Hacker transfers $70M out of payment platform UPCX

Update April 1, 1:42 pm UTC: This article has been updated to add comments from Cyvers co-founder and chief technology officer Meir Dolev.

An unauthorized party withdrew about $70 million in digital assets from open-source payment platform UPCX, according to a security alert issued on April 1.

The blockchain security firm Cyvers flagged suspicious activity involving 18.4 million UPC tokens, estimating the value of the compromised funds at $70 million.

Cyvers said someone accessed a UPCX address and upgraded its ProxyAdmin contract. The attacker then executed a function that allows admins to withdraw, leading to fund transfers from three different management accounts. 

At the time of writing, the stolen tokens had not been swapped for other crypto assets.

Cointelegraph contacted UPCX for comment but did not receive an immediate response. 

UPCX acknowledged it had detected “unauthorized activity” involving its management accounts. The team suspended deposits and withdrawals for UPCX in response to the incident. It said user assets are unaffected by the issue and it is actively investigating the matter. 

UPC’s token price dropped amid news of the incident. According to CoinGecko, UPC’s token prices dropped 7%, from a high of $4.06 to a low of $3.77 during the incident. 

UPCX 24-hour price chart. Source: CoinGecko

Related: Hacker steals $8.4M from RWA restaking protocol Zoth

In a statement, Cyvers co-founder and chief technology officer Meir Dolev told Cointelegraph that while the root cause of the attack remained under investigation, these types of incidents often stem from compromised credentials or flawed access control mechanisms. 

Dolev told Cointelegraph that both of these vulnerabilities have been the predominant cause of Web3 losses in 2024. The executive said the same causes were responsible for over 80% of the stolen funds during the year. 

The cybersecurity executive also said the attack pattern was similar to previous exploits. Dolev told Cointelegraph: 

The executive added that the hack underscored an urgent need to enhance security around wallet permissions, multisignature implementations and runtime transaction validation. 

The $70 million stolen in the incident would more than double the amount lost in the previous month. In March, crypto stolen from hacks only reached $33 million. 

Magazine: Memecoins are ded — But Solana ‘100x better’ despite revenue plunge