In the early hours of Sunday, 23 July, hackers drained over $31 million in digital currencies from crypto payment gateway operator Alphapo.
According to reports, the attackers got away with cryptocurrencies including Bitcoin (BTC), Ether (ETH), and Tron (TRX) contained in several hot wallets linked to the platform.
$31 Million Worth Of ETH, BTC, and TRX Stolen From Crypto Payments Platform Alphapo
On-chain sleuth ZachXBT revealed details of the attack, noting that the funds stolen on the Ethereum blockchain were swapped for ETH and then bridged to the Avalanche (AVAX) and Bitcoin (BTC) networks. He also revealed details of three wallet addresses through which the funds were moved.
Alphapo facilitates instant payment support for over 30 cryptocurrencies and is the payments partner for crypto-focused gambling platforms such as HypeDrop, Bovada, and Ignition. Following the attack, all three platforms were unable to facilitate customer withdrawals, as users could not access their balances in BTC, ETH, and TRX.
Web3 antivirus and security service DeDotFi suggested that digital currencies upwards of $100 million were stolen from various hot wallets on the platform. The agency linked the hack to the potential leakage of private keys and confirmed that investigations are underway.
Blockchain analytics firm PeckShield corroborated ZachXBT’s report, confirming that $6.074 million USDT, $108,000 USDC, 100.2 million Fast Token (FTN), and 1,700 DAI were drained from Alphapo.
The culprit then swapped the stablecoins and “some other tokens” for 5,730 ETH ($10.7 million) and bridged them to Bitcoin via the Avalanche bridge. 12 million USDT and 5.2 million TRX were moved to a second wallet and later transferred to a third wallet involved in the hack.
Cybersecurity experts SlowMist conducted a deep analysis of the attack and reported that the hacker’s moves resembled prior exploits undertaken by the infamous North Korean hacking group Lazarus.
As per security experts, the exact amount of BTC stolen from the platform remains unconfirmed.
Alphapo Partners Suspend Deposit And Withdrawals Until Issue Is Fixed
As soon as the hack was discovered, HypeDrop put out a Twitter statement announcing that it had suspended all deposits and withdrawals. The crypto gaming platform promised users that their funds were safe and said the issue originated with its payments service provider, without mentioning Alphapo by name.
HypeDrop confirmed that it will process deposits once Alphapo resumes operations, but all pending withdrawals will be canceled and users will have to submit a new request for them to be processed.
Experts say the Alphapo attack could have a significant impact on several high-profile crypto-gambling sites, all of which use the payment gateway to facilitate crypto transactions for users.
July Saw Over $100 Million Stolen From Various Crypto Platforms
The incident adds to the rising tally of Web3 exploits and hacks that occurred this month. According to data from crypto analytics firm DefiLlama, hackers have gotten away with over $100 million from exploits on several blockchains this month, coming second only to March 2023, when over $200 million in crypto was stolen.
The most expensive of the bunch was the July 7 attack that took place on the Fantom (FTM) bridge of cross-chain protocol Multichain, which saw hackers get away with $126 million in wrapped Bitcoin (WBTC), USDC, DAI, wrapped Ether (wETH), and LINK.
Unconfirmed reports circulated that the hack was a rug-pull event orchestrated by Multichain itself, in which the administrator key was compromised. Multichain ceased operations soon after the hack, citing a lack of funds to continue.
Last week, the decentralized finance (DeFi) protocol Conic Finance was exploited in a $3.25 million hack where the culprits got away with 1,727 ETH by draining an Ether liquidity pool. Blockchain security firms linked the attack to an issue in the Curve Finance-based platform’s price oracle contract, which was below industry standards.
Earlier this month, bad actors got their hands on the official Twitter accounts of Aptos Network (APT) and its CEO Mo Shaikh. The hackers then went on to promote a fraudulent airdrop and provided a link asking users to participate to claim free APT tokens.
Other incidents this month include the $60 million rug-pull that occurred on AnubisDAO, $1.5 million in ETH stolen from Rodeo Finance, and the ArcadiaFi hack, where a code vulnerability led to $455,000 in Ethereum and Optimism (OP) being drained.