Skip to content
Est. MMXXVIVol. VI · № 273RSS
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 192Bridge Exploit

ALEX Lab Bridge Exploit

DPRK's Lazarus drained $4.3M from ALEX Lab's Stacks cross-chain bridge via a flaw in the bridge's verification logic, traced via on-chain laundering.

Date
Victim
ALEX Lab
Chain(s)
StacksBitcoin
Status
Funds Stolen
Attribution
Lazarus Group (DPRK)

On May 15, 2024, ALEX Lab — a Bitcoin DeFi platform built on the Stacks blockchain — lost approximately $4.3 million when its cross-chain bridge infrastructure was exploited. The on-chain pattern matched Lazarus Group's TTPs from the period, and the project publicly attributed the attack to Lazarus on the basis of the laundering route.

What happened

ALEX Lab provided cross-chain liquidity between Bitcoin (via Stacks' SBTC bridge) and various ERC-20 wrappers. The compromise targeted the verification logic in the bridge component that authorised cross-chain withdrawals.

The exact vulnerability vector was not fully detailed publicly — ALEX Lab's incident disclosures focused on the operational response rather than the technical root cause. From the on-chain evidence, the attacker obtained the ability to withdraw bridged assets without corresponding deposits, drained roughly $4.3M across multiple tokens, and routed the proceeds through cross-chain bridges into anonymising paths consistent with Lazarus' standard playbook.

Aftermath

  • ALEX Lab paused the bridge and offered the attacker a 10% white-hat bounty for the return of funds. No return.
  • The protocol announced a compensation plan funded from protocol revenue and team reserves; reimbursements were processed over the months following the incident.
  • A separate exploit hit ALEX Lab in June 2025 ($8.3M, exploiting a flaw in the self-listing verification logic) — a year later, with a different bug class.

Why it matters

ALEX Lab was one of the few major incidents of 2024 on a Bitcoin-adjacent L2 (Stacks), illustrating that the security challenges of cross-chain bridging do not change much when one endpoint is Bitcoin: the bridge contracts still live on a smart-contract chain, the verification logic still needs to be airtight, and a compromised signer or a missing check still drains real funds.

The Lazarus attribution also reinforced the pattern documented at Atomic Wallet, Stake.com, and many others: mid-size DeFi/wallet/bridge incidents in the $4-50M range through 2023-2024 were disproportionately Lazarus operations, often running in parallel with much larger CEX-focused attacks like DMM Bitcoin and WazirX.

Sources & on-chain evidence

  1. [01]coindesk.comhttps://www.coindesk.com/business/2024/05/15/bitcoin-defi-tool-alex-lab-loses-43m-in-hack-offers-10-bounty-for-stolen-funds
  2. [02]bitcoinist.comhttps://bitcoinist.com/defi-protocol-alex-lab-4-million-hack-linked-to-lazarus-group/
  3. [03]coinfomania.comhttps://coinfomania.com/alex-labs-confirms-major-security-breach-suspends-platform-operations-and-launches-full-investigation-into-multi-asset-hack/

Related filings