June 6, 2025 will be remembered as one of the most consequential days in recent cryptocurrency security history. Two major incidents struck within hours of each other — a belated disclosure from Taiwanese exchange BitoPro and a sophisticated exploit targeting Bitcoin DeFi protocol ALEX Lab on the Stacks blockchain. Together, the incidents drained over $19 million in digital assets, exposing persistent vulnerabilities in both centralized and decentralized crypto infrastructure.
The Exploit Mechanics
The ALEX Protocol attack demonstrated a level of sophistication that has become increasingly common in DeFi exploits. The attacker began by creating a fake token named ssl-labubu-672d3, which contained a malicious transfer function hidden within its smart contract code. This token was then paired with legitimate assets like Stacks (STX) in a liquidity pool on the ALEX platform.
The core vulnerability lay in ALEX Protocol’s self-listing verification logic — the system that allows new tokens to be added to the platform. Due to insufficient verification controls, the attacker was able to exploit the set-approved-token function, which unintentionally granted their malicious contract vault-level access to the protocol’s treasury. Once permissions were established, the attacker activated the set-enable-farming function, enabling the hidden malicious transfer capability.
During routine token swap operations (swap-x-for-y), the legitimate ALEX Protocol contracts inadvertently triggered the attacker’s malicious transfer function. Weak internal checks caused the protocol to misidentify the vault itself as the initiator of transfers, allowing the attacker to systematically drain funds. The stolen assets included approximately 8.4 million STX tokens worth roughly $5.69 million, 21.85 Stacks Bitcoin tokens valued at about $2.24 million, stablecoins totaling around $149,850, and 2.8 Wrapped Bitcoin tokens worth approximately $287,000. Some reports indicated total losses could reach as high as $16.18 million when accounting for additional stolen tokens.
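The failure mode described above, as an added illustration that is not ALEX Lab's code: a toy vault that runs a token's transfer hook under its own identity, so a callback from the hook passes the vault's "was this initiated by me?" check, placed beside a hardened variant that restricts listing to a governance principal, authorises treasury withdrawals on the immediate caller, and verifies the amount a token actually delivered. The principal names, balances, price and the `Ctx` sender/caller split are all constructed assumptions; only the function names and the token name come from the article.

```python
# Added illustration, not ALEX Lab's code: a toy vault showing how executing a
# token's transfer hook under the vault's own identity lets a callback from the
# hook look vault-initiated, and what the hardened version checks instead.
# All principal names and numbers are constructed.
from dataclasses import dataclass

VAULT = "vault-contract"
GOVERNANCE = "governance-multisig"   # assumed: a governance principal controls listings
USER = "user-1"


@dataclass
class Ctx:
    tx_sender: str        # principal the callee is told originated the action
    contract_caller: str  # contract or principal making the immediate call


class Token:
    """Well-behaved token: transfer only moves balances."""
    def __init__(self, name, balances):
        self.name, self.balances = name, dict(balances)

    def transfer(self, ctx, vault, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount


class CallbackToken(Token):
    """Token whose transfer hook calls back into the vault, the shape the article describes."""
    def transfer(self, ctx, vault, sender, recipient, amount):
        super().transfer(ctx, vault, sender, recipient, amount)
        # The hook sees whatever identity the vault handed it as tx_sender.
        # It leaves 100 STX behind so the enclosing swap can still complete.
        vault.withdraw(Ctx(ctx.tx_sender, self.name), "STX", vault.balances["STX"] - 100, sender)


class Vault:
    def __init__(self, hardened):
        self.hardened = hardened
        self.approved = set()
        self.balances = {"STX": 1_000}   # constructed treasury

    def set_approved_token(self, ctx, token):
        # weak: permissionless self-listing; hardened: governance only
        if self.hardened and ctx.contract_caller != GOVERNANCE:
            raise PermissionError("set-approved-token: governance only")
        self.approved.add(token.name)

    def withdraw(self, ctx, asset, amount, to):
        if self.hardened:
            ok = ctx.contract_caller == GOVERNANCE   # authorise on the immediate caller
        else:
            ok = ctx.tx_sender == VAULT              # weak: trusts the sender label
        if not ok:
            raise PermissionError("withdraw: not authorised")
        self.balances[asset] -= amount

    def swap_x_for_y(self, ctx, token_x, amount_x):
        if token_x.name not in self.approved:
            raise PermissionError("token not approved")
        if self.hardened:
            hook_ctx = Ctx(ctx.tx_sender, VAULT)   # user remains the sender during the hook
        else:
            hook_ctx = Ctx(VAULT, VAULT)           # weak: vault runs the hook as itself
        before = token_x.balances.get(VAULT, 0)
        token_x.transfer(hook_ctx, self, ctx.tx_sender, VAULT, amount_x)
        received = token_x.balances.get(VAULT, 0) - before
        if self.hardened and received != amount_x:
            raise ValueError("token did not deliver the declared amount")
        payout = amount_x // 10                    # constructed 10:1 price
        if payout > self.balances["STX"]:
            raise ValueError("treasury cannot cover payout")
        self.balances["STX"] -= payout             # payout is the vault's own logic
        return payout


def run_scenario(hardened, approver):
    """STX left in the treasury after `approver` lists a callback token and a
    user swaps 100 of it. A step that raises is treated as a rejected call."""
    vault = Vault(hardened)
    token = CallbackToken("ssl-labubu-672d3", {USER: 100})   # token name from the article
    try:
        vault.set_approved_token(Ctx(approver, approver), token)
        vault.swap_x_for_y(Ctx(USER, USER), token, 100)
    except (PermissionError, ValueError):
        pass
    return vault.balances["STX"]


def honest_swap(hardened):
    """Same flow with a well-behaved token listed by governance: 100 tokens buy 10 STX."""
    vault = Vault(hardened)
    token = Token("good-token", {USER: 100})
    vault.set_approved_token(Ctx(GOVERNANCE, GOVERNANCE), token)
    vault.swap_x_for_y(Ctx(USER, USER), token, 100)
    return vault.balances["STX"]
```

With weak checks `run_scenario(False, USER)` ends with 90 STX in the treasury: the listing is accepted, the hook's callback passes the `tx_sender == VAULT` check, and the swap still pays out. With hardened checks the same run stops at listing, and even a token mistakenly listed by governance (`run_scenario(True, GOVERNANCE)`) is stopped at `withdraw`, because the immediate caller is the token contract, while `honest_swap` behaves identically in both modes.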
Meanwhile, BitoPro, a Taiwan-based cryptocurrency exchange, belatedly disclosed that it had suffered an $11.5 million hack. The delayed disclosure raised serious concerns about transparency standards among centralized exchanges and whether regulators would push for mandatory incident reporting timelines.
Affected Systems
The ALEX Protocol exploit specifically targeted the protocol’s self-listing verification system — a component designed to allow permissionless token additions to the platform. Built on the Stacks blockchain, which enables smart contracts on Bitcoin, ALEX Lab had positioned itself as a gateway for Bitcoin DeFi. This incident marks the protocol’s second major breach, following a $4.3 million hack in May 2024 that was attributed to the North Korean Lazarus Group.
The BitoPro breach affected the exchange’s hot wallet systems, though full technical details remained sparse given the belated nature of the disclosure. The exchange’s handling of the incident drew criticism from security researchers who noted that timely disclosure is critical for enabling other platforms to detect and prevent similar attacks.
The Mitigation Strategy
In response to the ALEX Protocol exploit, the ALEX Lab Foundation moved swiftly, pledging full reimbursement to all affected users using USDC from its treasury. Reimbursement amounts were calculated based on average on-chain exchange rates recorded between 10:00 AM and 2:00 PM UTC on the day of the exploit. Users received on-chain notifications regarding claim submissions by June 8, 2025, with a submission deadline of June 10. Reimbursements were distributed within seven business days after verification.
The broader DeFi community responded with renewed calls for enhanced token listing verification processes. Security firms recommended implementing multi-layer verification that includes static code analysis of token contracts before listing, real-time monitoring of unusual permission changes, and automated alerts when new tokens interact with treasury-level functions.
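The real-time monitoring and alerting the security firms recommend, as an added example that is not ALEX Lab's tooling: a small monitor run over a constructed JSON-lines log of contract calls, flagging permission changes made by anyone other than governance, a freshly listed token reaching a treasury-level function, and a single swap that moves more out of the vault than a fixed limit. The function names `set-approved-token`, `set-enable-farming` and `swap-x-for-y` come from the article; the log format, the principals, the block window and the outflow threshold are assumptions.

```python
# Added example, not ALEX Lab's tooling: flags the conditions the article's
# recommended monitoring should catch, over a constructed event log.
# Function names come from the article; everything else is assumed.
import json

GOVERNANCE = "SP-GOVERNANCE-MULTISIG"   # placeholder governance principal
TREASURY_FUNCTIONS = {"set-approved-token", "set-enable-farming"}
NEW_TOKEN_WINDOW = 100      # blocks after listing during which a token counts as "new"
MAX_SWAP_OUTFLOW = 100_000  # vault outflow per swap above which a human must look

# Constructed JSON-lines log of contract calls (not real chain data).
EVENT_LOG = """\
{"block": 1000, "fn": "set-approved-token", "caller": "SP-LISTER", "token": "ssl-labubu-672d3"}
{"block": 1001, "fn": "set-enable-farming", "caller": "SP-LISTER", "token": "ssl-labubu-672d3"}
{"block": 1002, "fn": "swap-x-for-y", "caller": "SP-LISTER", "token": "ssl-labubu-672d3", "vault_delta": -8400000}
{"block": 1500, "fn": "set-approved-token", "caller": "SP-GOVERNANCE-MULTISIG", "token": "alex-token"}
{"block": 1700, "fn": "swap-x-for-y", "caller": "SP-USER", "token": "alex-token", "vault_delta": -12}
"""


def analyze(log):
    """Return (block, rule, token) alerts in log order."""
    listed_at = {}   # token -> block at which set-approved-token was called
    alerts = []
    for raw in log.splitlines():
        ev = json.loads(raw)
        block, fn, token = ev["block"], ev["fn"], ev["token"]
        if fn in TREASURY_FUNCTIONS:
            if fn == "set-approved-token":
                listed_at[token] = block
            # rule 1: any treasury-level permission change not made by governance
            if ev["caller"] != GOVERNANCE:
                alerts.append((block, "permission change by non-governance caller", token))
            # rule 2: a token listed within the window already touching another treasury function
            if fn != "set-approved-token" and block - listed_at.get(token, -10**9) <= NEW_TOKEN_WINDOW:
                alerts.append((block, f"new token reached {fn}", token))
        # rule 3: a single swap draining more than the limit from the vault
        if fn == "swap-x-for-y" and -ev.get("vault_delta", 0) > MAX_SWAP_OUTFLOW:
            alerts.append((block, "swap outflow above limit", token))
    return alerts
```

Run against the constructed log, `analyze(EVENT_LOG)` produces four alerts, all for the same token and all within three blocks of its listing, while the governance-listed token and the ordinary swap at block 1700 stay silent; the first two rules fire before any funds move, which is where the alert is useful.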
Lessons Learned
These dual incidents underscore several critical lessons for the cryptocurrency ecosystem. First, self-listing mechanisms — while important for permissionless innovation — require robust verification frameworks that can detect malicious contract logic before it reaches production systems. Second, the BitoPro case highlights the ongoing need for mandatory disclosure timelines, as delayed reporting prevents the broader community from taking defensive action. Third, protocols that have been previously exploited face heightened scrutiny and must demonstrate that systemic security improvements have been implemented, not just patches for the specific vulnerability that was exploited.
User Action Required
For users affected by the ALEX Protocol exploit, claims should be submitted through official ALEX Lab channels. All users interacting with DeFi protocols should verify that their funds are not exposed to self-listing token risks, and anyone with balances on centralized exchanges should ensure they maintain only what is necessary for active trading, keeping the majority of funds in self-custody wallets. As Bitcoin trades at approximately $104,390 and Ethereum at $2,477 at the time of these incidents, the stakes for proper security practices have never been higher.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before engaging with any cryptocurrency platform.
alex was one of the few defi protocols building on stacks. this exploit sets back the entire bitcoin L2 DeFi thesis
stx_whale_: ALEX was basically the only DeFi protocol on Stacks with real volume. this exploit killed the bitcoin L2 DeFi narrative for months
Another day, another exploit. BitoPro waiting this long to disclose an $11.5M hit is a massive red flag for their transparency. It’s wild how these attacks seem to cluster together. ALEX Protocol getting hit at the same time makes you wonder if there’s a shared vulnerability or just a very busy week for hackers. Stay safe out there and use cold storage!
BitoPro delayed disclosure is actually worse than the hack itself. users could have moved funds if they knew
Lucian P.: delayed disclosure should be criminal. users had funds on the exchange while executives knew it was compromised
Man, the ALEX exploit hurts. I was actually bullish on their protocol for Bitcoin layer 2 stuff. But seeing $8.3M drained just like that is a reality check. We really need better security audits in this space before moving such large amounts of capital. BitoPro’s delayed disclosure is even worse though—users deserve to know immediately when funds are at risk.
ssl-labubu token with a hidden malicious transfer function. this is textbook and yet platforms still don't catch it
a fake token named ssl-labubu passing verification is embarrassing. the set-approved-token function should never have existed without multisig
Raluca D.: a fake token called ssl-labubu passing self listing verification is beyond embarrassing. the set-approved-token function needed multisig day one
This is exactly why I keep most of my assets off exchanges. If a platform like BitoPro can lose $11M and not say anything for a while, how can we trust them with our savings? The ALEX situation is also a bummer for the Stacks ecosystem. Hopefully, both projects can recover and improve their security, but the trust takes a long time to rebuild.
Skeptical about the “simultaneous” nature of these hits. Is it just a coincidence or is there a sophisticated group targeting specific bridge vulnerabilities? The industry needs to mature beyond these constant headlines of multi-million dollar “exploits” if we ever want mainstream adoption. Transparency is the only way forward, so BitoPro really dropped the ball on this one.
naming your malicious token ssl-labubu and nobody on the team noticed. the self-listing verification was basically an honor system
the set-approved-token function giving admin access without checks is a 2021 level mistake. in 2025 this should not be happening on a live protocol
BitoPro waiting to disclose is almost worse than the hack itself. how do you lose $11.5M and just hope nobody notices