Cyber Incident Victim: HypeDrop
Date: Jul 2023
Location: North Korea
Summary
A cybersecurity breach targeting the payment provider Alphapo resulted in losses exceeding $60 million, impacting its client platforms including HypeDrop, which experienced withdrawal delays. The incident involved unauthorized outflows from hot wallets across multiple blockchains, initially estimated at $31 million before revised analysis revealed additional losses on Tron and Bitcoin networks. Security researchers attributed the attack to the Lazarus Group, citing distinctive on-chain patterns linked to the North Korean-affiliated cybercrime entity. While Alphapo acknowledged operational disruptions and migrated deposit addresses, neither it nor affected platforms explicitly confirmed the hack, though stalled withdrawals and abnormal fund movements suggested external compromise. The incident followed similar large-scale exploits against centralized crypto services, highlighting systemic vulnerabilities in private key management and cloud storage security.
Description
The Alphapo payment provider hack, detected on July 23, 2023, resulted in significant financial losses affecting multiple online platforms, including mystery box service HypeDrop and gambling sites Bovada and Ignition. Initial reports from security experts indicated that Alphapo’s hot wallets were drained of at least $21 million, with some estimates exceeding $31 million. Alphapo, a centralized crypto payment provider servicing e-commerce subscriptions, gaming platforms, and other digital businesses, did not publicly confirm the breach but acknowledged operational disruptions. The company informed Cointelegraph that deposits and withdrawals were being migrated to new addresses, with funds sent to old addresses requiring additional verification. HypeDrop separately confirmed its payment provider was experiencing issues causing withdrawal delays but assured users that normal operations would resume after resolution. Security researchers cited abnormal outflows from known hot wallets and subsequent withdrawal freezes as indicators of unauthorized fund movement, though neither Alphapo nor HypeDrop explicitly attributed the incident to malicious activity at this stage.

On July 25, on-chain investigator ZachXBT revised the estimated losses to over $60 million, identifying an additional $37 million drained from Alphapo-associated addresses on the Tron and Bitcoin networks. ZachXBT’s analysis, referencing Dune Analytics data, suggested the Lazarus Group—a cybercrime collective linked to North Korea—likely executed the attack based on distinctive transactional patterns. The incident occurred amid other high-profile crypto breaches in July 2023, including Multichain’s $100 million exploit attributed to compromised private keys. Alphapo’s response focused on restoring deposit and withdrawal functionality through new wallet addresses while implementing enhanced verification for legacy transactions. The hack disrupted HypeDrop’s withdrawal processing, though the platform maintained service continuity pending resolution. No further public statements from Alphapo or HypeDrop addressed the revised loss estimates or Lazarus Group allegations, leaving the attribution and full impact scope unconfirmed by the affected entities.
