SlowMist issues public security alert about HitBTC

Blockchain security firm SlowMist has found a vulnerability on cryptocurrency exchange HitBTC.

The firm shared the alert on X on Sunday, stating, “We have identified a potential critical vulnerability and reached out via DM in advance under responsible disclosure, but have not yet received a response.”

SlowMist also added that the exchange should contact them “promptly to coordinate next steps.”

How did HitBTC respond to the security threat disclosure?

Going by recent public announcements from SlowMist security analysts, exchanges don’t tend to act with the level of urgency one would expect from custodians of user funds.

The latest one involving HitBTC is at least the third time in recent weeks that SlowMist has publicly disclosed attempted security warnings after failing to establish contact with cryptocurrency exchanges.

In December, the security firm issued similar notices to Seychelles-registered Azbit and Turkish exchange ICRYPEX Global, both of which handle significant daily trading volumes but failed to acknowledge the warnings.

HitBTC is one of the oldest cryptocurrency exchanges still in business since its founding in 2013. The platform, registered in the British Virgin Islands, has a trading volume of over $110 million in the past 24 hours as of the time of writing. Over 250 cryptocurrencies and 800 trading pairs are available on the exchange.

Security concerns are persistent

SlowMist’s 2025 annual security report documented 200 security incidents resulting in losses of approximately $2.935 billion, representing a 46% increase in financial damage compared with the previous year, despite fewer total incidents being recorded as opposed to 2024.

According to SlowMist’s report, “Exchange-related incidents numbered only 12 but caused staggering losses of up to USD 1.809 billion.”

By comparison, decentralized finance (DeFi) protocols experienced 126 incidents resulting in $649 million in losses.

According to data shared by security firm Certik, around $117.8 million was lost to exploits in the crypto space in December 2025 alone.

The shift from higher incident counts to larger individual losses shows that these attacks are becoming more sophisticated and targeted.

Security analysts note that professionalized hacker groups, including state-sponsored actors with alleged North Korean links, are moving from opportunistic attacks to systematic, multi-step operations designed to extract maximum value from fewer high-profile targets.

As Cryptopolitan reported yesterday, one crypto user lost approximately $1.08 million worth of Aave-wrapped Ethereum LBTC (aEthLBTC) in a phishing attack after signing a malicious “permit” signature.

Major AI companies like Anthropic, OpenAI, and Google have also reported that criminals are tapping into their platforms to orchestrate complex phishing operations, develop harmful software, and execute various digital attacks. Security specialists warn that criminals are also producing fake audio and video clips of company leaders to trick employees into giving up sensitive information.

How should crypto exchanges respond to threat warnings?

Security experts usually recommend that cryptocurrency platforms establish clear contact points for reporting vulnerabilities, including publicly available security email addresses and long-term public keys for encrypted communication. Industry guidelines expect that affected parties respond within two working days of initial contact.

When security researchers like SlowMist in this case struggle to establish contact after multiple attempts, they are left with no other option than public disclosure to ensure transparency, especially when user funds face potential risk.

SlowMist has built a reputation for lending weight to the blockchain security apparatus.

The firm assisted in freezing or recovering approximately $19.29 million in stolen funds during 2025 through its threat intelligence network and MistTrack analysis platform. Across 18 major incidents, roughly $387 million of $1.957 billion in stolen funds was frozen or recovered, yielding a recovery rate of 13.2%.

If you're reading this, you’re already ahead. Stay there with our newsletter.