Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 244 · Private Key Compromise

BtcTurk Second Hot Wallet Hack

A hot-wallet compromise across 7 chains drained $48M from Turkish exchange BtcTurk, its second major hack in 14 months. Cold storage was untouched.

Date
Victim
BtcTurk
Status
Funds Stolen

On August 14, 2025, the Turkish exchange BtcTurk suffered its second major hot-wallet hack in 14 months, losing approximately $48 million across seven chains — Ethereum, Avalanche, Arbitrum, Base, Optimism, Mantle, and Polygon. The exchange had previously lost $55M in June 2024 under similar circumstances. Cold-storage customer assets remained untouched in both incidents.

What happened

The 2025 breach mirrored the 2024 pattern: simultaneous, coordinated outflows from BtcTurk's hot wallets across multiple chains, identified by Cyvers' anomaly-detection system before BtcTurk's own disclosure. The exchange paused deposits and withdrawals within hours.

BtcTurk did not publicly detail the specific compromise vector for the 2025 incident. The on-chain pattern — multi-chain coordinated sweep, immediate cross-chain conversion via aggregators, immediate Tornado Cash routing — is consistent with private-key compromise of a centralised signing system rather than a smart-contract bug or supply-chain attack.
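The multi-chain coordinated sweep described above is a pattern an outflow monitor can key on. The following is an added example, not code from BtcTurk, Cyvers or the cited sources: a sliding-window check over constructed transfer records, where the wallet labels, allowlist, window and thresholds are all assumptions.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Outflow:
    ts: int      # unix seconds
    chain: str
    src: str     # monitored hot wallet (hypothetical label)
    dst: str     # destination address (hypothetical label)
    usd: float   # value at transfer time

def detect_multichain_sweep(events, allowlist, window_s=900,
                            min_chains=3, min_usd=1_000_000):
    """Alert when non-allowlisted outflows reach min_chains distinct chains
    and min_usd in total within window_s seconds (thresholds are assumptions)."""
    alerts, window, alerting = [], deque(), False
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dst in allowlist:
            continue  # routine sweeps to known cold-storage/treasury addresses
        window.append(ev)
        while window[0].ts < ev.ts - window_s:
            window.popleft()  # drop transfers older than the window
        chains = {e.chain for e in window}
        total = sum(e.usd for e in window)
        hit = len(chains) >= min_chains and total >= min_usd
        if hit and not alerting:  # alert once per burst, on the crossing event
            alerts.append({"ts": ev.ts, "chains": sorted(chains), "usd": total,
                           "destinations": sorted({e.dst for e in window})})
        alerting = hit
    return alerts

# Constructed sample data: normal withdrawals, one cold-storage sweep, one burst.
ALLOWLIST = {"cold-1"}
SAMPLE = [
    Outflow(1000, "ethereum", "hot-eth", "cust-a", 12_000),
    Outflow(1300, "polygon", "hot-poly", "cust-b", 4_000),
    Outflow(1500, "ethereum", "hot-eth", "cold-1", 5_000_000),
    Outflow(9000, "arbitrum", "hot-arb", "cust-c", 8_000),
    Outflow(20000, "ethereum", "hot-eth", "unk-1", 900_000),
    Outflow(20060, "avalanche", "hot-avax", "unk-1", 400_000),
    Outflow(20120, "arbitrum", "hot-arb", "unk-2", 300_000),
    Outflow(20180, "base", "hot-base", "unk-2", 250_000),
]

if __name__ == "__main__":
    for alert in detect_multichain_sweep(SAMPLE, ALLOWLIST):
        print(alert)
```

An alert from a check like this is most useful when wired to an automatic signing pause, since the page notes the exchange paused deposits and withdrawals only within hours.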

The repeat nature of the incident — same exchange, same TTPs, similar loss magnitude, 14 months apart — strongly suggests the same operational weakness had not been fully remediated after the first hack. Industry analysts noted the breach matched Lazarus-style operations but no formal attribution was issued.

Assets stolen included ETH, AVAX, ARB, BASE, OP, MANTLE, MATIC — primarily long-tail tokens chosen specifically to outrun any token-issuer freeze coordination.

Aftermath

  • BtcTurk paused deposits and withdrawals and announced full customer reimbursement from corporate reserves.
  • The exchange emphasised that most assets remained in cold storage — the loss was contained to a relatively small percentage of total holdings.
  • No public recovery from the attacker's wallets; the funds were laundered through Tornado Cash and standard mixing routes.

Why it matters

BtcTurk's two breaches in 14 months illustrate a recurring pattern in exchange security: a successful first compromise often signals an exploitable structural weakness, and the defending team underestimates how thoroughly it needs to be addressed.

The post-incident playbook between June 2024 and August 2025 included key rotations, infrastructure audits, and (per BtcTurk's public statements) hardening of hot-wallet controls. Whatever was actually done was either incomplete, insufficient, or focused on the wrong layer — because the same attack class succeeded again at similar scale.

The general lesson for 2025 exchange security:

  1. A first hot-wallet breach should trigger an outside-in review by an independent firm, not just internal hardening. Internal teams often miss the systemic issue that allowed the first breach.
  2. Repeat compromises destroy customer confidence even if reimbursements are paid in full. BtcTurk remained operational after both incidents, but its competitive position in the Turkish market eroded measurably between incidents.
  3. State-aligned threat actors return to soft targets. Lazarus and similar groups maintain target lists; a successful operation against an exchange increases the probability of a follow-up operation, not decreases it.

Sources & on-chain evidence

  1. halborn.com: https://www.halborn.com/blog/post/explained-the-btcturk-hack-august-2025
  2. decrypt.co: https://decrypt.co/335251/hacked-again-turkish-exchange-btcturk-suspends-withdrawals-50m-moved
  3. coindesk.com: https://www.coindesk.com/business/2025/08/14/turkish-crypto-exchange-btcturk-witnesses-usd48m-of-suspicious-outflows-amid-hack-fears
