<img src="https://secure.glue1lazy.com/215876.png" style="display:none;">

Hack Track: Alphapo Flow of Funds Analysis

On the 22nd of July, Alphapo, a cryptocurrency payment gateway suffered a massive security breach leading to at least $110 million being drained from its hot wallets on Ethereum and Tron blockchain.

What is Alphapo?

Established in 2018, Alphapo is a Curacao-based crypto payment gateway that offers instant transactions in over 30 digital assets. It has over 100,000 users and is best known as the crypto gateway for several gambling platforms, including HypeDrop, Ignition, and Bovada.

Industry response

ZachXBT, a famous cryptocurrency analyst on Twitter, announced the hack adding that the stolen funds were swapped for ETH and bridged to Bitcoin and Avalanche.

In response to the recent news, HypeDrop, a customer of Alphapo, temporarily disabled withdrawals. They also issued a statement on Twitter explaining the situation: "Our provider is currently working to solve some recent issues from their side. They are facing problems specifically related to withdrawals of BTC, ETH, and TRX, as well as deposits for ETH and TRX”.

Hot Wallet Attack: The Alleged Cause of the $110 Million Hack 

The hack allegedly took place due to an attack on the platform’s hot wallets, leading to a drain of nearly $110 million. 

A hot wallet refers to a cryptocurrency wallet that maintains a constant connection to the internet and the cryptocurrency network. These wallets are specifically designed for sending and receiving cryptocurrencies, providing real-time access to the number of tokens available for use. With a hot wallet, users can actively manage their digital assets and monitor their current balance with ease.

The primary concern with hot wallets lies in their constant connection to the internet, making them more susceptible to cybersecurity threats. This vulnerability extends to both user-owned hot wallets and those maintained by the organization or exchange.

For instance, hackers can exploit phishing emails to gain unauthorized access to a person's laptop, which, in turn, provides them with an entry point to hack the individual's hot wallet. The risk of such attacks underscores the importance of robust security measures to safeguard digital assets in the world of cryptocurrencies.

Merkle Science’s Flow of Funds Analysis 

Summary of the hack

The attacker stole $101 million from Alphapo hot wallets on the Ethereum blockchain

The attacker was able to hop over to the Bitcoin blockchain, where the funds are currently unmoved in 67 newly minted Bitcoin addresses

The attacker also gained access to the platform’s hot wallet on the Tron blockchain and stole over 118 million TRX tokens amounting to approximately $9.5 million 

Merkle Science’s blockchain forensics visualization tool ‘Tracker’ depicting the flow of funds 
Merkle Science’s blockchain forensics visualization tool ‘Tracker’ depicts the flow of funds 



1. The attacker got access to the hot wallet on Ethereum and was able to pilfer approximately $101 million in the following tokens:

Amount USD $1,687.75 $77,040.38 $90,594,630.27 $107,993.17 $6,073,034.94 $4,647,340.36 $101,501,726.87


2. DAI, USDC, and USDT tokens were swapped for an additional 3,252 ETH.

3. The 5,716.77 ETH ($10.5 Million) were then sent to an associate address (Attacker E2) of the attacker before being split into 67 different Ethereum addresses. 

4. What followed next was a series of bridge transactions, after which the attacker was able to hop over to the BTC blockchain, where the funds are currently unmoved in 67 newly minted Bitcoin addresses. 

5. TrueFil (TFL) and Fasttoken (FTN) tokens worth ~ $90 million are currently unmoved in the Attacker E1 address. 


1. In addition to the Ethereum hot wallet, the attacker (Attacker T1) also had access to the Tron hot wallet which resulted in over 118 million TRX tokens amounting to approximately $9.5 million

2. After 2 hops, approximately 59 Million TRX tokens have been moved to an associate address, which has further sent funds to a group of new TRX addresses. 


Use of cross-chain bridges in laundering stolen funds 

The use of cross-chain bridges in laundering crime proceeds has emerged as a concerning trend in the DeFi ecosystem. Hackers make use of cross-chain bridges to transfer stolen funds across various blockchains, deliberately creating a complex trail of funds that poses significant challenges for investigators trying to track their illicit activities. 

For further insights into other such techniques used by hackers to obfuscate the trail of stolen funds, read: https://blog.merklescience.com/general/decoding-money-laundering-typologies