AlphaPo Hot Wallets Breached Resulting in a Loss of Over $60 Million

Summary

AlphaPo, a crypto payment platform that processes payments for various gambling services, suffered a loss of more than $60 million due to a private key compromise that affected its hot wallets across Bitcoin, Tron, and Ethereum. The stolen funds were transferred to other blockchains, including Avalanche and Bitcoin. The funds on Bitcoin were deposited into the crypto mixer service Sinbad. The total also includes the losses suffered by CoinsPaid, an entity related to AlphaPo.

Attackers

The attackers' activity follows a pattern that aligns closely with operations previously linked to Lazarus, a North Korean hacking group. Addresses associated with the attackers:

Losses

The total confirmed loss was approximately $60 million. Specific losses per blockchain are:

  • Ethereum: $10,716,942
  • Tron: $12,134,862
  • Bitcoin: Approximately $37,148,196

Timeline

  • July 22, 2023, 02:30 AM UTC: A malicious transaction was executed on the Ethereum chain, draining roughly $6 million in USDT.
  • July 22, 2023, 02:33 AM UTC: A malicious transaction was executed on the Tron chain, transferring nearly $11 million in USDT.
  • July 23, 2023, 02:30 AM UTC: ZachXBT, an on-chain researcher, tweeted about the hack with an estimated loss of $23 million.
  • July 23, 2023, 02:05 PM UTC: HypeDrop, one of AlphaPo’s customers, halted their operations, pointing to provider issues.
  • July 25, 2023, 07:52 PM UTC: An additional $37 million in stolen funds was disclosed, bringing the total loss to approximately $60 million.

Security Failure Causes

Private Key Compromise: The attackers gained access to the private keys of AlphaPo’s hot wallets. It’s not clear how the private keys were compromised, but the resulting breach indicates a significant architectural and operational security oversight.