
Topic: Payment processor hacked, more than $23M in crypto stolen (Read 399 times)

hero member
Activity: 2996
Merit: 598
I have never heard of them, probably because I rarely gamble; it said that it's a payment processor for gambling services. Seems like it's not for individuals; I suppose their clients are mostly casino owners/companies. It also said that one of their clients operates several illegal casinos, so this payment processor never does background checks on its clients; no wonder their platform is not secure.
It's not for average Joes like us, which is the reason there was not much information about this payment processor until this hacking incident. If you're into gambling, it's a concern if one of the casinos you're playing at has it as a partner, because it will have an impact on their finances. If it's true that they facilitate payments for illegal casinos, they are then conniving, it's not good for their reputation, and there are legal implications. Payment processors should check the reputation of their partners even if they work with companies only.
sr. member
Activity: 1400
Merit: 268
I have never heard of them, probably because I rarely gamble; it said that it's a payment processor for gambling services. Seems like it's not for individuals; I suppose their clients are mostly casino owners/companies. It also said that one of their clients operates several illegal casinos, so this payment processor never does background checks on its clients; no wonder their platform is not secure.
legendary
Activity: 3094
Merit: 1127
Ouch, this should really sting!!!

I think it's high time individuals, companies, pretty much everybody started using multisig wallets to avoid these huge losses!

I am sure we dread the process of X,Y,Z approving the transaction as it loses some precious time, but it saves us from losing such colossal sums in a blink of an eye!!

Hope Alphapo doesn't close shop because of this unfortunate incident.
It's really hard to believe that they won't be closing their doors or having a significant pause of their services, considering that this incident involves no small amount, and for sure there will be further investigations into whether this was purely a hack, with no possibility of an inside job. Honestly, I don't really have any trust, when it comes to these hacking incidents, that they were literally hacked by someone, because we do have instances where inside jobs and other related things have been proven, which gives rise to that doubt most of the time.
It's nothing new that payment processors, bridges and online wallets are the hottest targets of these hackers, considering that the reward once they succeed is really huge, involving multiple millions of dollars, which is something casual for them to consider. The security of these platforms should really be kept in mind.
hero member
Activity: 882
Merit: 792
There is nothing wrong with that, hackers are a strategical weapon for governments and it's better to use these brains wisely rather than to rot them in prison.
There is nothing good in their hypocrisy and double standards, when it's allowed to do harm to others if they allow it.
It's silly to assume governments can't use those hackers to track and harm their own citizens, as well as other countries and regions, and they are obviously doing all of that.
I seriously doubt anything I read in the news these days, because real journalists don't exist anymore, and when they say ''unknown hackers'' I always assume they work for the government.
What's the point of rotting talented people in prison? Hackers are talented, they are good at math, problem solving, programming; they are good but do a bad job. Logically, it would be better if a pro-people government used them against enemy countries, but it's true that a bad government uses them against its own people.
There is a thing that I have been thinking about recently. Let's take the USA for example: are the people in government patriots? They always try to remain a global superpower, the dominant country. They try to make their own currency a global reserve, they try to have a powerful military, they try to control many countries, they try many things, so, are they patriots or not?
legendary
Activity: 2212
Merit: 7064
There is nothing wrong with that, hackers are a strategical weapon for governments and it's better to use these brains wisely rather than to rot them in prison.
There is nothing good in their hypocrisy and double standards, when it's allowed to do harm to others if they allow it.
It's silly to assume governments can't use those hackers to track and harm their own citizens, as well as other countries and regions, and they are obviously doing all of that.
I seriously doubt anything I read in the news these days, because real journalists don't exist anymore, and when they say ''unknown hackers'' I always assume they work for the government.


legendary
Activity: 3234
Merit: 5637
People should think critically about what is presented to them, but I think we have already passed the point where people were capable of doing that - it is much easier to surrender to the current of the media than to try to challenge it in any way.
And how exactly did you challenge what @ZachXBT said? Did you maybe do proper research, forensics, etc.? After all, he didn't claim that it's 100% Lazarus behind it.

He suggests that it's probably the same group of hackers because they allegedly left a digital footprint pointing to them, although I'm not an expert to say how credible that is. I want to say that nowadays anyone can use all possible technology and pretend to be someone else while doing bad things online.

This means that if other hackers are skilled enough to carry out an attack and leave a digital footprint that points to Lazarus, they didn't just successfully hack someone, they practically led the investigation into a dead end.

On the other hand, hackers are not the only ones to blame, because they are only using loopholes in the system that are obviously being exploited very successfully. In fact, it is not so important who is behind the hacking, but why so many companies behave so irresponsibly and keep tens of millions of $ worth of cryptocurrencies in hot wallets.
legendary
Activity: 3500
Merit: 6320
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".
Why does $23M surprise you? They are a payment processor after all and, more importantly, they offer a payment solution to casinos (not casino, casinos, ss) that have a lot of gamblers that constantly make deposits and withdrawals.

I was thinking that exact same thing and that even with the new total of $60 million that it's low.
It comes down to cost vs. risk. This time they gambled and lost (casino joke), but if you have to keep moving from hot to cold and then back out again, those costs for BTC and ETH will add up (ignoring the other coins). And if you have enough programming logic in the back end, you might even be able to pay out some people straight from other people's deposits.

Not your keys, not your coins, not just for exchanges anymore. You don't go to a physical casino and leave your money there when you leave the tables. You put it in your pocket and walk away.

-Dave
hero member
Activity: 882
Merit: 792
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".
Why does $23M surprise you? They are a payment processor after all and, more importantly, they offer a payment solution to casinos (not casino, casinos, ss) that have a lot of gamblers that constantly make deposits and withdrawals.

When you don't know who's to blame, blame Lazarus and North Korea. It turns out that a country where less than 99% of people have access to the internet has the best hackers in the world - and what would happen if the internet was a common thing there? The whole world would probably be hacked.
It probably helps if the national government protects hackers, instead of arresting them.
No, no, the situation will be very different in North Korea. People in that country don't have access to the internet, so people won't be able to become hackers, but I think that they do the following: they keep an eye on kids who are talented in physics and mathematics, then take these kids and send them to China and Russia for education and training; then they are sent back to North Korea, trained, experienced and capable of working for the government. At the moment, the government definitely takes care of them and guarantees a comfortable life.

It probably helps if the national government protects hackers, instead of arresting them.
Aren't all governments doing that already?
It's not a secret that the US is doing that and they even admitted that in public several times, especially when hackers have the option to choose prison or legal hacking for the government.
This old Guardian article claims that 25% of all hackers in the US are working for the government, and I am 100% sure that number is much higher now:
https://www.theguardian.com/technology/2011/jun/06/us-hackers-fbi-informer
There is nothing wrong with that, hackers are a strategical weapon for governments and it's better to use these brains wisely rather than to rot them in prison.
hero member
Activity: 1834
Merit: 879
Ouch, this should really sting!!!

I think it's high time individuals, companies, pretty much everybody started using multisig wallets to avoid these huge losses!

I am sure we dread the process of X,Y,Z approving the transaction as it loses some precious time, but it saves us from losing such colossal sums in a blink of an eye!!

Hope Alphapo doesn't close shop because of this unfortunate incident.
legendary
Activity: 1722
Merit: 5937
People should think critically about what is presented to them, but I think we have already passed the point where people were capable of doing that - it is much easier to surrender to the current of the media than to try to challenge it in any way.
And how exactly did you challenge what @ZachXBT said? Did you maybe do proper research, forensics, etc.? After all, he didn't claim that it's 100% Lazarus behind it.



Aren't all governments doing that already?
It's not a secret that the US is doing that and they even admitted that in public several times, especially when hackers have the option to choose prison or legal hacking for the government.
Of course every developed country has their own teams of hackers doing their dirty work.

legendary
Activity: 2212
Merit: 7064
It probably helps if the national government protects hackers, instead of arresting them.
Aren't all governments doing that already?
It's not a secret that the US is doing that and they even admitted that in public several times, especially when hackers have the option to choose prison or legal hacking for the government.
This old Guardian article claims that 25% of all hackers in the US are working for the government, and I am 100% sure that number is much higher now:
https://www.theguardian.com/technology/2011/jun/06/us-hackers-fbi-informer
legendary
Activity: 3234
Merit: 5637
Who says that they are the best hacker group in the world?

How many big hacks (and smaller ones too) are connected to that group of hackers in recent years? It is incredible how media propaganda washes the brain by constantly repeating one and the same thing, because they always accuse one and the same group of hacking - just as they used to accuse one terrorist organization for every possible terrorism.

People should think critically about what is presented to them, but I think we have already passed the point where people were capable of doing that - it is much easier to surrender to the current of the media than to try to challenge it in any way.
legendary
Activity: 2576
Merit: 1860
Can you list gambling sites that use them?
I've heard names like HypeDrop, Ignition and Bovada being mentioned in articles but I can't say I heard about any of those before.

I guess I've stumbled upon Bovada a number of times in the past. I'm not a user, though. It's not even available here in my area. I did a quick search on it and, while it hasn't been promoted here, it seems it has been operating for quite a while already, since 2011.

Anyway, the amount of stolen funds is actually much higher now. The update says the total stolen is already $60 million.[1] Users of the above-mentioned platforms should brace for some suspensions. If they still can, they should quickly cancel their bets and withdraw all funds.


[1] https://twitter.com/zachxbt/status/1683747073227624448

When you don't know who's to blame, blame Lazarus and North Korea. It turns out that a country where less than 99% of people have access to the internet has the best hackers in the world - and what would happen if the internet was a common thing there? The whole world would probably be hacked.
It probably helps if the national government protects hackers, instead of arresting them.

Not just protect but even sponsor them, send them to reliable universities in China to hone their skills. They're not just protected and state-sponsored; they're state-employed. They don't belong to the 99%, apparently because they're part of a special circle, a very productive one.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
When you don't know who's to blame, blame Lazarus and North Korea. It turns out that a country where less than 99% of people have access to the internet has the best hackers in the world - and what would happen if the internet was a common thing there? The whole world would probably be hacked.
It probably helps if the national government protects hackers, instead of arresting them.
hero member
Activity: 2926
Merit: 567
Prior to the hacking incident, the majority did not know there was a payment processor named Alphapo. Checking the internet, they became popular because of the hacking incident. I Googled Alphapo and did not add any keywords, but all the articles or content are about Alphapo's hacking: 157,000 results, and I'm on page 10, but the results are all about the hacking.
Great way to be popular.

legendary
Activity: 1722
Merit: 5937
It turns out that a country where less than 99% of people have access to the internet has the best hackers in the world - and what would happen if the internet was a common thing there? The whole world would probably be hacked.
Who says that they are the best hacker group in the world?

After all, why couldn't a country that is capable of developing nukes and long-range missiles have a capable state-sponsored hacker group? I don't think that they are so backwards as we like to think. Well, at least not at things that matter to them, e.g. the military.
legendary
Activity: 1288
Merit: 1081
Goodnight, o_e_l_e_o 🌹
If a company processes $23M either daily or weekly, this means they have enough funds to hire experts or procure any security architecture. So why the hack?
Large software companies get hacked too. There's simply no expert that can always prevent all problems.
If a company processes $23M either daily or weekly, this means they have enough funds to hire experts or procure any security architecture. So why the hack?

Security is one of those things that money alone can't solve. Even exchanges like MtGox and Bitfinex had good money back then; it all just boils down to one thing (mostly) — complacency caused by incompetence. Even the biggest of companies get hacked.

At least I have known and learnt not to blame any company or project that is hacked. I have always believed that hacks are a result of not investing much in security and not employing competent experts.
Now that I know, what to do next is to measure the degree of complacency and incompetence of the project owners, as said by Mk4. But then, I think those lapses and loopholes can be covered immediately after the hack to avoid public scrutiny.
legendary
Activity: 3234
Merit: 5637
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".

Such things do not surprise me at all, and there are only two reasons why some companies behave so irresponsibly - because they themselves are irresponsible and unprofessional, or because at some point they want to hack themselves and blame someone else for it.



According to @ZachXBT, it looks like that infamous North Korean group Lazarus might be behind this.

When you don't know who's to blame, blame Lazarus and North Korea. It turns out that a country where less than 99% of people have access to the internet has the best hackers in the world - and what would happen if the internet was a common thing there? The whole world would probably be hacked.
legendary
Activity: 1722
Merit: 5937
There is always a chance this was some type of inside job, and not even cold wallets could help in that case.
According to @ZachXBT, it looks like that infamous North Korean group Lazarus might be behind this. Also, the total amount lost is now more than $60M, as they located more TRON and BTC that was hacked.
Source: https://twitter.com/zachxbt/status/1683747073227624448


Can you list gambling sites that use them?
I've heard names like HypeDrop, Ignition and Bovada being mentioned in articles but I can't say I heard about any of those before.
sr. member
Activity: 626
Merit: 252
Can you list gambling sites that use them?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Don't design your payment processor to be custodial - instead, make it track an extended public key, and use the last three derivation numbers (account for user accounts, type and index as a combined number) in order to support up to 2^31 accounts and 2^62 payments for each account respectively. This also works for any cryptocurrency that uses BIP44 derivation rules and secp256k1 keys - Bitcoin, Litecoin, Ethereum, even all cryptonote coins such as Monero and Zcash (as well as everything else listed on SLIP-44: https://github.com/satoshilabs/slips/blob/master/slip-0044.md)
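The scheme in the post above, sketched as an added example (not code from the thread or from any project named in it): the online server holds only an extended public key and derives a receiving key per account / type / index with BIP32 public derivation, while the private key stays on an offline signer. It assumes three non-hardened levels below the tracked key and secp256k1; `derive`, `tweak_for`, `DEMO_PRIV` and `DEMO_CHAIN` are illustrative names and constructed values.

```python
import hashlib
import hmac

# secp256k1 parameters: field prime, group order, generator point.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000  # indexes at or above 2^31 need the private key
# Constructed demo key material for the offline signer (not from the page).
DEMO_PRIV = int.from_bytes(hashlib.sha256(b"demo parent key").digest(), "big") % N
DEMO_CHAIN = hashlib.sha256(b"demo chain code").digest()

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, pt):
    """Double-and-add. Not constant time: for illustration only."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def compress(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def decompress(data):
    x = int.from_bytes(data[1:], "big")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)
    return (x, y) if (y & 1) == (data[0] & 1) else (x, P - y)

def tweak_for(chain_code, data, index):
    """HMAC-SHA512 split into (scalar tweak, child chain code), as in BIP32."""
    digest = hmac.new(chain_code, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    tweak = int.from_bytes(digest[:32], "big")
    if tweak >= N:
        raise ValueError("invalid child, skip this index")
    return tweak, digest[32:]

def ckd_pub(pubkey, chain_code, index):
    """Public parent -> public child: all the online server ever runs."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    tweak, child_chain = tweak_for(chain_code, pubkey, index)
    child = point_add(scalar_mult(tweak, G), decompress(pubkey))
    if child is None:
        raise ValueError("invalid child, skip this index")
    return compress(child), child_chain

def ckd_priv(privkey, chain_code, index):
    """Private parent -> private child: runs only on the offline signer."""
    if index >= HARDENED:
        data = b"\x00" + privkey.to_bytes(32, "big")
    else:
        data = compress(scalar_mult(privkey, G))
    tweak, child_chain = tweak_for(chain_code, data, index)
    child = (tweak + privkey) % N
    if child == 0:
        raise ValueError("invalid child, skip this index")
    return child, child_chain

def derive(ckd, key, chain_code, account, kind, index):
    """Walk account / type / index below the tracked key using ckd_pub or ckd_priv."""
    for level in (account, kind, index):
        key, chain_code = ckd(key, chain_code, level)
    return key
```

With non-hardened levels, the extended public key plus any single child private key is enough to recover the parent private key, so child private keys must never be exported to the online side. Production code should use a vetted BIP32 library rather than this non-constant-time arithmetic.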
legendary
Activity: 2212
Merit: 7064
Payment processor Alphapo was hacked for 23 million USD in BTC, ETH and XRP. Did anyone here use them? Because I can't remember ever hearing about them before.
Nobody even heard about them, but I think people indirectly used them with gambling websites, so we could be hearing about other casinos having problems, not just the ones mentioned in this article.
Does anyone know if Alphapo has any connections with casinos that are active on the Bitcointalk forum?

Still, that shouldn't be a reason to keep all of it in a hot wallet. Every local supermarket here doesn't put large banknotes in the cash register, but instantly drops it into a safe. I'd expect payment processors to use the digital equivalent of this.
There is always a chance this was some type of inside job, and not even cold wallets could help in that case.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
If a company processes $23M either daily or weekly, this means they have enough funds to hire experts or procure any security architecture. So why the hack?

Security is one of those things that money alone can't solve. Even exchanges like MtGox and Bitfinex had good money back then; it all just boils down to one thing (mostly) — complacency caused by incompetence. Even the biggest of companies get hacked.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
If a company processes $23M either daily or weekly, this means they have enough funds to hire experts or procure any security architecture. So why the hack?
Large software companies get hacked too. There's simply no expert that can always prevent all problems.
legendary
Activity: 1288
Merit: 1081
Goodnight, o_e_l_e_o 🌹
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".

It might be because that much money is the inflows and the outflows made by the payment processor on a daily basis? As already mentioned by others, Alphapo is a business-to-business processor for crypto gambling services. What we should worry about is which casinos are using Alphapo's services. I reckon if you have some coins in big gambling operators, you might be safe because they can absorb the loss. But withdraw if you have money you do not want to lose if held in a smaller casino.

I do not actually understand how hacks happen. I am not a hacker and I have never considered hacking in my life. But then I have this strong conviction that hacks happen from within. I mean a member of the team leaks information that will lead to hacking. I might be totally wrong, but my instinct is strong on this one.
If a company processes $23M either daily or weekly, this means they have enough funds to hire experts or procure any security architecture. So why the hack?
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
It might be because that much money is the inflows and the outflows made by the payment processor on a daily basis?
Still, that shouldn't be a reason to keep all of it in a hot wallet. Every local supermarket here doesn't put large banknotes in the cash register, but instantly drops it into a safe. I'd expect payment processors to use the digital equivalent of this.
legendary
Activity: 3010
Merit: 1460
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".

It might be because that much money is the inflows and the outflows made by the payment processor on a daily basis? As already mentioned by others, Alphapo is a business-to-business processor for crypto gambling services. What we should worry about is which casinos are using Alphapo's services. I reckon if you have some coins in big gambling operators, you might be safe because they can absorb the loss. But withdraw if you have money you do not want to lose if held in a smaller casino.
hero member
Activity: 2212
Merit: 670
Or do such big companies have their own child company for payment processing?
It seems that Alphapo isn't serving regular users, so don't be surprised if you haven't heard of it.
It's a wholesale specialist payment processor, if you look at the registration process. I think your first requirement is to at least have a service of a certain scale and deposit some money as liquidity.
So exactly, this hack involves money for almost all of their partner/client services.
legendary
Activity: 3416
Merit: 1225
Checking Whois https://www.whois.com/whois/alphapo.net
Domain:alphapo.net
Registrar:NameCheap, Inc.
Registered On:2020-01-28
Expires On:2025-01-28
Updated On:2021-07-16

The site has been in existence for over three years. They are not good at marketing; like many of us here, I never read about or heard of this payment processor, and checking online, they only became popular after this hacking incident.

They are not popular, and now they are not secure either; it's better for them to upgrade their security first before thinking of marketing.
legendary
Activity: 2338
Merit: 1261
Heisenberg
Which one is the real AlphaPo, this alphapo.net or this alpopay.com? Or both of them?
It's alphapo.net according to most articles. None talks about alpopay.com, which seems to offer a similar service, but who knows? They could just be masquerading.
Most of these hacks are highly unbelievable. They all seem to me like just insider jobs.

You can't tempt some humans with $23M every day and think they won't wake up one day, team up, steal the funds and share the spoils in the Bahamas.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I'm surprised they keep that much money in hot wallets. In my mind, hot wallets are only meant for amounts you can afford to lose. It makes me wonder how much money they process if they consider this "pocket change".
legendary
Activity: 1722
Merit: 5937
I wonder if all the stolen coins belong to their clients or if it's a combination of client funds + their own profits.
In that Twitter thread that mk4 shared it's mentioned that one of their clients (HypeDrop) had to disable withdrawals, so it seems that not only their funds were lost in that hack.


Another reason why custodian payment processors are dangerous, despite being simpler and more user-friendly
Iirc the only crypto payment processor I ever used was Paycek and it was very user friendly (it's non-custodial ofc), so I don't know how much easier custodial ones could be.


hero member
Activity: 1554
Merit: 880
pxzone.online
I am sure that I have never seen anyone mention or recommend Alphapo in any discussions about crypto payment processors.
Probably because it only focuses on being a payment processor for huge businesses such as casinos, not on being a typical payment processor for smaller merchants.
legendary
Activity: 2730
Merit: 7065
I am sure that I have never seen anyone mention or recommend Alphapo in any discussions about crypto payment processors. I wonder if all the stolen coins belong to their clients or if it's a combination of client funds + their own profits. Another reason why custodian payment processors are dangerous, despite being simpler and more user-friendly.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
Did anyone here use them? Because I can't remember ever hearing about them before.

These services work on the back-end of gambling sites, so I don't think people would necessarily notice the company name.

Twitter discussion for those interested: https://twitter.com/zachxbt/status/1682941291825627137
hero member
Activity: 882
Merit: 792
Which one is the real AlphaPo, this alphapo.net or this alpopay.com? Or both of them?
By the way, does anyone know which crypto payment processors casinos like Stake.com and sportsbet.io use? Definitely, BTCPayserver can't be an option for them because they constantly get deposits/withdrawals, i.e. have a huge cashflow (or call it a cryptoflow) and have to manage some of their funds in USD/Euro. Or do such big companies have their own child company for payment processing?
member
Activity: 110
Merit: 70
I do not think that this platform was discussed here before, as I searched in the search bar. But the amount hacked is huge and this really raised many questions and doubts about their security. I checked the link you provided and HypeDrop is an NFT marketplace which was using the Alphapo payment processing service. And they have added on their website that they are facing some withdrawal issues now.

I checked on Similarweb that this website, HypeDrop, has more than millions of customers. Then you might find some members using it here. I didn't find the link to the Alphapo website or service-providing ads etc. Like they might have anything to contact with them.
legendary
Activity: 1722
Merit: 5937
Payment processor Alphapo was hacked for 23 million USD in BTC, ETH and XRP. Did anyone here use them? Because I can't remember ever hearing about them before.

Alphapo, a payment processor for various gambling services, reported a breach of their hot wallets today, July 23, 2023. The breach resulted in a loss of over $23 million in Ethereum (ETH), TRON (TRX), and Bitcoin (BTC) cryptocurrencies. The exact amount of BTC stolen remains unclear.

The stolen funds on Ethereum were swapped for ETH and then bridged to Avalanche and Bitcoin. The addresses involved in the breach include:
