Cloud Credential Hijacking: How the BitoPro Breach Exploited AWS Session Tokens to Drain $11.5 Million

Taiwanese cryptocurrency exchange BitoPro fell victim to a sophisticated cyberattack on May 8, 2025, losing approximately $11.5 million in digital assets during what should have been a routine hot wallet system upgrade. The breach, later attributed to the infamous North Korean Lazarus Group, exposed critical vulnerabilities in how exchanges manage cloud infrastructure during maintenance operations.

As Bitcoin trades above $103,200 and Ethereum surges past $2,200 following the Pectra upgrade, the BitoPro incident serves as a stark reminder that even during bullish market conditions, security threats remain ever-present. The attack targeted hot wallets across Ethereum, Solana, Polygon, and Tron networks simultaneously.

The Exploit Mechanics

The attack chain began with a carefully orchestrated social engineering campaign. Threat actors compromised a cloud operations employee’s device by installing malware, which allowed them to hijack AWS session tokens. With these stolen credentials, the attackers bypassed multi-factor authentication protections and gained control of BitoPro’s cloud infrastructure.

Once inside the system, the attackers established a command-and-control server that communicated with a malicious implant deployed on the hot wallet host. This implant injected scripts designed to simulate normal wallet operations, effectively masking the unauthorized withdrawals as legitimate transactions happening in real time.

The timing of the attack was deliberate. The perpetrators waited for a scheduled hot wallet system upgrade and asset transfer operation to execute their theft, knowing that unusual transaction patterns would be less likely to trigger automated alerts during maintenance windows. The stolen assets were swiftly market-sold through decentralized exchanges before being routed through privacy tools.

Affected Systems

The breach affected multiple blockchain networks simultaneously. Hot wallets on Ethereum, Solana, Polygon, and Tron all experienced suspicious outflows. On-chain investigator ZachXBT identified specific theft addresses across these networks, including Ethereum addresses 0x2453933c98b6e55397103f7c1081626e0a02d2c9 and 0x454cf3892a949c94569ab2663090ecdca811a6f0, along with corresponding addresses on Tron, Solana, and Bitcoin.

The laundering process involved multiple stages designed to impede tracing and recovery. Stolen assets were swapped through decentralized exchanges, then routed to Tornado Cash on Ethereum, bridged to Bitcoin via ThorChain, and subsequently funneled through Wasabi Wallet’s CoinJoin functionality. This multi-layered approach is characteristic of Lazarus Group operations.

BitoPro initially responded by temporarily disabling deposits and withdrawals, posting a system maintenance notification for users. The exchange only publicly disclosed the hack weeks later on June 2, after ZachXBT publicly revealed the suspicious transactions.

The Mitigation Strategy

Upon detecting the breach, BitoPro initiated emergency response protocols, transferring remaining assets to new wallets and blocking the attacker’s access. The exchange engaged a third-party cybersecurity firm to investigate the incident and trace the stolen funds. All cryptographic keys were rotated as a precautionary measure.

BitoPro stated that it replenished the affected wallets using internal reserves, ensuring that user funds remained unaffected. The company emphasized that its cold wallet storage remained secure throughout the incident and that trading operations continued without disruption.

Law enforcement authorities were notified, and BitoPro committed to publishing new hot wallet addresses to increase transparency. The exchange maintained that its virtual asset reserves were sufficient to cover both customer funds and ongoing operations.

Lessons Learned

The BitoPro breach highlights several critical security gaps that affect the broader cryptocurrency exchange ecosystem. First, reliance on cloud infrastructure providers like AWS introduces a significant attack surface that extends beyond traditional blockchain security concerns. Session token theft can bypass even robust multi-factor authentication implementations.
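One way a defender can surface this kind of token theft is to watch where a temporary credential is used from. The script below is an added illustration for this write-up, not BitoPro's or AWS's code; it scans CloudTrail-style records (the sample events are constructed) and flags any STS session key reused from a different source IP or user agent than its first call.

```python
"""Flag AWS temporary credentials reused from an unexpected origin.

Added example, not code from BitoPro or AWS. A hijacked session token still
carries the victim's MFA-backed session, so the credential itself looks
valid to AWS; the change of origin is the detectable signal.
"""

# Constructed sample in the shape of CloudTrail records; not real data.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-08T02:10:11Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000000001"}},
    {"eventTime": "2025-05-08T02:12:40Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000000001"}},
    {"eventTime": "2025-05-08T03:01:02Z", "eventName": "GetSecretValue",
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"accessKeyId": "ASIAEXAMPLE0000000001"}},
    {"eventTime": "2025-05-08T03:05:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}},
]


def find_session_origin_changes(events):
    """Return (accessKeyId, eventName, eventTime, first_origin, new_origin).

    Only STS temporary keys (prefix 'ASIA') are tracked; long-lived
    'AKIA' keys are a separate concern and are skipped here.
    """
    first_seen = {}   # accessKeyId -> (sourceIPAddress, userAgent) of first use
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        key_id = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not key_id.startswith("ASIA"):
            continue
        origin = (ev["sourceIPAddress"], ev["userAgent"])
        if key_id not in first_seen:
            first_seen[key_id] = origin
        elif origin != first_seen[key_id]:
            findings.append((key_id, ev["eventName"], ev["eventTime"],
                             first_seen[key_id], origin))
    return findings


if __name__ == "__main__":
    for finding in find_session_origin_changes(SAMPLE_EVENTS):
        print("ALERT: session token used from a new origin:", finding)
```

In production this needs an allowlist for legitimate origin changes (NAT pools, VPN egress) and should be paired with short STS session durations so a stolen token expires before it is useful.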

Second, maintenance windows represent peak vulnerability periods. Exchanges must implement additional verification layers during system upgrades, including multi-party approval for large transfers and enhanced monitoring thresholds. The assumption that operational changes explain unusual activity can delay detection of active attacks.
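The maintenance-window controls described above can be expressed as an explicit withdrawal gate. The code below is an added example, not BitoPro's control logic; every limit, approver name and timestamp in it is constructed. Inside a declared window each transfer needs N distinct approvers and the window as a whole has a hard aggregate outflow cap, so "it's the upgrade" can never explain away a drain.

```python
"""Hot-wallet withdrawal gate that tightens during a maintenance window.

Added example, not BitoPro's own code. All policy values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class MaintenanceWindow:
    start: datetime
    end: datetime
    aggregate_cap_usd: float       # total outflow permitted during the window
    required_approvers: int = 3    # distinct humans per transfer in the window

    def covers(self, t: datetime) -> bool:
        return self.start <= t < self.end


@dataclass
class WithdrawalGate:
    window: Optional[MaintenanceWindow] = None
    single_approver_limit_usd: float = 50_000.0
    released_in_window_usd: float = 0.0

    def evaluate(self, amount_usd, approvers, now):
        """Return (allowed, reason); signing must only proceed when allowed."""
        distinct = set(approvers)      # one person cannot approve twice
        if self.window is not None and self.window.covers(now):
            if len(distinct) < self.window.required_approvers:
                return False, "window: need %d distinct approvers" % self.window.required_approvers
            if self.released_in_window_usd + amount_usd > self.window.aggregate_cap_usd:
                return False, "window: aggregate outflow cap exceeded"
            self.released_in_window_usd += amount_usd
            return True, "window: approved"
        if amount_usd <= self.single_approver_limit_usd and distinct:
            return True, "normal: below single-approver limit"
        if len(distinct) >= 2:
            return True, "normal: dual control"
        return False, "normal: large transfer needs two distinct approvers"


def run_demo():
    """Constructed sequence: a 2-hour upgrade window with a $2M outflow cap."""
    t0 = datetime(2025, 5, 8, 2, 0, tzinfo=timezone.utc)
    gate = WithdrawalGate(MaintenanceWindow(t0, t0 + timedelta(hours=2), 2_000_000.0))
    return [
        gate.evaluate(1_500_000.0, ["ops-a", "ops-b", "ops-a"], t0 + timedelta(minutes=5)),
        gate.evaluate(1_500_000.0, ["ops-a", "ops-b", "sec-c"], t0 + timedelta(minutes=6)),
        gate.evaluate(600_000.0, ["ops-a", "ops-b", "sec-c"], t0 + timedelta(minutes=30)),
        gate.evaluate(20_000.0, ["ops-a"], t0 + timedelta(hours=3)),
    ]
```

The first request fails because one operator was counted twice, the third fails on the aggregate cap even with full approval, and the last passes only because the window has closed.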

Third, the delayed public disclosure—nearly a month after the breach—raises questions about transparency standards in the industry. While investigations often require time, timely disclosure allows users to make informed decisions about their assets.

User Action Required

Cryptocurrency users should take this incident as a prompt to review their own security practices. Avoid keeping large holdings on any single exchange. Use hardware wallets for long-term storage. Enable all available security features including two-factor authentication, withdrawal whitelist restrictions, and anti-phishing codes. Monitor your accounts regularly for unauthorized activity, and consider distributing assets across multiple platforms to limit exposure to any single point of failure. The Lazarus Group remains an active and persistent threat to the global cryptocurrency ecosystem, and vigilance is the best defense.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making investment decisions.


8 thoughts on “Cloud Credential Hijacking: How the BitoPro Breach Exploited AWS Session Tokens to Drain $11.5 Million”

  1. gas_fee_tears

    Lazarus Group linked to over $1.5B in crypto thefts in 2025 alone. BitoPro is just one data point in a massive campaign targeting exchanges.

    1. the malware -> AWS session token hijack -> command-and-control -> hot wallet script injection chain is textbook APT. this isn't some random hacker

    2. $1.5B in 2025 alone from Lazarus and exchanges still keep hot wallets connected during maintenance windows. you can't patch negligence

      1. Pavel Novotny

        11.5M from a single exchange during a maintenance window and Lazarus probably spent more on the social engineering campaign than they made on some of their smaller hits. this was a precision operation

    3. incident_resp

      simulating normal wallet ops is what made this so hard to detect. the scripts mimicked legitimate withdrawal patterns so monitoring systems didn't flag anything until the dex swaps started

  2. injecting scripts to simulate normal wallet operations during the hot wallet upgrade is next level. the stolen assets were market-sold through DEXs before anyone noticed

  3. attacks targeting ETH, SOL, MATIC and TRON simultaneously show how multi-chain infrastructure creates more attack surface. each chain is another vector

  4. hot wallets connected to cloud infra during upgrades is a known anti-pattern. BitoPro should have had cold storage isolation with manual signing for the upgrade window
