.
Monitor threat intelligence feeds for indicators of compromise related to supply chain tooling, and participate in information-sharing consortiums with other exchanges. The attackers behind BigONE are likely probing other platforms with similar techniques, and early warning from peer organizations can provide a crucial defensive advantage.
Finally, invest in bug bounty programs and red team assessments that specifically target supply chain vectors. Many platforms test their application security thoroughly but neglect the infrastructure layer that attackers increasingly find more attractive. A dedicated supply chain penetration test can reveal vulnerabilities that standard application security assessments will miss entirely.
Final Takeaway
The BigONE hack proved that in the world of cryptocurrency security, the most dangerous attack may not be the one targeting your keys but the one rewriting the system that governs them. As institutional capital floods into crypto — with $4.39 billion in ETF inflows during a single week in July 2025 — the stakes have never been higher. Supply chain security must become a board-level priority for every crypto platform that holds user funds. The next $27 million theft will not come through the front door; it will arrive through the build pipeline.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified professionals.
injecting malicious code into the CI/CD pipeline to rewrite hot wallet withdrawal logic. BigONE didn't lose keys, they lost control of the code that uses the keys
ci_cd_nightmare rewriting withdrawal logic through the CI/CD pipeline. no key theft needed. this is the scariest attack vector in crypto right now
$285M lost in July alone and CI/CD attacks don't need private keys. the entire security model of crypto exchanges is built on protecting keys when the real threat is the build pipeline
dev_ops_42 $285M in a month and most of it wasn't even smart contract exploits. infrastructure attacks bypass all the code audits
Man, the ripple effects from those July attacks are still being felt. It’s crazy how a single compromised library can take down a multi-billion dollar platform. Really goes to show that ‘trustless’ doesn’t mean you don’t have to trust your dependencies. Always keep your main stack cold!
The industry is finally catching up with SBOM (Software Bill of Materials) requirements, but we’re still so vulnerable. We need decentralized code review processes for any open-source components used in exchange infrastructure. Until then, we’re just playing whack-a-mole with these hackers.
Elena Rodriguez the SBOM push is good but decentralized code review for CI/CD pipelines is where the actual defense needs to be. supply chain is the new perimeter