According to a July 25 report by online sleuth ZachXBT, the alleged hack of the Alphapo payment system on July 23 resulted in losses in excess of $60 million. Earlier reports put the losses at approximately $31 million.
Hack update: An additional $37M stolen on TRON & BTC from this hack has been located.
This now brings the total amount stolen to $60M.
This hack appears to likely have been done by Lazarus as they create a very distinct fingerprint on-chain. pic.twitter.com/ACGSXiDwW3
— ZachXBT (@zachxbt) July 25, 2023
Alphapo is a centralized cryptocurrency payment provider for e-commerce subscription services, gaming sites, and other online businesses. It is known as the payment provider for the mystery box platform HypeDrop and the gaming sites Bovada and Ignition. On July 23, security experts began reporting that at least $21 million had been withdrawn from the site’s hot wallets, with some sources reporting that losses exceeded $31 million.
At the time, Alphapo did not comment on the alleged hack, but told Cointelegraph that deposits and withdrawals were being restored to new addresses. The team said that funds deposited to old addresses would be “additionally verified.” HypeDrop has confirmed that its payment provider is “experiencing issues” that are causing withdrawals to be delayed, and said that withdrawals will be restored once the issue is resolved.
Neither company has confirmed that the issues were caused by the hack, but security researchers argue that large outflows of funds from known hot wallets, combined with a delay in withdrawals, suggest that the funds may have been moved by an attacker.
A new report by ZachXBT indicates that another $37 million was allegedly stolen from old addresses on the Tron and Bitcoin networks, bringing the total loss to more than $60 million. Citing data from Dune Analytics, the online sleuth claimed that the Lazarus Group could be behind the attack:
“It looks like this hack was done by Lazarus as they create a very clear fingerprint on the network.”
The Lazarus Group is a cybercriminal group first discovered by a consortium of security researchers led by Novetta in 2014. The group is believed to be affiliated with the government of the Democratic People’s Republic of Korea (DPRK).
Alphapo is not the only centralized cryptocurrency provider to have seen large amounts mysteriously withdrawn in July. On July 7, over $100 million was withdrawn from the Multichain bridge protocol for unexplained reasons. On July 14, the Multichain team announced a halt to operations after it emerged that these withdrawals were caused by an attacker gaining access to the protocol’s private keys through a cloud storage service.