Alpha Capital “Hacked” — 90% of Investor Funds are Allegedly Lost

Alpha Capital, a DeFi staking platform, has recently reported that it has lost 90% of all investor funds due to a hack. However, there were many red flags that indicated the hack was in fact an inside job, suggesting a rug pull. As investors, it is important to understand subtle signs of unsustainable DeFi models, so that we can avoid future scams.

Unsustainable DeFi Model of Alpha Capital

Launched in November 2022, Alpha Capital’s main product offers a 1%-1.5% daily compound interest on BNB, BUSD, MATIC, and USDC staked on their website through MetaMask, Ledger, and other crypto wallets. However, there is a 5% fee on every deposit, and users would lose their interest if a withdrawal is made 31 days since their deposit. These are the contract addresses controlled by Alpha Capital:

BNB contract on BSC chain: 0xe4018566D1A3178B3b664D0406215096b7a2533B

BUSD contract on BSC chain: 0x95b5dC0B8bd219Cb85181c35e84968E900eF497

MATIC contract on Polygon chain: 0x95b5dC0B8bd219Cb85181c35e84968E900eF4971

USDC contract on Polygon chain: 0x5b7B9B51D2526E832A4D2A6603b1AdCf6Bd8d841

Although a 1%-1.5% interest may not sound a lot, it is compounded daily. This model is similar to the UST yields of Anchor Protocol that played a big part in the collapse of Terra Luna. Additionally, the fact that investors are practically forced to leave their funds for a month gives plenty of time for all sorts of exploits.

How Did Alpha Capital Get Hacked?

Alpha Capital had a wallet for “insurance fund” where they were putting a small percentage of the yields and deposit funds into it. After the hack, they announced on their Telegram channel that while attempting to create an Application Programming Interface (API) on their website for the insurance fund wallet, a hacker managed to access the File Transfer Protocol (FTP) of their website. As a result, the hacker was able to steal their private keys, making off with roughly 90% of the funds. Alpha Capital was able to save the remaining 10% of the funds worth $250,000, and refunded them to investors in USDC via MATIC.

Source: Telegram

Several community members criticized Alpha Capital’s incompetence in security protocols, as using FTP alone is not a secure way to transfer files. However, some pointed out that FTP is particularly vulnerable to brute-force attack, which involves guessing passwords, suggesting an inside job is likely to be the case.

The information provided in this article is intended for general guidance and information purposes only. Contents of this article are under no circumstances intended to be considered as investment, business, legal or tax advice. We do not accept any responsibility for individual decisions made based on this article and we strongly encourage you to do your own research before taking any action. Although best efforts are made to ensure that all information provided herein is accurate and up to date, omissions, errors, or mistakes may occur. 
Disclosure: Authors are invested in cryptocurrency projects and have cryptocurrency holdings - including those covered on this website. 

Stay Connected


Latest Articles