Alphapo, a cryptocurrency payment services provider, has reportedly suffered a significant security breach within its hot wallet, resulting in a loss of more than $60 million. Some reports suggest total losses could be around $100 million, he said. De.Fithe web3 antivirus company.
The original hack had been discovered on July 23 by blockchain researcher ZachXBT, who reported that “Alphapo hot wallets emptied for $23M+ on ETH, TRON, BTC.”
An Alphapo wallet was reportedly hacked across multiple platforms, with stolen funds being spread across several third-party accounts (EOAs).
ZachXBT posted update on his investigation on July 25, commenting:
“Another $37 million has been found stolen through this hack on TRON and BTC.
This now brings the total amount stolen to $60 million.
This hack seems likely to have been carried out by Lazarus, as they create a very distinct fingerprint on the chain.”
Persistent attack
As reported by De.Fi, the web3 antivirus, Alphapo is a crucial channel for processing payments for gambling services such as HypeDrop, Bovada and Ignition. After the breach, HypeDrop, one of Alphapo’s customers, had to quickly disable recording services.
In a statement issued on July 23, HypeDrop assured its users that “if your payment has been affected, your money is safe.” The company also stated that it is actively monitoring the situation and will provide updates as more information becomes available.
HypeDrop later updated users declare,
“Know that your HypeDrop funds are safe, but we have encountered an issue on the cryptocurrency provider side.
Once the provider’s operations resume, the deposits processed will be credited accordingly.”
The attacked wallet, known as Alphapo.eth, had the funds converted into Ethereum (ETH) by the hackers. The money was then routed through various channels, including Avalanche and Bitcoin. Evidence from the Etherscan transaction data points to a consistent outflow of funds from the Alphapo.eth wallet. Initial estimates put the value of the stolen tokens at around $31 million.
The attacker(s) involved in the incident are reportedly linked to the addresses ‘0x6d2e8’, ‘0x040a9’, ‘TDoNAZ’ and ‘TKSitn’.
The consensus within the cybersecurity community is that the investigation into the Alphapo incident is still ongoing.
Preliminary indications from De.Fi suggest that private key leakage could be a possible cause of the breach.
The exact amount of stolen Bitcoin remains unconfirmed beyond De.Fi and ZachXBT’s projections. However, at the time of writing, more than $60 million has been discovered.