HOYA BIT Exchange Quietly Hacked: Why Taiwanese Users Emerged Unscathed This Time

GM,

Let me start with two announcements. First, last week I forgot to remind everyone to fill out the 2025 content satisfaction survey—and, no one did 😂 So here’s another reminder: if you haven’t filled it out yet, please spare 10 minutes to share your thoughts on your Blocktrend subscription.

Second, Blocktrend will be hosting a one-day blockchain workshop, “Enterprise Web3 Essentials,” on Friday, March 6. The program includes hands-on exercises and a one-on-one needs assessment after the course. If your company is evaluating Web3, stablecoins, or blockchain applications—or simply wants to bring the team up to speed on the fundamentals—this workshop is a solid place to start.

For many companies, their first encounter with crypto comes when they suddenly realize, “Wait, we might receive stablecoins.” The problem is that most enterprises have no experience managing crypto assets, and the people in charge aren’t sure how deep their understanding needs to go. This course distills the practical experience I’ve shared over the past few years with enterprises and government agencies, helping you see where others are today and what challenges they’re facing. Now, on to the main topic.

Last Friday, I was invited to Taiwan’s Financial Supervisory Commission to share three major events from the crypto industry in 2025 and the regulatory lessons they offer. Only afterward did I learn that, at the same time, Taiwanese exchange operator HOYA BIT was reporting a hacking incident to the FSC. Yet so far, discussion around this incident has been minimal—inevitably raising the question: has the market grown so cold that even a Taiwanese exchange being hacked barely draws attention?

Let’s start with how this incident unfolded.

Ants on the Move

At 11:00 a.m. Taiwan time on January 22, the HOYA BIT exchange posted an emergency maintenance notice on Facebook, announcing that all platform functions were suspended, with no estimated time for restoration. When information is that sparse, it’s usually not a good sign—it suggests that even the exchange itself hasn’t yet fully figured out what’s going on.

All trading, deposits, and withdrawals were brought to a complete halt. Users quickly flooded the comments under the post, asking: How long will the maintenance take? Why was the platform shut down without warning? What exactly happened?

Although HOYA BIT has yet to disclose the full details of the incident, its announcement stated that during a routine check that morning, staff discovered abnormal withdrawal records from the exchange’s hot wallet in the early hours. On-chain data is like a surveillance camera that anyone can access, faithfully recording everything that happened that night.

According to on-chain records, at 2:02 a.m. that day, HOYA BIT’s hot wallet began showing abnormal ETH withdrawals. Each transaction was for exactly 1 ETH, all sent to the same recipient address. Strangely, these abnormal activities appear not to have triggered any of the exchange’s alert systems at all. The funds were transferred out bit by bit—like “ants moving house.” Twenty-six minutes later, the ETH in the hot wallet had been completely drained.

After that, on-chain data began to show a large number of outgoing USDT transfers, each in fixed amounts of USD 10,000, followed by BNB and USDC. The hacker did not rush to drain the funds in one go, but instead maintained a constant withdrawal size and continued extracting funds steadily.

In this way, with no interference whatsoever, the hacker gradually emptied all the assets in the exchange’s hot wallet over the course of a little more than an hour. In total, 147 transactions were executed, siphoning off approximately USD 600,000 worth of assets.

A few hours later, as HOYA BIT staff began arriving at work, they realized something was seriously wrong. The exchange immediately “pulled down the shutters,” suspending all services to confirm whether the hacker had already left and to assess the scale of the losses.

Using the on-chain analytics tool Arkham, I created the fund flow diagram shown below. The node in the lower-left corner, starting with 0xBA5c, is the hot wallet that was compromised at HOYA BIT. The green lines in the middle represent the flow of funds into the hacker’s wallet, while the right side shows the hacker’s laundering paths. The stolen assets were split and sent to the non-KYC offshore exchange ChangeNow, deliberately creating breaks in the on-chain trail to make tracing more difficult.

Law enforcement agencies likely grasped these on-chain fund flows at a very early stage. However, with nothing more than a wallet address starting with “0x,” it is still impossible to determine where the hacker is actually located. To bring them to justice, additional clues are required.

At this point, the first question on everyone’s mind is probably: Is HOYA BIT still safe? If you have assets stored on the exchange, should you withdraw them immediately?

A Low-Key Hack

When an exchange runs into trouble, withdrawing funds to protect yourself is never a bad idea. That said, HOYA BIT’s response this time was relatively swift and decisive. The exchange was back online within 24 hours and announced that all losses would be fully absorbed by the platform itself. Precisely because user assets were not affected, the incident failed to spark much discussion within the community. According to the official statement:

HOYA BIT … has confirmed that hackers launched an attack starting at 3:00 a.m. on January 22, 2026, stealing assets from the hot wallet … The affected wallet is a mandatory intermediary for all withdrawal transactions … However, we strictly adhere to cold–hot wallet segregation and the separation of user assets … and follow the principle that more than 85% of user assets must be stored in cold wallets. Therefore, user assets were not impacted in this incident.

Why Could HOYA BIT Afford the Loss?

Many people assume exchanges are simply well-capitalized. Industry insiders, however, know that the real reason lies in a regulatory notice issued by Taiwan’s Financial Supervisory Commission (FSC) on December 30, 2025. The notice mandates that, starting January 1, 2026, exchanges must keep at least 85% of their assets in cold wallets.

A cold wallet is like a vault, while a hot wallet is more like a bank teller counter. In the past, there was no unified standard for how exchanges should allocate funds between the vault and the counter. For the sake of operational convenience and to avoid users being unable to withdraw funds, many exchanges kept a relatively large portion of assets at the “counter.” But once hackers struck, hot wallets were often completely drained.

It was not until March 2025 that the Financial Supervisory Commission (FSC) formally required registered exchanges in Taiwan to comply with the 80/20 rule: at least 80% of assets must be stored in cold wallets, and assets circulating in hot wallets may not exceed 20%. From an operational perspective, this inevitably increases costs—when there is less money at the counter, exchanges must rebalance liquidity more frequently to avoid hot wallets being emptied. From a regulatory standpoint, however, this sets a clear stop-loss line for exchanges. Even if a hot wallet is compromised, the maximum loss is capped at 20%.

On January 1, 2026, the FSC tightened the rules even further, requiring the hot-wallet ratio to drop below 15%. Unexpectedly, less than a month after the new regulation came into effect, it was put to the test. Perhaps hackers also noticed that Taiwan’s regulatory environment was becoming increasingly strict, meaning future hauls would likely be smaller, and thus decided to strike while they still could.

But is 85/15 really the ideal allocation? From a regulator’s point of view, the lower the risk, the better. I believe the FSC may eventually move toward 90/10 or even 95/5, forcing exchanges to further reduce the proportion of assets held in hot wallets. This approach is certainly effective. Not only does it prevent an exchange from being seriously crippled by a single hack, but if hackers deem the potential payoff too low, they may simply shift their focus elsewhere.

That said, I don’t support pushing the ratio too low. The less money there is in hot wallets, the harder it is to hack an exchange—but the maximum amount users can withdraw in a single transaction also drops. This makes it more likely that hot wallets will be temporarily depleted, forcing users to wait for funds to be rebalanced. In that scenario, while hackers may be successfully deterred, local users could be driven away as well. If they end up turning to unregulated overseas exchanges with even higher risks, the outcome would be counterproductive.

Beyond the 85/15 requirement, the FSC has also mandated that exchanges adopt ISO 27001 information security certification.

Rule by People vs. Rule of Law

My original impression of ISO 27001 was that it was an expensive, bureaucratic information security certification. Only after digging deeper did I realize that its real purpose is to help exchanges establish a set of standard operating procedures that can be audited and held accountable.

An exchange without ISO certification is like a roadside food stall. The owner might be a great cook, but did they wash their hands after handling cash? Are the ingredients stored separately from cleaning chemicals? No one really knows—it all depends on personal conscience. An exchange certified under ISO 27001, by contrast, is like a central kitchen subject to regular health inspections. It can’t guarantee that nothing will ever go wrong, but it does ensure that every incident is documented, traceable, and improvable. That’s how an industry learns from mistakes, instead of relying on individual improvisation every time something happens.

In the past, people chose exchanges based on user numbers, trading volume, or how wealthy the founder seemed. The unspoken question was: “If something goes wrong, can they afford to compensate users?” But the collapse of FTX in 2022 proved that even the world’s second-largest exchange can implode overnight. If that can happen, what can’t? Rather than handing down heavy sentences after the fact, it’s far more effective to require exchanges to put auditable systems in place beforehand to protect user assets.

Only then did I truly understand what the Financial Supervisory Commission (FSC) has been working on over the past few years. People often asked why compliant Taiwanese exchanges weren’t cheaper, offered fewer trading pairs, and could still get hacked—so where was the competitiveness?

The HOYA BIT incident makes the contrast clear. Using an unregistered exchange is essentially a gamble: you’re betting that the exchange has deep enough pockets, and that the founder will be willing to pay out of their own pocket if something goes wrong. With a compliant exchange, you’re trusting the system. Who the owner is doesn’t matter. The exchange must comply with the 85/15 rule, segregate user assets, and hold ISO 27001 certification. The government monitors these exchanges on your behalf, ensuring that in extreme events, 85% of your assets are safely stored in cold wallets, while 100% of your New Taiwan dollars sit in dedicated trust accounts at banks. Preventing users from losing everything—that is the true purpose of regulation.

In that sense, the fact that HOYA BIT was “quietly hacked” is actually good news. It shows that the systems built over the past few years are starting to work. Users didn’t rush to withdraw funds, and the exchange didn’t have to resort to measures like Bitfinex did years ago, issuing “debt tokens” to ask users to share the pain. If insurance mechanisms can be introduced and support systems further strengthened, the risks of investing in crypto will only continue to fall.

This time, the FSC deserves a round of applause. Just a few years ago, people mocked Taiwanese exchanges as nothing more than “USDT on-ramps.” Who could have imagined that one day, it would be precisely these regulations that make investors more willing to keep their funds on Taiwanese exchanges—instead of just swapping USDT and leaving?