Alphapo, a cryptocurrency payment service provider, reportedly suffered a significant breach of its hot wallet, resulting in a loss of over $60 million, with some reports suggesting total losses could amount to around $100 million, according to De.Fi, the web3 antivirus company.
The original hack was discovered on July 23 by blockchain investigator ZachXBT, who reported that “Alphapo hot wallets were drained for $23M+ on ETH, TRON, BTC.”
A wallet belonging to Alphapo was reportedly hacked across multiple platforms, with stolen funds being dispersed across various Externally Owned Accounts (EOAs).
ZachXBT posted an update to his investigation on July 25, commenting,
“An additional $37M stolen on TRON & BTC from this hack has been located.
This now brings the total amount stolen to $60M.
This hack appears to likely have been done by Lazarus as they create a very distinct fingerprint on-chain.”
Ongoing attack
As reported by De.Fi, the web3 antivirus, Alphapo is a crucial conduit for processing payments for gambling services such as HypeDrop, Bovada, and Ignition. Following the breach, HypeDrop, one of Alphapo’s customers, had to swiftly turn off withdrawal services.
In a statement released on July 23, HypeDrop reassured its users that “if your payment has been affected, your funds are secure.” The company also stated that it is actively monitoring the situation and would provide updates as more information becomes available.
HypeDrop later updated users, stating,
“Please know that your HypeDrop funds are safe, but we encountered an issue on the cryptocurrency provider’s side.
Once the provider’s operations resume, processing deposits will be credited accordingly.”
The attacked wallet, known as Alphapo.eth, had its funds converted into Ethereum (ETH) by the hackers. The funds were then routed through different channels, including Avalanche and Bitcoin. Evidence from the Etherscan transaction records points to a consistent outflow of funds from the Alphapo.eth wallet. Initial estimates put the value of the stolen tokens in the region of $31 million.
The attacker or attackers involved in the incident are reportedly associated with the addresses ‘0x6d2e8,’ ‘0x040a9,’ ‘TDoNAZ,’ and ‘TKSitn.’
The consensus among the cybersecurity community is that the investigation into the Alphapo incident is still ongoing.
Preliminary indications from De.Fi suggest that private key leakage is a potential cause of the breach.
The exact amount of stolen Bitcoin remains unconfirmed outside of De.Fi and ZachXBT’s projections. However, over $60 million has been discovered as of press time.