Crypto payment platform Alphapo had at least $31 million drained from its hot wallets on Ether (ETH), TRON (TRX), and Bitcoin (BTC), security experts reported on July 22. Since the number of Bitcoins stolen is uncertain, the figures may be even higher.
According to on-chain sleuth ZachXBT, the funds have been stolen on the Ethereum network, then swapped for ETH before being bridged to the Avalanche and Bitcoin blockchains. As per DeDotFi’s security team, the hack may have been caused by a leak of private keys. Investigations are still in progress.
Alphapo is a payment processor that offers instant transactions in over 30 digital assets and balances in a range of fiat currencies. The company is best known for being the crypto gateway for a number of gambling platforms, including HypeDrop, Ignition and Bovada.
Alphapo Hot Wallet Hacked
Over $31,000,000 stolen, with reports suggesting up to ~$100 million.
Hot wallet was hacked on Ethereum, Tron and BTC. Stolen funds were swapped and distributed among various EOAs.
: Here are the details of the incident pic.twitter.com/bLeCLJvH6G
— De.Fi ️ Web3 Antivirus (@DeDotFiSecurity) July 23, 2023
Following the incident, Alphapo’s client HypeDrop stopped processing crypto transactions. The mystery box platform said on Twitter that it is experiencing issues with deposits and withdrawals as a result of the hack. “Please know that your HypeDrop funds are safe, but we encountered an issue on the cryptocurrency provider’s side. Once the provider’s operations resume, processing deposits will be credited accordingly,” it stated.
Despite not commenting on the incident, a spokesperson for Alphapo told Cointelegraph that deposits and withdrawals are being reinstated for batches of currencies at a time. “We kindly request all our users to refrain from sending funds to the old deposit addresses. However, in the odd case this happens, the funds deriving from such deposits will be additionally verified.”
In another security incident over the past few days, decentralized finance protocol Conic Finance experienced two attacks in a matter of hours. The first exploit saw $3.26 million in Ether stolen, with nearly the entire amount being sent to an Ethereum address in just one transaction. The second incident took place a few hours later, the protocol revealed in a post-mortem report, saying it was a variant of a sandwich attack targeting its pools that had netted the attacker around $300,000.