The crypto payments platform UPCX has temporarily suspended deposits and withdrawals due to a security incident that may have resulted in the loss of approximately $70 million in digital assets.
On April 1, the platform announced it discovered unauthorized access to a management account. In response, UPCX promptly paused all user transactions as a safety measure while initiating an internal investigation. The team reassured users that their funds remain safe and untouched.
Security specialists at Cyvers flagged the breach after uncovering several dubious transactions linked to the platform.
Based on their findings, the attacker compromised a key administrative wallet, altered its smart contract permissions, and activated a function that permitted them to transfer 18.4 million UPC tokens, worth around $70 million.
According to Cyvers, the stolen assets are still held in a single wallet, and as of the time of reporting, no further attempts to exchange or move the funds have been detected.
Cyvers CTO Meir Dolev shared with CryptoSlate that this attack follows patterns seen in the largest exploits over the past year, which have primarily resulted from compromised credentials or inadequate access control, accounting for more than 80% of stolen funds within the Web3 space last year.
Dolev stated:
“This incident resembles attack patterns we’ve noted in previous breaches, where access to crucial administrative roles allowed for malicious upgrades and fund theft. It highlights the pressing need for improved security regarding wallet permissions, multisig implementations, and real-time transaction validation.”
Q1 Hacks
The UPCX breach marks the first major hack of the second quarter, contributing to an increasing list of attacks this year.
Data from PeckShield indicates that over $1.63 billion has been stolen across more than 60 crypto exploits during the first quarter. This represents a 131% increase from the first quarter of 2024, which saw losses of $706 million.
The most significant attacks in the first quarter included a $1.46 billion exploit targeting Bybit and a $69.1 million breach at Phemex, which together accounted for 94% of total losses.
March alone recorded 20 separate hacks that resulted in over $33 million in losses. The largest theft was from DeFi protocol Abracadabra.money, amounting to $13 million, followed closely by an $8.4 million exploit at Zoth, a platform for real-world asset staking.
Mentioned in this article
