Alpha Capital “Hacked” — 90% of Investor Funds are Allegedly Lost

Alpha Capital, a DeFi staking platform, has recently reported that it has lost 90% of all investor funds due to a hack. However, there were many red flags that indicated the hack was in fact an inside job, suggesting a rug pull. As investors, it is important to understand subtle signs of unsustainable DeFi models, so that we can avoid future scams.

Unsustainable DeFi Model of Alpha Capital

Launched in November 2022, Alpha Capital’s main product offers a 1%-1.5% daily compound interest on BNB, BUSD, MATIC, and USDC staked on their website through MetaMask, Ledger, and other crypto wallets. However, there is a 5% fee on every deposit, and users would lose their interest if a withdrawal is made 31 days since their deposit. These are the contract addresses controlled by Alpha Capital:

BNB contract on BSC chain: 0xe4018566D1A3178B3b664D0406215096b7a2533B

BUSD contract on BSC chain: 0x95b5dC0B8bd219Cb85181c35e84968E900eF497

MATIC contract on Polygon chain: 0x95b5dC0B8bd219Cb85181c35e84968E900eF4971

USDC contract on Polygon chain: 0x5b7B9B51D2526E832A4D2A6603b1AdCf6Bd8d841

Although a 1%-1.5% interest may not sound a lot, it is compounded daily. This model is similar to the UST yields of Anchor Protocol that played a big part in the collapse of Terra Luna. Additionally, the fact that investors are practically forced to leave their funds for a month gives plenty of time for all sorts of exploits.

How Did Alpha Capital Get Hacked?

Alpha Capital had a wallet for “insurance fund” where they were putting a small percentage of the yields and deposit funds into it. After the hack, they announced on their Telegram channel that while attempting to create an Application Programming Interface (API) on their website for the insurance fund wallet, a hacker managed to access the File Transfer Protocol (FTP) of their website. As a result, the hacker was able to steal their private keys, making off with roughly 90% of the funds. Alpha Capital was able to save the remaining 10% of the funds worth $250,000, and refunded them to investors in USDC via MATIC.

Source: Telegram

Several community members criticized Alpha Capital’s incompetence in security protocols, as using FTP alone is not a secure way to transfer files. However, some pointed out that FTP is particularly vulnerable to brute-force attack, which involves guessing passwords, suggesting an inside job is likely to be the case.

Previous articleMeme Coins 2023: How Smart People Get Rich Investing in Them
Next articleWill Digital Currency Group (DCG) file for Bankruptcy?
Ronal is a Senior China Blockchain Correspondant who has been covering the Chinese blockchain industry since its inception. He has written extensively on the subject, and his work has been featured in some of the world’s leading publications. Ronal is an expert on the Chinese blockchain market and has a deep understanding of the technology and its potential applications.