$70M Stolen from UPCX Uauthorised Smart Contract Hack

An unauthorised entity withdrew approximately $70 million in digital assets from UPCX, an open-source payment platform, according to a security alert issued on 1 April.

Crypto security firm Cyvers, which has tracked and exposed several major cybercrimes, identified the breach involving 18.4 million UPC tokens.

Cyvers reported that the attacker gained access to a UPCX address and modified its ProxyAdmin contract.

By exploiting an administrative function, the perpetrator initiated fund withdrawals from three separate management accounts.

Multiple suspicious transactions were recorded, prompting UPCX to acknowledge the breach, though the company provided only limited details about its security measures.

While UPCX downplayed the specifics, Cyvers' findings highlight the scale of the attack.

As an open-source crypto payment system, UPCX now faces a significant security crisis that could impact its credibility and future operations.

Hacker Still Holding Onto the Assets

The hackers stole more UPC tokens than are currently in circulation and have yet to offload any assets.

Their identity and strategy for converting the stolen funds remain unclear.

As of this writing, the tokens have not been swapped for other cryptocurrencies.

Following the exploit, the hacker's wallet became the seventh-largest holder of UPC.

Hours after the breach, all stolen tokens remained untouched in the wallet, likely due to limited liquidity and trading options.

The wallet itself was newly created, with no prior activity aside from a small test transaction of 10 UPC just minutes before the main attack.

Notably, the hacker did not even deposit ETH for gas fees but instead directly interacted with the token contract, executing the transfer with minimal costs and no intermediary steps.

UPC Falls 7% After Security Breach, Recovers Slightly

UPCX confirmed detecting "unauthorised activity" in its management accounts and has since suspended deposits and withdrawals.

The team assured users that their assets remain unaffected and is actively investigating the breach.

Following the exploit, the stolen UPC tokens were consolidated into a single address.

Given that UPC is only traded on Gate.IO and MEXC, with limited liquidity pools, the hacker’s ability to offload assets may be restricted.

The incident triggered a price drop, with UPC falling 7% from a high of $4.06 to a low of $3.77 before recovering slightly to $4.01, according to CoinMarketCap.

UPC Hack Shows Repeating Attack Trends

Cyvers co-founder and CTO Meir Dolev stated that while the root cause of the attack is still under investigation, similar breaches typically result from compromised credentials or weak access controls—factors responsible for over 80% of Web3 losses in 2024.

Dolev stated:

“This incident mirrors attack patterns we’ve documented in prior exploits, where access to critical administrative roles enabled malicious upgrades and fund drainage.”

Dolev noted that the attack followed patterns seen in previous exploits, emphasizing the urgent need for stronger wallet permissions, multisignature security, and real-time transaction validation.

The $70 million theft more than doubles the $33 million lost to crypto hacks in March, highlighting the growing scale of such threats.

Not Much Commotion Caused Despite Hack

Although development on UPCX began in late 2023, significant activity only picked up in early 2025.

Yet, the project remains relatively obscure compared to other Web3 payment platforms.

While the $70 million breach is a severe blow to UPCX, its broader market impact remains uncertain.

The largest crypto hack in history occurred just over a month ago, and its repercussions are still unfolding.

By contrast, UPCX is a minor player—its admission of the breach on X received barely over 12,000 views at the time of writing.

Notably, the hacker’s wallet has yet to move the stolen UPC tokens, raising questions about how they intend to cash out.

Given that the stolen amount is nearly five times the circulating supply, any liquidation attempt could trigger a sharp price collapse.

The UPCX breach stands out for its scale yet relative lack of market disruption.

If investigators can track the attackers and freeze the assets, the damage may be contained.

Otherwise, the looming threat of liquidation could weigh on UPC’s recovery for the foreseeable future.