AlphaPo Hack
Incident Overview
AlphaPo, a crypto payment platform, was compromised via private key, resulting in a loss of approximately $23M across Bitcoin, Tron, and Ethereum chains.
AlphaPo, which processes payments for numerous gambling services, suffered an exploit involving their hot wallets in Bitcoin, Tron, and Ethereum. The root cause was a private key compromise. The stolen assets were swapped for 5,742 ETH and bridged to Avalanche through several addresses. On the Avalanche chain, the funds were swapped for BTC and bridged to the Bitcoin chain.
On the Tron chain, the funds were swapped for 118,482,405 TRX and then transferred through several addresses.
22,851,804 USD loss confirmed across Ethereum and Tron chains:
10,716,942 USD worth 5,742 ETH on Ethereum:
- 2,464.3 ETH
- 4,555,628 USDT
- 108,050 USDC
- 1,687 DAI
- 100,218,957 non-liquid FTN
- 430,080 non-liquid TFL
12,134,862 USD on Tron:
- 11,673,373 USDT
- 5,542,290 TRX
The estimated loss ranges from $23M to a potential $100M since funds lost on the Bitcoin chain are not revealed yet.
Attacker Addresses:
- https://etherscan.io/address/0x040a9665…580d17
- https://etherscan.io/address/0x6d2e8a20…e53c38
- https://etherscan.io/address/0x8dc4f02e…3805e8
- https://tronscan.org/#/address/TKSitnfTLVMRbJsF1i2UH5hNUeHLDrXDiY
- https://tronscan.org/#/address/TDoNAZHa7WxarUAFbQUhiijTGtd7EpbzRh
Funds Holder as of July 24, 2023:
- https://tronscan.org/#/address/TJF7mdFxDuHB4tb9hoyR4SCpKxk7gr23ym
USDT Drain Transaction:
https://etherscan.io/tx/0x68139cda…55a7ce
ETH Drain Transaction:
https://etherscan.io/tx/0xd77012e2…d1d064
TRX Drain Transaction:
https://tronscan.org/#/transaction/a7d8b7b3e9df0ac88298d415128b6b136e6b8ee09c285545ecfed6e0b03b83b4
USDT Drain Transaction:
https://tronscan.org/#/transaction/61600fc1e7ac37e7de8bd9f07eb50660f2ef5cb2e8968146869bd5f606221bf8
Bridging to Avalanche:
https://etherscan.io/tx/0x072dbb01…189a1f
Bridging to Bitcoin:
https://snowtrace.io/tx/0x0cb7c5f3…fb90a9
Incident Report
Protocol Information
Market Context at Time of Hack
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to AlphaPo, these are the critical security checks that could have prevented this incident (July 2023).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialRelated Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
- 01
- 02
-
03
Web Archive https://archive.ph/vjjat
Learn to Prevent the Next AlphaPo
The AlphaPo hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.