BigONE $27M Hack: Social Engineering Breach
An analysis of the BigONE exploit in July 2025—focusing on how a compromised developer environment led to malicious smart contract behavior and what protocols can do to prevent similar exploits.

BigONE Exploit: How Social Engineering Fueled a $27M Loss
Developer Environment Tampering
In mid-July 2025, centralized exchange BigONE experienced a catastrophic $27 million hack stemming from a social engineering campaign. Attackers gained access to the internal development pipeline by targeting a developer’s cloud-integrated workstation, stealing session cookies and access tokens linked to the CI/CD infrastructure.
With pipeline access, the attacker introduced a subtle payload into a smart contract update, injecting obfuscated withdrawal logic. This logic rerouted native assets from multiple vault addresses to attacker-controlled wallets over time, mimicking standard user behavior to avoid suspicion. Crucially, the attacker exploited the lack of diff validation and event monitoring in BigONE’s deployment process.
Undetected Movement and Post-Mortem Discoveries
The exploit remained active for nearly 11 hours. Blockchain forensics teams traced the stolen assets as they were quickly fragmented, bridged, and obfuscated using Tornado Cash and multiple smaller wallets. Only after users reported withdrawal failures did internal alerts trigger emergency shutdowns of core services.
Post-incident, BigONE confirmed that the developer’s local machine was compromised via a phishing document impersonating an SDK library update. This gave attackers persistent access to sensitive developer tools and build permissions.
Security Enhancements and Bounty Incentives
BigONE has since launched a public bounty program offering up to $8.1 million for intel on the attackers or technical vectors used. Key changes in protocol operations include:
- Enforcing role-based access control (RBAC) across all DevOps tools
- Introducing mandatory peer-reviewed code merges and diff scans before deployment
- Enabling circuit breakers for suspicious transfer patterns over $100K
- Deploying tamper-evident logging for smart contract builds
- Adding hardware key-based 2FA for all internal dev and ops accounts
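Two of the changes above, diff scans before deployment and tamper-evident build logging, can be made concrete. What follows is an added example, not BigONE’s own tooling: a Python pre-deployment gate that refuses to ship bytecode whose hash does not match a peer-reviewed approval record (the same control the lessons below call pre-deployment validation for bytecode changes), plus a hash-chained build log in which editing any past entry breaks verification. The bytecode strings, reviewer names and log key are constructed for illustration.

```python
"""Added example, not BigONE's code: a pre-deployment gate that checks the
bytecode about to be deployed against the hash that was actually peer-reviewed,
and a hash-chained build log in which any edited entry breaks the chain.
The bytecode strings, reviewer names and log key below are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass


def bytecode_digest(bytecode_hex: str) -> str:
    """Hash the raw deployment bytes, so a single changed opcode changes the digest."""
    raw = bytes.fromhex(bytecode_hex.removeprefix("0x"))
    return hashlib.sha256(raw).hexdigest()


@dataclass(frozen=True)
class Approval:
    digest: str          # digest of the exact bytecode the reviewers looked at
    reviewers: tuple     # reviewers who signed off on that digest


def validate_deployment(bytecode_hex: str, approvals: dict, min_reviewers: int = 2):
    """Return (allowed, reason). Deployment is allowed only for bytecode whose
    digest has an approval record signed by at least min_reviewers distinct people."""
    digest = bytecode_digest(bytecode_hex)
    approval = approvals.get(digest)
    if approval is None:
        return False, f"no review record for bytecode digest {digest[:16]}"
    distinct = len(set(approval.reviewers))
    if distinct < min_reviewers:
        return False, f"only {distinct} distinct reviewer(s) approved this digest"
    return True, "bytecode matches peer-reviewed artifact"


class TamperEvidentLog:
    """Append-only build log: each entry's MAC covers the previous entry's MAC,
    so deleting, reordering or editing any past entry fails verification."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _mac(self, prev: str, event: dict) -> str:
        body = prev + json.dumps(event, sort_keys=True)
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        mac = self._mac(prev, event)
        self.entries.append({"prev": prev, "event": event, "mac": mac})
        return mac

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or not hmac.compare_digest(
                self._mac(prev, entry["event"]), entry["mac"]
            ):
                return False
            prev = entry["mac"]
        return True


# Constructed sample: the reviewed bytecode and a copy with one byte changed,
# standing in for an unreviewed modification to the deployment artifact.
REVIEWED_BYTECODE = "0x6080604052348015600f57600080fd5b50603f80601d6000396000f3fe"
TAMPERED_BYTECODE = "0x6080604052348015600f57600080fd5b50603f80601d6000396000f3ff"
APPROVALS = {
    bytecode_digest(REVIEWED_BYTECODE): Approval(
        bytecode_digest(REVIEWED_BYTECODE), ("reviewer_a", "reviewer_b")
    )
}


def demo():
    """Run the gate on both artifacts and show the log catching a rewritten entry."""
    results = {
        "reviewed": validate_deployment(REVIEWED_BYTECODE, APPROVALS),
        "tampered": validate_deployment(TAMPERED_BYTECODE, APPROVALS),
    }
    log = TamperEvidentLog(key=b"constructed-log-key")
    log.append({"build": 1, "digest": bytecode_digest(REVIEWED_BYTECODE)})
    log.append({"build": 2, "digest": bytecode_digest(TAMPERED_BYTECODE)})
    intact = log.verify()
    # Rewrite history: make build 2 look like it shipped the reviewed digest.
    log.entries[1]["event"]["digest"] = bytecode_digest(REVIEWED_BYTECODE)
    return results, intact, log.verify()


if __name__ == "__main__":
    print(demo())
```

The gate keys approvals on the digest of the exact bytes that will be deployed rather than on a source revision, which is what closes the gap the write-up describes: a payload introduced after review changes the digest and has no approval record. The HMAC key for the log would live in a secret store separate from the CI runner, so that a compromised build agent can append entries but cannot forge or rewrite them.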
These operational changes are being paired with a third-party security audit of their full CI/CD pipeline and key access permissions. Their Web3 wallet contracts are also being transitioned to immutable architectures where applicable, using upgrade-safe proxy patterns.
Lessons for the Ecosystem
The BigONE attack is a sobering reminder that in Web3, the developer environment is part of the attack surface. Critical takeaways for other teams include:
- Never assume CI/CD credentials are secure—use scoped tokens with timeouts and strict IP rules.
- Implement pre-deployment validation for bytecode changes—even trusted contributors can be compromised.
- Alert thresholds should flag contract interactions involving vault contracts or withdrawal functions.
- Security is not just about Solidity—secure DevOps is equally important.
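The circuit-breaker and alert-threshold points (suspicious transfer patterns over $100K, alerts on vault withdrawal activity) can also be shown in code. The following is an added example, not BigONE’s own monitoring: a Python breaker that watches outflows from a set of vault addresses and pauses withdrawals once either a single transfer or the rolling outflow from one vault exceeds the threshold, so that withdrawals fragmented to stay individually small, as the write-up describes, still trip it. The vault addresses, the log line format and the log lines themselves are constructed for illustration.

```python
"""Added example, not BigONE's code: a circuit breaker that watches vault
outflows and pauses withdrawals once a single transfer or the rolling outflow
from one vault exceeds the $100K threshold named in the write-up. Vault
addresses, the log format and the log lines are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass

THRESHOLD_USD = 100_000.0   # the $100K figure from the post-incident changes
WINDOW_SECONDS = 3600       # rolling window for cumulative outflow (assumed value)

# Constructed vault addresses; in practice these come from the deployment registry.
VAULTS = {"0xvault_a", "0xvault_b"}


@dataclass(frozen=True)
class Transfer:
    ts: int      # unix timestamp
    src: str
    dst: str
    usd: float


@dataclass
class Alert:
    ts: int
    vault: str
    reasons: list


def parse_line(line: str) -> Transfer:
    """Constructed line format: '<unix_ts>,<from>,<to>,<usd_value>'."""
    ts, src, dst, usd = (part.strip() for part in line.split(","))
    return Transfer(int(ts), src.lower(), dst.lower(), float(usd))


class CircuitBreaker:
    """Trips, and stays tripped until reset, when vault outflow looks abnormal.
    Fragmented withdrawals that each stay under the limit are caught by the rolling sum."""

    def __init__(self, vaults, threshold=THRESHOLD_USD, window=WINDOW_SECONDS):
        self.vaults = {v.lower() for v in vaults}
        self.threshold = threshold
        self.window = window
        self.paused = False
        self.alerts = []
        self._recent = defaultdict(deque)   # vault -> deque of (ts, usd) inside the window
        self._outflow = defaultdict(float)  # vault -> sum of usd currently inside the window

    def observe(self, t: Transfer) -> bool:
        """Return True if the transfer may proceed, False if it is blocked."""
        if t.src not in self.vaults:
            return True  # deposits and non-vault traffic are not gated here
        if self.paused:
            self.alerts.append(Alert(t.ts, t.src, ["breaker open, withdrawal blocked"]))
            return False

        window = self._recent[t.src]
        while window and window[0][0] < t.ts - self.window:
            _, old_usd = window.popleft()       # drop transfers that aged out of the window
            self._outflow[t.src] -= old_usd
        window.append((t.ts, t.usd))
        self._outflow[t.src] += t.usd

        reasons = []
        if t.usd > self.threshold:
            reasons.append("single transfer over threshold")
        if self._outflow[t.src] > self.threshold:
            reasons.append("rolling outflow over threshold")
        if reasons:
            self.paused = True
            self.alerts.append(Alert(t.ts, t.src, reasons))
            return False
        return True


# Constructed log: four sub-threshold withdrawals from vault A that together exceed
# $100K, one ordinary deposit into vault B, then a further withdrawal attempt.
SAMPLE_LOG = """\
1752000000,0xVAULT_A,0xuser_1,4000.00
1752000300,0xVAULT_A,0xuser_2,45000.00
1752000600,0xVAULT_A,0xuser_3,45000.00
1752000900,0xVAULT_A,0xuser_4,45000.00
1752000950,0xuser_9,0xVAULT_B,500.00
1752001200,0xVAULT_A,0xuser_5,20000.00
"""


def run(log_text: str, vaults=VAULTS):
    """Feed each log line through the breaker; return it with the per-line decisions."""
    breaker = CircuitBreaker(vaults)
    decisions = [
        breaker.observe(parse_line(line))
        for line in log_text.splitlines()
        if line.strip()
    ]
    return breaker, decisions


if __name__ == "__main__":
    cb, decisions = run(SAMPLE_LOG)
    print(decisions, "paused:", cb.paused)
    for alert in cb.alerts:
        print(alert)
```

In the constructed log no single withdrawal is over $100K, so a per-transaction limit alone would have let all of them through; the fourth one pushes the hour's outflow from vault A to $139K and opens the breaker, and the later $20K attempt is refused while it is open. In production the breaker's decision would be enforced by the contract or the hot-wallet signer, and an open breaker should page the on-call team rather than wait for user reports of failed withdrawals.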
As more complex cross-chain infrastructures emerge, teams must not only secure smart contracts but also harden the full stack—from IDEs to build servers. BigONE’s attack shows how quickly trust can erode if one development credential is breached.