BigONE Crypto Exchange Suffers $27M Supply Chain Exploit

TheCryptoTimesPublicado em 2025-07-16Última atualização em 2025-07-17

Crypto exchange BigONE has confirmed it was hit by a suspected supply chain attack early on July 16, leading to losses exceeding $27 million. The incident was first flagged by blockchain security firm SlowMist, which reported that the attacker compromised BigONE’s production environment by altering server logic related to account and risk control. 

The attacker was able to withdraw funds without permission, but BigONE confirmed that private keys were not compromised.

In a blog post, BigONE said the attack specifically hit their hot wallet. They noticed unusual fund activity, looked into it, and managed to find and block the source of the breach. They assured users there’s no further threat of ongoing losses and that private keys have not been exposed.

According to the exchange, the stolen funds include 120 BTC, 350 ETH, over 8.5 million USDT across TRC20, ERC20, BSC, and Solana networks, along with other tokens such as 20,730 XIN, over 4.3 million SNT, 15.7 million CELR, 16,071 LEO, 25,487 UNI, nearly 9.7 billion SHIB, 1,800 SOL, and 538,000 DOGE. BigONE said these figures will be updated as their investigation progresses.

Despite the scale of the loss, BigONE has promised users won’t be impacted materially. The exchange has activated its internal security reserves: BTC, ETH, USDT, SOL, and XIN, to replenish user funds while sourcing external liquidity for other affected tokens through borrowing mechanisms.

The hacker’s wallet addresses have been identified across multiple blockchains. 

  • Ethereum & BSC: 0x9Bf7a4dDcA405929dba1FBB136F764F5892A8a7a
  • Solana: HSr1FNv266zCnVtUdZhfYrhgWx1a4LNEpMPDymQzPg4R
  • Bitcoin: bc1qwxm53zya6cuflxhcxy84t4c4wrmgrwqzd07jxm
  • Tron: TKKGH8bwmEEvyp3QkzDCbK61EwCHXdo17c

BigONE is now working with SlowMist to monitor these addresses and track the hacker’s movements. While deposit and trading services are expected to resume within a few hours, withdrawals will stay suspended until additional security layers are in place. The exchange has committed to transparent updates as the situation develops.

Also Read: Hackers Drain $2.5M from Arcadia Finance on Base Network



Leituras Relacionadas

Anthropic Creates an AI Jailbreak 'Penal Code': Your Requests, Four Ways to Die

Anthropic has publicly detailed its security measures and a new "Cyber Jailbreak Severity" (CJS) framework following the controversial takedown of its Fable 5 model. The incident, triggered by simple user requests like counting letters or stating a profession, highlighted overzealous safety filters. Anthropic classifies cybersecurity-related prompts into four tiers: malicious activities (blocked), high-risk dual-use (like pentesting, with strict limits), low-risk dual-use (often blocked by "safety margin" errors), and harmless tasks (theoretically allowed but still frequently flagged). The company admits its classifiers are tuned for high sensitivity, leading to many false positives. The newly proposed CJS framework aims to objectively score the severity of AI "jailbreaks" (prompts that bypass safety rules) on a 0-10 scale across four dimensions: Capability Gain (does it grant new attack abilities?), Breadth (does it work across multiple attack types?), Weaponization Ease (how hard is it to turn into a real attack?), and Discoverability (how easy is it to find?). The score determines the response, from no action (CJS-0) to a potential model takedown (CJS-4). The score is context-dependent; for example, discovering a major unknown vulnerability today scores high, while asking about a well-known one scores low. The article raises concerns about Anthropic's dual role: it is both creating powerful models (like the restricted Mythos 5) and defining the rules (CJS) for judging their misuse, potentially giving it disproportionate influence. This is set against the backdrop of U.S. export controls, which for the first time directly restricted API access to a model (Fable 5), creating a "tiered" system where public models are heavily filtered and advanced ones are limited to vetted partners. The CJS framework is portrayed as potentially providing regulators with a metric to justify future API shutdowns. For users, the advice is to carefully phrase prompts, watch for signs of being downgraded to a weaker model, and wait indefinitely for promised filter improvements.

marsbitHá 26m

Anthropic Creates an AI Jailbreak 'Penal Code': Your Requests, Four Ways to Die

marsbitHá 26m

$100M Annual Revenue, Two Berkeley Roommates in Their 20s Build the Most Profitable AI Business

Arena, the AI model ranking platform, has become a $100 million annual revenue business just eight months after launching its commercial service. Originally a UC Berkeley open-source research project called Chatbot Arena, it created a "battle arena" where users blind-test and vote on anonymous AI model responses. This has generated a highly trusted, community-driven leaderboard based on over 10 million user evaluations and 82 million votes. Major AI companies like OpenAI, Google, and Anthropic submit their flagship models to be ranked. The core monetization strategy is its AI Evaluations service, where model developers and large enterprises pay for in-depth performance analysis from Arena's massive user community. This provides real-world feedback on model strengths, weaknesses, and hallucinations—a critical service as models become more complex. The company, spun out from Berkeley in early 2025, quickly raised $100 million in seed funding at a $600 million valuation and later secured a $150 million Series A at a $1.7 billion valuation. The founding team includes CEO Anastasios Angelopoulos, a mathematician focused on rigorous model evaluation; CTO Wei-Lin Chiang, creator of the popular Vicuna chatbot; and co-founder Ion Stoica, a renowned Berkeley professor. Arena is now expanding beyond chat benchmarks into "Agent Mode," evaluating AI agents on complex, multi-step tasks like coding and research. The company's success illustrates the growing value and cost of independent, real-world AI model evaluation as the industry intensifies.

marsbitHá 30m

$100M Annual Revenue, Two Berkeley Roommates in Their 20s Build the Most Profitable AI Business

marsbitHá 30m

Racking Up 24,000 Stars: With One Command, AI Can Now Find Its Own Skills

Vercel, known for its developer tools like Next.js, has launched 'skills', a package manager for AI coding agents, garnering 24,000 GitHub stars. It allows developers to add specialized capabilities, such as React best practices, to AI assistants like Claude Code or Cursor with a single command: `npx skills add <package>`. Skills are shareable, reusable modules that define an AI agent's behavior for specific tasks, moving beyond one-off prompt engineering towards standardized 'capability engineering'. A key innovation is the 'find-skills' skill, which acts as an internal search engine, allowing an agent to autonomously find and install the right skill for a user's request. This lowers the barrier for non-developers to leverage advanced AI coding assistance. However, this 'npm moment' for AI brings significant security risks. Security audits of thousands of skills on platforms like skills.sh and ClawHub found over 30% contained security flaws, with about 13% classified as severe. Threats include malicious scripts that can access local files and credentials, and prompt injection hidden within skill documentation. Unlike traditional code packages, skills blend instructions, code, and system access, posing a direct risk to user machines and data. Experts advise treating skills like code—reviewing them carefully before installation, especially their scripts, and being wary of excessive permissions. Ultimately, Vercel's initiative represents a major shift towards modular, reusable AI capabilities, but its rapid adoption requires developers to bring the same caution used in managing traditional software dependencies.

marsbitHá 31m

Racking Up 24,000 Stars: With One Command, AI Can Now Find Its Own Skills

marsbitHá 31m

Claude Engineer Finally Unveils Fable 5's Ultimate Strategy, Teaching You How to Bridge the Information Gap with AI Models

This article, titled "Claude Engineer Finally Releases Fable 5 'Skill-Burning' Guide, Teaching How to Bridge the Information Gap with Models," details a blog post by Claude Code engineer Thariq Shihipar. The core concept is the "information gap" or "unknowns"—the disconnect between a user's instructions (the "map") and the actual task requirements (the "territory"). The article argues that with powerful models like Claude Fable 5, work quality depends on the user's ability to identify and clarify these unknowns. Shihipar categorizes unknowns into four types: Known Knowns (explicit instructions), Known Unknowns (awareness of gaps), Unknown Knowns (implicit, unstated knowledge), and Unknown Unknowns (unforeseen issues). The blog provides a framework for addressing these gaps throughout the workflow: * **Before Implementation:** Techniques include "Blindspot Scanning" to uncover Unknown Unknowns, brainstorming/prototyping for visual or complex tasks, having Claude ask clarifying questions, using reference code/examples, and creating implementation plans. * **During Implementation:** Maintaining an "implementation notes" file for Claude to document deviations and decisions made due to encountered edge cases. * **After Implementation:** Creating summary documents for review and having Claude generate quizzes to ensure the user fully understands the completed changes. The article concludes that as models become more capable, the key to success is systematically discovering and defining these unknowns through low-cost methods like prototyping and planning, allowing for more effective collaboration.

marsbitHá 35m

Claude Engineer Finally Unveils Fable 5's Ultimate Strategy, Teaching You How to Bridge the Information Gap with AI Models

marsbitHá 35m

Trading

Spot
活动图片