Crypto payment processor Alphapo suffered a devastating security breach on July 22, 2023, with losses initially estimated at $23 million before ballooning to a staggering $60 million as investigators uncovered additional stolen funds across multiple blockchains. The incident, which has been linked to North Korea’s notorious Lazarus Group, sent shockwaves through the cryptocurrency security community and raised fresh concerns about the vulnerability of hot wallet infrastructure.
TL;DR
- Alphapo, a crypto payments processor for gambling platforms, lost over $60 million in a hot wallet breach
- The attack began at 02:30 AM UTC on July 22, targeting Ethereum, Tron, and Bitcoin wallets
- Breakdown: ~$10.7M from Ethereum, ~$12.1M from Tron, and ~$37.1M from Bitcoin
- On-chain investigator ZachXBT first flagged the breach, which was later attributed to Lazarus Group by the FBI
- HypeDrop, one of Alphapo’s clients, halted operations citing provider issues
The Attack Timeline
The breach unfolded rapidly in the early morning hours of July 22. At 02:30 AM UTC, a malicious transaction was executed on the Ethereum blockchain, draining roughly $6 million in USDT from Alphapo’s hot wallet. Just three minutes later, at 02:33 AM UTC, a second attack targeted the Tron network, transferring nearly $11 million in USDT. The initial damage appeared contained at approximately $23 million across both chains.
However, the situation worsened significantly over the following days. On-chain researcher ZachXBT first reported the hack on July 23, estimating losses at $23 million. By July 25, an additional $37 million in stolen funds on the Bitcoin and Tron networks was identified, bringing the total confirmed loss to approximately $60 million. The breakdown across blockchains was severe: $10,716,942 from Ethereum, $12,134,862 from Tron, and approximately $37,148,196 from Bitcoin.
Who Is Alphapo?
Alphapo operates as a cryptocurrency payment processing platform serving the online gambling industry. The company processes transactions for several well-known gambling services, including HypeDrop, Bovada, and Ignition. These platforms rely on Alphapo’s infrastructure to handle deposits, withdrawals, and payment flows in various cryptocurrencies.
The hack had immediate downstream effects. HypeDrop, one of Alphapo’s major clients, suspended operations on July 23, pointing to provider issues without initially disclosing the full extent of the breach. Users of the platform found themselves unable to access their funds, highlighting the cascading risks of centralized payment processing in the crypto ecosystem.
The Lazarus Group Connection
The attack pattern exhibited characteristics closely aligned with operations previously attributed to Lazarus Group, a state-sponsored North Korean hacking collective also known as APT38. The Federal Bureau of Investigation later formally attributed the theft to the group, confirming what on-chain analysts had suspected from the beginning.
The attackers moved quickly to launder the stolen funds, transferring assets across blockchains including Avalanche and Bitcoin. Notably, the Bitcoin-denominated stolen funds were deposited into Sinbad, a crypto mixer service designed to obscure transaction trails. This laundering technique is consistent with previous Lazarus Group operations, which have been linked to billions of dollars in cryptocurrency thefts over recent years.
Private Key Compromise
The root cause of the breach was identified as a private key compromise affecting Alphapo’s hot wallets. While the exact method by which the attackers obtained the private keys remains unclear, the incident revealed significant gaps in the platform’s security architecture and operational oversight. Hot wallets, by their nature, maintain internet connectivity to facilitate real-time transactions, making them inherently more vulnerable than cold storage solutions.
The scale of the loss — touching three separate blockchains — suggests that either a single point of failure existed across all wallet infrastructures or that the attackers conducted a coordinated assault exploiting a common vulnerability in Alphapo’s key management system.
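A defender-side illustration of the point above, added here as an example and not taken from Alphapo or any investigator: outflows that are anomalous for each hot wallet are correlated across chains, because near-simultaneous drains on separate chains point at shared key management rather than a single-chain fault. The wallet labels, baseline transfers, 20x factor and 10-minute window are assumptions; the two large amounts are the rounded figures from the timeline.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample: (timestamp UTC, chain, wallet label, USD value).
# Small transfers are invented baseline traffic; wallet labels are placeholders.
TRANSFERS = [
    ("2023-07-22T00:40:00", "ethereum", "hot-eth-1", 38_000),
    ("2023-07-22T01:10:00", "ethereum", "hot-eth-1", 42_000),
    ("2023-07-22T01:20:00", "tron", "hot-trx-1", 21_000),
    ("2023-07-22T01:55:00", "tron", "hot-trx-1", 18_500),
    ("2023-07-22T02:30:00", "ethereum", "hot-eth-1", 6_000_000),
    ("2023-07-22T02:33:00", "tron", "hot-trx-1", 11_000_000),
]

def anomalous_outflows(transfers, factor=20, min_history=2):
    """Flag transfers above `factor` x the wallet's median prior outflow."""
    history, flagged = {}, []
    for ts, chain, wallet, usd in sorted(transfers):  # ISO timestamps sort by time
        past = history.setdefault(wallet, [])
        if len(past) >= min_history and usd > factor * median(past):
            flagged.append((datetime.fromisoformat(ts), chain, wallet, usd))
        else:
            past.append(usd)  # only normal traffic feeds the baseline
    return flagged

def correlated_drains(transfers, window=timedelta(minutes=10), min_chains=2):
    """Group flagged outflows that hit >= min_chains chains within `window`."""
    flagged, alerts, i = anomalous_outflows(transfers), [], 0
    while i < len(flagged):
        start = flagged[i][0]
        cluster = [f for f in flagged[i:] if f[0] - start <= window]
        chains = sorted({f[1] for f in cluster})
        if len(chains) >= min_chains:
            alerts.append({"start": start.isoformat(), "chains": chains,
                           "wallets": sorted({f[2] for f in cluster}),
                           "total_usd": sum(f[3] for f in cluster)})
            i += len(cluster)  # skip transfers already covered by this alert
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for alert in correlated_drains(TRANSFERS):
        print(alert)
```

In production the same correlation would typically gate an automatic pause on signing across all chains, not just raise an alert.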
Why This Matters
The Alphapo hack serves as yet another reminder that despite the maturing cryptocurrency ecosystem, fundamental security challenges persist. With Bitcoin trading at approximately $29,771 and Ethereum at $1,864 on the day of the attack, the $60 million theft represented a significant blow to confidence in crypto payment infrastructure. The involvement of a state-sponsored actor like Lazarus Group underscores that crypto platforms are not merely targets for opportunistic hackers — they face sophisticated, well-resourced adversaries. For the broader market, which was already navigating regulatory headwinds and a pullback from recent 12-month highs, the incident reinforced the critical importance of robust custody solutions and multi-layered security protocols. As institutional interest in digital assets continues to grow, the industry must confront the reality that security failures of this magnitude threaten to undermine the very adoption it seeks to accelerate.
initial estimate was $23M and it turned out to be $60M. these payment processors always underreport first, happened with every major hack in 2023
hypedrop halted operations because their payment processor got drained. wonder how many users are still waiting for funds
ZachXBT doing the work that actual security teams should be doing. The guy flagged this before any official announcement.
$37M on bitcoin alone. lazarus running the same playbook since 2017 and nobody patches the hot wallets