The alleged Alphapo payments provider hack of July 23 is now estimated to have caused losses exceeding $60 million, according to a July 25 report from on-chain sleuth ZachXBT. The loss was previously reported at roughly $31 million.
Hack update: An additional $37M stolen on TRON & BTC from this hack has been located.
This now brings the total amount stolen to $60M.
This hack appears to likely have been done by Lazarus as they create a very distinct fingerprint on-chain. pic.twitter.com/ACGSXiDwW3
— ZachXBT (@zachxbt) July 25, 2023
Alphapo is a centralized crypto payment provider for e-commerce subscription services, gaming sites and other online businesses. It’s known as the provider for mystery box platform HypeDrop and gambling sites Bovada and Ignition. On July 23, security experts began reporting that the site’s hot wallets appeared to have been drained of at least $21 million, with some sources reporting that the losses exceeded $31 million.
At the time, Alphapo did not comment on the alleged hack, but it did tell Cointelegraph that deposits and withdrawals were being reinstated at new addresses. The team said funds deposited to old addresses will be “additionally verified.” HypeDrop confirmed that its payment provider was “experiencing issues” that were causing withdrawals to be delayed but that withdrawals would be reinstated once the issue was resolved.
Neither company confirmed that the issues were caused by a hack, but security researchers have argued that the large outflows from known hot wallets, combined with stalled withdrawals, imply that the funds may have been moved by an attacker.
The new report from ZachXBT identifies an additional $37 million allegedly drained from the old addresses on the Tron and Bitcoin networks, bringing the total to more than $60 million in losses. Citing data from Dune Analytics, the on-chain sleuth argued that the Lazarus Group may be behind the attack:
“This hack appears to likely have been done by Lazarus as they create a very distinct fingerprint on-chain.”
The Lazarus Group is a cybercrime group first identified by a consortium of security researchers led by Novetta in 2014. The group is believed to have ties to the government of North Korea.
Alphapo is not the only centralized crypto provider to have suffered mysteriously large withdrawals in July. On July 7, cross-chain bridging protocol Multichain suffered over $100 million in unexplained withdrawals. On July 14, the Multichain team announced that it would stop operations after revealing that these withdrawals had been caused by an attacker accessing the protocol’s private keys through a cloud storage service.