North Korea-Linked Actor Accused of $14M WOO X Theft, Rapid BTC Conversion Reported

cryptonews.net 02/10/2025 - 00:04 AM

WOO X Suffers $14 Million Crypto Breach

On July 24, 2025, Taiwan-based trading platform WOO X was hit during a significant summer wave of cryptocurrency breaches, losing approximately $14 million through unauthorized withdrawals from nine user accounts. The exchange subsequently paused withdrawals to investigate and pledged to reimburse affected users.

Organized Attack

Chain analysis shared by Yehor Rudytsia, Head of Forensics and Incident Response at Hacken, indicates that this breach was meticulously planned rather than a spontaneous theft. Hacken links the July incident to a DPRK-linked actor known in law enforcement circles as “TraderTraitor.”

Hacken is actively tracking the movements of the stolen funds and aiding recovery efforts by flagging malicious addresses within the security community. The laundering process left half of the stolen funds in EVM networks, with the remainder distributed across Tron and Bitcoin.

In the past 24 hours, investigations revealed that over $7 million from the EVM side was channeled through THORChain and converted into Bitcoin. Observers note that this route has become increasingly favored for laundering after various high-profile exchange thefts earlier in the year. Rudytsia remarked that THORChain’s cross-chain swap capability makes it appealing for sophisticated individuals looking to disperse stolen assets.

> Tweet: No need to change laundering path when @THORChain in charge.
>
> First bridge tx was for only 1 ETH – probably to see if it “connects” well… Yeah, it “connected” smoothly for almost 700 ETH just for this single address: Link
> — Ye in Web3 (@muststopye) October 1, 2025

On-chain Evidence

Hacken’s report further details the handling of the Tron-denominated funds (around $2.5 million in TRX), which were exchanged for USDT and bridged to Ethereum using LayerZero infrastructure, with portions subsequently pushed to Bitcoin via THORChain.

Public transaction records from October 1, 2025, confirm a significant USDT transfer arriving on Ethereum, aligning with the patterns outlined by Hacken.

Adding complexity to the investigation, some of these funds were sent to a wallet associated with the BingX hot-wallet exploit from 2024, also linked to North Korean groups. This connection implies either a reuse of laundering strategies or coordinated efforts across multiple thefts.

Records reveal that around $8–9 million from the WOO X breach was bridged from Ethereum to Bitcoin on the same day via THORChain, with an estimated 90% of the stolen amount now held at Bitcoin addresses. This shift significantly complicates tracking and raises the likelihood of cash-out.

Security teams observing these flows warn that as funds consolidate on Bitcoin, tracing and intervention become increasingly difficult. Rudytsia gave assurances that Hacken will continue monitoring the accounts and will alert exchanges and compliance partners in hopes of freezing the flagged addresses.

This incident serves as a crucial reminder that the enhanced capabilities of cross-chain tools give sophisticated attackers fast, low-friction means to convert stolen tokens into harder-to-trace assets. Ongoing forensic work across multiple chains, combined with collaboration from on- and off-ramp services, remains vital for defense today.



