Alphapo, a cryptocurrency payment service provider, reportedly suffered a significant security breach of its hot wallet resulting in a loss of more than $60 million, with some reports suggesting total losses could reach around $100 million, according to De.Fi, the web3 antivirus company.
The original hack had been discovered on July 23 by blockchain researcher ZachXBT, who reported that “Alphapo hot wallets for $23M+ were empty on ETH, TRON, BTC.”
An Alphapo wallet was reportedly hacked across multiple platforms, with stolen funds spread across several externally owned accounts (EOAs).
ZachXBT posted an update on his inquiry on July 25, commenting:
“Another $37 million has been stolen on TRON and BTC through this hack.
This now brings the total amount stolen to $60 million.
This hack seems likely to have been done by Lazarus, as they create a very obvious fingerprint on-chain.”
Continuous attack
As reported by De.Fi, the web3 antivirus, Alphapo is a critical payment processing channel for gambling services such as HypeDrop, Bovada and Ignition. Following the breach, HypeDrop, one of Alphapo’s clients, had to quickly shut down its withdrawal services.
In a statement issued on July 23, HypeDrop assured its users that “if your payment is compromised, your money is safe.” The company also stated that it is actively monitoring the situation and will provide updates as more information becomes available.
HypeDrop later updated users, declaring:
“Please know that your HypeDrop funds are safe, but we have encountered an issue on the side of the cryptocurrency provider.
Once the provider resumes operations, processing deposits will be credited accordingly.”
The hackers converted the funds in the compromised wallet, known as Alphapo.eth, into Ethereum (ETH). The money was then funneled through various channels, including Avalanche and Bitcoin. Etherscan transaction records show a consistent outflow of funds from the Alphapo.eth wallet. Initial estimates put the value of the stolen tokens at around $31 million.
The attacker or attackers involved in the incident are reportedly associated with the addresses “0x6d2e8,” “0x040a9,” “TDoNAZ,” and “TKSitn.”
The consensus among the cybersecurity community is that the investigation into the Alphapo incident is still ongoing.
Preliminary indications from De.Fi suggest that leaked private keys may be a possible cause of the breach.
The exact amount of Bitcoin stolen remains unconfirmed beyond De.Fi and ZachXBT’s projections. However, more than $60 million has been discovered at the time of going to press.