Security
N.Korea Denies it Amassed $2 BLN Through Cyberattacks

SEOUL (Reuters) – North Korea denied on Sunday allegations that it had obtained $2 billion through cyberattacks on banks and cryptocurrency exchanges, and accused the United States of spreading rumors.
A United Nations report seen by Reuters last month said North Korea had used “widespread and increasingly sophisticated” cyberattacks to steal from banks and cryptocurrency exchanges, amassing $2 billion which it used to fund weapons of mass destruction programs.
“The United States and other hostile forces are now spreading ill-hearted rumors,” North Korea’s state-run KCNA news agency reported, citing a statement from the spokesperson for the National Coordination Committee of the DPRK for Anti-Money Laundering and Countering the Financing of Terrorism.
“Such a fabrication by the hostile forces is nothing but a sort of a nasty game aimed at tarnishing the image of our Republic and finding justification for sanctions and pressure campaign against the DPRK,” the statement said.
Washington has made scant progress toward its goal of getting North Korea to give up its nuclear weapons program, despite three meetings between U.S. President Donald Trump and North Korean leader Kim Jong Un.
North Korea’s vice foreign minister said on Saturday that hopes for talks with Washington were fading, and criticized Mike Pompeo’s recent comments about “North Korea’s rogue behavior”.
Pyongyang has been blamed in recent years for a series of online attacks, mostly on financial networks, in the United States, South Korea and over a dozen other countries, as experts say such cyber activities generate hard currency for the regime.
The crux of the allegations against North Korea is its connection to a hacking group called Lazarus that is linked to an $81 million cyber heist at the Bangladesh central bank in 2016 and a 2014 attack on Sony’s Hollywood studio.
(Reporting by Ju-min Park; Editing by Raissa Kasolowsky)
Copyright 2019 Thomson Reuters.
Exchanges
$27 Million Gone: BigONE Exchange Suffers Major Hack

On July 16, 2025, crypto exchange BigONE confirmed that it was hacked. The attacker stole around $27 million in digital assets from its hot wallet. The incident raised questions about exchange security, operational oversight, and risk management in the crypto industry.
The Breach
The hack began with unusual outflows from BigONE’s hot wallet. On-chain analysts and security firms flagged the movements early. Blockchain monitoring service Lookonchain was one of the first to confirm the loss.
According to their data, the hacker made off with a large amount of tokens, including:
- 120 Bitcoin (roughly $14 million)
- 1,272 Ethereum (about $4 million)
- 23.3 million TRON (approximately $7 million)
- 2,625 Solana (worth around $428,000)
These tokens were quickly swapped or moved across various wallets, most of which have been identified. The attacker also transferred funds to addresses on multiple blockchains, including Bitcoin, Ethereum, Solana, and TRON.

Security firm CertiK noted that the attacker now holds multiple assets at different wallet addresses, making recovery difficult.
What Caused the Hack?
According to an internal investigation and findings from security firm SlowMist, the breach was not due to a leaked private key. Instead, it was a supply chain-style attack. The attacker manipulated internal logic in BigONE’s production systems. That allowed them to bypass account-level risk controls and initiate unauthorized withdrawals.

This kind of attack doesn’t need access to user keys or even to the wallet software itself. It targets backend infrastructure—like servers that manage account activity or approve transactions. By interfering with that logic, the attacker was able to drain the hot wallet without triggering normal security alerts in time.
BigONE’s Response
In a press statement issued on the same day, BigONE admitted to the breach. The company said user assets are safe and promised to fully cover all losses using its own reserves. The stolen tokens will be replaced from internal security funds, which include BTC, ETH, USDT, SOL, and XIN.
Other tokens that were lost—such as SHIB, DOGE, CELR, and SNT—will be recovered through borrowed liquidity or other external means. A full breakdown of the lost tokens was published, including:
- 6.97 million USDT (TRC20)
- 1.39 million USDT (ERC20)
- Over 15 million CELR
- Nearly 10 billion SHIB
- 538,000 DOGE
- 4.3 million SNT
- 25,487 UNI
- Other smaller amounts across dozens of tokens
The company paused trading and deposits temporarily. They say the system will be back online within hours. Withdrawals will stay on hold until further security upgrades are complete.
BigONE also promised full transparency and regular updates as the investigation continues.
Public Reaction and Allegations
Not everyone reacted with sympathy. Popular blockchain investigator ZachXBT said BigONE has a history of being connected to shady activity. He claimed the platform previously processed funds linked to scams like pig butchering, fake investment schemes, and romance frauds.
ZachXBT also shared addresses allegedly tied to these scams, claiming BigONE failed to block or report them. He said the same wallet used in the current hack had been active for months before the breach.
His comments have sparked debate about how centralized exchanges handle compliance and risk. Some in the crypto community believe this hack is partly a result of weak oversight, not just a technical error.
BigONE has not directly addressed those allegations but said it will cooperate with law enforcement and share all investigation data with the public.
Bigger Picture: Crypto Hacks in 2025
This year has seen a string of major breaches across the crypto space. BigONE now joins a growing list of affected exchanges. Just weeks earlier, Iranian exchange Nobitex suffered a data leak and suspected fund loss. Bybit and several DeFi platforms have also reported attacks this year.
As the crypto industry grows, attackers are shifting tactics. Instead of brute-force hacks or phishing, they now often use more complex methods—like exploiting internal systems, API flaws, or weak business logic in backend code.
The BigONE case is a textbook example of this. Even though no private keys were exposed, the attacker still walked away with $27 million in crypto.
What Can Users Learn?
This incident is a reminder that even large exchanges can be vulnerable. If you hold a significant amount of crypto, keeping it all on a single exchange is risky.
Here are a few takeaways for crypto users:
- Avoid storing large funds in exchange wallets
- Use cold wallets for long-term holdings
- Choose exchanges with a proven security record
- Follow news from blockchain security trackers
- Be cautious of exchanges that ignore scam activity or fail to report suspicious wallets
The Road Ahead
BigONE says all systems are under review. The internal team is working with SlowMist and other firms to trace the hacker and recover assets if possible. However, funds have already been moved and swapped, which makes recovery hard.
Law enforcement may get involved soon, especially if scam-linked addresses or illegal flows are confirmed.
Meanwhile, BigONE must now repair trust. Whether or not they succeed depends not only on how they fix their systems, but also how open they are about the hack, the cause, and the aftermath.
For now, user assets are said to be safe. The platform is covering all losses. But users, regulators, and security experts will be watching closely in the weeks ahead.
Security
Firefox Add-ons Store Hit by Massive Wave of Fake Wallet Extensions

Researchers uncovered a coordinated campaign of over 40 malicious Firefox extensions. These add‑ons mimic trusted crypto wallet tools to steal private keys and seed phrases. Users are at risk. Extensions remain live in Mozilla’s official store. This threat started in April 2025 and continues today.
The FoxyWallet Campaign
I. What is FoxyWallet?
The campaign is named “FoxyWallet.” Attackers created dozens of fake extensions posing as popular wallets. Targets include MetaMask, Coinbase Wallet, Trust Wallet, Phantom, Exodus, OKX, Keplr, MyMonero, Bitget, Leap, Ethereum Wallet, and Filfox.
These clones use the real branding—names, logos, and even legit open‑source code—while hiding malicious logic. The result: extensions behave normally, but also steal sensitive data in the background.
II. How They Trick Users
- Name and logo impersonation
  Clone official wallet tools. Same names. Same icons. Users trust them by design.
- Fake ratings and reviews
  Many extensions show hundreds of 5‑star reviews—more than their actual installs. This creates false legitimacy.
- Cloned open‑source code
  Code is taken from official wallets. Attackers add data‑stealing logic. The clones work but also exfiltrate data.
Technical Details of the Attack
I. Data exfiltration and tracking
- On install, the extension starts watching for credentials being entered on wallet sites.
- It captures seed phrases, private keys, addresses.
- It silently sends these to attacker‑controlled servers. External IP addresses are included too.
II. Ongoing campaign
- Active since at least April 2025.
- New extensions appeared as recently as last week.
- Mozilla has removed most, but a few still linger on the store.
Who is Behind the Scheme?
So far, clues point to a Russian‑speaking actor:
- Russian‑language comments in the code.
- Metadata in a PDF on a control server.
This is not conclusive, but worth noting.
Scale of the Attack
- Dark Reading reported around 45 extensions at one point.
- Geekflare confirmed over 40 unique forks remain on the store.
- The campaign uses Mozilla’s store trust features—name, reviews, branding, open‑source—against users.
Broader Context and Threat Trend
I. Browser extensions as attack vectors
Socket’s Threat Team recently uncovered that extensions in normal stores are widely used to:
- Redirect users to scams.
- Hijack browsing sessions.
- Inject tracking code.
- Steal OAuth tokens.
II. Similar campaigns
Earlier in 2025:
- “Shell Shockers io” and clones by actor mre1903 infected Firefox and Chrome with gambling‑style popups, affiliate tracking, and OAuth token theft.
- At least eight malicious Firefox extensions used identical tactics to hijack sessions, spy via hidden iframes, and steal tokens.
This shows attackers use multiple tactics and continue evolving.
III. WalletProbe findings
A recent study (April 2025) tested 39 popular wallet extensions. It found 13 attack vectors and 21 strategies. All wallets could be abused to steal assets.
The Risk to Individuals
- Once seed phrases leak, attackers can drain wallets instantly.
- Users may trust extensions from the official store.
- Victims often won’t notice until assets are gone.
- Hackers can track victims by IP and target high‑value wallets.
Risk to Organizations
- Extensions may access internal tools if browsers are used at work.
- A rogue extension can exfiltrate credentials, tokens, session info.
- Attackers can use OAuth or session tokens to escalate deeper.
- Uncontrolled extensions are a threat to enterprise security integrity.
Browser Provider and Security Response
I. Mozilla’s actions
- Most FoxyWallet extensions have been removed.
- MyMonero Wallet clone remains under review.
- Mozilla says it uses an “early detection system” to block scam crypto extensions.
II. Industry advice
From Koi Security and Dark Reading:
- Treat extensions like any software—vet them before install.
- Use allow‑lists at work, not block‑lists.
- Monitor installed extensions and changes over time.
Mozilla support suggests:
- Review permissions carefully.
- Check developer identity.
- Look at user reviews and install counts.
Practical Recommendations
- Limit extension installs
  Only add tools you need and from trusted sources.
- Verify publishers
  Check developer name, website, contact info.
- Inspect permissions
  Avoid extensions requiring broad access to all web pages.
- Check reviews manually
  Look for signs of fake or repetitive reviews.
- Monitor post-install behavior
  Watch for sudden popups, redirects, or hidden frames.
- Use hardware wallets
  Keep seed phrases offline and away from browser processes.
- Enterprise controls
  Implement allow‑lists, continuous monitoring, and access boundaries.
- Stay updated
  Remove unused or unwanted add‑ons regularly.
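
The allow-list, permission and change-monitoring advice above can be checked automatically. The audit below is an added example, not code from the article, Mozilla or the cited researchers. The sample data, add-on IDs, allow-list and baseline are constructed, and the field names are modelled on the "addons" array in a Firefox profile's extensions.json, an assumption to confirm against your Firefox version.

```python
import json

# Constructed sample shaped like the "addons" array in a Firefox profile's
# extensions.json (field names are an assumption about that file's layout).
SAMPLE_PROFILE = json.loads("""
{"addons": [
  {"id": "wallet-helper@example.invalid", "type": "extension", "active": true,
   "version": "1.0.2", "defaultLocale": {"name": "Example Wallet"},
   "userPermissions": {"permissions": ["storage", "webRequest"],
                       "origins": ["<all_urls>"]}},
  {"id": "approved-tool@example.invalid", "type": "extension", "active": true,
   "version": "3.1.0", "defaultLocale": {"name": "Approved Tool"},
   "userPermissions": {"permissions": ["storage"],
                       "origins": ["https://intranet.example.invalid/*"]}},
  {"id": "theme@example.invalid", "type": "theme", "active": true,
   "version": "1.0", "defaultLocale": {"name": "Dark Theme"},
   "userPermissions": null}
]}
""")

ALLOW_LIST = {"approved-tool@example.invalid"}          # hypothetical org allow-list
BASELINE = {"approved-tool@example.invalid": "3.0.0"}   # id -> version at last audit
BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(profile, allow_list, baseline):
    """Return {addon_id: [findings]} for active extensions that need review."""
    report = {}
    for addon in profile.get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes, dictionaries and disabled add-ons are out of scope
        findings = []
        addon_id = addon["id"]
        perms = addon.get("userPermissions") or {}
        if addon_id not in allow_list:
            findings.append("not on allow-list")
        broad = sorted(BROAD_ORIGINS & set(perms.get("origins", [])))
        if broad:
            findings.append("broad host access: " + ", ".join(broad))
        if addon_id not in baseline:
            findings.append("new since last audit")
        elif baseline[addon_id] != addon.get("version"):
            findings.append(f"version changed {baseline[addon_id]} -> {addon.get('version')}")
        if findings:
            report[addon_id] = findings
    return report


if __name__ == "__main__":
    for addon_id, findings in audit_extensions(SAMPLE_PROFILE, ALLOW_LIST, BASELINE).items():
        print(addon_id, "->", "; ".join(findings))
```

An allow-listed add-on whose version changed is still reported, since an update to a trusted extension is one of the changes the monitoring advice is meant to surface.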
Bitcoin
No Evidence of Hack, Says Bitfinex CTO Amid Ransomware Gang’s Allegations

In the world of cybersecurity, claims of data breaches can cause significant concern and speculation. Recently, a ransomware group named FSOCIETY claimed to have successfully hacked several organizations, including the cryptocurrency exchange Bitfinex. However, Bitfinex’s Chief Technology Officer (CTO), Paolo Ardoino, has dismissed these rumors, stating that a thorough analysis of their systems revealed no evidence of a breach.
According to Ardoino, who is also the CEO of Tether, less than 25% of the email addresses allegedly stolen from Bitfinex’s servers match legitimate users. This casts doubt on the validity of FSOCIETY’s claims regarding the supposed hack.
The ransomware group, styled after the fictional hacking group from the TV show “Mr. Robot,” claimed to have breached several victims, including Rutgers University, consulting firm SBC Global, and a cryptocurrency exchange they referred to as “Coinmoma,” which is likely a misspelling of Coinmama.
Ardoino expressed skepticism about the group’s claims, stating that if they had indeed hacked Bitfinex, they would have demanded a ransom through the exchange’s bug bounty program, customer support channels, emails, or social media accounts. However, Bitfinex received no such requests from FSOCIETY.
Furthermore, Ardoino shared a message from a security researcher suggesting that the real motivation behind the alleged hacks might be to promote FSOCIETY’s ransomware tools, which they reportedly sell access to in exchange for a subscription fee and a commission on stolen profits. Ardoino questioned the group’s need to sell their tools for $299 if they had truly hacked a major exchange like Bitfinex.
It’s worth noting that Bitfinex has previously fallen victim to a significant hack in 2016, resulting in the theft of a substantial amount of Bitcoin. Two individuals, including crypto rapper ‘Razzlekhan,’ pleaded guilty to money laundering charges in connection with that incident.

While the claims made by FSOCIETY have yet to be verified by the alleged victims, Bitfinex’s CTO remains firm in his stance that no breach has occurred. As cybersecurity threats continue to evolve, it is crucial for organizations to remain vigilant and take proactive measures to protect their systems and users’ data.