SlowMist warns HitBTC of critical vulnerability after private disclosures went unanswered

SlowMist, a blockchain security firm, publicly warned HitBTC after repeated private attempts to disclose a potential critical vulnerability received no response. SlowMist said it used responsible-disclosure channels (direct messages) and urged HitBTC to contact it immediately to coordinate remediation. The alert follows reports that other exchanges (Azbit, ICRYPEX) also failed to respond to private disclosures in recent weeks.

HitBTC, founded in 2013 and registered in the British Virgin Islands, reports more than $110m in 24-hour trading volume and lists over 250 coins across roughly 800 pairs. SlowMist's 2025 report recorded about 200 security incidents causing $2.935bn in losses; although only 12 incidents involved exchanges, they accounted for roughly $1.809bn of the total. SlowMist helped freeze or recover about $19.29m of stolen funds in 2025 (≈13.2% of traced losses in major incidents). Security analysts warn that attacks are becoming more sophisticated and targeted, increasing the risks to exchanges and users.

Best-practice guidance recommends that exchanges publish clear vulnerability-reporting contacts and respond within two working days; when private contact fails, researchers may disclose publicly to protect users. For traders: this public alert could reduce user confidence in HitBTC and trigger higher withdrawal activity or reduced liquidity until the exchange confirms remediation. Monitor HitBTC announcements, on-chain outflows, and order-book depth for early signs of market impact.
Bearish
Public disclosure that a major security firm could not reach HitBTC to remediate a potential critical vulnerability increases perceived counterparty and operational risk for the exchange. For traders, the likely immediate effects are higher withdrawal volume, reduced deposit and trading activity on HitBTC, and thinner order-book depth, all of which can depress prices on pairs concentrated on the venue and widen spreads. Historically, exchanges implicated in security or disclosure disputes see short-term volume outflows and price pressure on assets primarily traded there until assurances or fixes are confirmed. In the medium term, if HitBTC fails to respond or a breach is revealed, loss of confidence could cause sustained liquidity migration to other venues, further depressing execution quality on HitBTC-listed pairs. If the issue is quickly acknowledged and patched with transparent communication, the negative impact may be short-lived; absent that, trader risk aversion and higher funding costs on the venue could prolong bearish effects.