Cyber Incident Victim: Bovada
Date: Jul 2023
Location: North Korea
Summary
A cyberattack targeting Alphapo, a cryptocurrency payment provider servicing online gambling platforms including Bovada, resulted in over $60 million in losses from drained hot wallets across multiple blockchain networks. The incident disrupted withdrawal services, prompting the provider to migrate deposits to new addresses while verifying funds sent to old ones. On-chain analysis suggests the theft may be linked to the Lazarus Group, a North Korean state-affiliated hacking collective known for distinct transaction patterns. The breach follows similar large-scale exploits against centralized crypto services, highlighting systemic vulnerabilities in private key management and third-party provider security.
Description
On July 23, 2023, security experts observed abnormal outflows from hot wallets associated with Alphapo, a centralized cryptocurrency payment provider servicing gaming platforms including Bovada, Ignition, and HypeDrop. Initial estimates indicated losses of at least $21 million, with some reports suggesting over $31 million had been drained. Alphapo did not publicly confirm a security breach but acknowledged operational disruptions by informing customers that deposits and withdrawals were being migrated to new wallet addresses. The company stated funds sent to old addresses would undergo additional verification processes. HypeDrop, one of Alphapo’s clients, separately notified users of withdrawal delays attributed to its payment provider’s technical issues but assured services would resume after resolution. Security researchers cited the combination of large unauthorized fund movements from known hot wallets and systemic withdrawal suspensions as indicators of a potential exploit.

By July 25, on-chain investigator ZachXBT revised the estimated losses to over $60 million, identifying an additional $37 million exfiltrated from Alphapo’s legacy addresses on the Tron and Bitcoin blockchains. Analysis of transaction patterns suggested involvement of the Lazarus Group, a North Korean state-linked cybercrime entity first documented in 2014. The attack disrupted payment processing for Bovada and other platforms reliant on Alphapo’s infrastructure, though neither Alphapo nor its clients explicitly acknowledged the incident as a hack. The breach occurred amid a series of high-value cryptocurrency exploits in July 2023, including a separate $100 million incident affecting cross-chain protocol Multichain, though no direct connection between these events was established in available reporting. Alphapo’s mitigation efforts focused on migrating services to new wallets while investigating the original addresses.
