Alphapo is a crypto payment platform used to process payments for multiple gambling services, including Bovada, HypeDrop, and Ignition. In July 2023, the platform suffered a hack that allowed the attacker to steal an estimated $23 million from the platform.
Inside the Attack
The Alphapo hack was made possible by a leak of the private keys of the platform’s hot wallets. With access to these keys, the attacker was able to create transactions that transferred value from these wallets to the attacker’s accounts.
In total, the Alphapo hack stole an estimated $23 million. This included over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH, and 1,700 DAI. All of these funds were sent to the same address before being moved across cross-chain bridges.
Lessons Learned from the Attack
This hack was made possible by compromised private keys for the contract’s hot wallets, not any smart contract vulnerabilities. The hack was preventable if private key security practices were implemented.
One example of a defense that could have prevented this attack — or at least made it much harder to perform — is the use of a multi-signature wallet. Breaking the private key up across multiple parties makes it much more difficult for an attacker to gain the access that they need to drain funds from the project.