HitBTC Exchange Under Serious Security Alert

A recently issued security advisory has raised concerns about vulnerabilities at the HitBTC Exchange. This alert follows a disclosure by blockchain security firm SlowMist, which identified a potentially serious flaw on the trading platform.

In a post on X (formerly Twitter), SlowMist detailed its attempts to notify HitBTC through direct messaging about the vulnerability, efforts that reportedly went unanswered. The firm stated that it adhered to responsible disclosure protocols before making the issue public. However, the lack of response from HitBTC left researchers with few alternatives to safeguard user security.

In SlowMist’s official statement, the firm emphasized, “We have identified a potential critical vulnerability and reached out via DM in advance under responsible disclosure, but have not yet received a response. Please contact us promptly to coordinate next steps.”

While technical specifics were withheld to avert potential exploitation, SlowMist highlighted that this vulnerability could jeopardize user funds and sensitive data on the HitBTC platform.

HitBTC Exchange: Historical Context and Recent Security Concerns

Established in 2013 and registered in the British Virgin Islands, HitBTC Exchange is recognized as one of the oldest cryptocurrency trading platforms. It facilitates access to over 250 cryptocurrencies and more than 800 trading pairs. Current data indicate that HitBTC recorded trading volumes exceeding $110 million within a 24-hour timeframe.

Despite its longstanding reputation, HitBTC has faced scrutiny regarding transparency, customer support, and communication practices in recent years. The latest vulnerability alert has intensified criticism, especially given parallels with similar incidents across the cryptocurrency sector.

This warning from SlowMist is the third time in recent weeks that the firm has gone public about a security vulnerability after unsuccessful attempts to reach exchange officials. Previous disclosures involved the Seychelles-registered Azbit and Turkey-based ICRYPEX Global, both of which reportedly failed to respond despite active trading operations.

Rising Threat Landscape in Cryptocurrency Security

The alarming situation with HitBTC underscores broader trends in cryptocurrency security. According to SlowMist’s 2025 annual security report, approximately 200 incidents affecting blockchain security occurred within the year, with estimated losses totaling $2.935 billion. Although the number of incidents decreased from 2024, the financial impact increased significantly, reflecting a shift toward more sophisticated and targeted attacks.

While only 12 incidents were linked to exchanges, they represented a staggering $1.809 billion in losses. In contrast, decentralized finance (DeFi) protocols accounted for 126 incidents, culminating in $649 million in losses. In December 2025 alone, blockchain security firm CertiK reported $117.8 million lost to cryptocurrency exploits.

SlowMist continues to play a crucial role in the mitigation of these threats, having assisted in freezing or recovering around $19.29 million in stolen assets through its threat intelligence network and MistTrack analysis platform. During 2025, approximately $387 million of the $1.957 billion in stolen funds was recovered, translating to a recovery rate of 13.2%.

This vulnerability at HitBTC presents immediate risks to its users. It also underscores the importance of organizations adopting rigorous security measures against the increasingly prevalent adversary tactics catalogued in the MITRE ATT&CK framework, including those related to initial access and privilege escalation. The incident serves as a stark reminder for all stakeholders in the cryptocurrency ecosystem to enhance their security postures and remain vigilant against potential risks.
