More Than 100 Million Dollars Worth of Crypto Stolen – Inside The Alphapo Hack

In the crypto space, security breaches are an ever-present threat, and the recent incident involving Alphapo, a prominent payment processor for various gambling services, highlights the severity of these risks. 

On July 23, 2023, on-chain sleuth ZachXBT reported a significant security breach at Alphapo that resulted in the loss of more than $23 million in cryptocurrencies from its hot wallets. However, as the investigation deepens, it has become apparent that the scale of the heist is far greater than initially reported.

What is Alphapo?

Alphapo is a payment processor that helps businesses use digital currencies as a payment method. It offers payments in over 30 digital currencies, along with the accumulation of balances in 23 fiat currencies. Alphapo offers different channels for various use cases, such as iGaming and e-commerce, with some of its major clients being Bovada and Ignition.

One of Alphapo’s prominent clients, HypeDrop, resorted to disabling withdrawals in response to the security breach. HypeDrop issued a statement assuring their customers that their funds are safe. 

Dissecting the Attack

While the exact method the hackers used to compromise Alphapo’s hot wallets remains a mystery, our team used QLUE™ by Blockchain Intelligence Group to trace the stolen cryptocurrencies (Ethereum, TRON, and Bitcoin) taken from Alphapo’s hot wallets. The information we uncovered using QLUE™ points to the Lazarus Group as the likely culprits behind this attack.

Here’s what we have discovered so far:

The perpetrators siphoned 11,673,373 USDT (US $11,673,373) and 5,542,290 TRX (US $445,742) from Alphapo’s wallets. They swapped the stolen USDT to TRX and consolidated the stolen TRX with the converted TRX coins in a new address. Afterward, the attackers transferred the consolidated 118,351,300 TRX coins to a new address. 

One crucial lead in identifying the attackers came from their next move. The hackers split the stolen TRX coins, sending 58,750,203 TRX to a fresh address. This address was particularly interesting because it had previously received 99,497 TRX from an address (TNMW5….hAJem) that was linked to the Atomic Wallet hack. 

That same address (TNMW5….hAJem), linked to the Atomic Wallet hack, had sent 20,885,366 TRX to yet another wallet. This wallet was associated with the funds stolen in the Atomic Wallet hack and has received a total of 27,121,678 TRX coins.

QLUE™ graph: TRX tokens drained and consolidated in hacker addresses
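The overlap lead described above can be expressed as a small check over a transfer ledger. This is an added example, not code from the article or from QLUE™: the address names are placeholders, the ledger is constructed (only the large amounts are the figures quoted above), and the dust threshold is an assumption.

```python
# Constructed ledger: (seq, sender, receiver, amount_trx). Address names are
# placeholders, not real TRON addresses; seq is a stand-in for block time.
TRANSFERS = [
    (1, "ATOMIC_LINKED", "ATOMIC_SINK", 20_885_366),
    (2, "ATOMIC_LINKED", "SPLIT_ADDR", 99_497),
    (3, "ALPHAPO_HOT", "CONSOLIDATION", 118_351_300),
    (4, "CONSOLIDATION", "NEXT_HOP", 118_351_300),
    (5, "NEXT_HOP", "SPLIT_ADDR", 58_750_203),
    (6, "NEXT_HOP", "DUST_TARGET", 5),   # dust, below the follow threshold
    (7, "BYSTANDER", "NEXT_HOP", 12),    # untagged sender, must not be flagged
]
# Labels the analyst already holds from an earlier case (assumed input).
TAGS = {"ATOMIC_LINKED": "Atomic Wallet hack"}


def trace_forward(transfers, source, min_amount=1_000):
    """Return {address: seq of first arrival of traced funds} from source."""
    first_seen = {source: 0}
    for seq, src, dst, amt in sorted(transfers):
        # Processing in time order means funds only propagate forward in time.
        if src in first_seen and amt >= min_amount and dst not in first_seen:
            first_seen[dst] = seq
    return first_seen


def tagged_inbound(transfers, traced, tags):
    """List transfers from previously tagged addresses into traced addresses."""
    hits = []
    for seq, src, dst, amt in sorted(transfers):
        # A tagged sender outside the trace is the cross-case overlap.
        if dst in traced and src in tags and src not in traced:
            hits.append({
                "address": dst,
                "from": src,
                "tag": tags[src],
                "amount": amt,
                # True when the tagged deposit came before the traced funds.
                "predates_traced_funds": seq < traced[dst],
            })
    return hits


if __name__ == "__main__":
    traced = trace_forward(TRANSFERS, "ALPHAPO_HOT")
    for hit in tagged_inbound(TRANSFERS, traced, TAGS):
        print(hit)
```

A shared counterparty of this kind is a lead for further tracing rather than proof of common control, since anyone can send funds to an address.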

On the Ethereum side, the perpetrators drained Alphapo’s hot wallet of a number of coins and tokens:

  • 2,490.14 ETH (US $4,715,961.8)
  • 108,050.3 USDC (US $108,050.3)
  • 6,074,170.8 USDT (US $6,074,170.8)
  • 1,687.9 DAI (US $1,687.9)
  • 100,218,957.4 FTN (US $91,949,170)
  • 430,080.84 TFL (US $189,235)

They converted all stablecoins (USDC, USDT and DAI) to 3,252.35 ETH (US $6,050,737), and the combined amount of 5,716.77 ETH (US $10,634,160) was sent to a new address.

QLUE™ graph: Alphapo hot wallet drained of Ethereum and other tokens

It was at that moment that the hackers behind the breach executed a sophisticated plan to cover their tracks. They swiftly bridged the stolen Ethereum to other blockchains, including Avalanche and Bitcoin. Eventually, the perpetrators deposited the stolen funds in Sinbad, the same exact cryptocurrency mixer used by the Lazarus Group in previous attacks.

QLUE™ graph: stolen funds swapped to BTC and deposited into Sinbad mixer and exchanges

The stolen funds are still on the move at the time of writing this article and one crucial aspect remains elusive – the identity of the hackers responsible for this heist. What’s certain is that the aftermath of this incident is likely to have far-reaching consequences for Alphapo and its customers. The incident serves as a reminder of the ever-present threat to the crypto space and the pressing need for heightened security measures.

Learn how QLUE™ helped unravel the details of the Alphapo hack and use it today to investigate your most sophisticated cases.

Written By: Omar Marzouk
Writer, Content marketing at Blockchain Intelligence Group

