Bitrue Hacker Starts Moving Stolen Funds, Converts $2.88M in Assets to ETH

The hacker behind the $23 million Bitrue exchange breach has resurfaced, moving a substantial portion of the stolen funds. This significant transaction has captured attention, with many speculating on the hacker’s next move in the ever-volatile cryptocurrency market.

Stolen Assets on the Move

In an X post, the blockchain analytics firm Onchain Lens revealed that the hacker recently sold $2.88 million worth of Holo (HOT) Shiba Inu (SHIB) tokens. He used this fund to acquire 1,511 Ethereum (ETH), valued at approximately $1.91 million each. 

15 hours ago, the @BitrueOfficial hacker sold $2.88M worth of $HOT and $SHIB to buy 1,511 $ETH at a price of $1,911.

The hacker also sent 1,050 $ETH ($1.89M) through #TornadoCash and still holds 16.34M $DAI and 5,111.45 $ETH in another wallet.

Address:… pic.twitter.com/YBSvMoVWN0

— Onchain Lens (@OnchainLens) April 28, 2025

According to on-chain data, the hacker has also laundered 1,050 ETH, worth approximately $1.89 million. They performed this transaction using Tornado Cash, a decentralized crypto mixer known for obfuscating fund flows. 

Despite moving this substantial amount of the stolen funds, the attacker still holds roughly 5,111 ETH and 16.34 million DAI stablecoins. Notably, the latest movement of SHIB and HOT to acquire additional ETH appears to be part of a slow and systematic laundering strategy.

The Genesis 

In April 2023, Bitrue Exchange suffered a security breach that affected one of its hot wallets. The attacker drained approximately $23 million in various tokens, including Ethereum (ETH), Polygon (MATIC), Shiba Inu (SHIB), Quant (QNT), Gala (GALA), and Holo (HOT).

At the time, Bitrue assured customers that the compromised wallet accounted for less than 5% of total funds and that affected users would be fully reimbursed. The platform has also enhanced its security protocols. However, the breach continues to serve as a reminder of the ongoing risks faced by centralized exchanges. 

The hacker’s renewed activity has rekindled concerns around security practices, particularly the risks posed by hot wallets connected to the internet. While hot wallets offer fast access for trading, they also remain more exposed to breaches compared to cold storage solutions.

Meanwhile, decentralized exchanges (DEXs) are not left behind in security breaches. Earlier this month, the KiloEX platform suffered a $7 million exploit due to a flaw in its oracle system. However, the attacker heeded the platform warning and returned about $1.7 million of the stolen funds three days after the exploit.