Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 147 · Private Key Compromise

AlphaPo Payment Provider Drain

A private-key compromise drained $60M from AlphaPo's hot wallets across Tron, Bitcoin and Ethereum. The FBI attributed the payment-processor breach to Lazarus.

Date: July 23, 2023
Victim: AlphaPo
Status:
Funds Stolen: approximately $60M
Attribution: Lazarus Group (DPRK)

On July 23, 2023, the centralised crypto-payment provider AlphaPo — which processed payments for gambling sites, e-commerce subscriptions and other online businesses — was drained of approximately $60 million across its hot wallets on Tron, Bitcoin and Ethereum. The FBI later attributed the attack to North Korea's Lazarus Group based on the laundering route and on-chain pattern.

What happened

AlphaPo operated as the back-end crypto rails for several large online businesses, holding meaningful balances in hot wallets to service customer deposits and merchant payouts. The compromise was a textbook private-key extraction from AlphaPo's signing infrastructure — exact vector never publicly detailed.

Initial loss estimates from the first hours of the incident were around $23M (largely Ethereum-side outflows visible on standard explorers). Investigator ZachXBT subsequently identified additional outflows on Tron and Bitcoin, bringing the total to approximately $60M.

The breakdown (selected):

  • 6M+ USDT (Tron-side)
  • 108K USDC
  • 100.2M FTN
  • 430K TFL
  • 2.5K ETH
  • 1,700 DAI
  • Plus $37M in TRON and BTC identified by ZachXBT post-hoc.

The laundering route — including Sinbad mixer deposits matching prior Lazarus operations — was the key signal for the eventual FBI attribution.

Aftermath

  • AlphaPo halted operations on affected chains and rotated keys.
  • The company absorbed the loss from corporate reserves; merchant customers were largely made whole.
  • No public recoveries from the attacker's wallets.

Why it matters

AlphaPo is one of a tight cluster of mid-summer 2023 Lazarus operations — alongside Atomic Wallet (June, $100M+), Stake.com (September, $41M), CoinEx (September, $54M), and Mixin Network (September, $200M) — that established Lazarus' parallel targeting of payment-processor infrastructure alongside its more visible exchange-focused campaigns.

The structural lesson: any business holding multi-chain hot-wallet balances on behalf of end customers is a Lazarus-relevant target, regardless of consumer brand recognition. Payment processors, custody-as-a-service providers, on-chain accounting platforms — all sit in the same crosshairs as exchanges, and need the same operational-security investment, even if their public profile is lower.

Sources & on-chain evidence

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/lazarus-hackers-linked-to-60-million-alphapo-cryptocurrency-heist/
  2. bitcoinist.com: https://bitcoinist.com/hackers-stole-60-million-from-alphapo/
  3. decrypt.co: https://decrypt.co/150282/north-korean-hacker-cell-lazarus-allegedly-behind-60m-alphapo-hack
