Topic: Payment processor hacked, more than $23M in crypto stolen - page 2. (Read 362 times)
Don't design your payment processor to be custodial - instead, make it track an extended public key, and use the last three derivation numbers (account for user accounts, type and index as a combined number) in order to support up to 2^31 accounts and 2^62 payments for each account respectively. This also works for any cryptocurrency that uses BIP44 derivation rules and secp256k1 keys - Bitcoin, Litecoin, Ethereum, even all cryptonote coins such as Monero and Zcash (as well as everything else listed on SLIP-44: https://github.com/satoshilabs/slips/blob/master/slip-0044.md)
Payment processor Alphapo was hacked for 23 million USD in BTC, ETH and XRP. Did anyone here use them because I can't remember I ever heard about them before.
Nobody even heard about them but I think people indirectly used them with gambling websites, so we could be hearing other casinos having problems, not just ones mentioned in this article.Does anyone know if Alphapo has any connections with casinos that are active in bitcointalk forum?
Still, that shouldn't be a reason to keep all of it in a hot wallet. Every local supermarket here doesn't put large banknotes in the cash register, but instantly drops it into a safe. I'd expect payment processors to use the digital equivalent of this.
There is always a chance this was some type of inside job, and not even cold wallets could help in that case. 
If a company processes $23M either daily or weekly, this means they have enough funds to hire experts or procure any security architecture. So why the hack?
Security is one of those things that money alone can't solve. Even exchanges like MtGox and Bitfinex had good money back then; it all just boils down to one thing(mostly) — complacency caused by incompetence. Even the biggest of companies get hacked.
If a company processes $23M either daily or weekly, this means they have enough funds to hire experts or procure any security architecture. So why the hack?
Large software companies get hacked too. There's simply no expert that can always prevent all problems. 
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".
It might because that much money are the inflows and the outflows made by the payment processor on a daily basis? As already mentioned by others, Alphapo is a business to business processor for crypto gambling services. What we should worry about is which casinos are using Alphapo's services. I reckon if you have some coins in big gambling operators, you might be safe because they can absorb the loss. But withdraw if you have money you do not want to lose if held in a smaller casino.
I do not actually understand how hacks happen. I am not a hacker and I have never considered hacking in my life. But then I have this strong conviction that hacks happen from inwards. I mean a member of the team leaks information that will lead to hacking. I might be totally wrong, but my instinct is strong on this one.
If a company processes $23M either daily or weekly, this means they have enough funds to hire experts or procure any security architecture. So why the hack?
It might because that much money are the inflows and the outflows made by the payment processor on a daily basis?
Still, that shouldn't be a reason to keep all of it in a hot wallet. Every local supermarket here doesn't put large banknotes in the cash register, but instantly drops it into a safe. I'd expect payment processors to use the digital equivalent of this. 
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".
It might because that much money are the inflows and the outflows made by the payment processor on a daily basis? As already mentioned by others, Alphapo is a business to business processor for crypto gambling services. What we should worry about is which casinos are using Alphapo's services. I reckon if you have some coins in big gambling operators, you might be safe because they can absorb the loss. But withdraw if you have money you do not want to lose if held in a smaller casino.
Or do such a big companies have their own child company for payment processing?
It seems that Alphapo isn't serving regular users, don't be surprised if you haven't heard of it.It's a wholesaler specialist payment processor if you look at the registration process. I think your first requirement is to at least have a service of a certain scale and deposit some money as liquidity.
So exactly, this hack involves money for almost of all thier partner/client services.
Checking Whois https://www.whois.com/whois/alphapo.net
Domain:alphapo.net
Registrar:NameCheap, Inc.
Registered On:2020-01-28
Expires On:2025-01-28
Updated On:2021-07-16
The site is over three years of existence they are not good in marketing like many of us here I never read about or heard of this payment processor and checking online they only become popular after this hacking incident.
They are not popular, now they are not secured either, it's better for them to upgrade their security first before thinking of marketing.
Domain:alphapo.net
Registrar:NameCheap, Inc.
Registered On:2020-01-28
Expires On:2025-01-28
Updated On:2021-07-16
The site is over three years of existence they are not good in marketing like many of us here I never read about or heard of this payment processor and checking online they only become popular after this hacking incident.
They are not popular, now they are not secured either, it's better for them to upgrade their security first before thinking of marketing.
It's alphapo.net according to most articles. None talks about alpopay.com, which seems to offer a similar service, but who knows? They could just be masquerading.
Most of these hacks are highly unbelievable. They all seem to me like just insider jobs.
You can't tempt some humans with $23M every day and think they won't wake up one day, team up, steal the funds and share the spoils in the Bahamas
Most of these hacks are highly unbelievable. They all seem to me like just insider jobs.
You can't tempt some humans with $23M every day and think they won't wake up one day, team up, steal the funds and share the spoils in the Bahamas
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".
I wonder if all the stolen coins belong to their clients or if it's a combination of client funds + their own profits.
In that twitter thread that mk4 shared its mentioned that one of their clients (HypeDrop) had to disable withdrawals so it seems that not only their funds was lost in that hack.Another reason why custodian payment processors are dangerous, despite being simpler and more user-friendly
Iirc the only crypto payment processor I ever used was Paycek and it was very user friendly (its non-custodial ofc) so I don't know how easier custodial ones could be. 
I am sure that I have never seen anyone mention or recommend Alphapo in any discussions about crypto payment processors.
Probably because it only focuses on huge businesses as payment processors such as casinos, not on typical payment processor for smaller merchants. 
I am sure that I have never seen anyone mention or recommend Alphapo in any discussions about crypto payment processors. I wonder if all the stolen coins belong to their clients or if it's a combination of client funds + their own profits. Another reason why custodian payment processors are dangerous, despite being simpler and more user-friendly.
Did anyone here use them because I can't remember I ever heard about them before.
These services work on the back-end of gambling sites, so I don't think people would necessarily notice the company name.
Twitter discussion for those interested: https://twitter.com/zachxbt/status/1682941291825627137
Which one is the real AlphaPo, this alphapo.net or this alpopay.com. Or both of them?
By the way, does anyone know which crypto payment processors do casinos like Stake.com and sportsbet.io use? Definitely, BTCPayserver can't be an option for them because they constantly get deposit/withdraws, i.e. have a huge cashflow (or call it a cryptoflow) and have to manage some of their funds in USD/Euro. Or do such a big companies have their own child company for payment processing?
By the way, does anyone know which crypto payment processors do casinos like Stake.com and sportsbet.io use? Definitely, BTCPayserver can't be an option for them because they constantly get deposit/withdraws, i.e. have a huge cashflow (or call it a cryptoflow) and have to manage some of their funds in USD/Euro. Or do such a big companies have their own child company for payment processing?
I do not think that this platform is discussed here before as i searched in the search bar. But the amount hacked is huge and this really arose many questions and doubts about their security. I checked the link you provided and hypedrop is a NFT marketplace which was using the Alphapo payment processing service. And they have added on their website that they are facing some withdrawals issues now.
I checked on similar web that this website Hypedrop have more than millions of customers. Then you might some members using it here. I didn't find the link to the alphapo website or service providing ads etc. Like they might have anything to contact with them.
I checked on similar web that this website Hypedrop have more than millions of customers. Then you might some members using it here. I didn't find the link to the alphapo website or service providing ads etc. Like they might have anything to contact with them.
Payment processor Alphapo was hacked for 23 million USD in BTC, ETH and XRP. Did anyone here use them because I can't remember I ever heard about them before.
Quote from: https://blockchain.news/news/alphapo-hot-wallets-drained-of-over-23m-in-btc-eth-and-tron
Alphapo, a payment processor for various gambling services, reported a breach of their hot wallets today, July 23, 2023. The breach resulted in a loss of over $23 million in Ethereum (ETH), TRON (TRX), and Bitcoin (BTC) cryptocurrencies. The exact amount of BTC stolen remains unclear.
The stolen funds on Ethereum were swapped for ETH and then bridged to Avalanche and Bitcoin. The addresses involved in the breach include:
0x040a96659fd7118259ebcd547771f6ecb9580d17
0x6d2e8a20b8afa88d92406d315b67822c01e53c38
TKSitnfTLVMRbJsF1i2UH5hNUeHLDrXDiY
TDoNAZHa7WxarUAFbQUhiijTGtd7EpbzRh
TJF7mdFxDuHB4tb9hoyR4SCpKxk7gr23ym1
The stolen funds on Ethereum were swapped for ETH and then bridged to Avalanche and Bitcoin. The addresses involved in the breach include:
0x040a96659fd7118259ebcd547771f6ecb9580d17
0x6d2e8a20b8afa88d92406d315b67822c01e53c38
TKSitnfTLVMRbJsF1i2UH5hNUeHLDrXDiY
TDoNAZHa7WxarUAFbQUhiijTGtd7EpbzRh
TJF7mdFxDuHB4tb9hoyR4SCpKxk7gr23ym1
Jump to: